REGRESSION (r167879): Heap-use-after-free in WebCore::RenderFlexibleBox
authorrego@igalia.com <rego@igalia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 29 Apr 2014 17:34:34 +0000 (17:34 +0000)
committerrego@igalia.com <rego@igalia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 29 Apr 2014 17:34:34 +0000 (17:34 +0000)
commit653a47ef8edc8eae25b81bcc6598b4265b2e895a
tree4e6d2b8990c4d38ee2a91c17c96825c8db5c36f9
parent0f46d12e2546fc54800ca5a08f0217c113a52b78
REGRESSION (r167879): Heap-use-after-free in WebCore::RenderFlexibleBox
https://bugs.webkit.org/show_bug.cgi?id=132337

Reviewed by Simon Fraser.

From Blink r154582 by <jchaffraix@chromium.org>

Source/WebCore:
This is a regression from the changes in OrderIterator. The issue is
that we don't invalidate our iterator when a child is removed. This
means that we could hold onto free'd memory until the next layout
when we will recompute the iterator.

The solution is simple: just clear the memory when we remove a child.

Note that RenderGrid is not impacted by this bug as we don't use the
iterator outside layout yet, but if we do it at some point the very same
problem will arise, so the same treatment was applied to the class.

Test: fast/flexbox/order-iterator-crash.html

* rendering/OrderIterator.cpp:
(WebCore::OrderIterator::invalidate): Clear m_children Vector.
* rendering/OrderIterator.h:
(WebCore::OrderIteratorPopulator::OrderIteratorPopulator): Use
invalidate() method.
* rendering/RenderFlexibleBox.cpp:
(WebCore::RenderFlexibleBox::removeChild): Invalidate m_orderIterator.
* rendering/RenderFlexibleBox.h: Add removeChild() signature.
* rendering/RenderGrid.cpp: Invalidate m_orderIterator.
(WebCore::RenderGrid::removeChild):
* rendering/RenderGrid.h: Add removeChild() header.

LayoutTests:
Add new layout test to check that removing a child doesn't cause a crash
in OrderIterator.

* fast/flexbox/order-iterator-crash-expected.txt: Added.
* fast/flexbox/order-iterator-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@167942 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/flexbox/order-iterator-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/flexbox/order-iterator-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/OrderIterator.cpp
Source/WebCore/rendering/OrderIterator.h
Source/WebCore/rendering/RenderFlexibleBox.cpp
Source/WebCore/rendering/RenderFlexibleBox.h
Source/WebCore/rendering/RenderGrid.cpp
Source/WebCore/rendering/RenderGrid.h