<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[184394] trunk/Source/WebCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/184394">184394</a></dd>
<dt>Author</dt> <dd>jer.noble@apple.com</dd>
<dt>Date</dt> <dd>2015-05-15 10:15:16 -0700 (Fri, 15 May 2015)</dd>
</dl>
<h3>Log Message</h3>
<pre>Crash in RenderFlowThread::popFlowThreadLayoutState() due to mismatched push/pop count
https://bugs.webkit.org/show_bug.cgi?id=145042
Reviewed by David Hyatt.
RenderFlowThread previously used a ListHashSet to store its stack of active objects. This
is problematic because, if the same object is pushed twice, only a single entry of that
object is added to the stack. After this occurs, a matching number of pushes will pop too
many items off the stack, causing a crash when popping a stack with zero items. This
specifically happens in FrameView::layout(), which will push its root renderer on the stack
of active items, and then ask the root to layout(), which will attempt to push itself on the
stack of active items.
Instead of a ListHashSet, use a Vector, which has similar memory characteristics and no
uniqueness requirements.
* rendering/RenderFlowThread.cpp:
(WebCore::RenderFlowThread::pushFlowThreadLayoutState):
(WebCore::RenderFlowThread::popFlowThreadLayoutState):
* rendering/RenderFlowThread.h:</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorerenderingRenderFlowThreadcpp">trunk/Source/WebCore/rendering/RenderFlowThread.cpp</a></li>
<li><a href="#trunkSourceWebCorerenderingRenderFlowThreadh">trunk/Source/WebCore/rendering/RenderFlowThread.h</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (184393 => 184394)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2015-05-15 16:46:46 UTC (rev 184393)
+++ trunk/Source/WebCore/ChangeLog 2015-05-15 17:15:16 UTC (rev 184394)
</span><span class="lines">@@ -1,3 +1,26 @@
</span><ins>+2015-05-15 Jer Noble <jer.noble@apple.com>
+
+ Crash in RenderFlowThread::popFlowThreadLayoutState() due to mismatched push/pop count
+ https://bugs.webkit.org/show_bug.cgi?id=145042
+
+ Reviewed by David Hyatt.
+
+ RenderFlowThread previously used a ListHashSet to store its stack of active objects. This
+ is problematic because, if the same object is pushed twice, only a single entry of that
+ object is added to the stack. After this occurs, a matching number of pushes will pop too
+ many items off the stack, causing a crash when popping a stack with zero items. This
+ specifically happens in FrameView::layout(), which will push its root renderer on the stack
+ of active items, and then ask the root to layout(), which will attempt to push itself on the
+ stack of active items.
+
+ Instead of a ListHashSet, use a Vector, which has similar memory characteristics and no
+ uniqueness requirements.
+
+ * rendering/RenderFlowThread.cpp:
+ (WebCore::RenderFlowThread::pushFlowThreadLayoutState):
+ (WebCore::RenderFlowThread::popFlowThreadLayoutState):
+ * rendering/RenderFlowThread.h:
+
</ins><span class="cx"> 2015-05-15 Per Arne Vollan <peavo@outlook.com>
</span><span class="cx">
</span><span class="cx"> [Curl] WebSocket platform part is not implemented.
</span></span></pre></div>
<a id="trunkSourceWebCorerenderingRenderFlowThreadcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/rendering/RenderFlowThread.cpp (184393 => 184394)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/rendering/RenderFlowThread.cpp 2015-05-15 16:46:46 UTC (rev 184393)
+++ trunk/Source/WebCore/rendering/RenderFlowThread.cpp 2015-05-15 17:15:16 UTC (rev 184394)
</span><span class="lines">@@ -1193,7 +1193,7 @@
</span><span class="cx">
</span><span class="cx"> void RenderFlowThread::pushFlowThreadLayoutState(const RenderObject& object)
</span><span class="cx"> {
</span><del>- m_activeObjectsStack.add(&object);
</del><ins>+ m_activeObjectsStack.append(&object);
</ins><span class="cx">
</span><span class="cx"> if (const RenderBox* currentBoxDescendant = currentActiveRenderBox()) {
</span><span class="cx"> LayoutState* layoutState = currentBoxDescendant->view().layoutState();
</span></span></pre></div>
<a id="trunkSourceWebCorerenderingRenderFlowThreadh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/rendering/RenderFlowThread.h (184393 => 184394)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/rendering/RenderFlowThread.h 2015-05-15 16:46:46 UTC (rev 184393)
+++ trunk/Source/WebCore/rendering/RenderFlowThread.h 2015-05-15 17:15:16 UTC (rev 184394)
</span><span class="lines">@@ -351,7 +351,7 @@
</span><span class="cx"> RenderBoxToRegionMap m_breakBeforeToRegionMap;
</span><span class="cx"> RenderBoxToRegionMap m_breakAfterToRegionMap;
</span><span class="cx">
</span><del>- typedef ListHashSet<const RenderObject*> RenderObjectStack;
</del><ins>+ typedef Vector<const RenderObject*> RenderObjectStack;
</ins><span class="cx"> RenderObjectStack m_activeObjectsStack;
</span><span class="cx">
</span><span class="cx"> typedef HashMap<const RenderBox*, LayoutUnit> RenderBoxToOffsetMap;
</span></span></pre>
</div>
</div>
</body>
</html>