Bug 118369

Summary: REGRESSION(r125294): A style rule with more than 8192 selectors can cause style corruption.
Product: WebKit
Reporter: Andreas Kling <kling>
Component: CSS
Assignee: Andreas Kling <kling>
Status: RESOLVED FIXED
Severity: Normal
CC: allan.jensen, commit-queue, esprehn+autocc, glenn, jberlin, koivisto, macpherson, menard
Priority: P2
Keywords: InRadar, Regression
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments (Description / Flags):
  Snack for EWS / none
  Proposed patch / koivisto: review+
  Land for patching / none

Description Andreas Kling 2013-07-03 13:15:48 PDT
<rdar://problem/14291428>

Overflowing the RuleData::m_selectorIndex bitfield can cause nasty rendering errors.

After <http://trac.webkit.org/changeset/125294>, the limit was 4096 selectors.
It was then bumped to 8192 in <http://trac.webkit.org/changeset/145034>.

I am working on a patch to split huge selector lists into chunks so we can support arbitrarily large numbers of selectors.
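The failure mode and the fix strategy the description outlines, as an added illustration that is not WebKit code: a packed rule record whose selector index is a narrow bitfield silently truncates any index at or above the cap, so a rule would later be matched against the wrong selector; splitting an oversized selector list into chunks no larger than the cap keeps every stored index representable. The 13-bit width (8192 values) and the names PackedRuleData, storeSelectorIndex and makeSelectors are assumptions chosen to match the cap discussed here, not the real layout of RuleData.

```cpp
#include <algorithm>
#include <cstdio>
#include <string>
#include <vector>

// Assumed layout, not WebKit's: a rule record packing the selector's index
// into 13 bits, which is exactly enough for 8192 selectors (0..8191).
struct PackedRuleData {
    unsigned m_selectorIndex : 13;
    unsigned m_position : 19;
};

// Store an index in the bitfield and read it back. An index >= 8192 is
// truncated on assignment (8192 becomes 0, 8193 becomes 1), which is the
// style corruption the bug describes.
unsigned storeSelectorIndex(unsigned index) {
    PackedRuleData data{};
    data.m_selectorIndex = index; // implicit truncation to 13 bits
    return data.m_selectorIndex;
}

bool selectorIndexRoundTrips(unsigned index) {
    return storeSelectorIndex(index) == index;
}

// The mitigation strategy from the description: split one rule's selector
// list into several rules, each holding at most maximumSelectorCount
// selectors, so that no per-rule index ever reaches the bitfield's limit.
std::vector<std::vector<std::string>>
splitIntoMultipleRulesWithMaximumSelectorCount(const std::vector<std::string>& selectors,
                                               unsigned maximumSelectorCount) {
    std::vector<std::vector<std::string>> rules;
    for (size_t i = 0; i < selectors.size(); i += maximumSelectorCount) {
        size_t end = std::min(selectors.size(), i + maximumSelectorCount);
        rules.emplace_back(selectors.begin() + i, selectors.begin() + end);
    }
    return rules;
}

// Constructed sample input: n distinct class selectors ".c0", ".c1", ...
std::vector<std::string> makeSelectors(size_t n) {
    std::vector<std::string> selectors;
    selectors.reserve(n);
    for (size_t i = 0; i < n; ++i)
        selectors.push_back(".c" + std::to_string(i));
    return selectors;
}

// Check that every index used within every chunk survives the bitfield.
bool allIndicesRoundTrip(const std::vector<std::vector<std::string>>& rules) {
    for (const auto& rule : rules)
        for (unsigned index = 0; index < rule.size(); ++index)
            if (!selectorIndexRoundTrips(index))
                return false;
    return true;
}

int main() {
    const unsigned cap = 8192;
    std::vector<std::string> huge = makeSelectors(cap + 1);

    // Unsplit: the 8193rd selector's index wraps to 0 inside the bitfield.
    std::printf("index 8192 stored as %u\n", storeSelectorIndex(cap));

    // Split: two rules, 8192 + 1 selectors, every index representable.
    auto rules = splitIntoMultipleRulesWithMaximumSelectorCount(huge, cap);
    std::printf("%zu rules after split, all indices ok: %s\n",
                rules.size(), allIndicesRoundTrip(rules) ? "yes" : "no");
    return 0;
}
```

Note that the truncation in storeSelectorIndex happens without any diagnostic at runtime; the only defence is the invariant that a rule never carries more selectors than the field can index, which is what the chunking enforces.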
Comment 1 Andreas Kling 2013-07-04 04:20:40 PDT
Created attachment 206074 [details]
Snack for EWS

Here's a first stab at this; let's see what EWS thinks.
Comment 2 Andreas Kling 2013-07-08 05:56:01 PDT
Created attachment 206235 [details]
Proposed patch

Patch introducing 8192 selector cap. Includes layout test documenting the behavior.
Comment 3 Antti Koivisto 2013-07-08 06:04:53 PDT
Comment on attachment 206235 [details]
Proposed patch

View in context: https://bugs.webkit.org/attachment.cgi?id=206235&action=review

> Source/WebCore/css/StyleRule.cpp:275
> +Vector<RefPtr<StyleRule> > StyleRule::splitIntoMultipleRulesWithMaximumSelectorCount(unsigned maxSelectorCount) const

max -> maximum

> Source/WebCore/css/StyleRule.cpp:284
> +    for (const CSSSelector* s = selectorList().first(); s; s = CSSSelectorList::next(s)) {

s?!

> Source/WebCore/css/StyleRule.cpp:285
> +        for (const CSSSelector* subSelector = s; subSelector; subSelector = subSelector->tagHistory())

component or selectorComponent would be a better name. We use "subSelector" specifically to mean components that match a single element (relation == SubSelector).
Comment 4 Antti Koivisto 2013-07-08 06:05:13 PDT
r=me
Comment 5 Andreas Kling 2013-07-08 06:12:38 PDT
Created attachment 206237 [details]
Land for patching
Comment 6 WebKit Commit Bot 2013-07-08 08:54:46 PDT
Comment on attachment 206237 [details]
Land for patching

Clearing flags on attachment: 206237

Committed r152453: <http://trac.webkit.org/changeset/152453>
Comment 7 WebKit Commit Bot 2013-07-08 08:54:49 PDT
All reviewed patches have been landed. Closing bug.