- Revision
- 204791
- Author
- [email protected]
- Date
- 2016-08-23 02:57:31 -0700 (Tue, 23 Aug 2016)
Log Message
Merge r201608 - Fix a couple of mistakes in CSSParserValue memory management
https://bugs.webkit.org/show_bug.cgi?id=158307
<rdar://problem/26127225>
Source/WebCore:
Patch by Darin Adler <[email protected]> on 2016-06-02
Reviewed by Daniel Bates.
* css/CSSGrammar.y.in: Added a destructor for calc_func_term. This presumably
fixes some memory leaks in error cases. Removed an assertion about not needing
a call to destroy that was far too limited. Tweaked formatting of the percentage
ase in the key production. Indented calc_func_term to make it consistent with
other productions nearby.
* css/CSSParserValues.cpp:
(WebCore::CSSParserValueList::~CSSParserValueList): Use a modern for loop.
(WebCore::CSSParserValueList::deleteValueAt): Deleted. Unused function, and also
would have resulted in a memory leak unless the code already extracted the value
from the list.
(WebCore::CSSParserValueList::extend): Properly transfer ownership from one value
list to the other by setting the unit to 0 in the donor.
* css/CSSParserValues.h: Removed unused deleteValueAt function.
LayoutTests:
Reviewed by Darin Adler.
* fast/css/calc-with-two-variables-crash-expected.txt: Added.
* fast/css/calc-with-two-variables-crash.html: Added.
Modified Paths
Added Paths
Diff
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog (204790 => 204791)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog 2016-08-23 09:52:09 UTC (rev 204790)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog 2016-08-23 09:57:31 UTC (rev 204791)
@@ -1,3 +1,14 @@
+2016-06-02 Daniel Bates <[email protected]>
+
+ Fix a couple of mistakes in CSSParserValue memory management
+ https://bugs.webkit.org/show_bug.cgi?id=158307
+ <rdar://problem/26127225>
+
+ Reviewed by Darin Adler.
+
+ * fast/css/calc-with-two-variables-crash-expected.txt: Added.
+ * fast/css/calc-with-two-variables-crash.html: Added.
+
2016-06-13 Dean Jackson <[email protected]>
SVG elements don't blend correctly into HTML
Added: releases/WebKitGTK/webkit-2.12/LayoutTests/fast/css/calc-with-two-variables-crash-expected.txt (0 => 204791)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/fast/css/calc-with-two-variables-crash-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/fast/css/calc-with-two-variables-crash-expected.txt 2016-08-23 09:57:31 UTC (rev 204791)
@@ -0,0 +1,3 @@
+This test PASSED if it doesn't cause a crash, especially when run with Guard Malloc or MallocScribble enabled.
+
+
Added: releases/WebKitGTK/webkit-2.12/LayoutTests/fast/css/calc-with-two-variables-crash.html (0 => 204791)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/fast/css/calc-with-two-variables-crash.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/fast/css/calc-with-two-variables-crash.html 2016-08-23 09:57:31 UTC (rev 204791)
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+<style>
+#test {
+ --baseLength: 64px;
+ --scaleFactor: 2;
+ height: calc(var(--scaleFactor) * (var(--baseLength))); /* The extra parentheses around the second operand are necessary. */
+ width: 128px;
+ background-color: blue;
+}
+</style>
+</head>
+<body>
+<p>This test PASSED if it doesn't cause a crash, especially when run with Guard Malloc or MallocScribble enabled.</p>
+<div id="test"></div>
+<script>
+// Iterating at least 100 times seems to reliably reproduce the crash when run without Guard Malloc/MallocScribble enabled.
+for (var i = 0; i < 100; ++i) {
+ var oldStyleElement = document.querySelector("style");
+ var newStyleElement = document.createElement("style");
+ newStyleElement.textContent = oldStyleElement.textContent;
+ document.head.removeChild(oldStyleElement);
+ document.head.appendChild(newStyleElement);
+}
+</script>
+</body>
+</html>
Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog (204790 => 204791)
--- releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog 2016-08-23 09:52:09 UTC (rev 204790)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog 2016-08-23 09:57:31 UTC (rev 204791)
@@ -1,3 +1,27 @@
+2016-06-02 Darin Adler <[email protected]>
+
+ Fix a couple of mistakes in CSSParserValue memory management
+ https://bugs.webkit.org/show_bug.cgi?id=158307
+ <rdar://problem/26127225>
+
+ Reviewed by Daniel Bates.
+
+ * css/CSSGrammar.y.in: Added a destructor for calc_func_term. This presumably
+ fixes some memory leaks in error cases. Removed an assertion about not needing
+ a call to destroy that was far too limited. Tweaked formatting of the percentage
+ ase in the key production. Indented calc_func_term to make it consistent with
+ other productions nearby.
+
+ * css/CSSParserValues.cpp:
+ (WebCore::CSSParserValueList::~CSSParserValueList): Use a modern for loop.
+ (WebCore::CSSParserValueList::deleteValueAt): Deleted. Unused function, and also
+ would have resulted in a memory leak unless the code already extracted the value
+ from the list.
+ (WebCore::CSSParserValueList::extend): Properly transfer ownership from one value
+ list to the other by setting the unit to 0 in the donor.
