RESOLVED FIXED 123013
Bad cast with toRenderBoxModelObject in RenderBlock::updateFirstLetter()
https://bugs.webkit.org/show_bug.cgi?id=123013
Summary Bad cast with toRenderBoxModelObject in RenderBlock::updateFirstLetter()
Joone Hur
Reported 2013-10-18 02:48:37 PDT
There is a case that toRenderBoxModelObject cause a crash in RenderBlock::updateFirstLetter() due to bad cast. (http://trac.webkit.org/changeset/156742)
Attachments
Patch (2.54 KB, patch)
2013-10-18 10:14 PDT, Joone Hur
no flags
Patch (2.44 KB, patch)
2013-10-19 01:38 PDT, Joone Hur
no flags
Patch (2.55 KB, patch)
2013-10-21 02:21 PDT, Joone Hur
no flags
Joone Hur
Comment 1 2013-10-18 10:14:16 PDT
Andreas Kling
Comment 2 2013-10-18 13:48:03 PDT
Comment on attachment 214584 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=214584&action=review Can we make a test for this? > Source/WebCore/rendering/RenderBlock.cpp:5179 > + RenderObject* oldRemainingText = oldFirstLetter->firstLetterRemainingText(); You should use a tighter type than RenderObject* here, since firstLetterRemainingText() returns a RenderTextFragment. I would use auto, like so: auto oldRemainingText = oldFirstLetter->firstLetterRemainingText(); > Source/WebCore/rendering/RenderBlock.cpp:5180 > + if (oldRemainingText && oldRemainingText->isText()) { isText() here will always be true. > Source/WebCore/rendering/RenderBlock.cpp:5183 > + toRenderText(oldRemainingText)->setText(toText(oldRemainingText->node())->data().impl()); If you use a tighter type like I suggested above, this line could become: oldRemainingText->setText(oldRemainingText->textNode()->data());
Joone Hur
Comment 3 2013-10-19 01:35:51 PDT
Comment on attachment 214584 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=214584&action=review I don't know the exact case that can reproduce this crash because it happened in ClusterFuzz: https://codereview.chromium.org/25713009/ >> Source/WebCore/rendering/RenderBlock.cpp:5179 >> + RenderObject* oldRemainingText = oldFirstLetter->firstLetterRemainingText(); > > You should use a tighter type than RenderObject* here, since firstLetterRemainingText() returns a RenderTextFragment. > I would use auto, like so: > > auto oldRemainingText = oldFirstLetter->firstLetterRemainingText(); Done. >> Source/WebCore/rendering/RenderBlock.cpp:5180 >> + if (oldRemainingText && oldRemainingText->isText()) { > > isText() here will always be true. Done. >> Source/WebCore/rendering/RenderBlock.cpp:5183 >> + toRenderText(oldRemainingText)->setText(toText(oldRemainingText->node())->data().impl()); > > If you use a tighter type like I suggested above, this line could become: > oldRemainingText->setText(oldRemainingText->textNode()->data()); Done.
Joone Hur
Comment 4 2013-10-19 01:38:22 PDT
Andreas Kling
Comment 5 2013-10-19 03:37:19 PDT
Comment on attachment 214644 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=214644&action=review > Source/WebCore/ChangeLog:10 > + There is a case that toRenderBoxModelObject causes a crash in RenderBlock::updateFirstLetter() > + due to bad cast, so we need to check whether the RenderObject is a RenderBoxModelObject > + by running isBoxModelObject() before calling toRenderBoxModelObject. This needs a comment about why we don't have a test. > Source/WebCore/rendering/RenderBlock.cpp:5178 > + if (RenderBoxModelObject* oldFirstLetter = descendant->parent()->isBoxModelObject() ? toRenderBoxModelObject(descendant->parent()) : 0) { Can we use auto instead of spelling out RenderBoxModelObject twice here? 0 -> nullptr > Source/WebCore/rendering/RenderBlock.cpp:5183 > + createFirstLetterRenderer(firstLetterBlock, toRenderText(remainingText)); We will now only call createFirstLetterRenderer() if oldFirstLetter is a RenderBoxModelObject and there was an oldRemainingText. Is this intentional, or should it go after the two if blocks?
Joone Hur
Comment 6 2013-10-21 02:15:00 PDT
Comment on attachment 214644 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=214644&action=review >> Source/WebCore/ChangeLog:10 >> + by running isBoxModelObject() before calling toRenderBoxModelObject. > > This needs a comment about why we don't have a test. Done. >> Source/WebCore/rendering/RenderBlock.cpp:5178 >> + if (RenderBoxModelObject* oldFirstLetter = descendant->parent()->isBoxModelObject() ? toRenderBoxModelObject(descendant->parent()) : 0) { > > Can we use auto instead of spelling out RenderBoxModelObject twice here? > 0 -> nullptr Done. >> Source/WebCore/rendering/RenderBlock.cpp:5183 >> + createFirstLetterRenderer(firstLetterBlock, toRenderText(remainingText)); > > We will now only call createFirstLetterRenderer() if oldFirstLetter is a RenderBoxModelObject and there was an oldRemainingText. > Is this intentional, or should it go after the two if blocks? This is intentional because we can remove the old first letter by running setText and then create a new one. These operations should be done together.
Joone Hur
Comment 7 2013-10-21 02:21:05 PDT
Andreas Kling
Comment 8 2013-10-21 02:31:40 PDT
Comment on attachment 214718 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=214718&action=review Ok, r=me. > Source/WebCore/rendering/RenderBlock.cpp:5183 > + createFirstLetterRenderer(firstLetterBlock, toRenderText(remainingText)); You don't need the toRenderText() here.
Joone Hur
Comment 9 2013-10-21 16:23:01 PDT
Comment on attachment 214718 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=214718&action=review >> Source/WebCore/rendering/RenderBlock.cpp:5183 >> + createFirstLetterRenderer(firstLetterBlock, toRenderText(remainingText)); > > You don't need the toRenderText() here. But, there is a build error: ../../Source/WebCore/rendering/RenderBlock.cpp:5183:78: error: invalid conversion from 'WebCore::RenderObject*' to 'WebCore::RenderText*' [-fpermissive]
Andreas Kling
Comment 10 2013-10-21 17:03:29 PDT
Comment on attachment 214718 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=214718&action=review >>> Source/WebCore/rendering/RenderBlock.cpp:5183 >>> + createFirstLetterRenderer(firstLetterBlock, toRenderText(remainingText)); >> >> You don't need the toRenderText() here. > > But, there is a build error: > ../../Source/WebCore/rendering/RenderBlock.cpp:5183:78: error: invalid conversion from 'WebCore::RenderObject*' to 'WebCore::RenderText*' [-fpermissive] Oh, you're right! I confused it with oldRemainingText. Sorry about that :)
Joone Hur
Comment 11 2013-10-21 17:14:41 PDT
(In reply to comment #10) > (From update of attachment 214718 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=214718&action=review > > >>> Source/WebCore/rendering/RenderBlock.cpp:5183 > >>> + createFirstLetterRenderer(firstLetterBlock, toRenderText(remainingText)); > >> > >> You don't need the toRenderText() here. > > > > But, there is a build error: > > ../../Source/WebCore/rendering/RenderBlock.cpp:5183:78: error: invalid conversion from 'WebCore::RenderObject*' to 'WebCore::RenderText*' [-fpermissive] > > Oh, you're right! I confused it with oldRemainingText. Sorry about that :) Thank you for the review! :)
WebKit Commit Bot
Comment 12 2013-10-21 17:28:06 PDT
Comment on attachment 214718 [details] Patch Clearing flags on attachment: 214718 Committed r157768: <http://trac.webkit.org/changeset/157768>
WebKit Commit Bot
Comment 13 2013-10-21 17:28:08 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.