[webkit-changes] [152825] trunk

[commit-queue]

Title: [152825] trunk

Revision

152825

Author

commit-qu...@webkit.org

Date

2013-07-17 18:02:56 -0700 (Wed, 17 Jul 2013)

Log Message

Dereference null pointer crash in Length::decrementCalculatedRef()
https://bugs.webkit.org/show_bug.cgi?id=118686

Patch by Jacky Jiang <zhaji...@blackberry.com> on 2013-07-17
Reviewed by Simon Fraser.

Source/WebCore:

Length(Calculated) won't insert any CalculationValue to CalculationValueHandleMap;
therefore, we dereference null CalculationValue pointer when the temporary
Length object goes out of the scope.
Length(Calculated) is not allowed as it doesn't make sense that we construct
a Calculated Length object with uninitialized calc _expression_.
The code just wants to blend with zero. To fix the bug, we can just blend
with Length(0, Fixed) here as we currently can blend different type units
and zero has the same behavior regardless of unit.

Test: transitions/transition-transform-translate-calculated-length-crash.html

* platform/graphics/transforms/TranslateTransformOperation.cpp:
(WebCore::TranslateTransformOperation::blend):

LayoutTests:

* transitions/transition-transform-translate-calculated-length-crash-expected.txt: Added.
* transitions/transition-transform-translate-calculated-length-crash.html: Added.

Modified Paths

• trunk/LayoutTests/ChangeLog
• trunk/Source/WebCore/ChangeLog
• trunk/Source/WebCore/platform/graphics/transforms/TranslateTransformOperation.cpp

Added Paths

• trunk/LayoutTests/transitions/transition-transform-translate-calculated-length-crash-expected.txt
• trunk/LayoutTests/transitions/transition-transform-translate-calculated-length-crash.html

Diff

Modified: trunk/LayoutTests/ChangeLog (152824 => 152825)

--- trunk/LayoutTests/ChangeLog	2013-07-18 00:43:18 UTC (rev 152824)
+++ trunk/LayoutTests/ChangeLog	2013-07-18 01:02:56 UTC (rev 152825)
@@ -1,3 +1,13 @@
+2013-07-17  Jacky Jiang  <zhaji...@blackberry.com>
+
+        Dereference null pointer crash in Length::decrementCalculatedRef()
+        https://bugs.webkit.org/show_bug.cgi?id=118686
+
+        Reviewed by Simon Fraser.
+
+        * transitions/transition-transform-translate-calculated-length-crash-expected.txt: Added.
+        * transitions/transition-transform-translate-calculated-length-crash.html: Added.
+
 2013-07-17  Stephanie Lewis  <sle...@apple.com>
 
         Skip crashing MathML tests while waiting for a fix for 

Added: trunk/LayoutTests/transitions/transition-transform-translate-calculated-length-crash-expected.txt (0 => 152825)

--- trunk/LayoutTests/transitions/transition-transform-translate-calculated-length-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/transitions/transition-transform-translate-calculated-length-crash-expected.txt	2013-07-18 01:02:56 UTC (rev 152825)
@@ -0,0 +1,5 @@
+Bug https://bugs.webkit.org/show_bug.cgi?id=118686: Dereference null pointer crash in Length::decrementCalculatedRef()
+
+The test passes if it does not crash.
+
+

Added: trunk/LayoutTests/transitions/transition-transform-translate-calculated-length-crash.html (0 => 152825)

