Chromium Code Reviews

Issue 2082893005: Make previousLinePosition() not to use dangling RootInlineBox (Closed)

Created:
4 years, 6 months ago by yosin_UTC9
Modified:
4 years, 6 months ago
Reviewers:
yoichio
CC:
blink-reviews, chromium-reviews, tfarina
Base URL:
https://chromium.googlesource.com/chromium/src.git@master
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

Make previousLinePosition() not to use dangling RootInlineBox

This patch makes |previousLinePosition()| not use a dangling |RootInlineBox| pointer, to avoid a use-after-free. Before this patch, |isEditablePosition()| was called with the |DoUpdateStyle| parameter to update the layout tree if needed. Usually, the layout tree isn't updated by this |isEditablePosition()| call, since |previousLinePosition()| updates the layout tree at entry. However, if there are pending style sheets, e.g. an @import directive, or HTML imports, e.g. link rel=import, the layout tree is updated, since the document isn't render-ready (|haveImportLoaded()| && |haveRenderBlockingStyleSheetsLoaded()|).

BUG=618237
TEST=LayoutTests/editing/selection/modify_move/move_backward_line_import_crash.html

Committed: https://crrev.com/fb81c66590538c2487a34b8623066a22d0b27dff
Committed: https://crrev.com/e9c943f368d15bbfe414aedf5e001792257f3eeb
Cr-Original-Commit-Position: refs/heads/master@{#401231}
Cr-Commit-Position: refs/heads/master@{#401581}

Patch Set 1 : 2016-06-22T14:22:55 #

Stats: +29 lines, -1 line
A third_party/WebKit/LayoutTests/editing/selection/modify_move/move_backward_line_import_crash.html (1 chunk, +28 lines, -0 lines, 0 comments)
M third_party/WebKit/Source/core/editing/VisibleUnits.cpp (1 chunk, +1 line, -1 line, 0 comments)

Messages

Total messages: 17 (7 generated)
yosin_UTC9
PTAL. Mac and Win10 bot failures aren't related to this patch.
4 years, 6 months ago (2016-06-22 06:36:23 UTC) #3
yoichio
lgtm but one question. Does isEditablePosition need update with pending stylesheets? Since canonicalization requires only ...
4 years, 6 months ago (2016-06-22 07:42:05 UTC) #4
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/2082893005/1
4 years, 6 months ago (2016-06-22 07:56:36 UTC) #6
yosin_UTC9
On 2016/06/22 at 07:42:05, yoichio wrote: > lgtm > but one question. > Does isEditablePosition ...
4 years, 6 months ago (2016-06-22 08:03:09 UTC) #7
commit-bot: I haz the power
Committed patchset #1 (id:1)
4 years, 6 months ago (2016-06-22 08:41:35 UTC) #9
commit-bot: I haz the power
Patchset 1 (id:??) landed as https://crrev.com/fb81c66590538c2487a34b8623066a22d0b27dff Cr-Commit-Position: refs/heads/master@{#401231}
4 years, 6 months ago (2016-06-22 08:42:43 UTC) #11
dgozman
A revert of this CL (patchset #1 id:1) has been created in https://codereview.chromium.org/2084913005/ by dgozman@chromium.org. ...
4 years, 6 months ago (2016-06-22 17:08:53 UTC) #12
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/2082893005/1
4 years, 6 months ago (2016-06-23 09:46:35 UTC) #14
commit-bot: I haz the power
Committed patchset #1 (id:1)
4 years, 6 months ago (2016-06-23 11:32:15 UTC) #15
commit-bot: I haz the power
Message was sent while issue was closed.
Patchset 1 (id:??) landed as https://crrev.com/e9c943f368d15bbfe414aedf5e001792257f3eeb Cr-Commit-Position: refs/heads/master@{#401581}
4 years, 6 months ago (2016-06-23 11:43:15 UTC) #17
