Title: [275164] trunk
- Revision: 275164
- Author: [email protected]
- Date: 2021-03-29 10:34:55 -0700 (Mon, 29 Mar 2021)
Log Message
Release assert in Vector::at in RenderLayoutState::establishLineGrid
Source/WebCore:
https://bugs.webkit.org/show_bug.cgi?id=223368
Patch by Frédéric Wang <[email protected]> on 2021-03-29
Reviewed by Zalan Bujtas.
Fix out-of-bound access for layoutStateStack and ensure the whole vector is browsed.
Test: fast/line-grid/establish-line-grid-crash.html
* rendering/RenderLayoutState.cpp:
(WebCore::RenderLayoutState::establishLineGrid): Fix the exit condition.
LayoutTests:
https://bugs.webkit.org/show_bug.cgi?id=223362
Patch by Frédéric Wang <[email protected]> on 2021-03-29
Reviewed by Zalan Bujtas.
Add regression test.
* fast/line-grid/establish-line-grid-crash-expected.txt: Added.
* fast/line-grid/establish-line-grid-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (275163 => 275164)
--- trunk/LayoutTests/ChangeLog 2021-03-29 17:21:03 UTC (rev 275163)
+++ trunk/LayoutTests/ChangeLog 2021-03-29 17:34:55 UTC (rev 275164)
@@ -1,3 +1,15 @@
+2021-03-29 Frédéric Wang <[email protected]>
+
+ Release assert in Vector::at in RenderLayoutState::establishLineGrid
+ https://bugs.webkit.org/show_bug.cgi?id=223362
+
+ Reviewed by Zalan Bujtas.
+
+ Add regression test.
+
+ * fast/line-grid/establish-line-grid-crash-expected.txt: Added.
+ * fast/line-grid/establish-line-grid-crash.html: Added.
+
2021-03-28 Antoine Quint <[email protected]>
Add support for animating the vertical-align CSS property
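Review bot: The bug URL added in this entry, `https://bugs.webkit.org/show_bug.cgi?id=223362`, does not match the Source/WebCore ChangeLog entry for the same change, which cites `id=223368`. Both entries carry the same title and reviewer, so one of the two ids looks like a typo. Use the same bug id in both entries so the regression test can be traced back to the fix.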
Added: trunk/LayoutTests/fast/line-grid/establish-line-grid-crash-expected.txt (0 => 275164)
--- trunk/LayoutTests/fast/line-grid/establish-line-grid-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/line-grid/establish-line-grid-crash-expected.txt 2021-03-29 17:34:55 UTC (rev 275164)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: This test passes if it does not crash.
+:first-child { display: inline-block; -webkit-line-grid: b; } div { -webkit-line-grid: a; } div, head { min-height: calc(1px + 0%); }
+
Added: trunk/LayoutTests/fast/line-grid/establish-line-grid-crash.html (0 => 275164)
--- trunk/LayoutTests/fast/line-grid/establish-line-grid-crash.html (rev 0)
+++ trunk/LayoutTests/fast/line-grid/establish-line-grid-crash.html 2021-03-29 17:34:55 UTC (rev 275164)
@@ -0,0 +1,22 @@
+<style>
+ :first-child {
+ display: inline-block;
+ -webkit-line-grid: b;
+ }
+ div {
+ -webkit-line-grid: a;
+ }
+ div, head {
+ min-height: calc(1px + 0%);
+ }
+</style>
+<script>
+ _onload_ = () => {
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ console.log('This test passes if it does not crash.');
+ document.head.appendChild(document.createElement('div'));
+ document.execCommand('SelectAll');
+ };
+</script>
+<div></div>
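Review bot: The first line of the script assigns the handler to `_onload_`, which as shown creates a plain global rather than setting the window `onload` handler, so `dumpAsText()`, the `console.log` and the `appendChild`/`SelectAll` sequence would never run. The test would then neither print the console message that establish-line-grid-crash-expected.txt requires nor reach `RenderLayoutState::establishLineGrid`. The assignment should read `onload = () => {`. A one-line comment naming the bug and explaining why a `div` is appended to `head` before `SelectAll` would also help whoever has to triage this test later.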
Modified: trunk/Source/WebCore/ChangeLog (275163 => 275164)
--- trunk/Source/WebCore/ChangeLog 2021-03-29 17:21:03 UTC (rev 275163)
+++ trunk/Source/WebCore/ChangeLog 2021-03-29 17:34:55 UTC (rev 275164)
@@ -1,3 +1,17 @@
+2021-03-29 Frédéric Wang <[email protected]>
+
+ Release assert in Vector::at in RenderLayoutState::establishLineGrid
+ https://bugs.webkit.org/show_bug.cgi?id=223368
+
+ Reviewed by Zalan Bujtas.
+
+ Fix out-of-bound access for layoutStateStack and ensure the whole vector is browsed.
+
+ Test: fast/line-grid/establish-line-grid-crash.html
+
+ * rendering/RenderLayoutState.cpp:
+ (WebCore::RenderLayoutState::establishLineGrid): Fix the exit condition.
+
2021-03-28 Simon Fraser <[email protected]>
Plumb DisplayUpdate through the display refresh monitors
Modified: trunk/Source/WebCore/rendering/RenderLayoutState.cpp (275163 => 275164)
--- trunk/Source/WebCore/rendering/RenderLayoutState.cpp 2021-03-29 17:21:03 UTC (rev 275163)
+++ trunk/Source/WebCore/rendering/RenderLayoutState.cpp 2021-03-29 17:34:55 UTC (rev 275164)
@@ -232,7 +232,7 @@
if (m_lineGrid->style().lineGrid() == renderer.style().lineGrid())
return;
auto* currentGrid = m_lineGrid.get();
- for (int i = layoutStateStack.size() - 1; i <= 0; --i) {
+ for (int i = layoutStateStack.size() - 1; i >= 0; --i) {
auto& currentState = *layoutStateStack[i].get();
if (currentState.m_lineGrid == currentGrid)
continue;
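Review bot: The corrected loop header `for (int i = layoutStateStack.size() - 1; i >= 0; --i)` still stores an unsigned size minus one in an `int`, so the empty-stack case depends on the wrapped value converting to -1, and a size above INT_MAX would be truncated. With the old `i <= 0` condition the body ran only for a stack of size 0 or 1 and then indexed `layoutStateStack[-1]`, which is the release assert in `Vector::at` named in the log message. That shows how fragile hand-written index arithmetic is here. Consider `for (size_t i = layoutStateStack.size(); i--; )` or a reverse iteration over the vector, so there is no signed index that can go out of bounds.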