| Field | Value |
|---|---|
| Summary | [RenderTreeUpdater] NULL ptr deref in updateRenderTree |
| Product | WebKit |
| Component | Layout and Rendering |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P2 |
| Version | Safari Technology Preview |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Brandon <brandonstewart> |
| Assignee | Brandon <brandonstewart> |
| CC | bfulgham, brandonstewart, cdumez, changseok, esprehn+autocc, ews-watchlist, glenn, kangil.han, koivisto, kondapallykalyan, msaboff, pdr, simon.fraser, webkit-bug-importer, zalan |
| Keywords | InRadar |
| Attachments | 438889, 439055, 439102, 439106, 439127 (see the comments below) |
Created attachment 438889 [details]
Patch
Created attachment 439055 [details]
Patch 2
Let's not try to fix the Changelog formatting in this patch.

Created attachment 439102 [details]
Patch3 test
Created attachment 439106 [details]
Patch
Good fix.

Comment on attachment 439106 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=439106&action=review

> LayoutTests/fast/dom/Document/clearPendingRenderTreeUpdater.html:15
> +<html>
> +<script>
> + onload = () => {
> + let div0 = document.createElement('div');
> + div0.style.display = 'contents';
> + let div1 = document.createElement('div');
> + div1.append('ab');
> + div0.appendChild(div1);
> + document.body.appendChild(div0);
> + document.body.offsetTop;
> + div1.innerHTML = 'a';
> + new Document().appendChild(div0);
> + };
> +</script>
> +</html>

Please add if (window.testRunner) testRunner.dumpAsText() in the beginning.

> LayoutTests/platform/mac/fast/dom/Document/clearPendingRenderTreeUpdater-expected.txt:5
> +layer at (0,0) size 800x600
> + RenderView at (0,0) size 800x600
> +layer at (0,0) size 800x600
> + RenderBlock {HTML} at (0,0) size 800x600
> + RenderBody {BODY} at (8,8) size 784x584

...and avoid getting an unnecessary render tree dump.

Created attachment 439127 [details]
Patch
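Review bot: the test in clearPendingRenderTreeUpdater.html emits no visible result, so once it dumps as text the expectation file is blank and documents nothing about what a pass looks like; consider adding a line of body text such as "PASS if no crash" before the script, and a one-line comment above `new Document().appendChild(div0)` stating that moving the `display: contents` subtree into a fresh Document, after `document.body.offsetTop` forced layout and `div1.innerHTML = 'a'` left a pending render tree update, is the step that used to crash in updateRenderTree.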
Committed r283030 (242090@main): <https://commits.webkit.org/242090@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 439127 [details].
This script causes a crash

```html
<script>
onload = () => {
    let div0 = document.createElement('div');
    div0.style.display = 'contents';
    let div1 = document.createElement('div');
    div1.append('ab');
    div0.appendChild(div1);
    document.body.appendChild(div0);
    document.body.offsetTop;
    div1.innerHTML = 'a';
    new Document().appendChild(div0);
};
</script>
```

```
Crashed Thread:  0  Dispatch queue: com.apple.main-thread
Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000
Exception Note:  EXC_CORPSE_NOTIFY

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x00000001072d946f WebCore::shouldCreateRenderer(WebCore::Element const&, WebCore::RenderElement const&) + 0 (RenderTreeUpdater.cpp:137) [inlined]
1 com.apple.WebCore 0x00000001072d946f WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) + 2367 (RenderTreeUpdater.cpp:198)
2 com.apple.WebCore 0x00000001072d8a4b WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) + 507 (RenderTreeUpdater.cpp:126)
3 com.apple.WebCore 0x000000010664fe99 WebCore::Document::updateRenderTree(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) + 105 (Document.cpp:2023)
4 com.apple.WebCore 0x0000000106650357 WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) + 1127 (Document.cpp:2113)
5 com.apple.WebCore 0x0000000106650973 WebCore::Document::updateStyleIfNeeded() + 371 (Document.cpp:2205)
```

<rdar://83101139>