Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 00b74e1a7b8cb148b8500e731132c1d881c21ab4
      
https://github.com/WebKit/WebKit/commit/00b74e1a7b8cb148b8500e731132c1d881c21ab4
  Author: Antti Koivisto <[email protected]>
  Date:   2025-06-23 (Mon, 23 Jun 2025)

  Changed paths:
    A LayoutTests/fast/css/cssom-translate-crash-expected.txt
    A LayoutTests/fast/css/cssom-translate-crash.html
    M Source/WebCore/css/DOMMatrixReadOnly.cpp
    M Source/WebCore/css/parser/CSSPropertyParser.cpp
    M Source/WebCore/css/parser/CSSPropertyParserConsumer+Transform.cpp
    M Source/WebCore/css/parser/CSSPropertyParserConsumer+Transform.h
    M Source/WebCore/css/query/ContainerQueryFeatures.cpp
    M Source/WebCore/style/StyleBuilderConverter.h
    M Source/WebCore/style/StyleBuilderState.cpp
    M Source/WebCore/style/StyleBuilderState.h
    M Source/WebCore/style/StyleCustomPropertyRegistry.cpp
    M Source/WebCore/style/StyleResolver.cpp
    M Source/WebCore/style/StyleTreeResolver.cpp
    M Source/WebCore/style/TransformOperationsBuilder.cpp
    M Source/WebCore/style/TransformOperationsBuilder.h

  Log Message:
  -----------
  CSS TypedOM crash under BuilderFunctions::applyValueTranslate
https://bugs.webkit.org/show_bug.cgi?id=294670
rdar://146650025

Reviewed by Darin Adler.

Use BuilderConverter::requiredDowncast<> to check for correct types when 
building transforms.

* LayoutTests/fast/css/cssom-translate-crash-expected.txt: Added.
* LayoutTests/fast/css/cssom-translate-crash.html: Added.
* Source/WebCore/css/DOMMatrixReadOnly.cpp:
(WebCore::DOMMatrixReadOnly::parseStringIntoAbstractMatrix):
* Source/WebCore/css/parser/CSSPropertyParser.cpp:
(WebCore::consumeTypedCustomPropertyValue):
* Source/WebCore/css/parser/CSSPropertyParserConsumer+Transform.cpp:
(WebCore::CSSPropertyParserHelpers::parseTransformRaw):
* Source/WebCore/css/parser/CSSPropertyParserConsumer+Transform.h:
* Source/WebCore/css/query/ContainerQueryFeatures.cpp:
* Source/WebCore/style/StyleBuilderConverter.h:
(WebCore::Style::BuilderConverter::convertTransform):
* Source/WebCore/style/StyleBuilderState.h:
(WebCore::Style::BuilderState::parentStyle const):
(WebCore::Style::BuilderState::document const):
(WebCore::Style::BuilderState::protectedDocument const):

Make it simpler to construct a dummy BuilderState without Builder.

* Source/WebCore/style/StyleCustomPropertyRegistry.cpp:
(WebCore::Style::CustomPropertyRegistry::parseInitialValue):
* Source/WebCore/style/StyleResolver.cpp:
(WebCore::Style::Resolver::builderContext):
* Source/WebCore/style/StyleTreeResolver.cpp:
(WebCore::Style::TreeResolver::resolveAgainInDifferentContext):
(WebCore::Style::TreeResolver::applyCascadeAfterAnimation):
* Source/WebCore/style/TransformOperationsBuilder.cpp:
(WebCore::Style::createMatrixTransformOperation):
(WebCore::Style::createMatrix3dTransformOperation):
(WebCore::Style::createRotateTransformOperation):
(WebCore::Style::createRotate3dTransformOperation):
(WebCore::Style::createRotateXTransformOperation):
(WebCore::Style::createRotateYTransformOperation):
(WebCore::Style::createRotateZTransformOperation):
(WebCore::Style::createSkewTransformOperation):
(WebCore::Style::createSkewXTransformOperation):
(WebCore::Style::createSkewYTransformOperation):
(WebCore::Style::createScaleTransformOperation):
(WebCore::Style::createScale3dTransformOperation):
(WebCore::Style::createScaleXTransformOperation):
(WebCore::Style::createScaleYTransformOperation):
(WebCore::Style::createScaleZTransformOperation):
(WebCore::Style::createTranslateTransformOperation):
(WebCore::Style::createTranslate3dTransformOperation):
(WebCore::Style::createTranslateXTransformOperation):
(WebCore::Style::createTranslateYTransformOperation):
(WebCore::Style::createTranslateZTransformOperation):
(WebCore::Style::createPerspectiveTransformOperation):

Pass BuilderState to various create* functions and use 
requiredFunctionDowncast<> for checked safe downcasts.
Return a RefPtr instead of a Ref.

(WebCore::Style::createTransformOperation):
(WebCore::Style::createTransformOperations):
(WebCore::Style::resolveAsNumberAtIndex): Deleted.
* Source/WebCore/style/TransformOperationsBuilder.h:

Canonical link: https://commits.webkit.org/296528@main



_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
