Crash in WebCore::translateIntersectionPointsToSkipInkBoundaries
author  mmaxfield@apple.com <mmaxfield@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 3 Jan 2014 01:32:18 +0000 (01:32 +0000)
committer  mmaxfield@apple.com <mmaxfield@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 3 Jan 2014 01:32:18 +0000 (01:32 +0000)
https://bugs.webkit.org/show_bug.cgi?id=126252

Reviewed by Alexey Proskuryakov.

Source/WebCore:

lastIntermediate was an iterator pointing into a Vector, which was being re-used
even while appending to the Vector. If any of the append operators triggered
a realloc, the iterator would point to the old freed memory.

Test: fast/css3-text/css3-text-decoration/text-decoration-skip/text-decoration-skip-ink-crash-many-gaps.html

* rendering/InlineTextBox.cpp:
(WebCore::translateIntersectionPointsToSkipInkBoundaries):

LayoutTests:

This test causes intermediateTuples, a Vector of tuples of floats, to have enough
entries to cause a realloc. In my tests, the realloc seems to always allocate the
next area of memory (without unmapping any old pages), so this test only crashes
if guardMalloc is used.

* fast/css3-text/css3-text-decoration/text-decoration-skip/text-decoration-skip-ink-crash-many-gaps-expected.txt: Added.
* fast/css3-text/css3-text-decoration/text-decoration-skip/text-decoration-skip-ink-crash-many-gaps.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@161244 268f45cc-cd09-0410-ab3c-d52691b4dbfc
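Added example, not WebKit code: the merge loop from translateIntersectionPointsToSkipInkBoundaries rewritten over std::vector in its corrected form (the tail element is re-fetched on every iteration rather than cached in an iterator across appends), plus a helper that counts how often appending 440 entries, the count the layout test uses, reallocates the buffer, which is exactly how many times a cached iterator would have dangled. The names `mergeRanges`, `countReallocations` and `Range` are chosen here and do not exist in WebCore.

```cpp
// Added example (not WebKit code): corrected merge loop over std::vector,
// mirroring the fix of using intermediateTuples.last() instead of lastIntermediate.
#include <cstddef>
#include <utility>
#include <vector>

using Range = std::pair<float, float>;

// Merge sorted, possibly overlapping [first, second] ranges. The reference to the
// tail element is taken fresh each iteration, so a reallocation caused by an
// earlier push_back() can never leave it dangling.
std::vector<Range> mergeRanges(const std::vector<Range>& tuples)
{
    if (tuples.size() < 2)
        return tuples;
    std::vector<Range> merged;
    merged.push_back(tuples.front());
    for (auto i = tuples.begin() + 1; i != tuples.end(); ++i) {
        float& firstEnd = merged.back().second; // valid only until the next push_back()
        float secondStart = i->first;
        float secondEnd = i->second;
        if (secondStart <= firstEnd && secondEnd <= firstEnd) {
            // Fully contained in the previous range: nothing to do.
        } else if (secondStart <= firstEnd) {
            firstEnd = secondEnd; // extend the previous range
        } else {
            merged.push_back(*i); // may reallocate; firstEnd is not touched afterwards
        }
    }
    return merged;
}

// Count how many times appending `count` disjoint ranges reallocates the vector's
// storage, observed through capacity() so that no stale pointer is ever touched.
std::size_t countReallocations(std::size_t count)
{
    std::vector<Range> v;
    std::size_t reallocations = 0;
    std::size_t lastCapacity = v.capacity();
    for (std::size_t n = 0; n < count; ++n) {
        v.push_back(Range(float(2 * n), float(2 * n + 1)));
        if (v.capacity() != lastCapacity) {
            ++reallocations;
            lastCapacity = v.capacity();
        }
    }
    return reallocations;
}
```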

LayoutTests/ChangeLog
LayoutTests/fast/css3-text/css3-text-decoration/text-decoration-skip/text-decoration-skip-ink-crash-many-gaps-expected.txt [new file with mode: 0644]
LayoutTests/fast/css3-text/css3-text-decoration/text-decoration-skip/text-decoration-skip-ink-crash-many-gaps.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/InlineTextBox.cpp

index b8a68e765711ff5fd018b452d333ea49a14fd66e..1cd5e0d73c58d15f010bb210fbd84e4d9b6a2bb3 100644 (file)
@@ -1,3 +1,18 @@
+2014-01-02  Myles C. Maxfield  <mmaxfield@apple.com>
+
+        Crash in WebCore::translateIntersectionPointsToSkipInkBoundaries
+        https://bugs.webkit.org/show_bug.cgi?id=126252
+
+        Reviewed by Alexey Proskuryakov.
+
+        This test causes intermediateTuples, a Vector of tuples of floats, to have enough
+        entries to cause a realloc. In my tests, the realloc seems to always allocate the 
+        next area of memory (without unmapping any old pages), so this test only crashes
+        if guardMalloc is used.
+
+        * fast/css3-text/css3-text-decoration/text-decoration-skip/text-decoration-skip-ink-crash-many-gaps-expected.txt: Added.
+        * fast/css3-text/css3-text-decoration/text-decoration-skip/text-decoration-skip-ink-crash-many-gaps.html: Added.
+
 2014-01-02  Sam Weinig  <sam@webkit.org>
 
         Update Promises to the https://github.com/domenic/promises-unwrapping spec
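Review bot: the line `entries to cause a realloc. In my tests, the realloc seems to always allocate the ` in this LayoutTests/ChangeLog entry ends with trailing whitespace; check-webkit-style flags that, so strip it before landing. The entry could also say explicitly that the test is expected to pass only as a no-crash check (its output is just the dumped text), since the paragraph already notes it only fails under guardMalloc.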
diff --git a/LayoutTests/fast/css3-text/css3-text-decoration/text-decoration-skip/text-decoration-skip-ink-crash-many-gaps-expected.txt b/LayoutTests/fast/css3-text/css3-text-decoration/text-decoration-skip/text-decoration-skip-ink-crash-many-gaps-expected.txt
new file mode 100644 (file)
index 0000000..98b216a
--- /dev/null
@@ -0,0 +1 @@
+This tests for a crash that occurred in InlineTextBoxes with lots of underline breaks due to text-decoration-skip: ink. ]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3
R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R]3MmP`3R
diff --git a/LayoutTests/fast/css3-text/css3-text-decoration/text-decoration-skip/text-decoration-skip-ink-crash-many-gaps.html b/LayoutTests/fast/css3-text/css3-text-decoration/text-decoration-skip/text-decoration-skip-ink-crash-many-gaps.html
new file mode 100644 (file)
index 0000000..af935d6
--- /dev/null
@@ -0,0 +1,11 @@
+This tests for a crash that occurred in InlineTextBoxes with lots of underline breaks due to text-decoration-skip: ink.
+<map id="map" style="-webkit-text-decoration-skip:ink; box-decoration edges;text-underline:dotted rgb(109,208,61) skip-white-space auto;"></map>
+<script>
+    if (window.testRunner)
+        testRunner.dumpAsText();
+    for (i=0;i<440;i++) {
+        document.getElementById("map").appendChild(document.createTextNode(']3MmP`3R'));
+    }
+    document.normalize();
+    document.body.style.textDecoration="underline";
+</script>
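Review bot: `for (i=0;i<440;i++)` declares no loop variable, so `i` leaks as an implicit global; write `for (var i = 0; i < 440; i++)`. The style attribute on the `<map>` also carries declarations that are not valid CSS (`box-decoration edges` has no colon, `text-underline:` is not a property), which reads like fuzzer residue: if they are not needed to reproduce the crash, drop them so the test documents the minimal trigger (`-webkit-text-decoration-skip: ink` plus an underline across many ink gaps); if they are needed, add a comment saying so.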
index 7a61969b21de700cf8665e202faca3ba0ec1e793..f49964be6b0d4083f05cab6cbbe0928986ff76ee 100644 (file)
@@ -1,3 +1,19 @@
+2014-01-02  Myles C. Maxfield  <mmaxfield@apple.com>
+
+        Crash in WebCore::translateIntersectionPointsToSkipInkBoundaries
+        https://bugs.webkit.org/show_bug.cgi?id=126252
+
+        Reviewed by Alexey Proskuryakov.
+
+        lastIntermediate was a iterator pointing into a Vector, which was being re-used
+        even while appending to the Vector. If any of the append operators triggered
+        a realloc, the iterator would point to the old free'ed memory.
+
+        Test: fast/css3-text/css3-text-decoration/text-decoration-skip/text-decoration-skip-ink-crash-many-gaps.html
+
+        * rendering/InlineTextBox.cpp:
+        (WebCore::translateIntersectionPointsToSkipInkBoundaries):
+
 2014-01-02  Brent Fulgham  <bfulgham@apple.com>
 
         [WebGL] Correct symbol lookup logic to handle 1-element arrays
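Review bot: in the description, `lastIntermediate was a iterator` should read `an iterator` and `free'ed` should be `freed`. The entry also describes only the cause and not the change made; a sentence such as `Re-fetch the last element with intermediateTuples.last() on every iteration instead of caching an iterator across append()` would make the ChangeLog match the diff.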
index f2522d90d926914d88d1bf7b0d1e2555a39be28f..857cace8a4521b700dcfeabf59a68d0e75c97734 100644 (file)
@@ -86,19 +86,16 @@ static DashArray translateIntersectionPointsToSkipInkBoundaries(const DashArray&
     Vector<std::pair<float, float>> intermediateTuples;
     if (tuples.size() >= 2) {
         intermediateTuples.append(*tuples.begin());
-        auto lastIntermediate = intermediateTuples.begin();
         for (auto i = tuples.begin() + 1; i != tuples.end(); i++) {
-            float& firstEnd = lastIntermediate->second;
+            float& firstEnd = intermediateTuples.last().second;
             float secondStart = i->first;
             float secondEnd = i->second;
             if (secondStart <= firstEnd && secondEnd <= firstEnd) {
                 // Ignore this range completely
             } else if (secondStart <= firstEnd)
                 firstEnd = secondEnd;
-            else {
+            else
                 intermediateTuples.append(*i);
-                ++lastIntermediate;
-            }
         }
     } else
         intermediateTuples = tuples;
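Review bot: the fix is correct because `intermediateTuples.last()` is re-evaluated on every iteration, but `float& firstEnd = intermediateTuples.last().second;` is still a reference into the Vector's buffer that stays in scope across `intermediateTuples.append(*i);` in the `else` branch. It is never read after that append today, yet nothing prevents a later edit from reintroducing the same use-after-realloc. Consider removing the reference altogether: read `float firstEnd = intermediateTuples.last().second;` by value and write the extension as `intermediateTuples.last().second = secondEnd;` in the `else if` branch, or at least add a comment above the reference stating that it must not be used after `append()`, which may reallocate.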