nullptr deref in ComputeFloatOffsetForLineLayoutAdapter<FloatingObject::FloatLeft>::updateOffsetIfNeeded
https://bugs.webkit.org/show_bug.cgi?id=234018
Patch by Gabriel Nava Marino <gnavamarino@apple.com> on 2021-12-10
Reviewed by Alan Bujtas.
Source/WebCore:
Test: fast/rendering/floating-object-renderer-crash.html
When destroying a given renderer, we first remove floats and out-of-flow positioned objects
from their containing block before detaching the renderer from the tree. We do this by obtaining
the renderer’s outermost block containing a floating object and recursively marking all siblings
and descendants for layout.
The criteria for continuing down the list of children require the current block to contain floats
or be able to shrink to avoid floats. However, we can have a scenario where the current child block
doesn’t have a float, but one of its descendants does. In this case, although we should continue to
that descendant and remove the float, we do not.
The proposal in this patch will instead check whether the child block contains a float, or any of its descendants do.
If so we should continue traversing towards that descendant.
* rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::subtreeContainsFloat const):
(WebCore::RenderBlockFlow::subtreeContainsFloats const):
(WebCore::RenderBlockFlow::markAllDescendantsWithFloatsForLayout):
* rendering/RenderBlockFlow.h:
LayoutTests:
* fast/rendering/floating-object-renderer-crash-expected.txt: Added.
* fast/rendering/floating-object-renderer-crash.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@286866 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebCore/rendering/RenderBlockFlow.cpp b/Source/WebCore/rendering/RenderBlockFlow.cpp
index 8bc34bc..e7df3d0 100644
--- a/Source/WebCore/rendering/RenderBlockFlow.cpp
+++ b/Source/WebCore/rendering/RenderBlockFlow.cpp
@@ -2109,6 +2109,30 @@
return m_floatingObjects && m_floatingObjects->set().contains<FloatingObjectHashTranslator>(renderer);
}
+bool RenderBlockFlow::subtreeContainsFloat(RenderBox& renderer) const
+{
+ bool contains = m_floatingObjects && m_floatingObjects->set().contains<FloatingObjectHashTranslator>(renderer);
+ for (auto& block : childrenOfType<RenderBlock>(*this)) {
+ if (!is<RenderBlockFlow>(block))
+ continue;
+ auto& blockFlow = downcast<RenderBlockFlow>(block);
+ contains |= blockFlow.subtreeContainsFloat(renderer);
+ }
+ return contains;
+}
+
+bool RenderBlockFlow::subtreeContainsFloats() const
+{
+ bool contains = m_floatingObjects && !m_floatingObjects->set().isEmpty();
+ for (auto& block : childrenOfType<RenderBlock>(*this)) {
+ if (!is<RenderBlockFlow>(block))
+ continue;
+ auto& blockFlow = downcast<RenderBlockFlow>(block);
+ contains |= blockFlow.subtreeContainsFloats();
+ }
+ return contains;
+}
+
void RenderBlockFlow::styleDidChange(StyleDifference diff, const RenderStyle* oldStyle)
{
RenderBlock::styleDidChange(diff, oldStyle);
@@ -2878,7 +2902,7 @@
continue;
}
auto& blockFlow = downcast<RenderBlockFlow>(block);
- if ((floatToRemove ? blockFlow.containsFloat(*floatToRemove) : blockFlow.containsFloats()) || blockFlow.shrinkToAvoidFloats())
+ if ((floatToRemove ? blockFlow.subtreeContainsFloat(*floatToRemove) : blockFlow.subtreeContainsFloats()) || blockFlow.shrinkToAvoidFloats())
blockFlow.markAllDescendantsWithFloatsForLayout(floatToRemove, inLayout);
}
}
