Bug 179777

Summary: Clean up KeyframeEffect
Product: WebKit Reporter: Antoine Quint <graouts>
Component: New BugsAssignee: Antoine Quint <graouts>
Status: RESOLVED FIXED    
Severity: Normal CC: buildbot, cdumez, cmarcelo, commit-queue, dbates, esprehn+autocc, kangil.han, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=179707
Attachments:
Description Flags
Patch
none
Patch for landing
none
Patch for landing none

Antoine Quint
Reported 2017-11-16 09:29:16 PST
Clean up KeyframeEffect
Attachments
Patch (4.45 KB, patch)
2017-11-16 09:31 PST, Antoine Quint 		no flags
DetailsFormatted DiffDiff
Patch for landing (4.44 KB, patch)
2017-11-16 09:57 PST, Antoine Quint 		no flags
DetailsFormatted DiffDiff
Patch for landing (4.43 KB, patch)
2017-11-16 10:04 PST, Antoine Quint 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Antoine Quint
Comment 1 2017-11-16 09:31:49 PST
Created attachment 327069 [details] Patch
Daniel Bates
Comment 2 2017-11-16 09:46:03 PST
Comment on attachment 327069 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=327069&action=review > Source/WebCore/animation/KeyframeEffect.cpp:111 > + Vector<CSSPropertyID> properties(numberOfCSSProperties); > for (unsigned k = 0; k < numberOfCSSProperties; ++k) { > - properties.append(styleProperties->propertyAt(k).id()); > + properties.uncheckedAppend(styleProperties->propertyAt(k).id()); This is not correct. This will allocate numberOfCSSProperties CSSPropertyID default constructed objects; => we are both allocating capacity and changing the size of the Vector. Then we are using unchecked append to append new elements outside the bounds of the Vector. If we allocate up-front then we should be modifying the existing elements in the Vector. That is, we should not using uncheckedAppend. Alternatively, we should use Vector::reserveInitialCapacity() and Vector::uncheckedAppend() to allocate the underlying buffer without object construction and then safely construct new objects in the first free position in the buffer (increasing the size of the Vector).
Antoine Quint
Comment 3 2017-11-16 09:57:49 PST
Created attachment 327072 [details] Patch for landing
Daniel Bates
Comment 4 2017-11-16 10:02:26 PST
Comment on attachment 327072 [details] Patch for landing View in context: https://bugs.webkit.org/attachment.cgi?id=327072&action=review > Source/WebCore/animation/KeyframeEffect.cpp:111 > + properties[k] = WTFMove(styleProperties->propertyAt(k).id()); This is bad programming practice. We should not be moving this value as we are using it below. In practice, this code will work because CSSPropertyID is a POD type and is always copied.
Antoine Quint
Comment 5 2017-11-16 10:04:57 PST
Created attachment 327074 [details] Patch for landing
WebKit Commit Bot
Comment 6 2017-11-16 12:38:28 PST
Comment on attachment 327074 [details] Patch for landing Clearing flags on attachment: 327074 Committed r224934: <https://trac.webkit.org/changeset/224934>
WebKit Commit Bot
Comment 7 2017-11-16 12:38:30 PST
All reviewed patches have been landed. Closing bug.
Radar WebKit Bug Importer
Comment 8 2017-11-16 12:39:47 PST
<rdar://problem/35595728>
Note You need to log in before you can comment on or make changes to this bug.