Bug 112157

Summary: [CSS Exclusions] Specifying polygonal -webkit-shape-inside value can crash browser (debug mode)
Product: WebKit
Component: CSS
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Reporter: Hans Muller <giles_joplin>
Assignee: Hans Muller <giles_joplin>
CC: eric, esprehn+autocc, ojan.autocc, webkit.review.bot
Attachments:
  Test case. (flags: none)
  Patch (flags: none)
  Patch (flags: none)

Hans Muller
Reported 2013-03-12 09:13:23 PDT
Created attachment 192749: Test case.

Pressing the button in the attached HTML file will crash a debug build of Safari. The crash is caused by the following ASSERT fail, from line 1306 of RenderBlockLineLayout.cpp:

    const SegmentRangeList& segmentRanges = exclusionShapeInsideInfo->segmentRanges();
    ASSERT(segmentRanges.size());
    for (size_t i = 0; i < segmentRanges.size(); i++) {
        InlineIterator segmentStart = segmentRanges[i].start;
        InlineIterator segmentEnd = segmentRanges[i].end;
        if (i) {
            ASSERT(segmentStart.m_obj); // FAIL
            BidiRun* segmentMarker = createRun(segmentStart.m_pos, segmentStart.m_pos, segmentStart.m_obj, topResolver);
            segmentMarker->m_startsSegment = true;
            bidiRuns.addRun(segmentMarker);
            // Do not collapse midpoints between segments
            topResolver.midpointState().betweenMidpoints = false;
        }
        topResolver.setPosition(segmentStart, numberOfIsolateAncestors(segmentStart));
        constructBidiRunsForSegment(topResolver, bidiRuns, segmentEnd, override, previousLineBrokeCleanly);
    }
Attachments
  Test case. (830 bytes, text/html), 2013-03-12 09:13 PDT, Hans Muller, no flags
  Patch (8.50 KB, patch), 2013-03-13 12:38 PDT, Hans Muller, no flags
  Patch (10.03 KB, patch), 2013-03-13 16:15 PDT, Hans Muller, no flags
Hans Muller
Comment 1 2013-03-13 12:38:37 PDT
Hans Muller
Comment 2 2013-03-13 16:15:16 PDT
Created attachment 193017: Patch

Refactored the logic per feedback from Bear, and added trailing whitespace variations to the tests.
Dave Hyatt
Comment 3 2013-03-18 09:43:16 PDT
Comment on attachment 193017: Patch

r=me
WebKit Review Bot
Comment 4 2013-03-18 09:56:28 PDT
Comment on attachment 193017: Patch

Clearing flags on attachment: 193017

Committed r146073: <http://trac.webkit.org/changeset/146073>
WebKit Review Bot
Comment 5 2013-03-18 09:56:32 PDT
All reviewed patches have been landed. Closing bug.