https://bugs.webkit.org/show_bug.cgi?id=150211
<rdar://problem/23137321>
Reviewed by Alex Christensen.
Source/WebCore:
This is a merge of Blink r188842:
https://codereview.chromium.org/846933002
By setting the backgroundRepeatY property to null it can
happen that accessing that CSS value returns a null pointer.
In that case simply bail out early.
Test: fast/css/background-repeat-null-y-crash.html
* css/StyleProperties.cpp:
(WebCore::StyleProperties::getLayeredShorthandValue):
LayoutTests:
* fast/css/background-repeat-null-y-crash-expected.txt: Added.
* fast/css/background-repeat-null-y-crash.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@191938
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
+2015-11-02 Jiewen Tan <jiewen_tan@apple.com>
+
+ Null dereference loading Blink layout test fast/css/background-repeat-null-y-crash.html
+ https://bugs.webkit.org/show_bug.cgi?id=150211
+ <rdar://problem/23137321>
+
+ Reviewed by Alex Christensen.
+
+ * fast/css/background-repeat-null-y-crash-expected.txt: Added.
+ * fast/css/background-repeat-null-y-crash.html: Added.
+
2015-11-02 Michael Saboff <msaboff@apple.com>
WebInspector crashed while viewing Timeline when refreshing cnn.com while it was already loading
--- /dev/null
+PASS, WebKit didn't crash.
--- /dev/null
+<!DOCTYPE html>
+<body>
+<script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ document.body.style.backgroundRepeat = 'repeat';
+ document.body.style.backgroundRepeatY = '';
+ var tmp = document.body.style.background;
+ document.write("PASS, WebKit didn't crash.")
+</script>
+</body>
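Review bot: The regression test reads only `document.body.style.background`, but the condition guarding the patched branch in getLayeredShorthandValue also matches `CSSPropertyWebkitMaskRepeatY`, so the mask shorthand goes through the same null check without any coverage. Adding the parallel case would pin both paths: `document.body.style.webkitMaskRepeat = 'repeat';`, `document.body.style.webkitMaskRepeatY = '';`, `var tmpMask = document.body.style.webkitMask;`. This assumes the mask longhand is settable from script under that name, which should be confirmed before it is added.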
+2015-11-02 Jiewen Tan <jiewen_tan@apple.com>
+
+ Null dereference loading Blink layout test fast/css/background-repeat-null-y-crash.html
+ https://bugs.webkit.org/show_bug.cgi?id=150211
+ <rdar://problem/23137321>
+
+ Reviewed by Alex Christensen.
+
+ This is a merge of Blink r188842:
+ https://codereview.chromium.org/846933002
+
+ By setting the backgroundRepeatY property to null it can
+ happen that accessing that CSS value returns a null pointer.
+ In that case simply bail out early.
+
+ Test: fast/css/background-repeat-null-y-crash.html
+
+ * css/StyleProperties.cpp:
+ (WebCore::StyleProperties::getLayeredShorthandValue):
+
2015-11-02 Myles C. Maxfield <mmaxfield@apple.com>
[Vertical Writing Mode] Rename "vertical-right" CSS value to match spec
|| (j < size - 1 && shorthand.properties()[j + 1] == CSSPropertyWebkitMaskRepeatY && value)) {
RefPtr<CSSValue> yValue;
RefPtr<CSSValue> nextValue = values[j + 1];
- if (is<CSSValueList>(*nextValue))
- yValue = downcast<CSSValueList>(*nextValue).itemWithoutBoundsCheck(i);
- else
- yValue = nextValue;
+ if (nextValue) {
+ if (is<CSSValueList>(*nextValue))
+ yValue = downcast<CSSValueList>(*nextValue).itemWithoutBoundsCheck(i);
+ else
+ yValue = nextValue;
- if (!is<CSSPrimitiveValue>(*value) || !is<CSSPrimitiveValue>(*yValue))
- continue;
+ if (!is<CSSPrimitiveValue>(*value) || !is<CSSPrimitiveValue>(*yValue))
+ continue;
- CSSValueID xId = downcast<CSSPrimitiveValue>(*value).getValueID();
- CSSValueID yId = downcast<CSSPrimitiveValue>(*yValue).getValueID();
- if (xId != yId) {
- if (xId == CSSValueRepeat && yId == CSSValueNoRepeat) {
- useRepeatXShorthand = true;
+ CSSValueID xId = downcast<CSSPrimitiveValue>(*value).getValueID();
+ CSSValueID yId = downcast<CSSPrimitiveValue>(*yValue).getValueID();
+ if (xId != yId) {
+ if (xId == CSSValueRepeat && yId == CSSValueNoRepeat) {
+ useRepeatXShorthand = true;
+ ++j;
+ } else if (xId == CSSValueNoRepeat && yId == CSSValueRepeat) {
+ useRepeatYShorthand = true;
+ continue;
+ }
+ } else {
+ useSingleWordShorthand = true;
++j;
- } else if (xId == CSSValueNoRepeat && yId == CSSValueRepeat) {
- useRepeatYShorthand = true;
- continue;
}
- } else {
- useSingleWordShorthand = true;
- ++j;
}
}
}
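Review bot: The new `if (nextValue)` guard handles a null entry, but the list branch still calls `itemWithoutBoundsCheck(i)`, and nothing in this hunk shows that `i` is below the length of the repeat-y list. If that list can be shorter than the layer count being iterated, this is an out-of-bounds read driven by page-supplied style. Consider the bounds-checked accessor and treating a missing item like the null case: `yValue = downcast<CSSValueList>(*nextValue).item(i);` followed by `if (!yValue || !is<CSSPrimitiveValue>(*value) || !is<CSSPrimitiveValue>(*yValue)) continue;`. The enclosing loops of getLayeredShorthandValue start and end outside the hunk, so the actual bound on `i` should be confirmed there.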