Title: [129144] trunk/Source/WebCore
- Revision
- 129144
- Author
- [email protected]
- Date
- 2012-09-20 11:20:26 -0700 (Thu, 20 Sep 2012)
Log Message
Prevent reading stale data from InlineTextBoxes
https://bugs.webkit.org/show_bug.cgi?id=94750
Reviewed by Eric Seidel.
Text from dirty InlineTextBoxes should never be read or used. This change enforces this
design goal by forcefully zero-ing out the start and length of InlineTextBoxes when
they're being marked dirty. It also adds asserts to accessors for those members.
This change involves making markDirty virtual. Running the line-layout performance test
as well as profiling resizing the html5 spec showed negligible impact with this change.
No new tests as this doesn't change any proper behavior.
* rendering/InlineBox.h:
(WebCore::InlineBox::markDirty): Making virtual to allow InlineTextBox to overload and
zero out its start and length.
* rendering/InlineTextBox.cpp:
(WebCore::InlineTextBox::markDirty): Zeroing out start and length when we mark the box dirty.
* rendering/InlineTextBox.h:
(WebCore::InlineTextBox::start): Adding an assert when we hit this case.
(WebCore::InlineTextBox::end): Ditto.
(WebCore::InlineTextBox::len): Ditto.
(WebCore::InlineTextBox::offsetRun): Ditto.
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (129143 => 129144)
--- trunk/Source/WebCore/ChangeLog 2012-09-20 18:11:19 UTC (rev 129143)
+++ trunk/Source/WebCore/ChangeLog 2012-09-20 18:20:26 UTC (rev 129144)
@@ -1,3 +1,30 @@
+2012-09-20 Levi Weintraub <[email protected]>
+
+ Prevent reading stale data from InlineTextBoxes
+ https://bugs.webkit.org/show_bug.cgi?id=94750
+
+ Reviewed by Eric Seidel.
+
+ Text from dirty InlineTextBoxes should never be read or used. This change enforces this
+ design goal by forcefully zero-ing out the start and length of InlineTextBoxes when
+ they're being marked dirty. It also adds asserts to accessors for those members.
+
+ This change involves making markDirty virtual. Running the line-layout performance test
+ as well as profiling resizing the html5 spec showed negligable impact with this change.
+
+ No new tests as this doesn't change any proper behavior.
+
+ * rendering/InlineBox.h:
+ (WebCore::InlineBox::markDirty): Making virtual to allow InlineTextBox to overload and
+ zero out its start and length.
+ * rendering/InlineTextBox.cpp:
+ (WebCore::InlineTextBox::markDirty): Zeroing out start and length when we mark the box dirty.
+ * rendering/InlineTextBox.h:
+ (WebCore::InlineTextBox::start): Adding an assert when we hit this case.
+ (WebCore::InlineTextBox::end): Ditto.
+ (WebCore::InlineTextBox::len): Ditto.
+ (WebCore::InlineTextBox::offsetRun): Ditto.
+
2012-09-20 Mike West <[email protected]>
Support paths in Content Security Policy directives.
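Review bot: Spelling nit in the new ChangeLog entry: "negligable" in the sentence "Running the line-layout performance test as well as profiling resizing the html5 spec showed negligable impact with this change." should read "negligible". It would also help future readers if the entry named which accessors now assert on a dirty box (start, end, len, offsetRun are listed, but setStart and setLen deliberately are not), since that asymmetry is the contract the rest of the patch relies on.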
Modified: trunk/Source/WebCore/rendering/InlineBox.h (129143 => 129144)
--- trunk/Source/WebCore/rendering/InlineBox.h 2012-09-20 18:11:19 UTC (rev 129143)
+++ trunk/Source/WebCore/rendering/InlineBox.h 2012-09-20 18:20:26 UTC (rev 129144)
@@ -262,7 +262,7 @@
virtual void clearTruncation() { }
bool isDirty() const { return m_bitfields.dirty(); }
- void markDirty(bool dirty = true) { m_bitfields.setDirty(dirty); }
+ virtual void markDirty(bool dirty = true) { m_bitfields.setDirty(dirty); }
virtual void dirtyLineBoxes();
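Review bot: Making markDirty virtual changes it from an inlined bitfield store into an indirect call on every dirtying path; the ChangeLog says profiling showed this is negligible, and since InlineBox already has virtuals in this region (clearTruncation, dirtyLineBoxes) no new vtable is introduced, so that claim is plausible. A one-line comment next to `virtual void markDirty(bool dirty = true) { m_bitfields.setDirty(dirty); }` stating that overrides must call the base implementation would prevent a future subclass from overriding it and silently leaving the dirty bit unset, which would defeat the isDirty() asserts added in InlineTextBox.h.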
Modified: trunk/Source/WebCore/rendering/InlineTextBox.cpp (129143 => 129144)
--- trunk/Source/WebCore/rendering/InlineTextBox.cpp 2012-09-20 18:11:19 UTC (rev 129143)
+++ trunk/Source/WebCore/rendering/InlineTextBox.cpp 2012-09-20 18:20:26 UTC (rev 129144)
@@ -64,6 +64,15 @@
InlineBox::destroy(arena);
}
+void InlineTextBox::markDirty(bool dirty)
+{
+ if (dirty) {
+ m_len = 0;
+ m_start = 0;
+ }
+ InlineBox::markDirty(dirty);
+}
+
LayoutRect InlineTextBox::logicalOverflowRect() const
{
if (knownToHaveNoOverflow() || !gTextBoxesWithOverflow)
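Review bot: The override clears m_len and m_start only on the `if (dirty)` branch, so a box that is later re-marked clean via markDirty(false) without going through setStart/setLen will pass the new `ASSERT(!isDirty())` checks while reporting a zero-length run at offset 0. That is a safer failure than reading stale offsets into the text node, but it is silent. Consider a brief comment here documenting that callers of markDirty(false) are expected to have re-initialised start and length first, or an assertion on the clean path if an invariant exists that makes that checkable.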
Modified: trunk/Source/WebCore/rendering/InlineTextBox.h (129143 => 129144)
--- trunk/Source/WebCore/rendering/InlineTextBox.h 2012-09-20 18:11:19 UTC (rev 129143)
+++ trunk/Source/WebCore/rendering/InlineTextBox.h 2012-09-20 18:20:26 UTC (rev 129144)
@@ -64,17 +64,19 @@
void setNextTextBox(InlineTextBox* n) { m_nextTextBox = n; }
void setPreviousTextBox(InlineTextBox* p) { m_prevTextBox = p; }
- unsigned start() const { return m_start; }
- unsigned end() const { return m_len ? m_start + m_len - 1 : m_start; }
- unsigned len() const { return m_len; }
+ unsigned start() const { ASSERT(!isDirty()); return m_start; }
+ unsigned end() const { ASSERT(!isDirty()); return m_len ? m_start + m_len - 1 : m_start; }
+ unsigned len() const { ASSERT(!isDirty()); return m_len; }
void setStart(unsigned start) { m_start = start; }
void setLen(unsigned len) { m_len = len; }
- void offsetRun(int d) { m_start += d; }
+ void offsetRun(int d) { ASSERT(!isDirty()); m_start += d; }
unsigned short truncation() { return m_truncation; }
+ virtual void markDirty(bool dirty = true) OVERRIDE;
+
using InlineBox::hasHyphen;
using InlineBox::setHasHyphen;
using InlineBox::canHaveLeadingExpansion;
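Review bot: ASSERT is compiled out in release builds, so the runtime protection in shipping code comes from the zeroing in markDirty rather than from these checks: a read from a dirty box now yields start 0 / len 0 instead of an out-of-date range, which keeps any index derived from `end()` (`m_len ? m_start + m_len - 1 : m_start`) at 0 rather than pointing into text that may have been replaced. Worth stating that in a comment above `unsigned start() const { ASSERT(!isDirty()); return m_start; }`, together with the reason setStart and setLen intentionally carry no assert (they are the path that re-initialises a dirty box) while offsetRun does, since offsetRun adjusts an existing value and must not operate on a zeroed one.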
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes