Commit 30264438 authored by robert@webkit.org's avatar robert@webkit.org

Regression(r127163): Heap-use-after-free in WebCore::RenderBoxModelObject::hasSelfPaintingLayer

https://bugs.webkit.org/show_bug.cgi?id=95632

Reviewed by Abhishek Arya.

Source/WebCore:

Don't add floats to the floating object set of blocks that avoid floats. There's no point in doing that
and they will never get cleared out during relayout.

Tests: fast/css/intruding-floats-crash.html

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::clearFloatsIfNeeded):

LayoutTests:

* fast/css/intruding-floats-crash-expected.txt: Added.
* fast/css/intruding-floats-crash.html: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127509 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 5f2e9dec
2012-09-04 Robert Hogan <robert@webkit.org>
Regression(r127163): Heap-use-after-free in WebCore::RenderBoxModelObject::hasSelfPaintingLayer
https://bugs.webkit.org/show_bug.cgi?id=95632
Reviewed by Abhishek Arya.
* fast/css/intruding-floats-crash-expected.txt: Added.
* fast/css/intruding-floats-crash.html: Added.
2012-09-04 Michael Saboff <msaboff@apple.com>
equal() in CSSParser.cpp should check the length of characters
<html>
<head>
<style>
.c3 { text-decoration: inherit; border-style: dotted; }
.c6:only-of-type { position: relative; content: url(data:text/plain,aaa); }
.c6 + .c3 { display: table-row; float: right; }
.c6[class^="c6"] { overflow: auto; }
.c7:nth-last-of-type(odd) { float: right; width: 100%; }
.c7:nth-last-child(2n) { display: -wap-marquee; float: none; }
.c7[class$="c7"] { content: url(data:text/plain,aaa); }
.c8 { display: compact; -webkit-column-count: 65536; }
.c8:first-of-type { float: none; -webkit-column-span: all;}
</style>
<script>
if (window.testRunner) {
testRunner.waitUntilDone();
testRunner.dumpAsText();
}
var nodes = Array();
function tryToCrash()
{
document.body.OffsetTop;
setTimeout('testRunner.notifyDone();',10);
}
function boom() {
try { nodes[8] = document.createElement('nav'); } catch(e) {}
try { nodes[12] = document.createElement('ins'); } catch(e) {}
try { nodes[48] = document.createElement('button'); } catch(e) {}
try { document.documentElement.appendChild(nodes[48]); } catch(e) {}
try { nodes[59] = document.createElement('sub'); } catch(e) {}
try { nodes[59].setAttribute('class', 'c7'); } catch(e) {}
try { document.documentElement.appendChild(nodes[59]); } catch(e) {}
try { nodes[65] = document.createElement('b'); } catch(e) {}
try { nodes[65].setAttribute('class', 'c6'); } catch(e) {}
try { document.documentElement.appendChild(nodes[65]); } catch(e) {}
try { nodes[66] = document.createElement('tbody'); } catch(e) {}
try { nodes[66].setAttribute('class', 'c3'); } catch(e) {}
try { document.documentElement.appendChild(nodes[66]); } catch(e) {}
try { nodes[68] = document.createElement('button'); } catch(e) {}
try { document.documentElement.appendChild(nodes[68]); } catch(e) {}
try { nodes[77] = document.createElement('i'); } catch(e) {}
try { document.documentElement.appendChild(nodes[77]); } catch(e) {}
try { nodes[78] = document.createElement('aside'); } catch(e) {}
try { document.documentElement.appendChild(nodes[78]); } catch(e) {}
try { nodes[84] = document.createElement('nav'); } catch(e) {}
try { nodes[84].setAttribute('class', 'c8'); } catch(e) {}
try { nodes[86] = document.createElement('colgroup'); } catch(e) {}
try { document.documentElement.appendChild(nodes[86]); } catch(e) {}
setTimeout('try { nodes[12].appendChild(nodes[65]); } catch(e) {}', 5);
setTimeout('try { nodes[8].appendChild(nodes[86]); } catch(e) {}', 4);
setTimeout("try { nodes[68].setAttribute('class', 'c8'); } catch(e) {}", 2);
setTimeout('try { nodes[68].appendChild(nodes[84]); } catch(e) {}', 3);
setTimeout('document.execCommand("SelectAll", false, "");', 1);
setTimeout('tryToCrash();', 6);
}
window.onload = boom;
</script>
</head>
<body>
Passes if it doesn't crash!
</body>
</html>
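Review bot: `document.body.OffsetTop;` in tryToCrash reads a property that does not exist on the element (the layout-forcing DOM attribute is `offsetTop`), so the statement is a no-op and does not force the synchronous layout it appears meant to trigger before `testRunner.notifyDone()` is scheduled. Whether the regressed code path is actually reached then depends on the engine laying out on its own inside the 10 ms timeout, which makes this regression test less deterministic than it looks. Changing the line to `document.body.offsetTop;` forces the layout explicitly at that point.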
2012-09-04 Robert Hogan <robert@webkit.org>
Regression(r127163): Heap-use-after-free in WebCore::RenderBoxModelObject::hasSelfPaintingLayer
https://bugs.webkit.org/show_bug.cgi?id=95632
Reviewed by Abhishek Arya.
Don't add floats to the floating object set of blocks that avoid floats. There's no point in doing that
and they will never get cleared out during relayout.
Tests: fast/css/intruding-floats-crash.html
* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::clearFloatsIfNeeded):
2012-09-04 Michael Saboff <msaboff@apple.com>
equal() in CSSParser.cpp should check the length of characters
......@@ -2124,7 +2124,7 @@ LayoutUnit RenderBlock::clearFloatsIfNeeded(RenderBox* child, MarginInfo& margin
LayoutUnit logicalTop = yPos + heightIncrease;
// After margin collapsing, one of our floats may now intrude into the child. If the child doesn't contain floats of its own it
// won't get picked up for relayout even though the logical top estimate was wrong - so add the newly intruding float now.
if (containsFloats() && child->isRenderBlock() && !toRenderBlock(child)->containsFloats() && lowestFloatLogicalBottom() > logicalTop)
if (containsFloats() && child->isRenderBlock() && !toRenderBlock(child)->containsFloats() && !child->avoidsFloats() && lowestFloatLogicalBottom() > logicalTop)
toRenderBlock(child)->addIntrudingFloats(this, logicalLeftOffsetForContent(), logicalTop);
return logicalTop;
......@@ -4511,6 +4511,8 @@ bool RenderBlock::hasOverhangingFloat(RenderBox* renderer)
void RenderBlock::addIntrudingFloats(RenderBlock* prev, LayoutUnit logicalLeftOffset, LayoutUnit logicalTopOffset)
{
ASSERT(!avoidsFloats());
// If the parent or previous sibling doesn't have any floats to add, don't bother.
if (!prev->m_floatingObjects)
return;
......
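Review bot: The new `ASSERT(!avoidsFloats())` at the top of addIntrudingFloats only holds in debug builds, so in release builds the fix rests entirely on the extra `!child->avoidsFloats()` term added to the condition in clearFloatsIfNeeded; if any other caller of addIntrudingFloats exists (none is visible in this diff), it could still insert floats into a block that never clears them. A release-safe guard next to the assertion, `if (avoidsFloats()) return;`, would keep the invariant even when a future caller forgets the check. The two-line comment above the condition still describes only the margin-collapsing case; extending it with `// Blocks that avoid floats never clear intruding floats on relayout, so skip them.` records why the new term is there. clearFloatsIfNeeded begins before the first hunk and addIntrudingFloats continues past the second.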