Title: [140739] branches/chromium/1364
Revision
140739
Author
[email protected]
Date
2013-01-24 15:36:25 -0800 (Thu, 24 Jan 2013)

Log Message

Merge 139788
BUG=168780
Review URL: https://codereview.chromium.org/12042093

Modified Paths

Added Paths

Diff

Copied: branches/chromium/1364/LayoutTests/fast/css-generated-content/bug-106384-expected.txt (from rev 139788, trunk/LayoutTests/fast/css-generated-content/bug-106384-expected.txt) (0 => 140739)


--- branches/chromium/1364/LayoutTests/fast/css-generated-content/bug-106384-expected.txt	                        (rev 0)
+++ branches/chromium/1364/LayoutTests/fast/css-generated-content/bug-106384-expected.txt	2013-01-24 23:36:25 UTC (rev 140739)
@@ -0,0 +1,3 @@
+Bug 106384: Heap-use-after-free in WebCore::RenderObject::willBeRemovedFromTree.
+
+Passed if this test did not crash or assert.

Copied: branches/chromium/1364/LayoutTests/fast/css-generated-content/bug-106384.html (from rev 139788, trunk/LayoutTests/fast/css-generated-content/bug-106384.html) (0 => 140739)


--- branches/chromium/1364/LayoutTests/fast/css-generated-content/bug-106384.html	                        (rev 0)
+++ branches/chromium/1364/LayoutTests/fast/css-generated-content/bug-106384.html	2013-01-24 23:36:25 UTC (rev 140739)
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+
+<style>
+ruby:after {
+    display: block;
+    content: "";
+}
+</style>
+
+<p>
+    Bug 106384: Heap-use-after-free in WebCore::RenderObject::willBeRemovedFromTree.
+</p>
+
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+_onload_ = function() {
+    var ruby = document.createElement('ruby');
+    document.body.appendChild(ruby);
+    // Cause a layout.
+    document.body.offsetLeft;
+    ruby.appendChild(document.createTextNode('Passed if this test did not crash or assert.'));
+};
+</script>
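Review bot: `_onload_ = function() {` assigns to a global named `_onload_`, which no event ever fires; if that is the checked-in source rather than the mail archive's rendering of `onload`, the handler that creates the ruby element never runs and the test passes without exercising the bug. Confirm the file reads `onload = function() {`. The pass criterion is only the absence of a crash or assertion, so the regression is detectable under a debug or ASan build, not in a plain release build.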

Modified: branches/chromium/1364/Source/WebCore/rendering/RenderObjectChildList.cpp (140738 => 140739)


--- branches/chromium/1364/Source/WebCore/rendering/RenderObjectChildList.cpp	2013-01-24 23:28:07 UTC (rev 140738)
+++ branches/chromium/1364/Source/WebCore/rendering/RenderObjectChildList.cpp	2013-01-24 23:36:25 UTC (rev 140739)
@@ -153,10 +153,17 @@
     }
 
     ASSERT(!child->parent());
-    while (beforeChild->parent() != owner && beforeChild->parent()->isAnonymousBlock())
+    while (beforeChild->parent() && beforeChild->parent() != owner)
         beforeChild = beforeChild->parent();
-    ASSERT(beforeChild->parent() == owner);
 
+    // This should never happen, but if it does prevent render tree corruption
+    // where child->parent() ends up being owner but child->nextSibling()->parent()
+    // is not owner.
+    if (beforeChild->parent() != owner) {
+        ASSERT_NOT_REACHED();
+        return;
+    }
+
     ASSERT(!owner->isBlockFlow() || (!child->isTableSection() && !child->isTableRow() && !child->isTableCell()));
 
     if (beforeChild == firstChild())
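Review bot: The new early return at `if (beforeChild->parent() != owner)` leaves `child` unattached in release builds, where ASSERT_NOT_REACHED() compiles to nothing, and nothing in the hunk destroys it or tells the caller that the insertion did not happen. Whether that turns the use-after-free into a leaked or orphaned RenderObject depends on the callers, which are outside the hunk; confirm who owns `child` on this path, or state it in the comment, e.g. `// In release builds we fall through here without inserting child; it stays owned by the caller.` Because the loop above now climbs through any ancestor rather than only anonymous blocks, this guard is reachable whenever beforeChild is not a descendant of owner, so it is worth being precise about. The enclosing function starts before and ends after the hunk.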