Bug 112157 - [CSS Exclusions] Specifying polygonal -webkit-shape-inside value can crash browser (debug mode)
Summary: [CSS Exclusions] Specifying polygonal -webkit-shape-inside value can crash br...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: CSS
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Hans Muller
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-03-12 09:13 PDT by Hans Muller
Modified: 2013-03-18 09:56 PDT (History)
CC List: 4 users

See Also:


Attachments
Test case. (830 bytes, text/html)
2013-03-12 09:13 PDT, Hans Muller
no flags
Patch (8.50 KB, patch)
2013-03-13 12:38 PDT, Hans Muller
no flags
Patch (10.03 KB, patch)
2013-03-13 16:15 PDT, Hans Muller
no flags

Description Hans Muller 2013-03-12 09:13:23 PDT
Created attachment 192749 [details]
Test case.

Pressing the button in the attached HTML file will crash a debug build of Safari.  The crash is caused by the following ASSERT fail, from line 1306 of RenderBlockLineLayout.cpp:

    const SegmentRangeList& segmentRanges = exclusionShapeInsideInfo->segmentRanges();
    ASSERT(segmentRanges.size());

    for (size_t i = 0; i < segmentRanges.size(); i++) {
        InlineIterator segmentStart = segmentRanges[i].start;
        InlineIterator segmentEnd = segmentRanges[i].end;
        if (i) {
            ASSERT(segmentStart.m_obj); // FAIL
            BidiRun* segmentMarker = createRun(segmentStart.m_pos, segmentStart.m_pos, segmentStart.m_obj, topResolver);
            segmentMarker->m_startsSegment = true;
            bidiRuns.addRun(segmentMarker);
            // Do not collapse midpoints between segments
            topResolver.midpointState().betweenMidpoints = false;
        }
        topResolver.setPosition(segmentStart, numberOfIsolateAncestors(segmentStart));
        constructBidiRunsForSegment(topResolver, bidiRuns, segmentEnd, override, previousLineBrokeCleanly);
    }
Comment 1 Hans Muller 2013-03-13 12:38:37 PDT
Created attachment 192966 [details]
Patch
Comment 2 Hans Muller 2013-03-13 16:15:16 PDT
Created attachment 193017 [details]
Patch

Refactored the logic per feedback from Bear, and added trailing whitespace variations to the tests.
Comment 3 Dave Hyatt 2013-03-18 09:43:16 PDT
Comment on attachment 193017 [details]
Patch

r=me
Comment 4 WebKit Review Bot 2013-03-18 09:56:28 PDT
Comment on attachment 193017 [details]
Patch

Clearing flags on attachment: 193017

Committed r146073: <http://trac.webkit.org/changeset/146073>
Comment 5 WebKit Review Bot 2013-03-18 09:56:32 PDT
All reviewed patches have been landed.  Closing bug.