Title: [106969] trunk/Source/WebCore
Revision
106969
Author
commit-qu...@webkit.org
Date
2012-02-07 11:46:49 -0800 (Tue, 07 Feb 2012)

Log Message

[Chromium] Memory bug during occlusion tracking if Vector::append() needs to reallocate the buffer
https://bugs.webkit.org/show_bug.cgi?id=77996

Patch by Dana Jansens <dan...@chromium.org> on 2012-02-07
Reviewed by James Robinson.

We're holding onto the last element in the Vector and then calling
append(). If append() reallocates the Vector's buffer, the pointer
is no longer valid.

* platform/graphics/chromium/cc/CCLayerTreeHost.cpp:
(WebCore::enterTargetRenderSurface):
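The mechanism the log message describes, as an added example that is not WebKit's code: a reference to the last element is taken, append() grows the buffer, and the reference now points into freed storage. std::vector stands in for WTF::Vector; the names SurfaceRegion, appendWillReallocate, enterTargetUnsafe, enterTargetSafe, fullStack and demonstrate are assumptions made for this illustration, not identifiers from CCLayerTreeHost.cpp.

```cpp
#include <cstddef>
#include <vector>

// Hypothetical stand-in for RenderSurfaceRegion: the target surface plus the
// occlusion state inherited from the enclosing surface.
struct SurfaceRegion {
    int surface;
    int occludedInScreen;
};

// True when one more push_back must grow the buffer, which is exactly the
// case in which references and pointers to existing elements are invalidated.
bool appendWillReallocate(const std::vector<SurfaceRegion>& stack)
{
    return stack.size() == stack.capacity();
}

// Pre-fix shape: a reference to the last element is taken before the append
// and would be read after it. Rather than perform the dangling read, this
// version reports whether it would have happened. Returns true when the append
// moved the buffer, i.e. when the original code would have read freed memory.
bool enterTargetUnsafe(std::vector<SurfaceRegion>& stack, int newTarget)
{
    if (stack.empty() || stack.back().surface == newTarget)
        return false;
    const SurfaceRegion* bufferBefore = stack.data();
    const SurfaceRegion& previous = stack.back();   // refers into bufferBefore
    stack.push_back(SurfaceRegion{newTarget, 0});
    bool dangling = stack.data() != bufferBefore;
    if (!dangling)
        stack.back().occludedInScreen = previous.occludedInScreen; // valid only without growth
    return dangling;
}

// Post-fix shape: index into the vector after the append, so every access goes
// through whatever buffer the vector owns now. Returns the occlusion state the
// top entry carries after the call.
int enterTargetSafe(std::vector<SurfaceRegion>& stack, int newTarget)
{
    if (stack.empty()) {
        stack.push_back(SurfaceRegion{newTarget, 0});
    } else if (stack.back().surface != newTarget) {
        stack.push_back(SurfaceRegion{newTarget, 0});
        std::size_t lastIndex = stack.size() - 1;   // >= 1: the stack was non-empty
        stack[lastIndex].occludedInScreen = stack[lastIndex - 1].occludedInScreen;
    }
    return stack.back().occludedInScreen;
}

// Constructed input: a one-element stack whose capacity is exhausted, so the
// next append has to reallocate. This is the situation the bug report covers.
std::vector<SurfaceRegion> fullStack(int surface, int occluded)
{
    std::vector<SurfaceRegion> stack;
    stack.reserve(1);
    stack.push_back(SurfaceRegion{surface, occluded});
    return stack;
}

// Runs both shapes on a full stack. True when the unsafe shape reports a
// dangling reference and the safe shape still propagated the occlusion state.
bool demonstrate()
{
    std::vector<SurfaceRegion> unsafeStack = fullStack(1, 7);
    bool dangling = enterTargetUnsafe(unsafeStack, 2);
    std::vector<SurfaceRegion> safeStack = fullStack(1, 7);
    int inherited = enterTargetSafe(safeStack, 2);
    return dangling && inherited == 7 && safeStack.size() == 2;
}
```

Copying occludedInScreen into a local before the append is an equally valid fix; the essential rule is that no reference or pointer into the vector may survive a call that can grow it.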

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (106968 => 106969)


--- trunk/Source/WebCore/ChangeLog	2012-02-07 19:37:26 UTC (rev 106968)
+++ trunk/Source/WebCore/ChangeLog	2012-02-07 19:46:49 UTC (rev 106969)
@@ -1,3 +1,17 @@
+2012-02-07  Dana Jansens  <dan...@chromium.org>
+
+        [Chromium] Memory bug during occlusion tracking if Vector::append() needs to reallocate the buffer
+        https://bugs.webkit.org/show_bug.cgi?id=77996
+
+        Reviewed by James Robinson.
+
+        We're holding onto the last element in the Vector and then calling
+        append(). If append() reallocates the Vector's buffer, the pointer
+        is no longer valid.
+
+        * platform/graphics/chromium/cc/CCLayerTreeHost.cpp:
+        (WebCore::enterTargetRenderSurface):
+
 2012-02-07  Abhishek Arya  <infe...@chromium.org>
 
         Crash due to column style not updated on post block
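Review bot: no test accompanies the fix; the ChangeLog lists only CCLayerTreeHost.cpp. Because the failure only surfaces when append() has to grow the buffer, a test that pushes enough distinct targets to force a reallocation (or a run under a memory checker) would catch a regression of this pattern.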

Modified: trunk/Source/WebCore/platform/graphics/chromium/cc/CCLayerTreeHost.cpp (106968 => 106969)


--- trunk/Source/WebCore/platform/graphics/chromium/cc/CCLayerTreeHost.cpp	2012-02-07 19:37:26 UTC (rev 106968)
+++ trunk/Source/WebCore/platform/graphics/chromium/cc/CCLayerTreeHost.cpp	2012-02-07 19:46:49 UTC (rev 106969)
@@ -495,10 +495,10 @@
         stack.append(RenderSurfaceRegion());
         stack.last().surface = newTarget;
     } else if (stack.last().surface != newTarget) {
-        const RenderSurfaceRegion& previous = stack.last();
         stack.append(RenderSurfaceRegion());
         stack.last().surface = newTarget;
-        stack.last().occludedInScreen = previous.occludedInScreen;
+        int lastIndex = stack.size() - 1;
+        stack[lastIndex].occludedInScreen = stack[lastIndex - 1].occludedInScreen;
     }
 }
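Review bot: `int lastIndex = stack.size() - 1;` narrows the size_t returned by size() to int; use size_t for the index. Also note that `lastIndex - 1` is only in range because the `else if` condition already evaluated `stack.last()`, so the stack was non-empty before the append and has at least two entries after it; an ASSERT or a one-line comment stating that invariant would make the subtraction obviously safe. A simpler alternative is to copy `occludedInScreen` into a local before the append and assign it to `stack.last()` afterwards, which avoids indexing altogether.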
 
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
