- Revision: 293068
- Author: [email protected]
- Date: 2022-04-19 22:38:05 -0700 (Tue, 19 Apr 2022)
Log Message
Cherry-pick r291281. rdar://problem/90245637
Crash in KeyframeList.cpp:183 in WebCore::KeyframeList::fillImplicitKeyframes
https://bugs.webkit.org/show_bug.cgi?id=237858
Reviewed by Antoine Quint.
Source/WebCore:
When filling implicit keyframes, we iterate through the current keyframes (m_keyframes),
and cache the address of the implicitZeroKeyframe and implicitOneKeyframe.

However, if we're not provided with an existing implicit zero keyframe, we will create a new one
and insert it into the list of current keyframes.

This mutates m_keyframes and the old address for the implicitOneKeyframe would no longer be valid.
Thus we should iterate through the current keyframes, after the insertion, to get the latest address.
Test: animations/fill-implicit-keyframes-crash.html
* rendering/style/KeyframeList.cpp:
(WebCore::KeyframeList::fillImplicitKeyframes):
LayoutTests:
* animations/fill-implicit-keyframes-crash-expected.txt: Added.
* animations/fill-implicit-keyframes-crash.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@291281 268f45cc-cd09-0410-ab3c-d52691b4dbfc
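As an added illustration of the pointer invalidation the log message describes (example code written for this page, not WebKit's KeyframeList; the Keyframe struct, a std::vector standing in for m_keyframes, the sample keyframes, and the simplified addImplicitKeyframe/findKeyframeAt/missingAt helpers are all assumptions), the following models the fill step with the fixed ordering and shows that a pointer to the 100% keyframe taken before the 0% insertion no longer points at that element afterwards:

```cpp
#include <algorithm>
#include <cstdint>
#include <set>
#include <string>
#include <vector>

// Simplified stand-in for WebCore's KeyframeValue (constructed for this example):
// an offset in [0, 1] and the CSS properties the keyframe sets, by name.
struct Keyframe {
    double key;
    std::set<std::string> properties;
};

// Stand-in for KeyframeList::m_keyframes: a std::vector kept sorted by key.
using KeyframeList = std::vector<Keyframe>;

// Inserts `kf` at its sorted position. vector::insert shifts every later element
// (or reallocates the whole buffer), which is what invalidates any Keyframe*
// taken before the call.
Keyframe& insertSorted(KeyframeList& frames, Keyframe kf)
{
    auto pos = std::upper_bound(frames.begin(), frames.end(), kf.key,
        [](double k, const Keyframe& f) { return k < f.key; });
    return *frames.insert(pos, std::move(kf));
}

// Returns the keyframe sitting exactly at `key`, or nullptr if there is none.
Keyframe* findKeyframeAt(KeyframeList& frames, double key)
{
    for (auto& f : frames) {
        if (f.key == key)
            return &f;
    }
    return nullptr;
}

// Properties the animation touches but the boundary keyframe at `key` does not
// set (simplified model of zero/oneKeyframeImplicitProperties).
std::set<std::string> missingAt(const KeyframeList& frames, double key, const std::set<std::string>& animated)
{
    std::set<std::string> missing = animated;
    for (const auto& f : frames) {
        if (f.key == key) {
            for (const auto& p : f.properties)
                missing.erase(p);
        }
    }
    return missing;
}

// Merges `missing` into the existing boundary keyframe when there is one,
// otherwise inserts a fresh keyframe (simplified model of addImplicitKeyframe).
void addImplicitKeyframe(KeyframeList& frames, double key, const std::set<std::string>& missing, Keyframe* existing)
{
    if (missing.empty())
        return;
    if (existing) {
        existing->properties.insert(missing.begin(), missing.end());
        return;
    }
    insertSorted(frames, Keyframe { key, missing });
}

// Fixed ordering, mirroring r291281: the 100% keyframe is looked up only after
// the 0% insertion is done, so no pointer into `frames` survives a mutation.
void fillImplicitKeyframes(KeyframeList& frames, const std::set<std::string>& animated)
{
    std::set<std::string> zeroMissing = missingAt(frames, 0, animated);
    std::set<std::string> oneMissing = missingAt(frames, 1, animated);

    addImplicitKeyframe(frames, 0, zeroMissing, findKeyframeAt(frames, 0));
    // Any Keyframe* obtained before this point may now dangle; re-scan instead.
    addImplicitKeyframe(frames, 1, oneMissing, findKeyframeAt(frames, 1));
}

// The hazard the fix removes: the address of the key == 1 element taken before a
// front insertion, compared as an integer (never dereferenced) with its address
// afterwards. Returns true when the element moved, i.e. the cached pointer is stale.
bool pointerMovesAfterInsert(KeyframeList frames)
{
    auto before = reinterpret_cast<std::uintptr_t>(findKeyframeAt(frames, 1));
    insertSorted(frames, Keyframe { 0, { "scale" } });
    auto after = reinterpret_cast<std::uintptr_t>(findKeyframeAt(frames, 1));
    return before != after;
}

// Constructed input modelled on the regression test: a 10% keyframe setting only
// `scale`, later keyframes (including 100%) setting only `background`, no 0%.
KeyframeList sampleKeyframes()
{
    return { { 0.10, { "scale" } }, { 0.11, { "background" } }, { 0.24, { "background" } }, { 1.0, { "background" } } };
}

// Runs the fill over the sample with both animated properties and returns the result.
KeyframeList filledSample()
{
    KeyframeList frames = sampleKeyframes();
    fillImplicitKeyframes(frames, { "scale", "background" });
    return frames;
}

// True when the keyframe at `key` sets `property`.
bool keyframeSets(const KeyframeList& frames, double key, const std::string& property)
{
    for (const auto& f : frames) {
        if (f.key == key)
            return f.properties.count(property) == 1;
    }
    return false;
}
```

With the original ordering, dereferencing the cached pointer after the 0% insertion is a heap use-after-free when std::vector reallocates (AddressSanitizer flags it) and a silent read of whichever element shifted into that slot when it does not; re-resolving after the insertion, as the patch does, or holding an index instead of a pointer removes both outcomes.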
Diff
Modified: branches/safari-613-branch/LayoutTests/ChangeLog (293067 => 293068)
--- branches/safari-613-branch/LayoutTests/ChangeLog 2022-04-20 05:38:01 UTC (rev 293067)
+++ branches/safari-613-branch/LayoutTests/ChangeLog 2022-04-20 05:38:05 UTC (rev 293068)
@@ -1,3 +1,46 @@
+2022-04-19 Alan Coon <[email protected]>
+
+ Cherry-pick r291281. rdar://problem/90245637
+
+ Crash in KeyframeList.cpp:183 in WebCore::KeyframeList::fillImplicitKeyframes
+ https://bugs.webkit.org/show_bug.cgi?id=237858
+
+ Reviewed by Antoine Quint.
+
+ Source/WebCore:
+
+ When filling implicit key frames, we iterate through the current keyframes (m_keyframes),
+ and cache the address of the implicitZeroKeyframe and implicitOneKeyframe.
+
+ However, if we're not provided with an existing implicit zero keyframe, we will create a new one
+ and insert it to the list of current keyframes.
+
+ This mutates m_keyframes and the old address for the implicitOneKeyframe would no longer be valid.
+ Thus we should iterate through the current keyframes, after the insertion, to get the latest address.
+
+ Test: animations/fill-implicit-keyframes-crash.html
+
+ * rendering/style/KeyframeList.cpp:
+ (WebCore::KeyframeList::fillImplicitKeyframes):
+
+ LayoutTests:
+
+ * animations/fill-implicit-keyframes-crash-expected.txt: Added.
+ * animations/fill-implicit-keyframes-crash.html: Added.
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@291281 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2022-03-15 Gabriel Nava Marino <[email protected]>
+
+ Crash in KeyframeList.cpp:183 in WebCore::KeyframeList::fillImplicitKeyframes
+ https://bugs.webkit.org/show_bug.cgi?id=237858
+
+ Reviewed by Antoine Quint.
+
+ * animations/fill-implicit-keyframes-crash-expected.txt: Added.
+ * animations/fill-implicit-keyframes-crash.html: Added.
+
2022-04-18 Kocsen Chung <[email protected]>
Cherry-pick r292858. rdar://problem/90699078
Added: branches/safari-613-branch/LayoutTests/animations/fill-implicit-keyframes-crash-expected.txt (0 => 293068)
--- branches/safari-613-branch/LayoutTests/animations/fill-implicit-keyframes-crash-expected.txt (rev 0)
+++ branches/safari-613-branch/LayoutTests/animations/fill-implicit-keyframes-crash-expected.txt 2022-04-20 05:38:05 UTC (rev 293068)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: This test passes if it does not crash.
+
Added: branches/safari-613-branch/LayoutTests/animations/fill-implicit-keyframes-crash.html (0 => 293068)
--- branches/safari-613-branch/LayoutTests/animations/fill-implicit-keyframes-crash.html (rev 0)
+++ branches/safari-613-branch/LayoutTests/animations/fill-implicit-keyframes-crash.html 2022-04-20 05:38:05 UTC (rev 293068)
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<style>
+ body {
+ animation-name: a0;
+ animation-duration: 100ms
+ }
+ @keyframes a0 {
+ 10% {
+ scale: 1
+ }
+ 11%, 12%, 13%, 14%, 15%, 16%, 17%, 18%, 19%, 20%, 21%, 22%, 23%, 24%, 100% {
+ background: blue
+ }
+
+ }
+</style>
+<script>
+ _onload_ = () => {
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ console.log("This test passes if it does not crash.");
+ }
+</script>
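Review bot: `_onload_ = () => {` assigns the arrow function to a global named `_onload_`, not to `window.onload`, so the handler never fires, `testRunner.dumpAsText()` is never called, and the "This test passes if it does not crash." line the expected file requires is never logged. If the underscores are an artifact of how this page rendered `onload`, disregard; otherwise change the line to `onload = () => {`.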
Modified: branches/safari-613-branch/Source/WebCore/ChangeLog (293067 => 293068)
--- branches/safari-613-branch/Source/WebCore/ChangeLog 2022-04-20 05:38:01 UTC (rev 293067)
+++ branches/safari-613-branch/Source/WebCore/ChangeLog 2022-04-20 05:38:05 UTC (rev 293068)
@@ -1,5 +1,59 @@
2022-04-19 Alan Coon <[email protected]>
+ Cherry-pick r291281. rdar://problem/90245637
+
+ Crash in KeyframeList.cpp:183 in WebCore::KeyframeList::fillImplicitKeyframes
+ https://bugs.webkit.org/show_bug.cgi?id=237858
+
+ Reviewed by Antoine Quint.
+
+ Source/WebCore:
+
+ When filling implicit key frames, we iterate through the current keyframes (m_keyframes),
+ and cache the address of the implicitZeroKeyframe and implicitOneKeyframe.
+
+ However, if we're not provided with an existing implicit zero keyframe, we will create a new one
+ and insert it to the list of current keyframes.
+
+ This mutates m_keyframes and the old address for the implicitOneKeyframe would no longer be valid.
+ Thus we should iterate through the current keyframes, after the insertion, to get the latest address.
+
+ Test: animations/fill-implicit-keyframes-crash.html
+
+ * rendering/style/KeyframeList.cpp:
+ (WebCore::KeyframeList::fillImplicitKeyframes):
+
+ LayoutTests:
+
+ * animations/fill-implicit-keyframes-crash-expected.txt: Added.
+ * animations/fill-implicit-keyframes-crash.html: Added.
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@291281 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2022-03-15 Gabriel Nava Marino <[email protected]>
+
+ Crash in KeyframeList.cpp:183 in WebCore::KeyframeList::fillImplicitKeyframes
+ https://bugs.webkit.org/show_bug.cgi?id=237858
+
+ Reviewed by Antoine Quint.
+
+ When filling implicit key frames, we iterate through the current keyframes (m_keyframes),
+ and cache the address of the implicitZeroKeyframe and implicitOneKeyframe.
+
+ However, if we're not provided with an existing implicit zero keyframe, we will create a new one
+ and insert it to the list of current keyframes.
+
+ This mutates m_keyframes and the old address for the implicitOneKeyframe would no longer be valid.
+ Thus we should iterate through the current keyframes, after the insertion, to get the latest address.
+
+ Test: animations/fill-implicit-keyframes-crash.html
+
+ * rendering/style/KeyframeList.cpp:
+ (WebCore::KeyframeList::fillImplicitKeyframes):
+
+2022-04-19 Alan Coon <[email protected]>
+
Cherry-pick r290201. rdar://problem/88672183
REGRESSION (r287524): hihello.me does not show sliding sheet at the bottom of the page
Modified: branches/safari-613-branch/Source/WebCore/rendering/style/KeyframeList.cpp (293067 => 293068)
--- branches/safari-613-branch/Source/WebCore/rendering/style/KeyframeList.cpp 2022-04-20 05:38:01 UTC (rev 293067)
+++ branches/safari-613-branch/Source/WebCore/rendering/style/KeyframeList.cpp 2022-04-20 05:38:05 UTC (rev 293068)
@@ -168,11 +168,6 @@
zeroKeyframeImplicitProperties.remove(cssPropertyId);
if (!implicitZeroKeyframe && isSuitableKeyframeForImplicitValues(keyframe))
implicitZeroKeyframe = &keyframe;
- } else if (keyframe.key() == 1) {
- for (auto cssPropertyId : keyframe.properties())
- oneKeyframeImplicitProperties.remove(cssPropertyId);
- if (!implicitOneKeyframe && isSuitableKeyframeForImplicitValues(keyframe))
- implicitOneKeyframe = &keyframe;
}
}
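Review bot: with the `keyframe.key() == 1` branch removed, `implicitZeroKeyframe = &keyframe;` is the only raw pointer into `m_keyframes` still captured in this loop, and it remains valid only because `addImplicitKeyframe(0, ...)` consumes it before anything is inserted. A one-line comment at that assignment saying so would keep a later change from reintroducing the pattern this patch fixes.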
@@ -202,6 +197,16 @@
if (!zeroKeyframeImplicitProperties.isEmpty())
addImplicitKeyframe(0, zeroKeyframeImplicitProperties, zeroPercentKeyframe(), implicitZeroKeyframe);
+
+ for (auto& keyframe : m_keyframes) {
+ if (keyframe.key() == 1) {
+ for (auto cssPropertyId : keyframe.properties())
+ oneKeyframeImplicitProperties.remove(cssPropertyId);
+ if (!implicitOneKeyframe && isSuitableKeyframeForImplicitValues(keyframe))
+ implicitOneKeyframe = &keyframe;
+ }
+ }
+
if (!oneKeyframeImplicitProperties.isEmpty())
addImplicitKeyframe(1, oneKeyframeImplicitProperties, hundredPercentKeyframe(), implicitOneKeyframe);
}
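Review bot: the placement of the new loop is load-bearing, but nothing in the hunk says why it must follow `addImplicitKeyframe(0, zeroKeyframeImplicitProperties, ...)`; add a comment noting that the 0% insertion can reallocate `m_keyframes` and invalidate any earlier `&keyframe`. Storing an index instead of `implicitOneKeyframe = &keyframe;` and resolving it immediately before `addImplicitKeyframe(1, ...)` would make the same point in code rather than in ordering. The branch body is a verbatim copy of the removed `key() == 1` block, so the two passes could share a small helper.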