"NULL Object : Crash under WebCore::RenderObject::~RenderObject; WebC…

…ore::RenderText::~RenderText; WebCore::RenderTreeBuilder::destroy" https://bugs.webkit.org/show_bug.cgi?id=267297 rdar://119186861. Reviewed by Alan Baradlay. Document::caretPositionFromPoint API is using CheckPtr to get RenderObject even though the Object is already destroyed. In order to make sure CheckedPtr is valid the render needs to be destroyed earlier not after. Using updateLayoutIgnorePendingStylesheets API for uptodate renderer tree. * LayoutTests/dom/html/document-renderobject-null-crash-expected.txt: Added test expected file. * LayoutTests/dom/html/document-renderobject-null-crash.html: Added test case. * Source/WebCore/dom/Document.cpp: (WebCore::Document::caretPositionFromPoint): Added updateLayoutIgnorePendingStylesheets to get updated renderer tree before using CheckedPtr. Originally-landed-as: 272448.251@safari-7618-branch (9baf717). rdar://124556134 Canonical link: https://commits.webkit.org/276275@main
WebKit · Mar 18, 2024 · 0be7669 · 0be7669
1 parent 35eac71
commit 0be7669
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 0 deletions.
diff --git a/LayoutTests/dom/html/document-renderobject-null-crash-expected.txt b/LayoutTests/dom/html/document-renderobject-null-crash-expected.txt
@@ -0,0 +1,2 @@
+style,#x4 { } code:last-child,style { no-repeat;quotes: 'a' 'd';-webkit-box-shadow: } *:dir(ltr) { 100%;display: contents;order: } function gc() { { } } function main() { try { v20 } catch { } try { x35.rel = "stylesheet"; } catch { } try { } catch { } try { document.dir = "auto"; } catch { } try { v14 = document.caretRangeFromPoint(15,9); } catch { } } if (window.testRunner) { testRunner.dumpAsText(); } This test passes if it doesn't crash.
+
diff --git a/LayoutTests/dom/html/document-renderobject-null-crash.html b/LayoutTests/dom/html/document-renderobject-null-crash.html
@@ -0,0 +1,34 @@
+<style>
+style,#x4 { }
+code:last-child,style { no-repeat;quotes: 'a' 'd';-webkit-box-shadow: }
+*:dir(ltr) { 100%;display: contents;order: }
+</style>
+<script>
+function gc() {
+ {
+ }
+}
+function main() {
+try { v20 } catch { }
+try { x35.rel = "stylesheet"; } catch { }
+try { } catch { }
+try { document.dir = "auto"; } catch { }
+try { v14 = document.caretRangeFromPoint(15,9); } catch { }
+}
+</script>
+<head>
+<div onload="main()">
+<link id="x35" href="x" importance="high">
+</table>
+</dialog>
+<input disabled="">
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+}
+</script>
+</head>
+<body>
+<div></div>
+<p>This test passes if it doesn't crash.</p>
+</body>
diff --git a/Source/WebCore/dom/Document.cpp b/Source/WebCore/dom/Document.cpp
@@ -2068,6 +2068,8 @@ std::optional<BoundaryPoint> Document::caretPositionFromPoint(const LayoutPoint&
     if (!node)
         return std::nullopt;
 
+    updateLayoutIgnorePendingStylesheets();
+
     CheckedPtr renderer = node->renderer();
     if (!renderer)
         return std::nullopt;