Title: [201223] trunk
Revision
201223
Author
[email protected]
Date
2016-05-20 13:43:39 -0700 (Fri, 20 May 2016)

Log Message

Fix null dereferencing in CSSAnimationTriggerScrollValue::equals
https://bugs.webkit.org/show_bug.cgi?id=157930

Patch by Alex Christensen <[email protected]> on 2016-05-20
Reviewed by Dean Jackson.

Source/WebCore:

Test: fast/css/compare-animation-trigger.html

* css/CSSAnimationTriggerScrollValue.cpp:
(WebCore::CSSAnimationTriggerScrollValue::equals):
* css/CSSAnimationTriggerScrollValue.h:
(WebCore::CSSAnimationTriggerScrollValue::create):
(WebCore::CSSAnimationTriggerScrollValue::startValue):
(WebCore::CSSAnimationTriggerScrollValue::endValue):
(WebCore::CSSAnimationTriggerScrollValue::hasEndValue):
(WebCore::CSSAnimationTriggerScrollValue::operator==):
(WebCore::CSSAnimationTriggerScrollValue::CSSAnimationTriggerScrollValue):
* css/CSSToStyleMap.cpp:
(WebCore::CSSToStyleMap::mapAnimationTrigger):
* css/CSSValue.h:
(WebCore::CSSValue::operator==):

LayoutTests:

* fast/css/compare-animation-trigger-expected.txt: Added.
* fast/css/compare-animation-trigger.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (201222 => 201223)


--- trunk/LayoutTests/ChangeLog	2016-05-20 19:36:01 UTC (rev 201222)
+++ trunk/LayoutTests/ChangeLog	2016-05-20 20:43:39 UTC (rev 201223)
@@ -1,3 +1,13 @@
+2016-05-20  Alex Christensen  <[email protected]>
+
+        Fix null dereferencing in CSSAnimationTriggerScrollValue::equals
+        https://bugs.webkit.org/show_bug.cgi?id=157930
+
+        Reviewed by Dean Jackson.
+
+        * fast/css/compare-animation-trigger-expected.txt: Added.
+        * fast/css/compare-animation-trigger.html: Added.
+
 2016-05-20  Dave Hyatt  <[email protected]>
 
         Scrolling broken in iTunes connect pages

Added: trunk/LayoutTests/fast/css/compare-animation-trigger-expected.txt (0 => 201223)


--- trunk/LayoutTests/fast/css/compare-animation-trigger-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/css/compare-animation-trigger-expected.txt	2016-05-20 20:43:39 UTC (rev 201223)
@@ -0,0 +1,3 @@
+This test verifies that comparing two CSSAnimationTriggerScrollValues without end values does not crash.
+
+

Added: trunk/LayoutTests/fast/css/compare-animation-trigger.html (0 => 201223)


--- trunk/LayoutTests/fast/css/compare-animation-trigger.html	                        (rev 0)
+++ trunk/LayoutTests/fast/css/compare-animation-trigger.html	2016-05-20 20:43:39 UTC (rev 201223)
@@ -0,0 +1,19 @@
+<html>
+<head>
+<style>
+    div { -webkit-animation-trigger : container-scroll(20px); }
+</style>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+function run() {
+    document.getElementById("test").focus();
+    document.execCommand('insertHTML', false, '<div id="insertedDiv" style="-webkit-animation-trigger : container-scroll(20px); "></div>');
+}
+</script>
+</head>
+<body _onload_="run()">
+<p>This test verifies that comparing two CSSAnimationTriggerScrollValues without end values does not crash.</p>
+<div id="test" contenteditable></div>
+</body>
+</html>
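Review bot: The body tag on the line above reads `_onload_="run()"`, which looks like mailing-list sanitization of the `onload` attribute rather than what was committed; if the landed file really carries `_onload_`, `run()` never executes, no second element with a `-webkit-animation-trigger` is inserted, and the test passes without ever exercising the comparison it is meant to cover. Worth confirming the checked-in file reads `<body onload="run()">`. Since the test is a does-not-crash test whose expected output is only the descriptive paragraph, a silently inert `run()` would not show up as a failure, so a short comment in the script such as `// Inserting a second element with the same trigger forces two CSSAnimationTriggerScrollValues without end values to be compared.` would make the intent checkable by the next reader.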

Modified: trunk/Source/WebCore/ChangeLog (201222 => 201223)


--- trunk/Source/WebCore/ChangeLog	2016-05-20 19:36:01 UTC (rev 201222)
+++ trunk/Source/WebCore/ChangeLog	2016-05-20 20:43:39 UTC (rev 201223)
@@ -1,3 +1,26 @@
+2016-05-20  Alex Christensen  <[email protected]>
+
+        Fix null dereferencing in CSSAnimationTriggerScrollValue::equals
+        https://bugs.webkit.org/show_bug.cgi?id=157930
+
+        Reviewed by Dean Jackson.
+
+        Test: fast/css/compare-animation-trigger.html
+
+        * css/CSSAnimationTriggerScrollValue.cpp:
+        (WebCore::CSSAnimationTriggerScrollValue::equals):
+        * css/CSSAnimationTriggerScrollValue.h:
+        (WebCore::CSSAnimationTriggerScrollValue::create):
+        (WebCore::CSSAnimationTriggerScrollValue::startValue):
+        (WebCore::CSSAnimationTriggerScrollValue::endValue):
+        (WebCore::CSSAnimationTriggerScrollValue::hasEndValue):
+        (WebCore::CSSAnimationTriggerScrollValue::operator==):
+        (WebCore::CSSAnimationTriggerScrollValue::CSSAnimationTriggerScrollValue):
+        * css/CSSToStyleMap.cpp:
+        (WebCore::CSSToStyleMap::mapAnimationTrigger):
+        * css/CSSValue.h:
+        (WebCore::CSSValue::operator==):
+
 2016-05-20  Dave Hyatt  <[email protected]>
 
         Scrolling broken in iTunes connect pages

Modified: trunk/Source/WebCore/css/CSSAnimationTriggerScrollValue.cpp (201222 => 201223)


--- trunk/Source/WebCore/css/CSSAnimationTriggerScrollValue.cpp	2016-05-20 19:36:01 UTC (rev 201222)
+++ trunk/Source/WebCore/css/CSSAnimationTriggerScrollValue.cpp	2016-05-20 20:43:39 UTC (rev 201223)
@@ -25,6 +25,7 @@
 
 #include "config.h"
 #include "CSSAnimationTriggerScrollValue.h"
+#include <wtf/PointerComparison.h>
 
 #if ENABLE(CSS_ANIMATIONS_LEVEL_2)
 
@@ -47,7 +48,7 @@
 
 bool CSSAnimationTriggerScrollValue::equals(const CSSAnimationTriggerScrollValue& other) const
 {
-    return m_startValue->equals(*other.m_startValue.get()) && m_endValue->equals(*other.m_endValue.get());
+    return m_startValue->equals(other.m_startValue.get()) && arePointingToEqualData(m_endValue.get(), other.m_endValue.get());
 }
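Review bot: The new `equals` line encodes a non-obvious contract that deserves a comment: the end value is optional, and the two cases that used to dereference a null `m_endValue` are now decided by `arePointingToEqualData`, which presumably treats two nulls as equal, one null as unequal, and otherwise compares through `*a == *b`. That last case only compiles because `CSSValue::operator==` is introduced in the CSSValue.h hunk of this same commit, so the two changes are coupled. Suggested comment above the return: `// m_startValue is a Ref and always present; m_endValue is optional, so compare it via arePointingToEqualData (null == null, null != non-null, else CSSValue::equals).`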
 
 } // namespace WebCore

Modified: trunk/Source/WebCore/css/CSSAnimationTriggerScrollValue.h (201222 => 201223)


--- trunk/Source/WebCore/css/CSSAnimationTriggerScrollValue.h	2016-05-20 19:36:01 UTC (rev 201222)
+++ trunk/Source/WebCore/css/CSSAnimationTriggerScrollValue.h	2016-05-20 20:43:39 UTC (rev 201223)
@@ -38,13 +38,14 @@
         return adoptRef(*new CSSAnimationTriggerScrollValue(WTFMove(startValue), WTFMove(endValue)));
     }
 
-    const CSSValue* startValue() const { return m_startValue.get(); }
+    const CSSValue& startValue() const { return m_startValue.get(); }
     const CSSValue* endValue() const { return m_endValue.get(); }
     bool hasEndValue() const { return m_endValue; }
 
     String customCSSText() const;
 
     bool equals(const CSSAnimationTriggerScrollValue&) const;
+    bool operator==(const CSSAnimationTriggerScrollValue& other) const { return equals(other); }
 
 private:
     CSSAnimationTriggerScrollValue(Ref<CSSValue>&& startValue, RefPtr<CSSValue>&& endValue)
@@ -54,7 +55,7 @@
     {
     }
 
-    RefPtr<CSSValue> m_startValue;
+    Ref<CSSValue> m_startValue;
     RefPtr<CSSValue> m_endValue;
 };
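Review bot: The added `operator==` on CSSAnimationTriggerScrollValue (and the parallel one added to CSSValue in the CSSValue.h hunk) has no `operator!=` counterpart, and before C++20 the compiler does not synthesize `!=` from `==`, so any caller that writes `a != b` on these types will fail to compile rather than fall back to `!equals`. If `!=` is expected anywhere, add `bool operator!=(const CSSAnimationTriggerScrollValue& other) const { return !equals(other); }` here and the equivalent in CSSValue.h; if it is deliberately omitted, a one-line comment saying only `==` is provided would save the next reader the question.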
 

Modified: trunk/Source/WebCore/css/CSSToStyleMap.cpp (201222 => 201223)


--- trunk/Source/WebCore/css/CSSToStyleMap.cpp	2016-05-20 19:36:01 UTC (rev 201222)
+++ trunk/Source/WebCore/css/CSSToStyleMap.cpp	2016-05-20 20:43:39 UTC (rev 201223)
@@ -531,8 +531,8 @@
     if (value.isAnimationTriggerScrollValue()) {
         auto& scrollTrigger = downcast<CSSAnimationTriggerScrollValue>(value);
 
-        const CSSPrimitiveValue* startValue = downcast<CSSPrimitiveValue>(scrollTrigger.startValue());
-        Length startLength = startValue->computeLength<Length>(m_resolver->state().cssToLengthConversionData());
+        const CSSPrimitiveValue& startValue = downcast<CSSPrimitiveValue>(scrollTrigger.startValue());
+        Length startLength = startValue.computeLength<Length>(m_resolver->state().cssToLengthConversionData());
 
         Length endLength;
         if (scrollTrigger.hasEndValue()) {

Modified: trunk/Source/WebCore/css/CSSValue.h (201222 => 201223)


--- trunk/Source/WebCore/css/CSSValue.h	2016-05-20 19:36:01 UTC (rev 201222)
+++ trunk/Source/WebCore/css/CSSValue.h	2016-05-20 20:43:39 UTC (rev 201223)
@@ -138,6 +138,7 @@
     bool traverseSubresources(const std::function<bool (const CachedResource&)>& handler) const;
 
     bool equals(const CSSValue&) const;
+    bool operator==(const CSSValue& other) const { return equals(other); }
 
 protected:
 