[webkit-changes] [WebKit/WebKit] 51d7c7: Renderinline::offsetForInFlowPositionedInline caus...

[Arunsundar Kannan]

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 51d7c7775f9625ce5679c11768b50eea2520b905
      https://github.com/WebKit/WebKit/commit/51d7c7775f9625ce5679c11768b50eea2520b905
  Author: Arunsundar Kannan <arunsundar_kannan at apple.com>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    A LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint-expected.txt
    A LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint.html
    M Source/WebCore/rendering/RenderInline.cpp

  Log Message:
  -----------
  Renderinline::offsetForInFlowPositionedInline causes a null-deref of a laybox on repaint.
https://bugs.webkit.org/show_bug.cgi?id=255552.
rdar://107952390.

Reviewed by Alan Baradlay.

Line layout codepath invalidation is triggered by JS which issues a repaint on the newly inserted renderer. The newly inserted renderer is used for geometry computations and which calls offsetForInFlowPositionedInline in case of inline boxes. This tries to access the lineBoxes assocaited with the renderers but they invalidated by previous repaints. This leads to null deref of the lineboxes.

* LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint-expected.txt: Added.
* LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint.html: Added.
* Source/WebCore/rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::isLineLayoutPresent const):
* Source/WebCore/rendering/RenderBlockFlow.h:
* Source/WebCore/rendering/RenderInline.cpp:
(WebCore::RenderInline::offsetForInFlowPositionedInline const):

Originally-landed-as: 259548.678 at safari-7615-branch (7c662f5b36e3). rdar://107952390
Canonical link: https://commits.webkit.org/266452@main