Google Git
Sign in
chromium / chromium / src / 19574981b2967dc3e17da37df392bb3ae6695ae8^! / .
commit19574981b2967dc3e17da37df392bb3ae6695ae8[log] [tgz]
authorYoshifumi Inoue <yosin@chromium.org>Fri Mar 15 07:09:38 2019
committerCommit Bot <commit-bot@chromium.org>Fri Mar 15 07:09:38 2019
tree1c507523758ac0d4de3795f7061b3dd74210cb60
parentb48ffad8dd1e0aa410bfd778a89b1e1fe8d01196 [diff]
Make NGAbstractInlineText::GetOrCreate() to take only NGPaintFragment

This patch changes to |NGAbstractInlineText::GetOrCreate()| to take only
|NGPaintFragment| to avoid to create |NGAbstractInlineText| having
|NGPaintFragment| not to associated to |line_layout_item_| member variable.

These invalid |NGAbstractInlineText| causes crash by referring destructed
|LayoutObject| in |NGAbstractInlineText::Detach()|.

This crash can be happend in following scenario:

1. Create |NGAbstractInlineText| by |LayoutText::FirstAbstractInlineText()|
with layout object L1 and fragment F1_1 then get A1(L1, F1)
2. Create |NGAbstractInlineText::NextOnLine()| with L1 and F2 then get
A2(L1, F2) where F2 is associated to L2.
3. Destroy L1 then call Detach() for A1(L1, F1) => no problem
4. Destroy L2 then call Detach() for A2(L1, F2) => crash since L1 is destroyed

Bug: 928925
Change-Id: Ic0a55b4e15723e1988d0727aba45723aed4d3a4b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1525257
Auto-Submit: Yoshifumi Inoue <yosin@chromium.org>
Commit-Queue: Koji Ishii <kojii@chromium.org>
Reviewed-by: Koji Ishii <kojii@chromium.org>
Cr-Commit-Position: refs/heads/master@{#641109}
diff --git a/third_party/blink/renderer/core/layout/layout_text.cc b/third_party/blink/renderer/core/layout/layout_text.cc
index 33f5dfad..c856d15 100644
--- a/third_party/blink/renderer/core/layout/layout_text.cc
+++ b/third_party/blink/renderer/core/layout/layout_text.cc

@@ -2453,8 +2453,7 @@
     if (!fragments.IsEmpty() &&
         fragments.IsInLayoutNGInlineFormattingContext()) {
       has_abstract_inline_text_box_ = true;
-      return NGAbstractInlineTextBox::GetOrCreate(LineLayoutText(this),
-                                                  **fragments.begin());
+      return NGAbstractInlineTextBox::GetOrCreate(fragments.front());
     }
   }
   return LegacyAbstractInlineTextBox::GetOrCreate(LineLayoutText(this),

diff --git a/third_party/blink/renderer/core/layout/ng/inline/ng_abstract_inline_text_box.cc b/third_party/blink/renderer/core/layout/ng/inline/ng_abstract_inline_text_box.cc
index 39036706..478a1d3 100644
--- a/third_party/blink/renderer/core/layout/ng/inline/ng_abstract_inline_text_box.cc
+++ b/third_party/blink/renderer/core/layout/ng/inline/ng_abstract_inline_text_box.cc

@@ -19,7 +19,6 @@
     NGAbstractInlineTextBox::g_abstract_inline_text_box_map_ = nullptr;
 
 scoped_refptr<AbstractInlineTextBox> NGAbstractInlineTextBox::GetOrCreate(
-    LineLayoutText line_layout_item,
     const NGPaintFragment& fragment) {
   DCHECK(fragment.GetLayoutObject()->IsText()) << fragment.GetLayoutObject();
   if (!g_abstract_inline_text_box_map_) {
@@ -30,7 +29,8 @@
   if (it != g_abstract_inline_text_box_map_->end())
     return it->value;
   scoped_refptr<AbstractInlineTextBox> obj =
-      base::AdoptRef(new NGAbstractInlineTextBox(line_layout_item, fragment));
+      base::AdoptRef(new NGAbstractInlineTextBox(
+          LineLayoutText(ToLayoutText(fragment.GetLayoutObject())), fragment));
   g_abstract_inline_text_box_map_->Set(&fragment, obj);
   return obj;
 }
@@ -110,7 +110,7 @@
   const NGPaintFragment* next_fragment = NextTextFragmentForSameLayoutObject();
   if (!next_fragment)
     return nullptr;
-  return GetOrCreate(GetLineLayoutItem(), *next_fragment);
+  return GetOrCreate(*next_fragment);
 }
 
 LayoutRect NGAbstractInlineTextBox::LocalBounds() const {
@@ -214,7 +214,7 @@
   NGPaintFragmentTraversal cursor(*fragment_->ContainerLineBox(), *fragment_);
   for (cursor.MoveToNext(); !cursor.IsAtEnd(); cursor.MoveToNext()) {
     if (cursor->GetLayoutObject()->IsText())
-      return GetOrCreate(GetLineLayoutItem(), *cursor);
+      return GetOrCreate(*cursor);
   }
   return nullptr;
 }
@@ -228,7 +228,7 @@
   NGPaintFragmentTraversal cursor(*fragment_->ContainerLineBox(), *fragment_);
   for (cursor.MoveToPrevious(); !cursor.IsAtEnd(); cursor.MoveToPrevious()) {
     if (cursor->GetLayoutObject()->IsText())
-      return GetOrCreate(GetLineLayoutItem(), *cursor);
+      return GetOrCreate(*cursor);
   }
   return nullptr;
 }

diff --git a/third_party/blink/renderer/core/layout/ng/inline/ng_abstract_inline_text_box.h b/third_party/blink/renderer/core/layout/ng/inline/ng_abstract_inline_text_box.h
index 4932dec9..d74e962 100644
--- a/third_party/blink/renderer/core/layout/ng/inline/ng_abstract_inline_text_box.h
+++ b/third_party/blink/renderer/core/layout/ng/inline/ng_abstract_inline_text_box.h

@@ -17,11 +17,8 @@
 class CORE_EXPORT NGAbstractInlineTextBox final : public AbstractInlineTextBox {
  private:
   // Returns existing or newly created |NGAbstractInlineTextBox|.
-  // * |line_layout_item| is |LayoutText| associated to |fragment|. For first
-  // letter part, it is remaining part of |LayoutTextFragment|.
   // * |fragment| should be attached to |NGPhysicalTextFragment|.
   static scoped_refptr<AbstractInlineTextBox> GetOrCreate(
-      LineLayoutText line_layout_item,
       const NGPaintFragment& fragment);
   static void WillDestroy(NGPaintFragment*);