Bug 160830

Summary: Binding NULL pointer to reference in WebCore::RenderObject
Product: WebKit Reporter: Jonathan Bedard <jbedard>
Component: WebCore Misc.Assignee: Nobody <webkit-unassigned>
Severity: Normal CC: commit-queue, darin, dbates, esprehn+autocc, glenn, kondapallykalyan, mmaxfield, rniwa, ryanhaddad
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Description Flags
Archive of layout-test-results from ews122 for ios-simulator-elcapitan-wk2 none

Description Jonathan Bedard 2016-08-12 15:52:12 PDT

It appears possible that m_nextObject can be NULL.  In this event, the function commitLineBreakAtCurrentWidth(...) is an illegal call because it requires a reference.  Note that even when m_nextObject is NULL, commitLineBreakAtCurrentWidth(...) still needs to be called.
Comment 1 Jonathan Bedard 2016-08-12 15:57:57 PDT
Created attachment 285969 [details]
Comment 2 Jonathan Bedard 2016-08-12 16:01:12 PDT
Note that this change aimed for minimum impact on existing code. Investigation of commitLineBreakAtCurrentWidth(...) indicates that the code path called by this function handles and expects NULL pointers for RenderObjects, and one notable caller of commitLineBreakAtCurrentWidth(...) passes NULL RenderObjects in certain circmstances.
Comment 3 Daniel Bates 2016-08-12 16:36:21 PDT
Comment on attachment 285969 [details]

View in context: https://bugs.webkit.org/attachment.cgi?id=285969&action=review

> Source/WebCore/rendering/line/BreakingContext.h:170
> +    void commitLineBreakAtCurrentWidth(RenderObject* object, unsigned offset = 0, int nextBreak = -1)

I understand the motivation for changing from a pointer to a reference to fix the compiler warning on line 1228 in BreakingContext::commitAndUpdateLineBreakIfNeeded(), but is this preferred way to allow moving to the end of the iterator (assuming the code in BreakingContext::commitAndUpdateLineBreakIfNeeded() is correct)? Does anyone ever call this function or InlineIterator::moveTo(RenderObject*, unsigned, int) with a null RenderObject and a non-zero offset? What does it mean to support such calls?
Comment 4 Jonathan Bedard 2016-08-15 10:41:20 PDT
Created attachment 286066 [details]
Comment 5 Jonathan Bedard 2016-08-15 10:48:59 PDT
A few note about the underlying architecture: The central issue resolved in this patch is that the iterator can point to nothing (by design) functions which access the WebCore::InlineIterator generally assume the iterator is always pointing to something.  Additionally, when assigning this iterator to nothing, calls were made which assume the iterator was being assigned to a reference.  This patch attempts to unify assumptions, allowing the iterator to explicitly be assigned to NULL.
Comment 6 Myles C. Maxfield 2016-08-15 10:55:38 PDT
Comment on attachment 286066 [details]

Please add a rest which causes the bull reference to be created.
Comment 7 Myles C. Maxfield 2016-08-15 10:56:27 PDT
(In reply to comment #6)
> Comment on attachment 286066 [details]
> Patch
> Please add a rest which causes the bull reference to be created.

*null reference

(Sorry for the typo)
Comment 8 Myles C. Maxfield 2016-08-15 11:00:23 PDT
(In reply to comment #7)
> (In reply to comment #6)
> > Comment on attachment 286066 [details]
> > Patch
> > 
> > Please add a rest which causes the bull reference to be created.
> *null reference
> (Sorry for the typo)


Wow, I am not typing well today....
Comment 9 Jonathan Bedard 2016-08-15 14:11:13 PDT
(In reply to comment #8)
> Please add a test which causes the null reference to be created.

The tests actually already exist, js/dom/script-start-end-locations.html and js/dom/cross-frame-symbols.html, for example, both cause this to happen (these are by no means an exhaustive list).

This bug was caught with Clang's undefined behavior sanitizer, which I am running locally.  Currently, for a number of reasons, we cannot run the undefined behavior sanitizer on our build machines.  Since this bug was the result of converting a NULL pointer to a reference and then back to a pointer, the above tests did not cause a crash.

I'm not sure how to test this, unless the undefined behavior sanitizer is integrated to our testing framework, which is a possible long term plan, but won't happen in the near future.
Comment 10 Myles C. Maxfield 2016-08-16 11:20:37 PDT
Comment on attachment 286066 [details]

View in context: https://bugs.webkit.org/attachment.cgi?id=286066&action=review

> Source/WebCore/rendering/line/BreakingContext.h:546
> +        if (m_current.renderer())

if (auto* renderer = m_current.renderer()) commitLineBreakAtCurrentWidth(*renderer);
Comment 11 Jonathan Bedard 2016-08-16 13:31:35 PDT
Created attachment 286199 [details]
Comment 12 WebKit Commit Bot 2016-08-18 10:42:15 PDT
Comment on attachment 286199 [details]

Rejecting attachment 286199 [details] from commit-queue.

Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-02', 'apply-attachment', '--no-update', '--non-interactive', 286199, '--port=mac']" exit_code: 2 cwd: /Volumes/Data/EWS/WebKit

Last 500 characters of output:
unk #8 succeeded at 944 (offset -1 lines).
Hunk #9 succeeded at 1021 (offset -1 lines).
Hunk #10 succeeded at 1038 (offset -1 lines).
Hunk #11 succeeded at 1098 (offset -1 lines).
Hunk #12 succeeded at 1236 (offset -1 lines).
Hunk #13 succeeded at 1274 (offset -1 lines).
2 out of 13 hunks FAILED -- saving rejects to file Source/WebCore/rendering/line/BreakingContext.h.rej

Failed to run "[u'/Volumes/Data/EWS/WebKit/Tools/Scripts/svn-apply', '--force']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit

Full output: http://webkit-queues.webkit.org/results/1893939
Comment 13 Jonathan Bedard 2016-08-18 12:07:53 PDT
Created attachment 286383 [details]
Comment 14 Jonathan Bedard 2016-08-18 12:09:47 PDT
Comment on attachment 286383 [details]

Offset had been changed to Optional<unsigned> from int, the most recent patch fixes conflicts.
Comment 15 Build Bot 2016-08-18 14:26:00 PDT
Comment on attachment 286383 [details]

Attachment 286383 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/1894581

New failing tests:
Comment 16 Build Bot 2016-08-18 14:26:04 PDT
Created attachment 286395 [details]
Archive of layout-test-results from ews122 for ios-simulator-elcapitan-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews122  Port: ios-simulator-elcapitan-wk2  Platform: Mac OS X 10.11.5
Comment 17 Jonathan Bedard 2016-08-18 16:57:08 PDT
There was a bug in EWS, the first bot timed out while running tests.
Comment 18 WebKit Commit Bot 2016-08-18 18:03:28 PDT
Comment on attachment 286383 [details]

Clearing flags on attachment: 286383

Committed r204620: <http://trac.webkit.org/changeset/204620>
Comment 19 WebKit Commit Bot 2016-08-18 18:03:33 PDT
All reviewed patches have been landed.  Closing bug.