Title: [272250] branches/safari-611-branch
- Revision
- 272250
- Author
- [email protected]
- Date
- 2021-02-02 17:39:26 -0800 (Tue, 02 Feb 2021)
Log Message
Cherry-pick r271644. rdar://problem/73890311
[css-multicol] OOM with 1px height columns
https://bugs.webkit.org/show_bug.cgi?id=220490
Reviewed by Ryosuke Niwa.
Source/WebCore:
Test: fast/multicol/newmulticol/zero-height-columns-oom-crash.html
Multicol sometimes computes <= 0 heights for the columns. For all those cases the code was adjusting them to 1px
values apparently to avoid creating an "infinite" amount of columns. However that adjustment was precisely causing
OOM situations in those cases where there was a relatively large amount of free space. In those cases the code was
creating dozens of thousands of 1px height columns (with all their associated structures) until we run out of memory.
Using zero heights in those cases seems sane because it's already being properly handled in the current code.
* rendering/RenderMultiColumnSet.cpp:
(WebCore::RenderMultiColumnSet::heightAdjustedForSetOffset const): cap negative heights to 0.
LayoutTests:
* fast/multicol/newmulticol/zero-height-columns-oom-crash-expected.txt: Added.
* fast/multicol/newmulticol/zero-height-columns-oom-crash.html: Added.
* imported/blink/fast/pagination/first-letter-inherit-all-crash-expected.txt: Updated expectations.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@271644 268f45cc-cd09-0410-ab3c-d52691b4dbfc
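To make the resource-amplification argument in the log message concrete, here is an added example written for this page; it is not WebKit code. It models the removed and the added clamp line with a plain integer `LayoutUnit`, and pairs them with a hypothetical `columnsNeeded` estimator and a `withinColumnBudget` ceiling so the difference between a 1-unit floor and a 0-unit floor shows up as a column count. The function names, the "1 unit = 1px" simplification, the budget constant and the sample numbers are all constructed for the example.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Toy stand-in for WebCore's LayoutUnit (constructed: 1 unit = 1px here).
using LayoutUnit = int64_t;

// Models the removed line: floor the column height at 1 unit.
LayoutUnit heightAdjustedPreFix(LayoutUnit height, LayoutUnit contentLogicalTop) {
    height -= contentLogicalTop;
    return std::max<LayoutUnit>(height, 1);
}

// Models the added line: floor the column height at 0 instead.
LayoutUnit heightAdjustedPostFix(LayoutUnit height, LayoutUnit contentLogicalTop) {
    height -= contentLogicalTop;
    return std::max<LayoutUnit>(height, 0);
}

// Hypothetical estimator: how many columns would be materialised to page
// `freeSpace` units of content at `columnHeight` units per column.
// A non-positive height means "cannot paginate", so the answer is 0 columns
// rather than a division by zero or an unbounded loop.
size_t columnsNeeded(LayoutUnit freeSpace, LayoutUnit columnHeight) {
    if (columnHeight <= 0 || freeSpace <= 0)
        return 0;
    return static_cast<size_t>((freeSpace + columnHeight - 1) / columnHeight);
}

// Defensive ceiling a layout engine could apply before allocating per-column
// structures; the value is constructed for the example.
constexpr size_t kMaxColumnsBudget = 10000;
bool withinColumnBudget(size_t count) { return count <= kMaxColumnsBudget; }

int main() {
    const LayoutUnit freeSpace = 500000;   // constructed: a tall flow thread
    const LayoutUnit computedHeight = 0;   // the <= 0 case the ChangeLog describes
    const LayoutUnit contentTop = 0;

    LayoutUnit before = heightAdjustedPreFix(computedHeight, contentTop);
    LayoutUnit after = heightAdjustedPostFix(computedHeight, contentTop);

    size_t columnsBefore = columnsNeeded(freeSpace, before);
    size_t columnsAfter = columnsNeeded(freeSpace, after);

    std::printf("pre-fix height %lld -> %zu columns (within budget: %s)\n",
                static_cast<long long>(before), columnsBefore,
                withinColumnBudget(columnsBefore) ? "yes" : "no");
    std::printf("post-fix height %lld -> %zu columns (within budget: %s)\n",
                static_cast<long long>(after), columnsAfter,
                withinColumnBudget(columnsAfter) ? "yes" : "no");
    return 0;
}
```

The point the model makes is that clamping a degenerate height to 1 turns "no usable column height" into "one column per unit of free space", so the amount of work and memory scales with the size of the content rather than with anything the page author controls; clamping to 0 routes the degenerate case to the code path that already knows how to handle it. A budget check of the kind `withinColumnBudget` sketches is the belt-and-braces guard a layout engine can keep regardless of where the clamp sits.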
Diff
Modified: branches/safari-611-branch/LayoutTests/ChangeLog (272249 => 272250)
--- branches/safari-611-branch/LayoutTests/ChangeLog 2021-02-03 01:39:22 UTC (rev 272249)
+++ branches/safari-611-branch/LayoutTests/ChangeLog 2021-02-03 01:39:26 UTC (rev 272250)
@@ -1,5 +1,47 @@
2021-02-02 Alan Coon <[email protected]>
+ Cherry-pick r271644. rdar://problem/73890311
+
+ [css-multicol] OOM with 1px height columns
+ https://bugs.webkit.org/show_bug.cgi?id=220490
+
+ Reviewed by Ryosuke Niwa.
+
+ Source/WebCore:
+
+ Test: fast/multicol/newmulticol/zero-height-columns-oom-crash.html
+
+ Multicol sometimes computes <= 0 heights for the columns. For all those cases the code was adjusting them to 1px
+ values apparently to avoid creating an "infinite" amount of columns. However that adjustment was precisely causing
+ OOM situations in those cases where there was a relatively large amount of free space. In those cases the code was
+ creating dozens of thousands of 1px height columns (with all their associated structures) until we run out of memory.
+
+ Using zero heights in those cases seem sane because it's already being properly handled in the current code.
+
+ * rendering/RenderMultiColumnSet.cpp:
+ (WebCore::RenderMultiColumnSet::heightAdjustedForSetOffset const): cap negative heights to 0.
+
+ LayoutTests:
+
+ * fast/multicol/newmulticol/zero-height-columns-oom-crash-expected.txt: Added.
+ * fast/multicol/newmulticol/zero-height-columns-oom-crash.html: Added.
+ * imported/blink/fast/pagination/first-letter-inherit-all-crash-expected.txt: Updated expectations.
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@271644 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-01-18 Sergio Villar Senin <[email protected]>
+
+ [css-multicol] OOM with 1px height columns
+ https://bugs.webkit.org/show_bug.cgi?id=220490
+
+ Reviewed by Ryosuke Niwa.
+
+ * fast/multicol/newmulticol/zero-height-columns-oom-crash-expected.txt: Added.
+ * fast/multicol/newmulticol/zero-height-columns-oom-crash.html: Added.
+ * imported/blink/fast/pagination/first-letter-inherit-all-crash-expected.txt: Updated expectations.
+
+2021-02-02 Alan Coon <[email protected]>
+
Cherry-pick r271635. rdar://problem/73890109
Elements in a table are incorrectly selected in _javascript_.
Added: branches/safari-611-branch/LayoutTests/fast/multicol/newmulticol/zero-height-columns-oom-crash-expected.txt (0 => 272250)
--- branches/safari-611-branch/LayoutTests/fast/multicol/newmulticol/zero-height-columns-oom-crash-expected.txt (rev 0)
+++ branches/safari-611-branch/LayoutTests/fast/multicol/newmulticol/zero-height-columns-oom-crash-expected.txt 2021-02-03 01:39:26 UTC (rev 272250)
@@ -0,0 +1,3 @@
+* { display: block; writing-mode: vertical-lr; -webkit-column-axis: horizontal; } *::first-letter {}
+if (window.testRunner) testRunner.dumpAsText();
+The test PASS if it does not crash.
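Review bot: the expected output contains the stylesheet text and the script source because the test's universal `* { display: block; ... }` rule also applies to `<style>` and `<script>`, so `testRunner.dumpAsText()` dumps their contents as rendered text. That is a consequence of the deliberately broad selector rather than a mistake, but it makes this expectation brittle: any edit to the style block or the script in the test must be mirrored here, so a one-line comment in the test file saying so would save the next person a confused re-baseline.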
Added: branches/safari-611-branch/LayoutTests/fast/multicol/newmulticol/zero-height-columns-oom-crash.html (0 => 272250)
--- branches/safari-611-branch/LayoutTests/fast/multicol/newmulticol/zero-height-columns-oom-crash.html (rev 0)
+++ branches/safari-611-branch/LayoutTests/fast/multicol/newmulticol/zero-height-columns-oom-crash.html 2021-02-03 01:39:26 UTC (rev 272250)
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<style>
+* {
+ display: block;
+ writing-mode: vertical-lr;
+ -webkit-column-axis: horizontal;
+}
+*::first-letter {}
+</style>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+<p>The test PASS if it does not crash.</p>
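Review bot: the pre-fix failure mode described in the ChangeLog is memory exhaustion ("until we run out of memory"), not a crash, so before this change the test would have surfaced as a timeout or an OOM-killed process rather than a crash signature; it would help to say so in the ChangeLog, since a future regression will look like a hang, not an assertion. The `window.testRunner` guard is the right way to keep the file loadable standalone in a browser. Minor grammar: the `<p>` text reads better as "The test PASSES if it does not crash."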
Modified: branches/safari-611-branch/LayoutTests/imported/blink/fast/pagination/first-letter-inherit-all-crash-expected.txt (272249 => 272250)
--- branches/safari-611-branch/LayoutTests/imported/blink/fast/pagination/first-letter-inherit-all-crash-expected.txt 2021-02-03 01:39:22 UTC (rev 272249)
+++ branches/safari-611-branch/LayoutTests/imported/blink/fast/pagination/first-letter-inherit-all-crash-expected.txt 2021-02-03 01:39:26 UTC (rev 272250)
@@ -2,4 +2,4 @@
PASS if no crash or assertion failure.
-x
+
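Review bot: the ChangeLog only says "Updated expectations" for this file, but the hunk changes rendered text output (the `x` line disappears). The reason should be stated in the ChangeLog, presumably that with the floor lowered to 0 this content no longer lands in a 1px column whose text gets dumped, so that a later change to this expectation can be told apart from the behaviour change intended here.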
Modified: branches/safari-611-branch/Source/WebCore/ChangeLog (272249 => 272250)
--- branches/safari-611-branch/Source/WebCore/ChangeLog 2021-02-03 01:39:22 UTC (rev 272249)
+++ branches/safari-611-branch/Source/WebCore/ChangeLog 2021-02-03 01:39:26 UTC (rev 272250)
@@ -1,5 +1,55 @@
2021-02-02 Alan Coon <[email protected]>
+ Cherry-pick r271644. rdar://problem/73890311
+
+ [css-multicol] OOM with 1px height columns
+ https://bugs.webkit.org/show_bug.cgi?id=220490
+
+ Reviewed by Ryosuke Niwa.
+
+ Source/WebCore:
+
+ Test: fast/multicol/newmulticol/zero-height-columns-oom-crash.html
+
+ Multicol sometimes computes <= 0 heights for the columns. For all those cases the code was adjusting them to 1px
+ values apparently to avoid creating an "infinite" amount of columns. However that adjustment was precisely causing
+ OOM situations in those cases where there was a relatively large amount of free space. In those cases the code was
+ creating dozens of thousands of 1px height columns (with all their associated structures) until we run out of memory.
+
+ Using zero heights in those cases seem sane because it's already being properly handled in the current code.
+
+ * rendering/RenderMultiColumnSet.cpp:
+ (WebCore::RenderMultiColumnSet::heightAdjustedForSetOffset const): cap negative heights to 0.
+
+ LayoutTests:
+
+ * fast/multicol/newmulticol/zero-height-columns-oom-crash-expected.txt: Added.
+ * fast/multicol/newmulticol/zero-height-columns-oom-crash.html: Added.
+ * imported/blink/fast/pagination/first-letter-inherit-all-crash-expected.txt: Updated expectations.
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@271644 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-01-18 Sergio Villar Senin <[email protected]>
+
+ [css-multicol] OOM with 1px height columns
+ https://bugs.webkit.org/show_bug.cgi?id=220490
+
+ Reviewed by Ryosuke Niwa.
+
+ Test: fast/multicol/newmulticol/zero-height-columns-oom-crash.html
+
+ Multicol sometimes computes <= 0 heights for the columns. For all those cases the code was adjusting them to 1px
+ values apparently to avoid creating an "infinite" amount of columns. However that adjustment was precisely causing
+ OOM situations in those cases where there was a relatively large amount of free space. In those cases the code was
+ creating dozens of thousands of 1px height columns (with all their associated structures) until we run out of memory.
+
+ Using zero heights in those cases seem sane because it's already being properly handled in the current code.
+
+ * rendering/RenderMultiColumnSet.cpp:
+ (WebCore::RenderMultiColumnSet::heightAdjustedForSetOffset const): cap negative heights to 0.
+
+2021-02-02 Alan Coon <[email protected]>
+
Cherry-pick r271635. rdar://problem/73890109
Elements in a table are incorrectly selected in _javascript_.
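Review bot: two wording points in the description being cherry-picked: "Using zero heights in those cases seem sane" should read "seems sane", and "dozens of thousands of 1px height columns" is presumably "tens of thousands". More usefully, the sentence "it's already being properly handled in the current code" is the whole safety argument for the change and names no code; naming the call site(s) that consume a zero height would let a reviewer verify it rather than take it on trust.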
Modified: branches/safari-611-branch/Source/WebCore/rendering/RenderMultiColumnSet.cpp (272249 => 272250)
--- branches/safari-611-branch/Source/WebCore/rendering/RenderMultiColumnSet.cpp 2021-02-03 01:39:22 UTC (rev 272249)
+++ branches/safari-611-branch/Source/WebCore/rendering/RenderMultiColumnSet.cpp 2021-02-03 01:39:26 UTC (rev 272250)
@@ -148,7 +148,7 @@
LayoutUnit contentLogicalTop = logicalTop() - multicolBlock.borderAndPaddingBefore();
height -= contentLogicalTop;
- return std::max(height, 1_lu); // Let's avoid zero height, as that would probably cause an infinite amount of columns to be created.
+ return std::max(height, 0_lu);
}
LayoutUnit RenderMultiColumnSet::pageLogicalTopForOffset(LayoutUnit offset) const
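Review bot: the replaced line removes the comment that explained why the 1_lu floor existed, and the new `return std::max(height, 0_lu);` carries no rationale at all, so the next reader has no hint that a zero return is now expected and deliberate. Suggest keeping a comment that states the new invariant and the bug, for example `// A zero height is handled by the callers; clamping to 1_lu created one column per unit of free space (webkit.org/b/220490).` Separately, since `heightAdjustedForSetOffset` can now legitimately return 0, every call site that uses this value as a page or column step (anything that divides by it or loops until it is consumed) must treat 0 as "no columns" rather than as a step size; the ChangeLog asserts this is already the case, and pointing at those call sites in the ChangeLog would make the claim checkable.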
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes