Cherry-pick 259548.678@safari-7615-branch (7c662f5). https://bugs.web…

…kit.org/show_bug.cgi?id=255552. Renderinline::offsetForInFlowPositionedInline causes a null-deref of a laybox on repaint. https://bugs.webkit.org/show_bug.cgi?id=255552. rdar://107952390. Reviewed by Alan Baradlay. Line layout codepath invalidation is triggered by JS which issues a repaint on the newly inserted renderer. The newly inserted renderer is used for geometry computations and which calls offsetForInFlowPositionedInline in case of inline boxes. This tries to access the lineBoxes assocaited with the renderers but they invalidated by previous repaints. This leads to null deref of the lineboxes. * LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint-expected.txt: Added. * LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint.html: Added. * Source/WebCore/rendering/RenderBlockFlow.cpp: (WebCore::RenderBlockFlow::isLineLayoutPresent const): * Source/WebCore/rendering/RenderBlockFlow.h: * Source/WebCore/rendering/RenderInline.cpp: (WebCore::RenderInline::offsetForInFlowPositionedInline const): Canonical link: https://commits.webkit.org/259548.678@safari-7615-branch
WebKit · Jul 28, 2023 · ae98f7b · ae98f7b
1 parent e507075
commit ae98f7b
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 0 deletions.
diff --git a/LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint-expected.txt b/LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint-expected.txt
@@ -0,0 +1 @@
+PASS if no crash.
diff --git a/LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint.html b/LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint.html
@@ -0,0 +1,17 @@
+<style>
+.class7 { position: relative; }
+</style>
+<script>
+function test() {
+  if (window.testRunner)
+    testRunner.dumpAsText();
+
+  document.all[5].appendChild(htmlvar);
+  document.body.innerHTML = 'PASS if no crash.';
+}
+</script>
+<body onload=test()>
+<image src="data:image/gif;base64"></image>
+<table id="htmlvar" layout="fixed"></table>
+<font class="class7">
+<dialog open="true">
diff --git a/Source/WebCore/rendering/RenderInline.cpp b/Source/WebCore/rendering/RenderInline.cpp
@@ -882,6 +882,11 @@ LayoutSize RenderInline::offsetForInFlowPositionedInline(const RenderBox* child)
         inlinePosition = LayoutUnit::fromFloatRound(firstLineBox()->logicalLeft());
         blockPosition = firstLineBox()->logicalTop();
     } else if (LayoutIntegration::LineLayout::containing(*this)) {
+        if (!layoutBox()) {
+            // Repaint may be issued on subtrees during content mutation with newly inserted renderers.
+            ASSERT(needsLayout());
+            return LayoutSize();
+        }
         if (auto inlineBox = InlineIterator::firstInlineBoxFor(*this)) {
             inlinePosition = LayoutUnit::fromFloatRound(inlineBox->logicalLeftIgnoringInlineDirection());
             blockPosition = inlineBox->logicalTop();