Title: [129189] trunk
Revision
129189
Author
[email protected]
Date
2012-09-20 21:15:18 -0700 (Thu, 20 Sep 2012)

Log Message

Source/WebCore: Fix use-after-free when using a variable to specify a -webkit-filter.
https://bugs.webkit.org/show_bug.cgi?id=97153

Reviewed by Abhishek Arya.

Make StyleResolver's m_pendingSVGDocuments a hashmap of RefPtr instead of raw pointers such that the document values cannot be freed prematurely.
Present assumption is that storing raw pointers is ok because CSSValues will live as long as the StyleResolver instance, however that is no longer
true when variables are used, so we must ensure we increment the reference counter to ensure the CSSValues are not freed prematurely.

Test: fast/css/variables/var-filter.html

* css/StyleResolver.cpp:
(WebCore::StyleResolver::collectMatchingRulesForList):
* css/StyleResolver.h:
(StyleResolver):

LayoutTests: Fix bug when using a variable to specify a -webkit-filter.
https://bugs.webkit.org/show_bug.cgi?id=97153

Reviewed by Abhishek Arya.

Use a variable in a -webkit-filter css property.

* fast/css/variables/var-filter-expected.txt: Added.
* fast/css/variables/var-filter.html: Added.

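The lifetime problem the log message describes, as an added illustration that is not WebCore code: RefCounted, RefPtr and SVGDocumentValue below are simplified stand-ins for WebKit's RefCounted, RefPtr and WebKitCSSSVGDocumentValue, std::map stands in for WTF::HashMap, and the two resolver structs are hypothetical reductions of the pre-fix and post-fix shapes of m_pendingSVGDocuments. A value produced while resolving a CSS variable is owned only by a local RefPtr, so a raw pointer stored in the map outlives the object; a RefPtr value keeps it alive. The stale pointer is never dereferenced; a live-instance counter is used to observe the free instead.

```cpp
// Added illustration of the lifetime bug in the log message above; not WebCore
// code. RefCounted, RefPtr and SVGDocumentValue are simplified stand-ins for
// WebKit's RefCounted, RefPtr and WebKitCSSSVGDocumentValue; std::map stands in
// for WTF::HashMap.
#include <cstddef>
#include <cstdio>
#include <map>
#include <utility>

class RefCounted {
public:
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }
protected:
    RefCounted() : m_refCount(0) { }
    virtual ~RefCounted() { }
private:
    unsigned m_refCount;
};

template<typename T> class RefPtr {
public:
    RefPtr() : m_ptr(nullptr) { }
    RefPtr(T* ptr) : m_ptr(ptr) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& other) : m_ptr(other.m_ptr) { if (m_ptr) m_ptr->ref(); }
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    RefPtr& operator=(const RefPtr& other) { RefPtr copy(other); std::swap(m_ptr, copy.m_ptr); return *this; }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
private:
    T* m_ptr;
};

// liveCount lets the checks observe destruction without touching freed memory.
class SVGDocumentValue : public RefCounted {
public:
    static size_t liveCount;
    SVGDocumentValue() { ++liveCount; }
    virtual ~SVGDocumentValue() { --liveCount; }
    bool load() const { return true; } // the real value would start a fetch here
};
size_t SVGDocumentValue::liveCount = 0;

struct FilterOperation { }; // key only; as in WebCore the map does not own it

// Pre-fix layout: raw pointer values, on the assumption that every CSSValue
// outlives the resolver. A value synthesised while resolving a CSS variable is
// owned only by the local RefPtr, so the assumption fails.
struct RawPointerResolver {
    std::map<FilterOperation*, SVGDocumentValue*> pendingSVGDocuments;
    void resolveFromVariable(FilterOperation* op)
    {
        RefPtr<SVGDocumentValue> value(new SVGDocumentValue);
        pendingSVGDocuments[op] = value.get();
        // 'value' dies here: refcount 1 -> 0, object freed, map entry dangles.
    }
};

// Post-fix layout: RefPtr values hold a reference as long as the entry exists.
struct RefPtrResolver {
    std::map<FilterOperation*, RefPtr<SVGDocumentValue> > pendingSVGDocuments;
    void resolveFromVariable(FilterOperation* op)
    {
        RefPtr<SVGDocumentValue> value(new SVGDocumentValue);
        pendingSVGDocuments[op] = value; // refcount 2, back to 1 when 'value' dies
    }
    // Lookup site: taking a RefPtr rather than a raw pointer keeps the value
    // alive even when the entry is removed before the load runs.
    bool loadPending(FilterOperation* op)
    {
        auto it = pendingSVGDocuments.find(op);
        if (it == pendingSVGDocuments.end())
            return false;
        RefPtr<SVGDocumentValue> value = it->second;
        pendingSVGDocuments.erase(it);
        return value->load();
    }
};

// True when the raw-pointer map is left pointing at an already freed object.
// Only the counters are read; the stale pointer itself is never dereferenced.
bool rawPointerMapDangles()
{
    FilterOperation op;
    RawPointerResolver resolver;
    resolver.resolveFromVariable(&op);
    return resolver.pendingSVGDocuments.count(&op) == 1 && SVGDocumentValue::liveCount == 0;
}

// True when the RefPtr map keeps the value alive until it is loaded.
bool refPtrMapKeepsValueAlive()
{
    FilterOperation op;
    RefPtrResolver resolver;
    resolver.resolveFromVariable(&op);
    bool aliveAfterResolve = SVGDocumentValue::liveCount == 1;
    return aliveAfterResolve && resolver.loadPending(&op);
}

int main()
{
    std::printf("raw pointer map dangles: %d\n", rawPointerMapDangles());
    std::printf("RefPtr map keeps value alive: %d\n", refPtrMapKeepsValueAlive());
    return 0;
}
```

The raw-pointer case is exactly the shape ASan flags as a heap-use-after-free once the lookup site dereferences the entry; here the dereference is deliberately omitted so the program stays well defined and the effect is visible through the counter alone.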
Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (129188 => 129189)


--- trunk/LayoutTests/ChangeLog	2012-09-21 04:00:21 UTC (rev 129188)
+++ trunk/LayoutTests/ChangeLog	2012-09-21 04:15:18 UTC (rev 129189)
@@ -1,3 +1,15 @@
+2012-09-20  Luke Macpherson   <[email protected]>
+
+        Fix bug when using a variable to specify a -webkit-filter.
+        https://bugs.webkit.org/show_bug.cgi?id=97153
+
+        Reviewed by Abhishek Arya.
+
+        Use a variable in a -webkit-filter css property.
+
+        * fast/css/variables/var-filter-expected.txt: Added.
+        * fast/css/variables/var-filter.html: Added.
+
 2012-09-20  Noel Gordon  <[email protected]>
 
         Unreviewed test expectations edit.

Added: trunk/LayoutTests/fast/css/variables/var-filter-expected.txt (0 => 129189)


--- trunk/LayoutTests/fast/css/variables/var-filter-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/css/variables/var-filter-expected.txt	2012-09-21 04:15:18 UTC (rev 129189)
@@ -0,0 +1 @@
+This test is successful if it does not crash.

Added: trunk/LayoutTests/fast/css/variables/var-filter.html (0 => 129189)


--- trunk/LayoutTests/fast/css/variables/var-filter.html	                        (rev 0)
+++ trunk/LayoutTests/fast/css/variables/var-filter.html	2012-09-21 04:15:18 UTC (rev 129189)
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+internals.settings.setCSSVariablesEnabled(true);
+</script>
+<style>
+body {
+  -webkit-var-a: url(1);
+  -webkit-filter: -webkit-var(a);
+}
+</style>
+This test is successful if it does not crash.
+</html>
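Review bot: `internals.settings.setCSSVariablesEnabled(true)` is called unguarded while `testRunner` on the line above it is guarded with `if (window.testRunner)`; opened outside the test harness the script throws a ReferenceError, variables stay disabled, and the crash path the test exists for is never exercised. Guard it the same way (`if (window.internals) internals.settings.setCSSVariablesEnabled(true);`). Since the only pass condition is "does not crash", the regression is also only caught when the freed access actually faults, so this test mainly pays off on ASan or debug builds.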

Modified: trunk/Source/WebCore/ChangeLog (129188 => 129189)


--- trunk/Source/WebCore/ChangeLog	2012-09-21 04:00:21 UTC (rev 129188)
+++ trunk/Source/WebCore/ChangeLog	2012-09-21 04:15:18 UTC (rev 129189)
@@ -1,3 +1,21 @@
+2012-09-20  Luke Macpherson   <[email protected]>
+
+        Fix use-after free when using a variable to specify a -webkit-filter.
+        https://bugs.webkit.org/show_bug.cgi?id=97153
+
+        Reviewed by Abhishek Arya.
+
+        Make StyleResolver's m_pendingSVGDocuments a hashmap of RefPtr instead of raw pointers such that the document values cannot be freed prematurely.
+        Present assumption is that storing raw pointers is ok because CSSValues will live as long as the StyleResolver instance, however that it no longer
+        true when variables are used, so we must ensure we increment the reference counter to ensure the CSSValues are not freed prematurely.
+
+        Test: fast/css/variables/var-filter.html
+
+        * css/StyleResolver.cpp:
+        (WebCore::StyleResolver::collectMatchingRulesForList):
+        * css/StyleResolver.h:
+        (StyleResolver):
+
 2012-09-20  Levi Weintraub  <[email protected]>
 
         Prevent reading stale data from InlineTextBoxes
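Review bot: the entry names `(WebCore::StyleResolver::collectMatchingRulesForList)` as the function changed, but the StyleResolver.cpp hunk at line 5191 sits in the loop that handles `FilterOperation::REFERENCE` and calls `value->load(cachedResourceLoader)`, which is not rule collection; list the function that hunk actually touches. Two wording fixes while here: "use-after free" should be "use-after-free", and "however that it no longer true" should read "however that is no longer true".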

Modified: trunk/Source/WebCore/css/StyleResolver.cpp (129188 => 129189)


--- trunk/Source/WebCore/css/StyleResolver.cpp	2012-09-21 04:00:21 UTC (rev 129188)
+++ trunk/Source/WebCore/css/StyleResolver.cpp	2012-09-21 04:15:18 UTC (rev 129189)
@@ -5191,7 +5191,7 @@
         if (filterOperation->getOperationType() == FilterOperation::REFERENCE) {
             ReferenceFilterOperation* referenceFilter = static_cast<ReferenceFilterOperation*>(filterOperation.get());
 
-            WebKitCSSSVGDocumentValue* value = m_pendingSVGDocuments.get(referenceFilter);
+            WebKitCSSSVGDocumentValue* value = m_pendingSVGDocuments.get(referenceFilter).get();
             if (!value)
                 continue;
             CachedSVGDocument* cachedDocument = value->load(cachedResourceLoader);
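Review bot: `m_pendingSVGDocuments.get(referenceFilter).get()` pulls a raw pointer out of a temporary RefPtr, so `value` is kept alive only by the map entry itself; if `value->load(cachedResourceLoader)` or anything later in this iteration removes or clears that entry, the same dangling-pointer pattern this patch fixes comes back. Holding the reference locally avoids it: `RefPtr<WebKitCSSSVGDocumentValue> value = m_pendingSVGDocuments.get(referenceFilter);` followed by the existing `if (!value) continue;`. The site that inserts into the map is not in this diff; with the value type now RefPtr the insertion takes a reference implicitly, which is the part of the fix that actually closes the bug and is worth checking in the caller.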

Modified: trunk/Source/WebCore/css/StyleResolver.h (129188 => 129189)


--- trunk/Source/WebCore/css/StyleResolver.h	2012-09-21 04:00:21 UTC (rev 129188)
+++ trunk/Source/WebCore/css/StyleResolver.h	2012-09-21 04:15:18 UTC (rev 129189)
@@ -515,7 +515,7 @@
 #endif
 
 #if ENABLE(CSS_FILTERS) && ENABLE(SVG)
-    HashMap<FilterOperation*, WebKitCSSSVGDocumentValue*> m_pendingSVGDocuments;
+    HashMap<FilterOperation*, RefPtr<WebKitCSSSVGDocumentValue> > m_pendingSVGDocuments;
 #endif
 
 #if ENABLE(STYLE_SCOPED)
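Review bot: only the value type changes to `RefPtr<WebKitCSSSVGDocumentValue>`; the key stays a raw `FilterOperation*` that this map does not own. The loop in the StyleResolver.cpp hunk reads `filterOperation.get()`, so FilterOperation is evidently reference counted too, and a FilterOperation destroyed while its entry is still present leaves a stale key that can collide with a reused address. Either key the map by `RefPtr<FilterOperation>` or document the invariant that pending entries are always consumed before the owning FilterOperations go away.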
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes
