Cherry-pick 272448.251@safari-7618-branch (9baf717). https://bugs.web…

…kit.org/show_bug.cgi?id=267297 "NULL Object : Crash under WebCore::RenderObject::~RenderObject; WebCore::RenderText::~RenderText; WebCore::RenderTreeBuilder::destroy" https://bugs.webkit.org/show_bug.cgi?id=267297 rdar://119186861. Reviewed by Alan Baradlay. Document::caretPositionFromPoint API is using CheckPtr to get RenderObject even though the Object is already destroyed. In order to make sure CheckedPtr is valid the render needs to be destroyed earlier not after. Using updateLayoutIgnorePendingStylesheets API for uptodate renderer tree. * LayoutTests/dom/html/document-renderobject-null-crash-expected.txt: Added test expected file. * LayoutTests/dom/html/document-renderobject-null-crash.html: Added test case. * Source/WebCore/dom/Document.cpp: (WebCore::Document::caretPositionFromPoint): Added updateLayoutIgnorePendingStylesheets to get updated renderer tree before using CheckedPtr. Canonical link: https://commits.webkit.org/272448.251@safari-7618-branch Canonical link: https://commits.webkit.org/266719.396@webkitglib/2.42
WebKit · Mar 14, 2024 · 1f3d5af · 1f3d5af
1 parent ee13077
commit 1f3d5af
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 0 deletions.
diff --git a/LayoutTests/dom/html/document-renderobject-null-crash-expected.txt b/LayoutTests/dom/html/document-renderobject-null-crash-expected.txt
@@ -0,0 +1,2 @@
+style,#x4 { } code:last-child,style { no-repeat;quotes: 'a' 'd';-webkit-box-shadow: } *:dir(ltr) { 100%;display: contents;order: } function gc() { { } } function main() { try { v20 } catch { } try { x35.rel = "stylesheet"; } catch { } try { } catch { } try { document.dir = "auto"; } catch { } try { v14 = document.caretRangeFromPoint(15,9); } catch { } } if (window.testRunner) { testRunner.dumpAsText(); } This test passes if it doesn't crash.
+
diff --git a/LayoutTests/dom/html/document-renderobject-null-crash.html b/LayoutTests/dom/html/document-renderobject-null-crash.html
@@ -0,0 +1,34 @@
+<style>
+style,#x4 { }
+code:last-child,style { no-repeat;quotes: 'a' 'd';-webkit-box-shadow: }
+*:dir(ltr) { 100%;display: contents;order: }
+</style>
+<script>
+function gc() {
+ {
+ }
+}
+function main() {
+try { v20 } catch { }
+try { x35.rel = "stylesheet"; } catch { }
+try { } catch { }
+try { document.dir = "auto"; } catch { }
+try { v14 = document.caretRangeFromPoint(15,9); } catch { }
+}
+</script>
+<head>
+<div onload="main()">
+<link id="x35" href="x" importance="high">
+</table>
+</dialog>
+<input disabled="">
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+}
+</script>
+</head>
+<body>
+<div></div>
+<p>This test passes if it doesn't crash.</p>
+</body>
diff --git a/Source/WebCore/dom/Document.cpp b/Source/WebCore/dom/Document.cpp
@@ -1669,6 +1669,8 @@ std::optional<BoundaryPoint> Document::caretPositionFromPoint(const LayoutPoint&
     if (!node)
         return std::nullopt;
 
+    updateLayoutIgnorePendingStylesheets();
+
     auto* renderer = node->renderer();
     if (!renderer)
         return std::nullopt;