Nullptr deref in WebCore::RenderTableCaption::containingBlockLogicalWidthForContent
author: zalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 1 Dec 2017 19:15:33 +0000 (19:15 +0000)
committer: zalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 1 Dec 2017 19:15:33 +0000 (19:15 +0000)
https://bugs.webkit.org/show_bug.cgi?id=180251
<rdar://problem/34138562>

Reviewed by Simon Fraser.

Source/WebCore:

containingBlockLogicalWidthForContent should check whether the renderer is actually
attached to the tree.

Test: fast/table/caption-crash-when-layer-backed.html

* rendering/RenderBoxModelObject.cpp:
(WebCore::RenderBoxModelObject::containingBlockLogicalWidthForContent const):
* rendering/RenderTableCaption.h:
(WebCore::RenderTableCaption::containingBlockLogicalWidthForContent const):

LayoutTests:

* fast/table/caption-crash-when-layer-backed-expected.txt: Added.
* fast/table/caption-crash-when-layer-backed.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@225402 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/table/caption-crash-when-layer-backed-expected.txt [new file with mode: 0644]
LayoutTests/fast/table/caption-crash-when-layer-backed.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderBoxModelObject.cpp
Source/WebCore/rendering/RenderTableCaption.h

index 1db5b84..1e7a5c3 100644 (file)
@@ -1,3 +1,14 @@
+2017-12-01  Zalan Bujtas  <zalan@apple.com>
+
+        Nullptr deref in WebCore::RenderTableCaption::containingBlockLogicalWidthForContent
+        https://bugs.webkit.org/show_bug.cgi?id=180251
+        <rdar://problem/34138562>
+
+        Reviewed by Simon Fraser.
+
+        * fast/table/caption-crash-when-layer-backed-expected.txt: Added.
+        * fast/table/caption-crash-when-layer-backed.html: Added.
+
 2017-12-01  Zan Dobersek  <zdobersek@igalia.com>
 
         Unreviewed GTK+ gardening. Updating baselines affected in r225366.
diff --git a/LayoutTests/fast/table/caption-crash-when-layer-backed-expected.txt b/LayoutTests/fast/table/caption-crash-when-layer-backed-expected.txt
new file mode 100644 (file)
index 0000000..1b39013
--- /dev/null
@@ -0,0 +1,2 @@
+PASS if no crash.
+foobar
diff --git a/LayoutTests/fast/table/caption-crash-when-layer-backed.html b/LayoutTests/fast/table/caption-crash-when-layer-backed.html
new file mode 100644 (file)
index 0000000..7eee251
--- /dev/null
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+caption { 
+    will-change: transform;
+    padding: 100%; 
+    -webkit-background-clip: content; 
+}
+</style>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+</head>
+<body>
+PASS if no crash.
+<table><caption>foobar</caption></table>
+</body>
+</html>
\ No newline at end of file
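Review bot: the new test has trailing whitespace on the `caption {`, `padding: 100%;` and `-webkit-background-clip: content;` lines and no newline at end of file; both should be trimmed before landing. A crash test that only emits "PASS if no crash." via `testRunner.dumpAsText()` is fine, but a one-line HTML comment saying that `will-change: transform` is what makes the caption layer-backed (per the test's own name) and that `padding: 100%` with `-webkit-background-clip: content` drives the width computation would tell a future reader which declarations are load-bearing when the test is reduced or updated.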
index 7de9730..36ca971 100644 (file)
@@ -1,3 +1,21 @@
+2017-12-01  Zalan Bujtas  <zalan@apple.com>
+
+        Nullptr deref in WebCore::RenderTableCaption::containingBlockLogicalWidthForContent
+        https://bugs.webkit.org/show_bug.cgi?id=180251
+        <rdar://problem/34138562>
+
+        Reviewed by Simon Fraser.
+
+        containingBlockLogicalWidthForContent should check whether the renderer is actually
+        attached to the tree.
+
+        Test: fast/table/caption-crash-when-layer-backed.html
+
+        * rendering/RenderBoxModelObject.cpp:
+        (WebCore::RenderBoxModelObject::containingBlockLogicalWidthForContent const):
+        * rendering/RenderTableCaption.h:
+        (WebCore::RenderTableCaption::containingBlockLogicalWidthForContent const):
+
 2017-12-01  Youenn Fablet  <youenn@apple.com>
 
         Clear WebSWClientConnection in case storage process IPC connection is closing
index d0a3d37..320f29c 100644 (file)
@@ -2493,7 +2493,9 @@ void RenderBoxModelObject::paintBoxShadow(const PaintInfo& info, const LayoutRec
 
 LayoutUnit RenderBoxModelObject::containingBlockLogicalWidthForContent() const
 {
-    return containingBlock()->availableLogicalWidth();
+    if (auto* containingBlock = this->containingBlock())
+        return containingBlock->availableLogicalWidth();
+    return { };
 }
 
 RenderBoxModelObject* RenderBoxModelObject::continuation() const
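Review bot: the null check on `containingBlock()` silently returns a zero `LayoutUnit`, while the ChangeLog states the intent is to guard a renderer that is not attached to the tree; a short comment above the `if` saying that `containingBlock()` is null only for a detached renderer, and that zero is an acceptable width in that case, would document why `return { };` is the right fallback rather than something that could mask a missing containing block in an attached tree. If the detached case is the only one expected, a debug-only assertion that the branch is taken only for a detached renderer would keep that assumption checked.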
index 36f87aa..fc5e717 100644 (file)
@@ -33,7 +33,7 @@ public:
 
     Element& element() const { return downcast<Element>(nodeForNonAnonymous()); }
 
-    LayoutUnit containingBlockLogicalWidthForContent() const override { return containingBlock()->logicalWidth(); }
+    LayoutUnit containingBlockLogicalWidthForContent() const override;
     
 private:
     bool isTableCaption() const override { return true; }
@@ -44,6 +44,13 @@ private:
     RenderTable* table() const;
 };
 
+inline LayoutUnit RenderTableCaption::containingBlockLogicalWidthForContent() const
+{
+    if (auto* containingBlock = this->containingBlock())
+        return containingBlock->logicalWidth();
+    return { };
+}
+
 } // namespace WebCore
 
 SPECIALIZE_TYPE_TRAITS_RENDER_OBJECT(RenderTableCaption, isTableCaption())
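Review bot: the new inline definition mirrors the null-check shape of the base-class change but returns `containingBlock->logicalWidth()` where the base returns `availableLogicalWidth()`; that difference is pre-existing, but now that the two bodies look nearly identical, a one-line comment on why the caption deliberately uses the full logical width would stop a later cleanup from merging them. The same `return { };` documentation point raised on the RenderBoxModelObject.cpp hunk applies here.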