Title: [199785] trunk/Source/WebCore
- Revision
- 199785
- Author
- [email protected]
- Date
- 2016-04-20 14:07:37 -0700 (Wed, 20 Apr 2016)
Log Message
Use Optional<size_t> for OrderIterator::m_orderIndex instead of int
https://bugs.webkit.org/show_bug.cgi?id=156796
Reviewed by Anders Carlsson.
Use Optional<size_t> for OrderIterator::m_orderIndex instead of int
(with invalid value of -1). m_orderIndex is a vector index and therefore
is in the range of an unsigned (type used internally by Vector, even
though the index is exposed as size_t). Therefore, assigning it to an
int is unsafe as it may overflow.
This may fix <rdar://problem/23410338> which is a top crasher.
* rendering/OrderIterator.cpp:
(WebCore::OrderIterator::next):
(WebCore::OrderIterator::reset):
* rendering/OrderIterator.h:
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (199784 => 199785)
--- trunk/Source/WebCore/ChangeLog 2016-04-20 21:07:02 UTC (rev 199784)
+++ trunk/Source/WebCore/ChangeLog 2016-04-20 21:07:37 UTC (rev 199785)
@@ -1,5 +1,25 @@
2016-04-20 Chris Dumez <[email protected]>
+ Use Optional<size_t> for OrderIterator::m_orderIndex instead of int
+ https://bugs.webkit.org/show_bug.cgi?id=156796
+
+ Reviewed by Anders Carlsson.
+
+ Use Optional<size_t> for OrderIterator::m_orderIndex instead of int
+ (with invalid value of -1). m_orderIndex a vector index and therefore
+ is in the range of an unsigned (type used internally by Vector, even
+ though the index is exposed as size_t). Therefore, assigning it to an
+ int is unsafe as it may overflow.
+
+ This may fix <rdar://problem/23410338> which is a top crasher.
+
+ * rendering/OrderIterator.cpp:
+ (WebCore::OrderIterator::next):
+ (WebCore::OrderIterator::reset):
+ * rendering/OrderIterator.h:
+
+2016-04-20 Chris Dumez <[email protected]>
+
Crash under needsAppleMailPaginationQuirk()
https://bugs.webkit.org/show_bug.cgi?id=156806
<rdar://problem/23323479>
Modified: trunk/Source/WebCore/rendering/OrderIterator.cpp (199784 => 199785)
--- trunk/Source/WebCore/rendering/OrderIterator.cpp 2016-04-20 21:07:02 UTC (rev 199784)
+++ trunk/Source/WebCore/rendering/OrderIterator.cpp 2016-04-20 21:07:37 UTC (rev 199785)
@@ -36,8 +36,6 @@
namespace WebCore {
-static const int cInvalidIndex = -1;
-
OrderIterator::OrderIterator(RenderBox& containerBox)
: m_containerBox(containerBox)
{
@@ -52,23 +50,22 @@
RenderBox* OrderIterator::next()
{
- int endIndex = m_orderValues.size();
do {
if (m_currentChild) {
m_currentChild = m_currentChild->nextSiblingBox();
continue;
}
- if (m_orderIndex != cInvalidIndex)
- ++m_orderIndex;
+ if (m_orderIndex)
+ ++m_orderIndex.value();
else
m_orderIndex = 0;
- if (m_orderIndex == endIndex)
+ if (m_orderIndex.value() >= m_orderValues.size())
return nullptr;
m_currentChild = m_containerBox.firstChildBox();
- } while (!m_currentChild || m_currentChild->style().order() != m_orderValues[m_orderIndex]);
+ } while (!m_currentChild || m_currentChild->style().order() != m_orderValues[m_orderIndex.value()]);
return m_currentChild;
}
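Review bot: The `continue` at the top of the loop in `next()` jumps straight to the `while` condition, so `m_orderValues[m_orderIndex.value()]` is evaluated on that path without going through the new `>= m_orderValues.size()` check in the same iteration. That is safe only while a non-null `m_currentChild` implies an engaged index that is still inside `m_orderValues`. If the vector can be repopulated between calls without `reset()` (not visible in this hunk), the index could be stale when it is used. Consider stating the invariant just before the `continue`, for example `ASSERT(m_orderIndex && m_orderIndex.value() < m_orderValues.size());`, or adding a comment that callers must `reset()` whenever the order values change.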
@@ -76,7 +73,7 @@
void OrderIterator::reset()
{
m_currentChild = nullptr;
- m_orderIndex = cInvalidIndex;
+ m_orderIndex = Nullopt;
}
OrderIteratorPopulator::OrderIteratorPopulator(OrderIterator& iterator)
Modified: trunk/Source/WebCore/rendering/OrderIterator.h (199784 => 199785)
--- trunk/Source/WebCore/rendering/OrderIterator.h 2016-04-20 21:07:02 UTC (rev 199784)
+++ trunk/Source/WebCore/rendering/OrderIterator.h 2016-04-20 21:07:37 UTC (rev 199785)
@@ -33,6 +33,7 @@
#define OrderIterator_h
#include <wtf/Noncopyable.h>
+#include <wtf/Optional.h>
#include <wtf/Vector.h>
namespace WebCore {
@@ -56,7 +57,7 @@
RenderBox* m_currentChild;
Vector<int, 1> m_orderValues;
- int m_orderIndex;
+ Optional<size_t> m_orderIndex;
};
class OrderIteratorPopulator {
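Review bot: The new member `Optional<size_t> m_orderIndex;` replaces the `-1` sentinel, but nothing in the header says what the empty state means. A one-line comment such as `// Index into m_orderValues; Nullopt until next() is first called after reset().` would record the contract that `next()` and `reset()` in OrderIterator.cpp now rely on. The class body starts above this hunk, so check whether the neighbouring `m_currentChild` pointer has a matching initial state.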