+
+ * css/CSSParserValues.h: Removed unused deleteValueAt function.
+
2016-06-13 Dean Jackson <[email protected]>
SVG elements don't blend correctly into HTML
Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/css/CSSGrammar.y.in (204790 => 204791)
--- releases/WebKitGTK/webkit-2.12/Source/WebCore/css/CSSGrammar.y.in 2016-08-23 09:52:09 UTC (rev 204790)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/css/CSSGrammar.y.in 2016-08-23 09:57:31 UTC (rev 204791)
@@ -294,12 +294,12 @@
%type <keyframeRuleList> keyframes_rule
%destructor { delete $$; } keyframes_rule
-// These parser values never need to be destroyed because they are never functions or value lists.
-%type <value> calc_func_term key unary_term
+// These parser values never need to be destroyed because they are never functions, value lists, or variables.
+%type <value> key unary_term
-// These parser values need to be destroyed because they might be functions.
-%type <value> calc_function function variable_function min_or_max_function term
-%destructor { destroy($$); } calc_function function variable_function min_or_max_function term
+// These parser values need to be destroyed because they might be functions, value lists, or variables.
+%type <value> calc_func_term calc_function function min_or_max_function term variable_function
+%destructor { destroy($$); } calc_func_term calc_function function min_or_max_function term variable_function
%type <id> property
@@ -823,7 +823,6 @@
}
| key_list maybe_space ',' maybe_space key {
$$ = $1;
- ASSERT($5.unit != CSSParserValue::Function); // No need to call destroy.
if ($$)
$$->addValue($5);
}
@@ -830,7 +829,12 @@
;
key:
- maybe_unary_operator PERCENTAGE { $$.id = CSSValueInvalid; $$.isInt = false; $$.fValue = $1 * $2; $$.unit = CSSPrimitiveValue::CSS_NUMBER; }
+ maybe_unary_operator PERCENTAGE {
+ $$.id = CSSValueInvalid;
+ $$.isInt = false;
+ $$.fValue = $1 * $2;
+ $$.unit = CSSPrimitiveValue::CSS_NUMBER;
+ }
| IDENT {
$$.id = CSSValueInvalid;
$$.isInt = false;
@@ -1838,10 +1842,10 @@
'!' | ';';
calc_func_term:
- unary_term
- | variable_function { $$ = $1; }
- | unary_operator unary_term { $$ = $2; $$.fValue *= $1; }
- ;
+ unary_term
+ | unary_operator unary_term { $$ = $2; $$.fValue *= $1; }
+ | variable_function
+ ;
/*
* The grammar requires spaces around binary ‘+’ and ‘-’ operators.
Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/css/CSSParserValues.cpp (204790 => 204791)
--- releases/WebKitGTK/webkit-2.12/Source/WebCore/css/CSSParserValues.cpp 2016-08-23 09:52:09 UTC (rev 204790)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/css/CSSParserValues.cpp 2016-08-23 09:57:31 UTC (rev 204791)
@@ -46,31 +46,28 @@
CSSParserValueList::~CSSParserValueList()
{
- for (size_t i = 0, size = m_values.size(); i < size; i++)
- destroy(m_values[i]);
+ for (auto& value : m_values)
+ destroy(value);
}
-void CSSParserValueList::addValue(const CSSParserValue& v)
+void CSSParserValueList::addValue(const CSSParserValue& value)
{
- m_values.append(v);
+ m_values.append(value);
}
-void CSSParserValueList::insertValueAt(unsigned i, const CSSParserValue& v)
+void CSSParserValueList::insertValueAt(unsigned i, const CSSParserValue& value)
{
- m_values.insert(i, v);
+ m_values.insert(i, value);
}
-void CSSParserValueList::deleteValueAt(unsigned i)
+void CSSParserValueList::extend(CSSParserValueList& other)
{
- m_values.remove(i);
+ for (auto& value : other.m_values) {
+ m_values.append(value);
+ value.unit = 0; // We moved the CSSParserValue from the other list; this acts like std::move.
+ }
}
-void CSSParserValueList::extend(CSSParserValueList& valueList)
-{
- for (unsigned int i = 0; i < valueList.size(); ++i)
- m_values.append(*(valueList.valueAt(i)));
-}
-
bool CSSParserValueList::containsVariables() const
{
for (unsigned i = 0; i < size(); i++) {
Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/css/CSSParserValues.h (204790 => 204791)
--- releases/WebKitGTK/webkit-2.12/Source/WebCore/css/CSSParserValues.h 2016-08-23 09:52:09 UTC (rev 204790)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/css/CSSParserValues.h 2016-08-23 09:57:31 UTC (rev 204791)
@@ -18,8 +18,7 @@
* Boston, MA 02110-1301, USA.
*/
-#ifndef CSSParserValues_h
-#define CSSParserValues_h
+#pragma once
#include "CSSSelector.h"
#include "CSSValueKeywords.h"
@@ -140,7 +139,6 @@
void addValue(const CSSParserValue&);
void insertValueAt(unsigned, const CSSParserValue&);
- void deleteValueAt(unsigned);
void extend(CSSParserValueList&);
unsigned size() const { return m_values.size(); }
@@ -274,5 +272,3 @@
}
}
-
-#endif
