[webkit-changes] [WebKit/WebKit] de47ae: WTFCrashWithSecurityImplication in WebCore::Render...

Tue Dec 19 13:36:16 PST 2023

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: de47ae4003e992e436df92a14ed69138601d9039
      https://github.com/WebKit/WebKit/commit/de47ae4003e992e436df92a14ed69138601d9039
  Author: Antti Koivisto <antti at apple.com>
  Date:   2023-12-19 (Tue, 19 Dec 2023)

  Changed paths:
    M LayoutTests/TestExpectations
    A LayoutTests/fast/multicol/last-set-crash-expected.txt
    A LayoutTests/fast/multicol/last-set-crash.html
    M LayoutTests/platform/glib/TestExpectations
    M Source/WebCore/rendering/RenderMultiColumnFlow.cpp
    M Source/WebCore/rendering/RenderMultiColumnFlow.h

  Log Message:
  -----------
  WTFCrashWithSecurityImplication in WebCore::RenderFragmentedFlow::removeLineFragmentInfo()
https://bugs.webkit.org/show_bug.cgi?id=264327
rdar://114559559

Reviewed by Alan Baradlay.

* LayoutTests/TestExpectations:

Skip test on debug due to some assertion failures.

* LayoutTests/fast/multicol/last-set-crash-expected.txt: Added.
* LayoutTests/fast/multicol/last-set-crash.html: Added.
* Source/WebCore/rendering/RenderMultiColumnFlow.cpp:
(WebCore::RenderMultiColumnFlow::fragmentAtBlockOffset const):

Tree mutations may have made m_lastSetWorkedOn cache invalid by moving the multicolumn set under a different multicolumn flow.
Check for this.

* Source/WebCore/rendering/RenderMultiColumnFlow.h:

Also make it use WeakPtr.

Originally-landed-as: 267815.546 at safari-7617-branch (f524a15d0633). rdar://114559559
Canonical link: https://commits.webkit.org/272294@main