FragmentInterval, FragmentIntervalTree and FragmentSearchAdapter should hold not...
authorzalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 10 Jul 2018 20:35:28 +0000 (20:35 +0000)
committerzalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 10 Jul 2018 20:35:28 +0000 (20:35 +0000)
https://bugs.webkit.org/show_bug.cgi?id=187249
<rdar://problem/41725869>

Reviewed by Simon Fraser.

Source/WebCore:

Test: fast/multicol/crash-in-vertical-writing-mode.html

* rendering/RenderFragmentedFlow.cpp:
(WebCore::RenderFragmentedFlow::updateFragmentsFragmentedFlowPortionRect):
* rendering/RenderFragmentedFlow.h:
(WTF::ValueToString<WeakPtr<WebCore::RenderFragmentContainer>>::string):

LayoutTests:

* fast/multicol/crash-in-vertical-writing-mode-expected.txt: Added.
* fast/multicol/crash-in-vertical-writing-mode.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@233696 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/TestExpectations
LayoutTests/fast/multicol/crash-in-vertical-writing-mode-expected.txt [new file with mode: 0644]
LayoutTests/fast/multicol/crash-in-vertical-writing-mode.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderFragmentedFlow.cpp
Source/WebCore/rendering/RenderFragmentedFlow.h

index f10e584..0cc7f00 100644 (file)
@@ -1,3 +1,14 @@
+2018-07-10  Zalan Bujtas  <zalan@apple.com>
+
+        FragmentInterval, FragmentIntervalTree and FragmentSearchAdapter should hold not hold raw pointers to renderers.
+        https://bugs.webkit.org/show_bug.cgi?id=187249
+        <rdar://problem/41725869>
+
+        Reviewed by Simon Fraser.
+
+        * fast/multicol/crash-in-vertical-writing-mode-expected.txt: Added.
+        * fast/multicol/crash-in-vertical-writing-mode.html: Added.
+
 2018-07-10  John Wilander  <wilander@apple.com>
 
         Resource Load Statistics: Make testRunner.statisticsResetToConsistentState() take a completion handler
index 70cbbb3..87c8105 100644 (file)
@@ -2202,3 +2202,5 @@ webkit.org/b/179176 svg/wicd/test-rightsizing-a.xhtml [ Pass Failure ]
 webkit.org/b/172864 imported/blink/storage/indexeddb/blob-delete-objectstore-db.html [ Pass Timeout ]
 
 webkit.org/b/187183 http/tests/security/pasteboard-file-url.html [ Skip ]
+
+[ Debug ] fast/multicol/crash-in-vertical-writing-mode.html [ Skip ]
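Review bot: The added Debug-only Skip entry for `fast/multicol/crash-in-vertical-writing-mode.html` carries no bug reference, unlike the neighbouring lines in this hunk, so the reason the new crash test is excluded from Debug builds is not recorded anywhere. The file's own convention is to prefix such entries with the tracking bug, e.g. `webkit.org/b/<bug-id> [ Debug ] fast/multicol/crash-in-vertical-writing-mode.html [ Skip ]`. Without it, nobody later can tell whether the skip is a known Debug assertion or an oversight that hides the regression the test was added for.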
diff --git a/LayoutTests/fast/multicol/crash-in-vertical-writing-mode-expected.txt b/LayoutTests/fast/multicol/crash-in-vertical-writing-mode-expected.txt
new file mode 100644 (file)
index 0000000..b335769
--- /dev/null
@@ -0,0 +1,2 @@
+PASS if no
+crash
diff --git a/LayoutTests/fast/multicol/crash-in-vertical-writing-mode.html b/LayoutTests/fast/multicol/crash-in-vertical-writing-mode.html
new file mode 100644 (file)
index 0000000..c456540
--- /dev/null
@@ -0,0 +1,45 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style id=style>
+html {
+    position: fixed; 
+    column-count: 2;
+}
+
+summary {
+    column-span: all;
+}
+
+details {
+    content: url();
+}
+
+table {
+    writing-mode: vertical-rl;
+}
+
+span {
+    display: grid;
+}
+</style>
+</head>
+<body>
+<details>
+  <summary>PASS if no</summary>
+</details>
+
+<span>
+  <table>
+    <caption>crash</caption>
+  </table>
+</span>
+
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+document.body.offsetHeight;
+style.appendChild(document.createElement("span"));
+</script>
+</body>
+</html>
\ No newline at end of file
index 4dcd574..c8d4699 100644 (file)
@@ -1,3 +1,18 @@
+2018-07-10  Zalan Bujtas  <zalan@apple.com>
+
+        FragmentInterval, FragmentIntervalTree and FragmentSearchAdapter should hold not hold raw pointers to renderers.
+        https://bugs.webkit.org/show_bug.cgi?id=187249
+        <rdar://problem/41725869>
+
+        Reviewed by Simon Fraser.
+
+        Test: fast/multicol/crash-in-vertical-writing-mode.html
+
+        * rendering/RenderFragmentedFlow.cpp:
+        (WebCore::RenderFragmentedFlow::updateFragmentsFragmentedFlowPortionRect):
+        * rendering/RenderFragmentedFlow.h:
+        (WTF::ValueToString<WeakPtr<WebCore::RenderFragmentContainer>>::string):
+
 2018-07-10  Ryosuke Niwa  <rniwa@webkit.org>
 
         Disable cross-origin-window-policy by default
index f5a9b8d..7bb5bfc 100644 (file)
@@ -791,7 +791,7 @@ void RenderFragmentedFlow::updateFragmentsFragmentedFlowPortionRect()
 
         fragment->setFragmentedFlowPortionRect(isHorizontalWritingMode() ? fragmentRect : fragmentRect.transposedRect());
 
-        m_fragmentIntervalTree.add(FragmentIntervalTree::createInterval(logicalHeight, logicalHeight + fragmentLogicalHeight, fragment));
+        m_fragmentIntervalTree.add(FragmentIntervalTree::createInterval(logicalHeight, logicalHeight + fragmentLogicalHeight, makeWeakPtr(fragment)));
 
         logicalHeight += fragmentLogicalHeight;
     }
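Review bot: Storing `makeWeakPtr(fragment)` in the interval means an interval's data can now be null once a fragment container is destroyed before `m_fragmentIntervalTree` is rebuilt, and nothing in this hunk shows the readers of that data being adjusted; whichever code dereferences an interval's data (presumably `FragmentSearchAdapter::collectIfNeeded`, not visible here) should treat a null WeakPtr as "no match" rather than assume a live renderer. A short comment on the added line would record that contract, e.g. `// Intervals hold WeakPtrs: a container may be destroyed before the tree is rebuilt, so readers must null-check the data.` The enclosing `updateFragmentsFragmentedFlowPortionRect` starts outside this hunk.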
index 1eac978..f73ca0d 100644 (file)
@@ -234,14 +234,13 @@ protected:
         bool m_rangeInvalidated;
     };
 
-    typedef PODInterval<LayoutUnit, RenderFragmentContainer*> FragmentInterval;
-    typedef PODIntervalTree<LayoutUnit, RenderFragmentContainer*> FragmentIntervalTree;
+    typedef PODInterval<LayoutUnit, WeakPtr<RenderFragmentContainer>> FragmentInterval;
+    typedef PODIntervalTree<LayoutUnit, WeakPtr<RenderFragmentContainer>> FragmentIntervalTree;
 
     class FragmentSearchAdapter {
     public:
         FragmentSearchAdapter(LayoutUnit offset)
             : m_offset(offset)
-            , m_result(nullptr)
         {
         }
         
@@ -249,11 +248,11 @@ protected:
         const LayoutUnit& highValue() const { return m_offset; }
         void collectIfNeeded(const FragmentInterval&);
 
-        RenderFragmentContainer* result() const { return m_result; }
+        RenderFragmentContainer* result() const { return m_result.get(); }
 
     private:
         LayoutUnit m_offset;
-        RenderFragmentContainer* m_result;
+        WeakPtr<RenderFragmentContainer> m_result;
     };
 
     // Map a line to its containing fragment.
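Review bot: `result()` now returns `m_result.get()`, a raw pointer pulled out of a WeakPtr, so callers receive a pointer that is only known to be valid at the moment of the call and must not retain it; the header says nothing about that. A one-line comment on the getter would make the contract explicit, e.g. `// May be null if the matched container was destroyed after the interval tree was built; do not retain the returned pointer.` `collectIfNeeded(const FragmentInterval&)` is declared just above and is the place where a null `interval.data()` has to be handled now, but its definition is outside this hunk, so that cannot be confirmed here.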
@@ -288,6 +287,10 @@ template <> struct ValueToString<WebCore::RenderFragmentContainer*> {
     static String string(const WebCore::RenderFragmentContainer* value) { return String::format("%p", value); }
 };
 
+template <> struct ValueToString<WeakPtr<WebCore::RenderFragmentContainer>> {
+    static String string(const WeakPtr<WebCore::RenderFragmentContainer> value) { return value.get() ? ValueToString<WebCore::RenderFragmentContainer*>::string(value.get()) : String(); }
+};
+
 } // namespace WTF
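Review bot: The new `ValueToString` specialization takes the WeakPtr by value (`const WeakPtr<WebCore::RenderFragmentContainer> value`), which copies the weak reference on every call although the function only reads it; `static String string(const WeakPtr<WebCore::RenderFragmentContainer>& value)` avoids the copy and matches the read-only use. The null case also behaves differently from the raw-pointer specialization directly above, which would format a null pointer through `"%p"` while this one returns an empty `String()`; if that asymmetry is intended it deserves a comment, e.g. `// A cleared WeakPtr formats as an empty string rather than a null %p.`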
 #endif