Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(497)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 2099523002: Avoid dereferencing layoutObject during FloatingObject::unsafeClone (Closed)

Created:
4 years, 6 months ago by chrishtr
Modified:
4 years, 5 months ago
Reviewers:
Xianzhu, wkorman
CC:
blink-reviews, blink-reviews-layout_chromium.org, chromium-reviews, eae+blinkwatch, jchaffraix+rendering, leviw+renderwatch, pdr+renderingwatchlist_chromium.org, szager+layoutwatch_chromium.org, zoltan1
Base URL:
https://chromium.googlesource.com/chromium/src.git@master
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

Avoid dereferencing layoutObject during FloatingObject::unsafeClone There are bugs in the code that detaches subtrees in which a floating object sometimes is not detached from its owning m_floatingObjects set yet is still deleted. BUG=619380 Committed: https://crrev.com/23aafd7fac7245071163eea43cc4dfeb6f302b9f Cr-Commit-Position: refs/heads/master@{#401899}

Patch Set 1 #

Patch Set 2 : none #

Patch Set 3 : none #

Patch Set 4 : none #

Total comments: 2

Patch Set 5 : none #

Total comments: 4
Unified diffs Side-by-side diffs Delta from patch set Stats (+32 lines, -3 lines) Patch
A third_party/WebKit/LayoutTests/fast/block/float/float-reparent-during-detach-crash.html View 1 1 chunk +21 lines, -0 lines 2 comments Download
A + third_party/WebKit/LayoutTests/fast/block/float/float-reparent-during-detach-crash-expected.txt View 1 0 chunks +-1 lines, --1 lines 0 comments Download
M third_party/WebKit/Source/core/layout/FloatingObjects.h View 1 1 chunk +1 line, -1 line 0 comments Download
M third_party/WebKit/Source/core/layout/FloatingObjects.cpp View 1 2 3 4 3 chunks +11 lines, -3 lines 2 comments Download

Messages

Total messages: 15 (7 generated)
chrishtr
I was unable to fix out the root cause in floats. The layout team will ...
4 years, 6 months ago (2016-06-23 23:35:06 UTC) #4
Xianzhu
lgtm as a workaround. https://codereview.chromium.org/2099523002/diff/60001/third_party/WebKit/Source/core/layout/FloatingObjects.cpp File third_party/WebKit/Source/core/layout/FloatingObjects.cpp (right): https://codereview.chromium.org/2099523002/diff/60001/third_party/WebKit/Source/core/layout/FloatingObjects.cpp#newcode80 third_party/WebKit/Source/core/layout/FloatingObjects.cpp:80: // FIXME(chrishtr): Avoid the following ...
4 years, 6 months ago (2016-06-24 00:20:12 UTC) #5
chrishtr
https://codereview.chromium.org/2099523002/diff/60001/third_party/WebKit/Source/core/layout/FloatingObjects.cpp File third_party/WebKit/Source/core/layout/FloatingObjects.cpp (right): https://codereview.chromium.org/2099523002/diff/60001/third_party/WebKit/Source/core/layout/FloatingObjects.cpp#newcode80 third_party/WebKit/Source/core/layout/FloatingObjects.cpp:80: // FIXME(chrishtr): Avoid the following hack when performing an ...
4 years, 6 months ago (2016-06-24 16:11:25 UTC) #6
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2099523002/80001
4 years, 6 months ago (2016-06-24 16:12:28 UTC) #9
commit-bot: I haz the power
Committed patchset #5 (id:80001)
4 years, 6 months ago (2016-06-24 17:47:05 UTC) #10
commit-bot: I haz the power
Patchset 5 (id:??) landed as https://crrev.com/23aafd7fac7245071163eea43cc4dfeb6f302b9f Cr-Commit-Position: refs/heads/master@{#401899}
4 years, 6 months ago (2016-06-24 17:51:10 UTC) #12
wkorman
https://codereview.chromium.org/2099523002/diff/80001/third_party/WebKit/LayoutTests/fast/block/float/float-reparent-during-detach-crash.html File third_party/WebKit/LayoutTests/fast/block/float/float-reparent-during-detach-crash.html (right): https://codereview.chromium.org/2099523002/diff/80001/third_party/WebKit/LayoutTests/fast/block/float/float-reparent-during-detach-crash.html#newcode2 third_party/WebKit/LayoutTests/fast/block/float/float-reparent-during-detach-crash.html:2: Passes if it does not crash. Does this crash ...
4 years, 6 months ago (2016-06-24 18:10:35 UTC) #14
chrishtr
4 years, 5 months ago (2016-07-01 15:43:39 UTC) #15
Message was sent while issue was closed. 
https://codereview.chromium.org/2099523002/diff/80001/third_party/WebKit/Layo...
File
third_party/WebKit/LayoutTests/fast/block/float/float-reparent-during-detach-crash.html
(right):

https://codereview.chromium.org/2099523002/diff/80001/third_party/WebKit/Layo...
third_party/WebKit/LayoutTests/fast/block/float/float-reparent-during-detach-crash.html:2:
Passes if it does not crash.
On 2016/06/24 at 18:10:35, wkorman wrote:
> Does this crash without the change, in a non-ASAN build? Or is this test just
for validating fix with ASAN? It doesn't seem to crash with current ToT or dev
build.

Just crashes in ASAN. But there are ASAN bots that run on all layout tests.

https://codereview.chromium.org/2099523002/diff/80001/third_party/WebKit/Sour...
File third_party/WebKit/Source/core/layout/FloatingObjects.cpp (right):

https://codereview.chromium.org/2099523002/diff/80001/third_party/WebKit/Sour...
third_party/WebKit/Source/core/layout/FloatingObjects.cpp:124:
std::unique_ptr<FloatingObject> cloneObject = wrapUnique(new
FloatingObject(layoutObject(), getType(), m_frameRect, m_shouldPaint,
m_isDescendant, false, true));
On 2016/06/24 at 18:10:35, wkorman wrote:
> It looked like the unsafe ref was on what would be 'this' in this method, such
that this could already be too late?

The unsafe ref was on the layoutObject() parameter to the FloatingObject
constructor, since the layout
object was already deleted during subtree detach (caused by the editing command
in the test).

Powered by Google App Engine
This is Rietveld 408576698