NULL-deref in RenderBox::clippedOverflowRectForRepaint
author jchaffraix@webkit.org <jchaffraix@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 27 Apr 2012 18:44:03 +0000 (18:44 +0000)
committer jchaffraix@webkit.org <jchaffraix@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 27 Apr 2012 18:44:03 +0000 (18:44 +0000)
commit a5cbe1d9acc0aa94b7836e8425d465842ef3ebd8
tree 4356064bb7a98d30f69a526c839c709819758574
parent 9650de7fa213c8ca26fbdddc8bc3bf835c7392b9
NULL-deref in RenderBox::clippedOverflowRectForRepaint
https://bugs.webkit.org/show_bug.cgi?id=84774

Reviewed by Tony Chang.

Source/WebCore:

Test: fast/inline/crash-new-continuation-with-outline.html

The bug comes from trying to repaint the :after content as part of updateBeforeAfterContent.
The repainting logic would query the yet-to-be-inserted continuation(). Then we would crash in
RenderBox::clippedOverflowRectForRepaint as we didn't have an enclosingLayer() (which any
RenderObject in the tree will have).

The fix is to check in RenderInline::clippedOverflowRectForRepaint that our continuation()
is properly inserted in the tree. We could check that it isRooted(), but it's overkill here.

* rendering/RenderInline.cpp:
(WebCore::RenderInline::clippedOverflowRectForRepaint):

LayoutTests:

* fast/inline/crash-new-continuation-with-outline-expected.txt: Added.
* fast/inline/crash-new-continuation-with-outline.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@115458 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/inline/crash-new-continuation-with-outline-expected.txt [new file with mode: 0644]
LayoutTests/fast/inline/crash-new-continuation-with-outline.html [new file with mode: 0755]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderInline.cpp
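A simplified model of the crash and of the guard the commit describes, added here as an illustration and not WebKit's code: RenderLayer and RenderObject are reduced to a parent pointer, an owned layer and a continuation pointer, and Scene, ownLayer and the repaintLayerId* functions are hypothetical names.

```cpp
// Simplified model of the bug (added illustration, not WebKit's code).
// An object is "in the tree" once it has a parent; enclosingLayer() walks the
// parent chain until an ancestor owns a RenderLayer, as every attached
// RenderObject eventually does.
struct RenderLayer {
    int id;
};

struct RenderObject {
    RenderObject* parent = nullptr;
    RenderLayer* ownLayer = nullptr;       // hypothetical: layer owned by this object
    RenderObject* continuation = nullptr;  // the inline's continuation, if any

    RenderLayer* enclosingLayer() const {
        for (const RenderObject* o = this; o; o = o->parent)
            if (o->ownLayer)
                return o->ownLayer;
        return nullptr;  // only a detached (not yet inserted) object ends up here
    }
};

// Pre-fix behaviour: the continuation's layer is dereferenced unconditionally.
// With a created-but-not-yet-inserted continuation this is the NULL dereference.
int repaintLayerIdBeforeFix(const RenderObject& box) {
    if (box.continuation)
        return box.continuation->enclosingLayer()->id;  // NULL deref when detached
    return box.enclosingLayer()->id;
}

// Post-fix behaviour, modelled on the commit's description: consult the
// continuation only once it has a parent, i.e. it is actually in the tree.
int repaintLayerIdAfterFix(const RenderObject& box) {
    if (box.continuation && box.continuation->parent)
        return box.continuation->enclosingLayer()->id;
    return box.enclosingLayer()->id;
}

// Constructed crash scenario: the root owns layer 1, an inline is attached to
// it, and the inline's continuation has been created but not inserted yet.
struct Scene {
    RenderLayer rootLayer{1};
    RenderObject root, inlineBox, continuation;
    Scene() {
        root.ownLayer = &rootLayer;
        inlineBox.parent = &root;
        inlineBox.continuation = &continuation;  // detached: parent is still nullptr
    }
};
```

Calling repaintLayerIdBeforeFix on the detached scene is the crash; once `continuation.parent` is set, both versions agree.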