Title: [136742] trunk/Source/WebCore
- Revision: 136742
- Author: ju...@google.com
- Date: 2012-12-05 12:53:24 -0800 (Wed, 05 Dec 2012)
Log Message
Use of uninitialized variable in WebCore::RenderBox::paintFillLayers
https://bugs.webkit.org/show_bug.cgi?id=104154
Reviewed by Stephen White.
Method FillLayer::clipOccludesNextLayers performs an internal
initialization when called on the first layer of a list of layers.
Without this initialization, calls to clipOccludesNextLayers on
subsequent layers will use uninitialized data. In some cases, the
call to clipOccludesNextLayers was being short-circuited in
RenderBox::paintFillLayers.
Fix: Predicate was permuted to ensure that clipOccludesNextLayers
is never short-circuited.
Test: fast/backgrounds/size/contain-and-cover-zoomed.html
Running with valgrind reveals the error.
* rendering/RenderBox.cpp:
(WebCore::RenderBox::paintFillLayers):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (136741 => 136742)
--- trunk/Source/WebCore/ChangeLog 2012-12-05 20:49:21 UTC (rev 136741)
+++ trunk/Source/WebCore/ChangeLog 2012-12-05 20:53:24 UTC (rev 136742)
@@ -1,3 +1,25 @@
+2012-12-05 Justin Novosad <ju...@google.com>
+
+ Use of uninitialized variable in WebCore::RenderBox::paintFillLayers
+ https://bugs.webkit.org/show_bug.cgi?id=104154
+
+ Reviewed by Stephen White.
+
+ Method FillLayer::clipOccludesNextLayers performs an internal
+ initialization when called on the first layer of a list of layers.
+ Without this initialization, calls to clipOccludesNextLayers on
+ subsequent layers will use uninitialized data. In some cases, the
+ call to clipOccludesNextLayers was being short-circuited in
+ RenderBox::paintFillLayers.
+ Fix: Predicate was permuted to ensure that clipOccludesNextLayers
+ is never short-circuited.
+
+ Test: fast/backgrounds/size/contain-and-cover-zoomed.html
+ Running with valgrind reveals the error.
+
+ * rendering/RenderBox.cpp:
+ (WebCore::RenderBox::paintFillLayers):
+
2012-12-05 Elliott Sprehn <espr...@gmail.com>
Encapsulate ElementRareData for possible future sharing
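Review bot: the description of the defect ("the call to clipOccludesNextLayers was being short-circuited") would be clearer if it named the condition that caused it; in the original predicate the call sat behind `curLayer->hasOpaqueImage(this)`, so any layer without an opaque image skipped the initialization and left later layers reading uninitialized state. Stating that, and the fact that correctness now depends on clipOccludesNextLayers being the first operand of the `&&` chain, would help whoever next reorders this predicate.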
Modified: trunk/Source/WebCore/rendering/RenderBox.cpp (136741 => 136742)
--- trunk/Source/WebCore/rendering/RenderBox.cpp 2012-12-05 20:49:21 UTC (rev 136741)
+++ trunk/Source/WebCore/rendering/RenderBox.cpp 2012-12-05 20:53:24 UTC (rev 136742)
@@ -1056,10 +1056,12 @@
// FIXME : It would be possible for the following occlusion culling test to be more aggressive
// on layers with no repeat by testing whether the image covers the layout rect.
// Testing that here would imply duplicating a lot of calculations that are currently done in
- // RenderBoxModelOBject::paintFillLayerExtended. A more efficient solution might be to move
+ // RenderBoxModelObject::paintFillLayerExtended. A more efficient solution might be to move
// the layer recursion into paintFillLayerExtended, or to compute the layer geometry here
// and pass it down.
- if (curLayer->hasOpaqueImage(this) && curLayer->clipOccludesNextLayers(curLayer == fillLayer) && curLayer->image()->canRender(this, style()->effectiveZoom()) && curLayer->hasRepeatXY())
+
+ // The clipOccludesNextLayers condition must be evaluated first to avoid short-circuiting.
+ if (curLayer->clipOccludesNextLayers(curLayer == fillLayer) && curLayer->hasOpaqueImage(this) && curLayer->image()->canRender(this, style()->effectiveZoom()) && curLayer->hasRepeatXY())
break;
curLayer = curLayer->next();
}
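Review bot: the fix makes the loop correct only as long as `curLayer->clipOccludesNextLayers(curLayer == fillLayer)` stays the first operand of the `&&` chain, which is a fragile way to express a call that has a required side effect; the added comment helps, but a later edit that reorders the predicate for readability or performance reintroduces the uninitialized read silently. Consider hoisting the call into its own statement so the side effect is unconditional by construction, e.g. `bool clipOccludes = curLayer->clipOccludesNextLayers(curLayer == fillLayer);` followed by `if (clipOccludes && curLayer->hasOpaqueImage(this) && curLayer->image()->canRender(this, style()->effectiveZoom()) && curLayer->hasRepeatXY())`. Separately, since the ChangeLog says valgrind exposes the defect, the new layout test is only a regression guard when run under valgrind or a similar uninitialized-memory checker; the plain test run may pass by accident.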
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes