RESOLVED FIXED 177960
RenderButton should not hold raw pointers to its direct children. 
https://bugs.webkit.org/show_bug.cgi?id=177960
Summary RenderButton should not hold raw pointers to its direct children.
zalan
Reported 2017-10-05 13:00:25 PDT
m_buttonText and m_inner
Attachments
Patch (4.65 KB, patch)
2017-10-05 13:05 PDT, zalan 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2017-10-05 13:01:04 PDT
<rdar://problem/34840807>
zalan
Comment 2 2017-10-05 13:05:08 PDT
Created attachment 322888 [details] Patch
Antti Koivisto
Comment 3 2017-10-05 13:10:00 PDT
Comment on attachment 322888 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=322888&action=review > Source/WebCore/rendering/RenderButton.cpp:83 > // violated. > if (&oldChild == m_inner || !m_inner || oldChild.parent() == this) { > ASSERT(&oldChild == m_inner || !m_inner); The comment above talks about "security problems" that I don't think exist with the recent improvements. Maybe the comment, oldChild.parent() == this test and the assert can go?
Simon Fraser (smfr)
Comment 4 2017-10-05 13:10:22 PDT
Comment on attachment 322888 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=322888&action=review > Source/WebCore/rendering/RenderButton.cpp:139 > + return { }; Is this as efficient as returning emptyString()? > Source/WebCore/rendering/RenderButton.h:74 > + WeakPtr<RenderBlock> m_inner; Do we actually need to reference this, or can we find it via a tree walk?
Antti Koivisto
Comment 5 2017-10-05 13:17:45 PDT
Comment on attachment 322888 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=322888&action=review >> Source/WebCore/rendering/RenderButton.cpp:139 >> + return { }; > > Is this as efficient as returning emptyString()? That returns a null string, not an empty string (and is more efficient).
zalan
Comment 6 2017-10-05 13:45:43 PDT
(In reply to Antti Koivisto from comment #3) > Comment on attachment 322888 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=322888&action=review > > > Source/WebCore/rendering/RenderButton.cpp:83 > > // violated. > > if (&oldChild == m_inner || !m_inner || oldChild.parent() == this) { > > ASSERT(&oldChild == m_inner || !m_inner); > > The comment above talks about "security problems" that I don't think exist > with the recent improvements. Maybe the comment, oldChild.parent() == this > test and the assert can go? The comment/assert actually attempts to catch cases where the RenderButton's inner subtree gets split up for whatever reason (the original bug was column spanning). So I think this is still valid (though not super useful, I admit).
WebKit Commit Bot
Comment 7 2017-10-05 14:14:47 PDT
Comment on attachment 322888 [details] Patch Clearing flags on attachment: 322888 Committed r222932: <http://trac.webkit.org/changeset/222932>
WebKit Commit Bot
Comment 8 2017-10-05 14:14:49 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.