Title: [161244] trunk
- Revision: 161244
- Author: mmaxfi...@apple.com
- Date: 2014-01-02 17:32:18 -0800 (Thu, 02 Jan 2014)
Log Message
Crash in WebCore::translateIntersectionPointsToSkipInkBoundaries
https://bugs.webkit.org/show_bug.cgi?id=126252
Reviewed by Alexey Proskuryakov.
Source/WebCore:
lastIntermediate was an iterator pointing into a Vector, which was being re-used
even while appending to the Vector. If any of the append operators triggered
a realloc, the iterator would point to the old freed memory.
Test: fast/css3-text/css3-text-decoration/text-decoration-skip/text-decoration-skip-ink-crash-many-gaps.html
* rendering/InlineTextBox.cpp:
(WebCore::translateIntersectionPointsToSkipInkBoundaries):
LayoutTests:
This test causes intermediateTuples, a Vector of tuples of floats, to have enough
entries to cause a realloc. In my tests, the realloc seems to always allocate the
next area of memory (without unmapping any old pages), so this test only crashes
if guardMalloc is used.
* fast/css3-text/css3-text-decoration/text-decoration-skip/text-decoration-skip-ink-crash-many-gaps-expected.txt: Added.
* fast/css3-text/css3-text-decoration/text-decoration-skip/text-decoration-skip-ink-crash-many-gaps.html: Added.
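The iterator-invalidation pattern described in the log message, as an added example that is not part of this commit: a std::vector version of the corrected merge loop (same shape as the fixed WebKit code, with back() standing in for WTF Vector::last()), plus a helper that counts how often the vector's storage moves while appending, which is the reallocation the original lastIntermediate iterator could not survive. mergeRanges and storageMovesWhileAppending are hypothetical names, and the input ranges are assumed sorted by start as the WebKit caller supplies them.

```cpp
#include <cstddef>
#include <utility>
#include <vector>

using Range = std::pair<float, float>;

// Corrected merge in the shape of the fixed WebKit loop: the last kept range
// is re-fetched with back() on every iteration instead of being held in an
// iterator across push_back(), so a reallocation cannot leave a dangling
// reference. Assumes `tuples` is sorted by start, as the WebKit caller does.
std::vector<Range> mergeRanges(const std::vector<Range>& tuples)
{
    if (tuples.size() < 2)
        return tuples;
    std::vector<Range> intermediate;
    intermediate.push_back(tuples.front());
    for (std::size_t i = 1; i < tuples.size(); ++i) {
        float& firstEnd = intermediate.back().second; // fresh every iteration
        float secondStart = tuples[i].first;
        float secondEnd = tuples[i].second;
        if (secondStart <= firstEnd && secondEnd <= firstEnd) {
            // Fully inside the previous range: ignore it.
        } else if (secondStart <= firstEnd) {
            firstEnd = secondEnd; // Overlaps: extend the previous range.
        } else {
            intermediate.push_back(tuples[i]); // may reallocate; firstEnd is
        }                                      // not touched after this point
    }
    return intermediate;
}

// Counts how many times the vector's storage moved while appending `count`
// disjoint ranges (constructed input). Any pointer or iterator taken before a
// move is stale afterwards; that is the hazard behind lastIntermediate.
std::size_t storageMovesWhileAppending(std::size_t count, std::size_t reserveAhead)
{
    std::vector<Range> v;
    v.reserve(reserveAhead); // reserving for a known count avoids the moves
    std::size_t moves = 0;
    const Range* before = v.data();
    for (std::size_t i = 0; i < count; ++i) {
        v.push_back({ float(2 * i), float(2 * i + 1) });
        if (v.data() != before) {
            ++moves;
            before = v.data();
        }
    }
    return moves;
}
```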
Diff
Modified: trunk/LayoutTests/ChangeLog (161243 => 161244)
--- trunk/LayoutTests/ChangeLog 2014-01-03 01:19:50 UTC (rev 161243)
+++ trunk/LayoutTests/ChangeLog 2014-01-03 01:32:18 UTC (rev 161244)
@@ -1,3 +1,18 @@
+2014-01-02 Myles C. Maxfield <mmaxfi...@apple.com>
+
+ Crash in WebCore::translateIntersectionPointsToSkipInkBoundaries
+ https://bugs.webkit.org/show_bug.cgi?id=126252
+
+ Reviewed by Alexey Proskuryakov.
+
+ This test causes intermediateTuples, a Vector of tuples of floats, to have enough
+ entries to cause a realloc. In my tests, the realloc seems to always allocate the
+ next area of memory (without unmapping any old pages), so this test only crashes
+ if guardMalloc is used.
+
+ * fast/css3-text/css3-text-decoration/text-decoration-skip/text-decoration-skip-ink-crash-many-gaps-expected.txt: Added.
+ * fast/css3-text/css3-text-decoration/text-decoration-skip/text-decoration-skip-ink-crash-many-gaps.html: Added.
+
2014-01-02 Sam Weinig <s...@webkit.org>
Update Promises to the https://github.com/domenic/promises-unwrapping spec
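Review bot: the entry states that the test only crashes under guardMalloc, which means a default build passes it with or without the fix; it would help to say so in the test's first line as well (or in this entry) so that a green run is not mistaken for coverage, and to name the guard-malloc run as the configuration the test is meant for.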
Added: trunk/LayoutTests/fast/css3-text/css3-text-decoration/text-decoration-skip/text-decoration-skip-ink-crash-many-gaps-expected.txt (0 => 161244)
--- trunk/LayoutTests/fast/css3-text/css3-text-decoration/text-decoration-skip/text-decoration-skip-ink-crash-many-gaps-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/css3-text/css3-text-decoration/text-decoration-skip/text-decoration-skip-ink-crash-many-gaps-expected.txt 2014-01-03 01:32:18 UTC (rev 161244)
@@ -0,0 +1 @@
+This tests for a crash that occurred in InlineTextBoxes with lots of underline breaks due to text-decoration-skip: ink. ]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3
R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R
Added: trunk/LayoutTests/fast/css3-text/css3-text-decoration/text-decoration-skip/text-decoration-skip-ink-crash-many-gaps.html (0 => 161244)
--- trunk/LayoutTests/fast/css3-text/css3-text-decoration/text-decoration-skip/text-decoration-skip-ink-crash-many-gaps.html (rev 0)
+++ trunk/LayoutTests/fast/css3-text/css3-text-decoration/text-decoration-skip/text-decoration-skip-ink-crash-many-gaps.html 2014-01-03 01:32:18 UTC (rev 161244)
@@ -0,0 +1,11 @@
+This tests for a crash that occurred in InlineTextBoxes with lots of underline breaks due to text-decoration-skip: ink.
+<map id="map" style="-webkit-text-decoration-skip:ink; box-decoration edges;text-underline:dotted rgb(109,208,61) skip-white-space auto;"></map>
+<script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ for (i=0;i<440;i++) {
+ document.getElementById("map").appendChild(document.createTextNode(']3MmP`3R'));
+ }
+ document.normalize();
+ document.body.style.textDecoration="underline";
+</script>
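Review bot: the loop `for (i=0;i<440;i++)` assigns to an undeclared `i`, which becomes an implicit global under sloppy mode; declare it (`for (var i = 0; i < 440; i++)`). The style attribute also carries `box-decoration edges` (no colon, so it cannot parse as a declaration) and a `text-underline:` declaration that looks like fuzzer residue; if they are not needed to reproduce the crash, trimming the attribute to `-webkit-text-decoration-skip: ink` would make it clear which property matters.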
Modified: trunk/Source/WebCore/ChangeLog (161243 => 161244)
--- trunk/Source/WebCore/ChangeLog 2014-01-03 01:19:50 UTC (rev 161243)
+++ trunk/Source/WebCore/ChangeLog 2014-01-03 01:32:18 UTC (rev 161244)
@@ -1,3 +1,19 @@
+2014-01-02 Myles C. Maxfield <mmaxfi...@apple.com>
+
+ Crash in WebCore::translateIntersectionPointsToSkipInkBoundaries
+ https://bugs.webkit.org/show_bug.cgi?id=126252
+
+ Reviewed by Alexey Proskuryakov.
+
+ lastIntermediate was a iterator pointing into a Vector, which was being re-used
+ even while appending to the Vector. If any of the append operators triggered
+ a realloc, the iterator would point to the old free'ed memory.
+
+ Test: fast/css3-text/css3-text-decoration/text-decoration-skip/text-decoration-skip-ink-crash-many-gaps.html
+
+ * rendering/InlineTextBox.cpp:
+ (WebCore::translateIntersectionPointsToSkipInkBoundaries):
+
2014-01-02 Brent Fulgham <bfulg...@apple.com>
[WebGL] Correct symbol lookup logic to handle 1-element arrays
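Review bot: `a iterator` in the third paragraph should read `an iterator`, and `free'ed` should be `freed`. The entry also describes only the bug; a sentence saying what the fix does (re-fetching the last element through `intermediateTuples.last()` on each iteration instead of holding an iterator) would make the function entry below self-explanatory.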
Modified: trunk/Source/WebCore/rendering/InlineTextBox.cpp (161243 => 161244)
--- trunk/Source/WebCore/rendering/InlineTextBox.cpp 2014-01-03 01:19:50 UTC (rev 161243)
+++ trunk/Source/WebCore/rendering/InlineTextBox.cpp 2014-01-03 01:32:18 UTC (rev 161244)
@@ -86,19 +86,16 @@
Vector<std::pair<float, float>> intermediateTuples;
if (tuples.size() >= 2) {
intermediateTuples.append(*tuples.begin());
- auto lastIntermediate = intermediateTuples.begin();
for (auto i = tuples.begin() + 1; i != tuples.end(); i++) {
- float& firstEnd = lastIntermediate->second;
+ float& firstEnd = intermediateTuples.last().second;
float secondStart = i->first;
float secondEnd = i->second;
if (secondStart <= firstEnd && secondEnd <= firstEnd) {
// Ignore this range completely
} else if (secondStart <= firstEnd)
firstEnd = secondEnd;
- else {
+ else
intermediateTuples.append(*i);
- ++lastIntermediate;
- }
}
} else
intermediateTuples = tuples;
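Review bot: `firstEnd` at `float& firstEnd = intermediateTuples.last().second;` is still a reference into `intermediateTuples` that lives for the rest of the loop body, and it is safe only because no branch touches it after `intermediateTuples.append(*i);`; a one-line comment on the `else` branch (or reading `intermediateTuples.last().second` at its two use sites instead of binding a reference) would keep a later edit from reintroducing the dangling reference. Minor: `i++` on the iterator in the `for` header could be `++i`.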
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes