Google Git
Sign in
webkit / WebKit / 7a0055298606dce82a2f1c5e3da8cc79dcb1f736^! / .
commit7a0055298606dce82a2f1c5e3da8cc79dcb1f736[log] [tgz]
authorcommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Thu Dec 05 04:29:03 2019 +0000
committercommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Thu Dec 05 04:29:03 2019 +0000
treec95489eab2c9acc6cef3d209d2347a6f6664f01b
parent67175abcf1c533e84579770009346b1ad32cc2ab [diff]
Nullptr crash in RenderLayoutState::pageLogicalHeight const via RenderGrid::computeIntrinsicLogicalWidths inside RenderMarquee::updateMarqueePosition
https://bugs.webkit.org/show_bug.cgi?id=204527

Patch by Jack Lee <shihchieh_lee@apple.com> on 2019-12-04
Reviewed by Ryosuke Niwa.

Source/WebCore:

Test: fast/table/crash-empty-layoutStateStack.html

* rendering/RenderTable.cpp:
(WebCore::RenderTable::layout):
(WebCore::RenderTable::markForPaginationRelayoutIfNeeded):

LayoutTests:

* fast/table/crash-empty-layoutStateStack-expected.txt: Added.
* fast/table/crash-empty-layoutStateStack.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@253139 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index e6aff93..c650863 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog

@@ -1,3 +1,13 @@
+2019-12-04  Jack Lee  <shihchieh_lee@apple.com>
+
+        Nullptr crash in RenderLayoutState::pageLogicalHeight const via RenderGrid::computeIntrinsicLogicalWidths inside RenderMarquee::updateMarqueePosition
+        https://bugs.webkit.org/show_bug.cgi?id=204527
+
+        Reviewed by Ryosuke Niwa.
+
+        * fast/table/crash-empty-layoutStateStack-expected.txt: Added.
+        * fast/table/crash-empty-layoutStateStack.html: Added.
+
 2019-12-04  Alexey Shvayka  <shvaikalesh@gmail.com>
 
         Non-callable "handleEvent" property is silently ignored

diff --git a/LayoutTests/fast/table/crash-empty-layoutStateStack-expected.txt b/LayoutTests/fast/table/crash-empty-layoutStateStack-expected.txt
new file mode 100644
index 0000000..948ebd3
--- /dev/null
+++ b/LayoutTests/fast/table/crash-empty-layoutStateStack-expected.txt

@@ -0,0 +1,3 @@
+Bug 204527: Crashes in RenderTable when layoutStateStack is empty
+This test passes if it does not CRASH.
+

diff --git a/LayoutTests/fast/table/crash-empty-layoutStateStack.html b/LayoutTests/fast/table/crash-empty-layoutStateStack.html
new file mode 100644
index 0000000..272887d
--- /dev/null
+++ b/LayoutTests/fast/table/crash-empty-layoutStateStack.html

@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+    <head>
+    <script>
+        if (window.testRunner)
+            testRunner.dumpAsText();
+    </script>
+    <style>
+        marquee {display: inline-grid;}
+        table {writing-mode: tb-rl;}
+    </style>
+    </head>
+
+    <body>
+        <marquee><table>
+        <div class="tableAfter"></div>
+        <div>Bug <a href="https://bugs.webkit.org/show_bug.cgi?id=204527">204527</a>: Crashes in RenderTable when layoutStateStack is empty</div>
+        <div>This test passes if it does not CRASH.</div>
+    </body>
+</html>

diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index bbeed6d..14c9f6e 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog

@@ -1,3 +1,16 @@
+2019-12-04  Jack Lee  <shihchieh_lee@apple.com>
+
+        Nullptr crash in RenderLayoutState::pageLogicalHeight const via RenderGrid::computeIntrinsicLogicalWidths inside RenderMarquee::updateMarqueePosition
+        https://bugs.webkit.org/show_bug.cgi?id=204527
+
+        Reviewed by Ryosuke Niwa.
+
+        Test: fast/table/crash-empty-layoutStateStack.html
+
+        * rendering/RenderTable.cpp:
+        (WebCore::RenderTable::layout):
+        (WebCore::RenderTable::markForPaginationRelayoutIfNeeded):
+
 2019-12-04  Chris Dumez  <cdumez@apple.com>
 
         PageConfiguration::progressTrackerClient should use a smart pointer

diff --git a/Source/WebCore/rendering/RenderTable.cpp b/Source/WebCore/rendering/RenderTable.cpp
index 751fe01..f3113af 100644
--- a/Source/WebCore/rendering/RenderTable.cpp
+++ b/Source/WebCore/rendering/RenderTable.cpp

@@ -559,7 +559,7 @@
     }
 
     auto* layoutState = view().frameView().layoutContext().layoutState();
-    if (layoutState->pageLogicalHeight())
+    if (layoutState && layoutState->pageLogicalHeight())
         setPageLogicalOffset(layoutState->pageLogicalOffset(this, logicalTop()));
 
     bool didFullRepaint = repainter.repaintAfterLayout();
@@ -1584,7 +1584,7 @@
 void RenderTable::markForPaginationRelayoutIfNeeded()
 {
     auto* layoutState = view().frameView().layoutContext().layoutState();
-    if (!layoutState->isPaginated() || (!layoutState->pageLogicalHeightChanged() && (!layoutState->pageLogicalHeight() || layoutState->pageLogicalOffset(this, logicalTop()) == pageLogicalOffset())))
+    if (!layoutState || !layoutState->isPaginated() || (!layoutState->pageLogicalHeightChanged() && (!layoutState->pageLogicalHeight() || layoutState->pageLogicalOffset(this, logicalTop()) == pageLogicalOffset())))
         return;
     
     // When a table moves, we have to dirty all of the sections too.