--- trunk/LayoutTests/transitions/transition-transform-translate-calculated-length-crash.html	                        (rev 0)
+++ trunk/LayoutTests/transitions/transition-transform-translate-calculated-length-crash.html	2013-07-18 01:02:56 UTC (rev 152825)
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<style>
+    div {
+        -webkit-transition:-webkit-transform 50ms;
+    }
+    #div2 {
+        -webkit-transform:translate(-webkit-calc(10% + 10px));
+    }
+</style>
+<body>
+    <p>Bug https://bugs.webkit.org/show_bug.cgi?id=118686: Dereference null pointer crash in Length::decrementCalculatedRef()</p>
+    <p>The test passes if it does not crash.</p>
+    <div id="div1"></div>
+    <div id="div2"></div>
+</body>
+<script>
+    if (window.testRunner)
+        testRunner.dumpAsText();
+
+    document.getElementById("div1").style.webkitTransform = "translate(-webkit-calc(10% + 20px))";
+    document.getElementById("div2").style.webkitTransform = "none";
+</script>

Modified: trunk/Source/WebCore/ChangeLog (152824 => 152825)

--- trunk/Source/WebCore/ChangeLog	2013-07-18 00:43:18 UTC (rev 152824)
+++ trunk/Source/WebCore/ChangeLog	2013-07-18 01:02:56 UTC (rev 152825)
@@ -1,3 +1,24 @@
+2013-07-17  Jacky Jiang  <zhaji...@blackberry.com>
+
+        Dereference null pointer crash in Length::decrementCalculatedRef()
+        https://bugs.webkit.org/show_bug.cgi?id=118686
+
+        Reviewed by Simon Fraser.
+
+        Length(Calculated) won't insert any CalculationValue to CalculationValueHandleMap;
+        therefore, we dereference null CalculationValue pointer when the temporary
+        Length object goes out of the scope.
+        Length(Calculated) is not allowed as it doesn't make sense that we construct
+        a Calculated Length object with uninitialized calc _expression_.
+        The code just wants to blend with zero. To fix the bug, we can just blend
+        with Length(0, Fixed) here as we currently can blend different type units
+        and zero has the same behavior regardless of unit.
+
+        Test: transitions/transition-transform-translate-calculated-length-crash.html
+
+        * platform/graphics/transforms/TranslateTransformOperation.cpp:
+        (WebCore::TranslateTransformOperation::blend):
+
 2013-07-17  Tim Horton  <timothy_hor...@apple.com>
 
         Update blocked/missing plug-in UI

Modified: trunk/Source/WebCore/platform/graphics/transforms/TranslateTransformOperation.cpp (152824 => 152825)

--- trunk/Source/WebCore/platform/graphics/transforms/TranslateTransformOperation.cpp	2013-07-18 00:43:18 UTC (rev 152824)
+++ trunk/Source/WebCore/platform/graphics/transforms/TranslateTransformOperation.cpp	2013-07-18 01:02:56 UTC (rev 152825)
@@ -29,16 +29,15 @@
 {
     if (from && !from->isSameType(*this))
         return this;
-    
+
+    Length zeroLength(0, Fixed);
     if (blendToIdentity)
-        return TranslateTransformOperation::create(Length(m_x.type()).blend(m_x, progress), 
-                                                   Length(m_y.type()).blend(m_y, progress), 
-                                                   Length(m_z.type()).blend(m_z, progress), m_type);
+        return TranslateTransformOperation::create(zeroLength.blend(m_x, progress), zeroLength.blend(m_y, progress), zeroLength.blend(m_z, progress), m_type);
 
     const TranslateTransformOperation* fromOp = static_cast<const TranslateTransformOperation*>(from);
-    Length fromX = fromOp ? fromOp->m_x : Length(m_x.type());
-    Length fromY = fromOp ? fromOp->m_y : Length(m_y.type());
-    Length fromZ = fromOp ? fromOp->m_z : Length(m_z.type());
+    Length fromX = fromOp ? fromOp->m_x : zeroLength;
+    Length fromY = fromOp ? fromOp->m_y : zeroLength;
+    Length fromZ = fromOp ? fromOp->m_z : zeroLength;
     return TranslateTransformOperation::create(m_x.blend(fromX, progress), m_y.blend(fromY, progress), m_z.blend(fromZ, progress), m_type);
 }
 

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes