Title: [241567] trunk/Source/WebCore
Revision
241567
Author
commit-qu...@webkit.org
Date
2019-02-14 15:39:59 -0800 (Thu, 14 Feb 2019)

Log Message

Web Inspector: Occasional crash under WebCore::CSSStyleSheet::item called from Inspector
https://bugs.webkit.org/show_bug.cgi?id=194671
<rdar://problem/47628191>

Patch by Joseph Pecoraro <pecor...@apple.com> on 2019-02-14
Reviewed by Devin Rousso.

* css/CSSStyleSheet.cpp:
(WebCore::CSSStyleSheet::item):
A crash may happen if the m_childRuleCSSOMWrappers Vector gets out of
sync with the m_contents list of rules. In particular if the wrappers
vector is shorter than the rule list. We tried exercising code paths
that modify these lists but were not able to reproduce the crash.
To avoid a crash we can make this access safer and avoid the original
overflow. At the same time we will keep and promote the assertion that
would catch the lists getting out of sync in debug builds.

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (241566 => 241567)


--- trunk/Source/WebCore/ChangeLog	2019-02-14 23:06:06 UTC (rev 241566)
+++ trunk/Source/WebCore/ChangeLog	2019-02-14 23:39:59 UTC (rev 241567)
@@ -1,3 +1,21 @@
+2019-02-14  Joseph Pecoraro  <pecor...@apple.com>
+
+        Web Inspector: Occasional crash under WebCore::CSSStyleSheet::item called from Inspector
+        https://bugs.webkit.org/show_bug.cgi?id=194671
+        <rdar://problem/47628191>
+
+        Reviewed by Devin Rousso.
+
+        * css/CSSStyleSheet.cpp:
+        (WebCore::CSSStyleSheet::item):
+        A crash may happen if the m_childRuleCSSOMWrappers Vector gets out of
+        sync with the m_contents list of rules. In particular if the wrappers
+        vector is shorter than the rule list. We tried exercising code paths
+        that modify these lists but were not able to reproduce the crash.
+        To avoid a crash we can make this access safer and avoid the original
+        overflow. At the same time we will keep and promote the assertion that
+        would catch the lists getting out of sync in debug builds.
+
 2019-02-14  Ross Kirsling  <ross.kirsl...@sony.com>
 
         Unreviewed build fix for WinCairo Debug after r241559.

Modified: trunk/Source/WebCore/css/CSSStyleSheet.cpp (241566 => 241567)


--- trunk/Source/WebCore/css/CSSStyleSheet.cpp	2019-02-14 23:06:06 UTC (rev 241566)
+++ trunk/Source/WebCore/css/CSSStyleSheet.cpp	2019-02-14 23:39:59 UTC (rev 241567)
@@ -228,12 +228,12 @@
 {
     unsigned ruleCount = length();
     if (index >= ruleCount)
-        return 0;
+        return nullptr;
 
-    if (m_childRuleCSSOMWrappers.isEmpty())
+    ASSERT(m_childRuleCSSOMWrappers.isEmpty() || m_childRuleCSSOMWrappers.size() == ruleCount);
+    if (m_childRuleCSSOMWrappers.size() < ruleCount)
         m_childRuleCSSOMWrappers.grow(ruleCount);
-    ASSERT(m_childRuleCSSOMWrappers.size() == ruleCount);
-    
+
     RefPtr<CSSRule>& cssRule = m_childRuleCSSOMWrappers[index];
     if (!cssRule)
         cssRule = m_contents->ruleAt(index)->createCSSOMWrapper(this);
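Review bot: the new `size() < ruleCount` guard only covers the wrapper vector being shorter than the rule list; if `m_childRuleCSSOMWrappers` is non-empty and out of sync in any other way (longer than `ruleCount`, or shifted by an insertion or deletion in `m_contents`), `m_childRuleCSSOMWrappers[index]` is in bounds but may hand back a wrapper created for a different rule, so in release builds the change turns the overflow into a silently stale CSSOM object while the `ASSERT` on the line above only fires in debug. Worth a comment at the `grow` saying that the recovery path is deliberately reached only in release builds, and worth a follow-up that re-syncs or clears the wrapper vector at the rule-mutation sites rather than here; `m_contents->ruleAt(index)` is also dereferenced without a null check on the last line, which is pre-existing but would be the next crash if the lists disagree.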
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes