112157 – [CSS Exclusions] Specifying polygonal -webkit-shape-inside value can crash browser (debug mode)

RESOLVED FIXED 112157

[CSS Exclusions] Specifying polygonal -webkit-shape-inside value can crash browser (debug mode)

https://bugs.webkit.org/show_bug.cgi?id=112157

Summary [CSS Exclusions] Specifying polygonal -webkit-shape-inside value can crash br...

Hans Muller

Reported 2013-03-12 09:13:23 PDT

Created attachment 192749 [details] Test case. Pressing the button in the attached HTML file will crash a debug build of Safari. The crash is caused by the following ASSERT fail, from line 1306 of RenderBlockLineLayout.cpp: const SegmentRangeList& segmentRanges = exclusionShapeInsideInfo->segmentRanges(); ASSERT(segmentRanges.size()); for (size_t i = 0; i < segmentRanges.size(); i++) { InlineIterator segmentStart = segmentRanges[i].start; InlineIterator segmentEnd = segmentRanges[i].end; if (i) { ASSERT(segmentStart.m_obj); // FAIL BidiRun* segmentMarker = createRun(segmentStart.m_pos, segmentStart.m_pos, segmentStart.m_obj, topResolver); segmentMarker->m_startsSegment = true; bidiRuns.addRun(segmentMarker); // Do not collapse midpoints between segments topResolver.midpointState().betweenMidpoints = false; } topResolver.setPosition(segmentStart, numberOfIsolateAncestors(segmentStart)); constructBidiRunsForSegment(topResolver, bidiRuns, segmentEnd, override, previousLineBrokeCleanly); }

Attachments
Test case. (830 bytes, text/html) 2013-03-12 09:13 PDT, Hans Muller	no flags	Details
Patch (8.50 KB, patch) 2013-03-13 12:38 PDT, Hans Muller	no flags	Details Formatted Diff Diff
Patch (10.03 KB, patch) 2013-03-13 16:15 PDT, Hans Muller	no flags	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Hans Muller

Comment 1 2013-03-13 12:38:37 PDT

Created attachment 192966 [details] Patch

Hans Muller

Comment 2 2013-03-13 16:15:16 PDT

Created attachment 193017 [details] Patch Refactored the logic per feedback from Bear, and added trailing whitespace variations to the tests.

Dave Hyatt

Comment 3 2013-03-18 09:43:16 PDT

Comment on attachment 193017 [details] Patch r=me

WebKit Review Bot

Comment 4 2013-03-18 09:56:28 PDT

Comment on attachment 193017 [details] Patch Clearing flags on attachment: 193017 Committed r146073: <http://trac.webkit.org/changeset/146073>

WebKit Review Bot

Comment 5 2013-03-18 09:56:32 PDT

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware Unspecified

OS Unspecified

Product WebKit

Component CSS

Assignee

Hans Muller

Reported

2013-03-12 09:13 PDT

Modified

2013-03-18 09:56 PDT History

CC List

4 users Show

URL

Keywords

Depends on

Blocks