Title: [184394] trunk/Source/WebCore
- Revision
- 184394
- Author
- [email protected]
- Date
- 2015-05-15 10:15:16 -0700 (Fri, 15 May 2015)
Log Message
Crash in RenderFlowThread::popFlowThreadLayoutState() due to mismatched push/pop count
https://bugs.webkit.org/show_bug.cgi?id=145042

Reviewed by David Hyatt.

RenderFlowThread previously used a ListHashSet to store its stack of active objects. This
is problematic because, if the same object is pushed twice, only a single entry of that
object is added to the stack. After this occurs, a matching number of pushes will pop too
many items off the stack, causing a crash when popping a stack with zero items. This
specifically happens in FrameView::layout(), which will push its root renderer on the stack
of active items, and then ask the root to layout(), which will attempt to push itself on the
stack of active items.

Instead of a ListHashSet, use a Vector, which has similar memory characteristics and no
uniqueness requirements.

* rendering/RenderFlowThread.cpp:
(WebCore::RenderFlowThread::pushFlowThreadLayoutState):
(WebCore::RenderFlowThread::popFlowThreadLayoutState):
* rendering/RenderFlowThread.h:
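A stand-alone C++ model of the push/pop imbalance the message describes, added here as an example and not code from WebKit. ActiveObjectsStack and Node are hypothetical stand-ins for m_activeObjectsStack and RenderObject; the dedupe flag switches between the old ListHashSet-style behaviour (a repeated push is dropped) and the new Vector-style behaviour (every push appends).

```cpp
#include <algorithm>
#include <vector>

// Hypothetical stand-in for RenderObject; only pointer identity matters here.
struct Node { int id; };

// Minimal model of m_activeObjectsStack. With dedupe == true a push of an object
// already on the stack is a no-op, which is what ListHashSet::add() did; with
// dedupe == false every push appends, as Vector::append() does after this change.
class ActiveObjectsStack {
public:
    explicit ActiveObjectsStack(bool dedupe) : m_dedupe(dedupe) {}

    // Returns false when the push was silently dropped as a duplicate.
    bool push(const Node* object) {
        if (m_dedupe && std::find(m_items.begin(), m_items.end(), object) != m_items.end())
            return false;
        m_items.push_back(object);
        return true;
    }

    // Returns false instead of crashing when asked to pop an empty stack.
    bool pop() {
        if (m_items.empty())
            return false;
        m_items.pop_back();
        return true;
    }

private:
    bool m_dedupe;
    std::vector<const Node*> m_items;
};

// Replays the sequence from the commit message: FrameView::layout() pushes the root,
// the root's own layout() pushes it again, then each side pops once. Returns how many
// of those pops found the stack already empty (0 means push/pop stayed balanced).
int simulateNestedLayout(bool dedupe) {
    Node root{1};
    ActiveObjectsStack stack(dedupe);
    stack.push(&root);  // FrameView::layout() pushes the root renderer
    stack.push(&root);  // root->layout() pushes itself again
    int underflows = 0;
    if (!stack.pop()) ++underflows;  // root->layout() returns
    if (!stack.pop()) ++underflows;  // FrameView::layout() returns
    return underflows;
}
```

With the set-style stack the second pop runs against an empty container, which is the crash the fix removes; with the vector-style stack both pops succeed.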
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (184393 => 184394)
--- trunk/Source/WebCore/ChangeLog 2015-05-15 16:46:46 UTC (rev 184393)
+++ trunk/Source/WebCore/ChangeLog 2015-05-15 17:15:16 UTC (rev 184394)
@@ -1,3 +1,26 @@
+2015-05-15 Jer Noble <[email protected]>
+
+ Crash in RenderFlowThread::popFlowThreadLayoutState() due to mismatched push/pop count
+ https://bugs.webkit.org/show_bug.cgi?id=145042
+
+ Reviewed by David Hyatt.
+
+ RenderFlowThread previously used a ListHashSet to store its stack of active objects. This
+ is problematic because, if the same object is pushed twice, only a single entry of that
+ object is added to the stack. After this occurs, a matching number of pushes will pop too
+ many items off the stack, causing a crash when popping a stack with zero items. This
+ specifically happens in FrameView::layout(), which will push its root renderer on the stack
+ of active items, and then ask the root to layout(), which will attempt to push itself on the
+ stack of active items.
+
+ Instead of a ListHashSet, use a Vector, which has similar memory characteristics and no
+ uniqueness requirements.
+
+ * rendering/RenderFlowThread.cpp:
+ (WebCore::RenderFlowThread::pushFlowThreadLayoutState):
+ (WebCore::RenderFlowThread::popFlowThreadLayoutState):
+ * rendering/RenderFlowThread.h:
+
2015-05-15 Per Arne Vollan <[email protected]>
[Curl] WebSocket platform part is not implemented.
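Review bot: the ChangeLog entry names the crash site (FrameView::layout() pushing the root renderer, then the root pushing itself) but says nothing about test coverage; WebKit entries normally carry either a test name or a "No new tests" line with the reason, so add one here, either a layout test that reaches the nested push or a note naming the existing regions tests that exercise this path.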
Modified: trunk/Source/WebCore/rendering/RenderFlowThread.cpp (184393 => 184394)
--- trunk/Source/WebCore/rendering/RenderFlowThread.cpp 2015-05-15 16:46:46 UTC (rev 184393)
+++ trunk/Source/WebCore/rendering/RenderFlowThread.cpp 2015-05-15 17:15:16 UTC (rev 184394)
@@ -1193,7 +1193,7 @@
void RenderFlowThread::pushFlowThreadLayoutState(const RenderObject& object)
{
- m_activeObjectsStack.add(&object);
+ m_activeObjectsStack.append(&object);
if (const RenderBox* currentBoxDescendant = currentActiveRenderBox()) {
LayoutState* layoutState = currentBoxDescendant->view().layoutState();
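Review bot: only the push side changes in this hunk; popFlowThreadLayoutState() is listed in the ChangeLog but no change to it appears, so it presumably already calls removeLast(), which both ListHashSet and Vector provide. Worth confirming that currentActiveRenderBox(), which reads the same container right after the changed line, still walks the stack from the top with Vector semantics, and adding ASSERT(!m_activeObjectsStack.isEmpty()) before the removeLast() in the pop so any future push/pop imbalance fails loudly in debug builds instead of as a release crash.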
Modified: trunk/Source/WebCore/rendering/RenderFlowThread.h (184393 => 184394)
--- trunk/Source/WebCore/rendering/RenderFlowThread.h 2015-05-15 16:46:46 UTC (rev 184393)
+++ trunk/Source/WebCore/rendering/RenderFlowThread.h 2015-05-15 17:15:16 UTC (rev 184394)
@@ -351,7 +351,7 @@
RenderBoxToRegionMap m_breakBeforeToRegionMap;
RenderBoxToRegionMap m_breakAfterToRegionMap;
- typedef ListHashSet<const RenderObject*> RenderObjectStack;
+ typedef Vector<const RenderObject*> RenderObjectStack;
RenderObjectStack m_activeObjectsStack;
typedef HashMap<const RenderBox*, LayoutUnit> RenderBoxToOffsetMap;
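Review bot: the typedef change turns the container's contract from unique membership into balanced push/pop, and nothing in the header records that; a one-line comment on m_activeObjectsStack saying that duplicate entries are expected (the root renderer is pushed both by FrameView::layout() and by its own layout()) and that every push must be matched by a pop would keep the next reader from reintroducing a set. Also, Vector with the default inline capacity heap-allocates on the first append; Vector<const RenderObject*, N> with a small N would avoid that for the shallow stacks seen during layout, if the "similar memory characteristics" in the ChangeLog is meant to hold.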