null ptr deref in WebCore::LayoutIntegration::LineLayout::collectOverflow()
https://bugs.webkit.org/show_bug.cgi?id=234654
<rdar://problem/86571571>
Reviewed by Antti Koivisto.
Source/WebCore:
needsLayout() check in invalidateLineLayoutPath is insufficient for modern line layout.
m_lineLayout = std::monostate() does not only destroy the line layout object but it also nukes all the IFC geometries.
It is equivalent to having all the child boxes dirty, since in order to re-generate the geometry information,
we have to layout _all_ the boxes (note that nuking the legacy line layout object does not destroy the inline tree).
The bug here is that needsLayout() returns true for cases (e.g. posChildNeedsLayout) where, while the geometry is all gone,
we are going to take a special layout codepath which expects pre-computed geometries.
Test: fast/block/line-layout/line-layout-collect-overflow-crash.html
* rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::invalidateLineLayoutPath):
LayoutTests:
* fast/block/line-layout/line-layout-collect-overflow-crash-expected.txt: Added.
* fast/block/line-layout/line-layout-collect-overflow-crash.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@287867 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebCore/rendering/RenderBlockFlow.cpp b/Source/WebCore/rendering/RenderBlockFlow.cpp
index 1eaf2d2..3e7e0cc 100644
--- a/Source/WebCore/rendering/RenderBlockFlow.cpp
+++ b/Source/WebCore/rendering/RenderBlockFlow.cpp
@@ -3562,7 +3562,7 @@
#endif
m_lineLayout = std::monostate();
setLineLayoutPath(path);
- if (needsLayout())
+ if (selfNeedsLayout() || normalChildNeedsLayout())
return;
// FIXME: We should just kick off a subtree layout here (if needed at all) see webkit.org/b/172947.
setNeedsLayout();
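Review bot: the replaced condition `if (selfNeedsLayout() || normalChildNeedsLayout())` carries its rationale only in the commit message; a one-line comment at that point (e.g. "geometries were discarded by `m_lineLayout = std::monostate()` above, so any other dirty state, such as posChildNeedsLayout, must fall through to a full setNeedsLayout()") would keep the reasoning with the code and make it clear to a future reader that the narrowing from needsLayout() is deliberate rather than an oversight. The existing FIXME directly below already points at webkit.org/b/172947 for the broader subtree-layout question, so the new comment only needs to explain why the early return must not be taken when positioned children or any other state outside the two named bits is dirty.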