Bug 177960 - RenderButton should not hold raw pointers to its direct children.
Summary: RenderButton should not hold raw pointers to its direct children.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: zalan
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2017-10-05 13:00 PDT by zalan
Modified: 2017-10-05 14:14 PDT (History)
6 users (show)

See Also:


Attachments
Patch (4.65 KB, patch)
2017-10-05 13:05 PDT, zalan
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description zalan 2017-10-05 13:00:25 PDT
m_buttonText and m_inner
Comment 1 Radar WebKit Bug Importer 2017-10-05 13:01:04 PDT
<rdar://problem/34840807>
Comment 2 zalan 2017-10-05 13:05:08 PDT
Created attachment 322888 [details]
Patch
Comment 3 Antti Koivisto 2017-10-05 13:10:00 PDT
Comment on attachment 322888 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=322888&action=review

> Source/WebCore/rendering/RenderButton.cpp:83
>      // violated.
>      if (&oldChild == m_inner || !m_inner || oldChild.parent() == this) {
>          ASSERT(&oldChild == m_inner || !m_inner);

The comment above talks about "security problems" that I don't think exist with the recent improvements. Maybe the comment, oldChild.parent() == this test and the assert can go?
Comment 4 Simon Fraser (smfr) 2017-10-05 13:10:22 PDT
Comment on attachment 322888 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=322888&action=review

> Source/WebCore/rendering/RenderButton.cpp:139
> +    return { };

Is this as efficient as returning emptyString()?

> Source/WebCore/rendering/RenderButton.h:74
> +    WeakPtr<RenderBlock> m_inner;

Do we actually need to reference this, or can we find it via a tree walk?
Comment 5 Antti Koivisto 2017-10-05 13:17:45 PDT
Comment on attachment 322888 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=322888&action=review

>> Source/WebCore/rendering/RenderButton.cpp:139
>> +    return { };
> 
> Is this as efficient as returning emptyString()?

That returns a null string, not an empty string (and is more efficient).
Comment 6 zalan 2017-10-05 13:45:43 PDT
(In reply to Antti Koivisto from comment #3)
> Comment on attachment 322888 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=322888&action=review
> 
> > Source/WebCore/rendering/RenderButton.cpp:83
> >      // violated.
> >      if (&oldChild == m_inner || !m_inner || oldChild.parent() == this) {
> >          ASSERT(&oldChild == m_inner || !m_inner);
> 
> The comment above talks about "security problems" that I don't think exist
> with the recent improvements. Maybe the comment, oldChild.parent() == this
> test and the assert can go?
The comment/assert actually attempts to catch cases where the RenderButton's inner subtree gets split up for whatever reason (the original bug was column spanning). So I think this is still valid (though not super useful, I admit).
Comment 7 WebKit Commit Bot 2017-10-05 14:14:47 PDT
Comment on attachment 322888 [details]
Patch

Clearing flags on attachment: 322888

Committed r222932: <http://trac.webkit.org/changeset/222932>
Comment 8 WebKit Commit Bot 2017-10-05 14:14:49 PDT
All reviewed patches have been landed.  Closing bug.