Title: [192235] releases/WebKitGTK/webkit-2.10
Revision: 192235
Author: carlo...@webkit.org
Date: 2015-11-10 05:34:48 -0800 (Tue, 10 Nov 2015)
Log Message
Merge r191938 - Null dereference loading Blink layout test fast/css/background-repeat-null-y-crash.html
https://bugs.webkit.org/show_bug.cgi?id=150211
<rdar://problem/23137321>
Reviewed by Alex Christensen.
Source/WebCore:
This is a merge of Blink r188842:
https://codereview.chromium.org/846933002
By setting the backgroundRepeatY property to null it can
happen that accessing that CSS value returns a null pointer.
In that case simply bail out early.
Test: fast/css/background-repeat-null-y-crash.html
* css/StyleProperties.cpp:
(WebCore::StyleProperties::getLayeredShorthandValue):
LayoutTests:
* fast/css/background-repeat-null-y-crash-expected.txt: Added.
* fast/css/background-repeat-null-y-crash.html: Added.
Diff
Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/ChangeLog (192234 => 192235)
--- releases/WebKitGTK/webkit-2.10/LayoutTests/ChangeLog 2015-11-10 13:33:44 UTC (rev 192234)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/ChangeLog 2015-11-10 13:34:48 UTC (rev 192235)
@@ -1,3 +1,14 @@
+2015-11-02 Jiewen Tan <jiewen_...@apple.com>
+
+ Null dereference loading Blink layout test fast/css/background-repeat-null-y-crash.html
+ https://bugs.webkit.org/show_bug.cgi?id=150211
+ <rdar://problem/23137321>
+
+ Reviewed by Alex Christensen.
+
+ * fast/css/background-repeat-null-y-crash-expected.txt: Added.
+ * fast/css/background-repeat-null-y-crash.html: Added.
+
2015-10-29 Michael Saboff <msab...@apple.com>
Crash making a tail call from a getter to a host function
Added: releases/WebKitGTK/webkit-2.10/LayoutTests/fast/css/background-repeat-null-y-crash-expected.txt (0 => 192235)
--- releases/WebKitGTK/webkit-2.10/LayoutTests/fast/css/background-repeat-null-y-crash-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/fast/css/background-repeat-null-y-crash-expected.txt 2015-11-10 13:34:48 UTC (rev 192235)
@@ -0,0 +1 @@
+PASS, WebKit didn't crash.
Added: releases/WebKitGTK/webkit-2.10/LayoutTests/fast/css/background-repeat-null-y-crash.html (0 => 192235)
--- releases/WebKitGTK/webkit-2.10/LayoutTests/fast/css/background-repeat-null-y-crash.html (rev 0)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/fast/css/background-repeat-null-y-crash.html 2015-11-10 13:34:48 UTC (rev 192235)
@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<body>
+<script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ document.body.style.backgroundRepeat = 'repeat';
+ document.body.style.backgroundRepeatY = '';
+ var tmp = document.body.style.background;
+ document.write("PASS, WebKit didn't crash.")
+</script>
+</body>
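Review bot: the last statement in the script, `document.write("PASS, WebKit didn't crash.")`, is missing its trailing semicolon while every other statement has one; add it for consistency. The test also exercises only the `background-repeat` branch by clearing `backgroundRepeatY`; since the same block in `StyleProperties::getLayeredShorthandValue` handles `CSSPropertyWebkitMaskRepeatY` as well, clearing the `-webkit-mask-repeat-y` longhand after setting `-webkit-mask-repeat` and reading the mask shorthand back would cover the second code path in the same test.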
Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/ChangeLog (192234 => 192235)
--- releases/WebKitGTK/webkit-2.10/Source/WebCore/ChangeLog 2015-11-10 13:33:44 UTC (rev 192234)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/ChangeLog 2015-11-10 13:34:48 UTC (rev 192235)
@@ -1,3 +1,23 @@
+2015-11-02 Jiewen Tan <jiewen_...@apple.com>
+
+ Null dereference loading Blink layout test fast/css/background-repeat-null-y-crash.html
+ https://bugs.webkit.org/show_bug.cgi?id=150211
+ <rdar://problem/23137321>
+
+ Reviewed by Alex Christensen.
+
+ This is a merge of Blink r188842:
+ https://codereview.chromium.org/846933002
+
+ By setting the backgroundRepeatY property to null it can
+ happen that accessing that CSS value returns a null pointer.
+ In that case simply bail out early.
+
+ Test: fast/css/background-repeat-null-y-crash.html
+
+ * css/StyleProperties.cpp:
+ (WebCore::StyleProperties::getLayeredShorthandValue):
+
2015-11-02 Zalan Bujtas <za...@apple.com>
hasOverflowClip() does not necessarily mean valid layer().
Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/css/StyleProperties.cpp (192234 => 192235)
--- releases/WebKitGTK/webkit-2.10/Source/WebCore/css/StyleProperties.cpp 2015-11-10 13:33:44 UTC (rev 192234)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/css/StyleProperties.cpp 2015-11-10 13:34:48 UTC (rev 192235)
@@ -414,27 +414,29 @@
|| (j < size - 1 && shorthand.properties()[j + 1] == CSSPropertyWebkitMaskRepeatY && value)) {
RefPtr<CSSValue> yValue;
RefPtr<CSSValue> nextValue = values[j + 1];
- if (is<CSSValueList>(*nextValue))
- yValue = downcast<CSSValueList>(*nextValue).itemWithoutBoundsCheck(i);
- else
- yValue = nextValue;
+ if (nextValue) {
+ if (is<CSSValueList>(*nextValue))
+ yValue = downcast<CSSValueList>(*nextValue).itemWithoutBoundsCheck(i);
+ else
+ yValue = nextValue;
- if (!is<CSSPrimitiveValue>(*value) || !is<CSSPrimitiveValue>(*yValue))
- continue;
+ if (!is<CSSPrimitiveValue>(*value) || !is<CSSPrimitiveValue>(*yValue))
+ continue;
- CSSValueID xId = downcast<CSSPrimitiveValue>(*value).getValueID();
- CSSValueID yId = downcast<CSSPrimitiveValue>(*yValue).getValueID();
- if (xId != yId) {
- if (xId == CSSValueRepeat && yId == CSSValueNoRepeat) {
- useRepeatXShorthand = true;
+ CSSValueID xId = downcast<CSSPrimitiveValue>(*value).getValueID();
+ CSSValueID yId = downcast<CSSPrimitiveValue>(*yValue).getValueID();
+ if (xId != yId) {
+ if (xId == CSSValueRepeat && yId == CSSValueNoRepeat) {
+ useRepeatXShorthand = true;
+ ++j;
+ } else if (xId == CSSValueNoRepeat && yId == CSSValueRepeat) {
+ useRepeatYShorthand = true;
+ continue;
+ }
+ } else {
+ useSingleWordShorthand = true;
++j;
- } else if (xId == CSSValueNoRepeat && yId == CSSValueRepeat) {
- useRepeatYShorthand = true;
- continue;
}
- } else {
- useSingleWordShorthand = true;
- ++j;
}
}
}
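Review bot: the ChangeLog says the code "simply bails out early" on a null value, but the hunk instead wraps the whole repeat-x/repeat-y shorthand detection in `if (nextValue) { ... }` and re-indents about twenty lines, which both obscures the actual change and leaves the new null case undocumented: when `nextValue` is null the loop silently falls through and serializes the x value on its own. A one-line comment above `if (nextValue) {` stating that a null here means the `*-repeat-y` longhand was cleared (as the new test does with `backgroundRepeatY = ''`) would make that intent explicit for the next reader. Separately, `downcast<CSSValueList>(*nextValue).itemWithoutBoundsCheck(i)` does, as its name says, no bounds check on the y list; if the x and y value lists can differ in length, `i` should be compared against that list's length before this call rather than relying on the outer loop bound.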
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes