Heap-use-after-free in WTF::HashMap<int, WTF::RefPtr<WebCore::CalculationValue>,...
author: mikelawther@chromium.org <mikelawther@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 14 May 2012 03:30:46 +0000 (03:30 +0000)
committer: mikelawther@chromium.org <mikelawther@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 14 May 2012 03:30:46 +0000 (03:30 +0000)
commit 779255c18a9b9876157b5091d3369118066f87a3
tree 626f1d69768f63c8a52f7cbaed83bbb6e85b96eb
parent 0e43d7defca6181dedd975892499507b4643f452
Heap-use-after-free in WTF::HashMap<int, WTF::RefPtr<WebCore::CalculationValue>, WTF::IntHash<unsigned int>, WTF::HashTrait
https://bugs.webkit.org/show_bug.cgi?id=85195

Source/WebCore:

This bug was caused by Length not understanding that calc expressions shouldn't be
blended - a Length with a calc expression handle was created without incrementing
the ref count of the expression. Length no longer attempts to blend calc expressions,
http://webkit.org/b/86160 has been filed to track expression blending. Fixing this fixed
the crash.

Once this was fixed, the RenderStyle diff checker thought the style was changing,
as Length didn't know how to compare calc expressions, resulting in an infinite
loop of style recalcs. Expressions can now compare themselves.

Reviewed by Darin Adler.

Tests: css3/calc/transition-crash.html
       css3/calc/transition-crash2.html

* platform/CalculationValue.h:
(WebCore::CalcExpressionNode::CalcExpressionNode):
(CalcExpressionNode):
(WebCore::CalcExpressionNode::type):
(CalculationValue):
(WebCore::CalculationValue::operator==):
(WebCore::CalcExpressionNumber::CalcExpressionNumber):
(WebCore::CalcExpressionNumber::operator==):
(CalcExpressionNumber):
(WebCore::CalcExpressionLength::CalcExpressionLength):
(WebCore::CalcExpressionLength::operator==):
(CalcExpressionLength):
(WebCore::CalcExpressionBinaryOperation::CalcExpressionBinaryOperation):
(WebCore::CalcExpressionBinaryOperation::operator==):
(CalcExpressionBinaryOperation):
* platform/Length.cpp:
(WebCore::Length::isCalculatedEqual):
(WebCore):
* platform/Length.h:
(WebCore::Length::operator==):
(Length):
(WebCore::Length::blend):

LayoutTests:

Reviewed by Darin Adler.

* css3/calc/transition-crash-expected.txt: Added.
* css3/calc/transition-crash.html: Added.
* css3/calc/transition-crash2-expected.txt: Added.
* css3/calc/transition-crash2.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@116914 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/css3/calc/transition-crash-expected.txt [new file with mode: 0644]
LayoutTests/css3/calc/transition-crash.html [new file with mode: 0644]
LayoutTests/css3/calc/transition-crash2-expected.txt [new file with mode: 0644]
LayoutTests/css3/calc/transition-crash2.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/platform/CalculationValue.h
Source/WebCore/platform/Length.cpp
Source/WebCore/platform/Length.h
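As an added illustration of the two defects the commit message describes (a handle to a CalculationValue created without taking a reference, and Length having no structural comparison for calc expressions), here is a constructed C++ model; it is not WebKit's code, and CalcRef, Length, g_liveValues and the helper functions are assumptions standing in for WTF::RefPtr and WebCore::Length.

```cpp
// Constructed model of the commit's bug pattern (not WebKit code): an intrusively
// ref-counted calc() value and a Length holding a handle to it.
static int g_liveValues = 0;  // constructed counter of live CalculationValue objects

struct CalculationValue {
    explicit CalculationValue(double v) : value(v) { ++g_liveValues; }
    ~CalculationValue() { --g_liveValues; }
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) delete this; }
    // Structural comparison: an unchanged calc() Length compares equal, so the
    // style diff does not report a change on every pass (the recalc loop).
    bool operator==(const CalculationValue& o) const { return value == o.value; }
    double value;
    int refCount = 0;
};

// Minimal RefPtr stand-in: acquiring, copying and dropping a handle adjusts the count.
struct CalcRef {
    CalcRef(CalculationValue* p = nullptr) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    CalcRef(const CalcRef& o) : CalcRef(o.m_ptr) {}
    CalcRef& operator=(CalcRef o) { CalculationValue* t = m_ptr; m_ptr = o.m_ptr; o.m_ptr = t; return *this; }
    ~CalcRef() { if (m_ptr) m_ptr->deref(); }
    CalculationValue* get() const { return m_ptr; }
    CalculationValue* m_ptr;
};

struct Length {
    CalcRef calc;
    bool isCalculatedEqual(const Length& o) const { return calc.get() && o.calc.get() && *calc.get() == *o.calc.get(); }
};

// Bug pattern: a second holder copies the raw pointer without ref(); when the
// owning Length dies the value is freed although the copy still points at it.
bool rawCopyDangles() {
    CalculationValue* raw = nullptr;
    {
        Length owner{CalcRef(new CalculationValue(10.0))};
        raw = owner.calc.get();                  // no reference taken
    }                                            // owner derefs: count hits 0, value deleted
    return raw != nullptr && g_liveValues == 0;  // pointer kept, object gone (never dereferenced)
}

// Fix pattern: copy through the counting handle, so the value outlives the owner.
bool refCopyKeepsAlive() {
    Length copy;
    {
        Length owner{CalcRef(new CalculationValue(10.0))};
        copy.calc = owner.calc;                  // reference taken by the copy
    }
    return g_liveValues == 1 && copy.calc.get()->refCount == 1;  // freed when copy dies
}
```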