Issue 10694124: Merge 122082 - Heap-use-after-free in WebCore::RenderObject::destroyAndCleanupAnonymousWrappers

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Issue 10694124: Merge 122082 - Heap-use-after-free in WebCore::RenderObject::destroyAndCleanupAnonymousWrappers (Closed)

Created:
8 years, 5 months ago by Hajime Morrita

Modified:
8 years, 5 months ago

Reviewers:
morrita

CC:
chromium-reviews

Base URL:
http://svn.webkit.org/repository/webkit/branches/chromium/1180/

Visibility:
Public.

More Reviews

Description

Merge 122082 - Heap-use-after-free in WebCore::RenderObject::destroyAndCleanupAnonymousWrappers https://bugs.webkit.org/show_bug.cgi?id=90480 Reviewed by Kent Tamura. Source/WebCore: If <select> has any insertion point, the attachment phase unpextedly creates a renderer for distributed node and added to the renderer of the <select>, which breaks an assumption and results the crash. This change tighten the childShouldCreateRenderer() to forbid child renderers even from distributed nodes. There is an exception as always: ValidationMessage can create a ShadowRoot to <select>, which generates usually-forbidden child renderers. This change introduces HTMLFormControlElement::validationMessageContains() to let these renderers in. Test: fast/dom/shadow/insertion-point-list-menu-crash.html * html/HTMLFormControlElement.cpp: (WebCore::HTMLFormControlElement::validationMessageContains): (WebCore): * html/HTMLFormControlElement.h: (HTMLFormControlElement): * html/HTMLSelectElement.cpp: (WebCore::HTMLSelectElement::childShouldCreateRenderer): * html/ValidationMessage.cpp: (WebCore::ValidationMessage::contains): (WebCore): * html/ValidationMessage.h: (WebCore): (ValidationMessage): LayoutTests: * fast/dom/shadow/insertion-point-list-menu-crash-expected.txt: Added. * fast/dom/shadow/insertion-point-list-menu-crash.html: Added. TBR=morrita@google.com Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=122285

Patch Set 1 #

Created: 8 years, 5 months ago

(Patch set is too large to download)

	Unified diffs	Side-by-side diffs	Stats (+24568 lines, --1 lines)			Patch
M	LayoutTests/ChangeLog	View	1 chunk	+6933 lines, -0 lines	0 comments	Download
A +	LayoutTests/fast/dom/shadow/insertion-point-list-menu-crash.html	View	0 chunks	+-1 lines, --1 lines	0 comments	Download
A +	LayoutTests/fast/dom/shadow/insertion-point-list-menu-crash-expected.txt	View	0 chunks	+-1 lines, --1 lines	0 comments	Download
M	Source/WebCore/ChangeLog	View	1 chunk	+17616 lines, -0 lines	0 comments	Download
M	Source/WebCore/html/HTMLFormControlElement.h	View	1 chunk	+2 lines, -0 lines	0 comments	Download
M	Source/WebCore/html/HTMLFormControlElement.cpp	View	1 chunk	+5 lines, -0 lines	0 comments	Download
M	Source/WebCore/html/HTMLSelectElement.cpp	View	1 chunk	+5 lines, -1 line	0 comments	Download
M	Source/WebCore/html/ValidationMessage.h	View	2 chunks	+2 lines, -0 lines	0 comments	Download
M	Source/WebCore/html/ValidationMessage.cpp	View	1 chunk	+7 lines, -0 lines	0 comments	Download

Messages

Total messages: 1 (0 generated)

Expand Messages | Collapse Messages