Changeset 173615 in webkit

Timestamp:

Sep 15, 2014 2:12:18 AM (10 years ago)

Author:

svillar@igalia.com

Message:

[CSS Grid Layout] Crash at CSSParser::parseGridTemplateRowsAndAreas
​https://bugs.webkit.org/show_bug.cgi?id=136778

Reviewed by Darin Adler.

Source/WebCore:

An empty list of grid line names (represented by "()") does not
add anything to the list of parsed values. That's why trying to
concatenate an adjacent list of grid line names was failing,
because we were trying to concatenate a list with the last parsed
CSSValue which was not the expected grid line names list.

• css/CSSParser.cpp:

(WebCore::CSSParser::parseGridTemplateRowsAndAreas):
(WebCore::CSSParser::parseGridLineNames):

• css/CSSParser.h:

LayoutTests:

Added some new test cases to verify that we properly handle empty
lists of grid line names.

• fast/css-grid-layout/grid-template-shorthand-get-set-expected.txt:
• fast/css-grid-layout/grid-template-shorthand-get-set.html:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/css-grid-layout/grid-template-shorthand-get-set-expected.txt (modified) (2 diffs)
• LayoutTests/fast/css-grid-layout/grid-template-shorthand-get-set.html (modified) (6 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/css/CSSParser.cpp (modified) (4 diffs)
• Source/WebCore/css/CSSParser.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2014-09-12  Sergio Villar Senin  <svillar@igalia.com>
+
+        [CSS Grid Layout] Crash at CSSParser::parseGridTemplateRowsAndAreas
+        https://bugs.webkit.org/show_bug.cgi?id=136778
+
+        Reviewed by Darin Adler.
+
+        Added some new test cases to verify that we properly handle empty
+        lists of grid line names.
+
+        * fast/css-grid-layout/grid-template-shorthand-get-set-expected.txt:
+        * fast/css-grid-layout/grid-template-shorthand-get-set.html:
+
 2014-09-10  Jon Honeycutt  <jhoneycutt@apple.com>
 

trunk/LayoutTests/fast/css-grid-layout/grid-template-shorthand-get-set-expected.txt

@@ -41 +41 @@
 PASS window.getComputedStyle(gridTemplateComplexFormOnlyAreas, '').getPropertyValue('-webkit-grid-template-rows') is "0px"
 PASS window.getComputedStyle(gridTemplateComplexFormOnlyAreas, '').getPropertyValue('-webkit-grid-template-areas') is "\"a\""
+PASS window.getComputedStyle(gridTemplateNoColumnsRowWithEmptyTrailingLineNames, '').getPropertyValue('-webkit-grid-template-columns') is "none"
+PASS window.getComputedStyle(gridTemplateNoColumnsRowWithEmptyTrailingLineNames, '').getPropertyValue('-webkit-grid-template-rows') is "(first) 0px"
+PASS window.getComputedStyle(gridTemplateNoColumnsRowWithEmptyTrailingLineNames, '').getPropertyValue('-webkit-grid-template-areas') is "\"a\""
 
 Test getting wrong values for grid-template shorthand through CSS (they should resolve to the default: 'none')
@@ -103 +106 @@
 PASS window.getComputedStyle(gridTemplateComplexFormWithNoneColumns, '').getPropertyValue('-webkit-grid-template-rows') is "none"
 PASS window.getComputedStyle(gridTemplateComplexFormWithNoneColumns, '').getPropertyValue('-webkit-grid-template-areas') is "none"
+PASS window.getComputedStyle(gridTemplateNoColumnsRowWithTwoEmptyTrailingLineNames, '').getPropertyValue('-webkit-grid-template-columns') is "none"
+PASS window.getComputedStyle(gridTemplateNoColumnsRowWithTwoEmptyTrailingLineNames, '').getPropertyValue('-webkit-grid-template-rows') is "none"
+PASS window.getComputedStyle(gridTemplateNoColumnsRowWithTwoEmptyTrailingLineNames, '').getPropertyValue('-webkit-grid-template-areas') is "none"
+PASS window.getComputedStyle(gridTemplateNoColumnsRowWithEmptyTrailingLineNamesAndNonEmptyLeadingLineNames, '').getPropertyValue('-webkit-grid-template-columns') is "none"
+PASS window.getComputedStyle(gridTemplateNoColumnsRowWithEmptyTrailingLineNamesAndNonEmptyLeadingLineNames, '').getPropertyValue('-webkit-grid-template-rows') is "none"
+PASS window.getComputedStyle(gridTemplateNoColumnsRowWithEmptyTrailingLineNamesAndNonEmptyLeadingLineNames, '').getPropertyValue('-webkit-grid-template-areas') is "none"
 
 Test the initial value

trunk/LayoutTests/fast/css-grid-layout/grid-template-shorthand-get-set.html

@@ -43 +43 @@
     -webkit-grid-template: "a";
 }
+#gridTemplateNoColumnsRowWithEmptyTrailingLineNames {
+    -webkit-grid-template: (first) "a" auto ();
+}
 
 /* Bad values. */
@@ -105 +108 @@
 #gridTemplateComplexFormWithNoneColumns {
     -webkit-grid-template: none / "a" (name) 10px;
+}
+#gridTemplateNoColumnsRowWithTwoEmptyTrailingLineNames {
+    -webkit-grid-template: (first) "a" auto () ();
+}
+#gridTemplateNoColumnsRowWithEmptyTrailingLineNamesAndNonEmptyLeadingLineNames {
+    -webkit-grid-template: (first) "a" auto () (tail);
 }
 
@@ -123 +132 @@
 <div class="grid" id="gridTemplateComplexFormWithAuto"></div>
 <div class="grid" id="gridTemplateComplexFormOnlyAreas"></div>
+<div class="grid" id="gridTemplateNoColumnsRowWithEmptyTrailingLineNames"></div>
+<div class="grid" id="gridTemplateNoColumnsRowWithEmptyTrailingLineNamesAndNonEmptyLeadingLineNames"></div>
+<div class="grid" id="gridTemplateNoColumnsRowWithNonEmptyLeadingLineNamesAndEmptyTrailingLineNames"></div>
 <div class="grid" id="gridTemplateMultipleSlash"></div>
 <div class="grid" id="gridTemplateSimpleFormJustColumns"></div>
@@ -143 +155 @@
 <div class="grid" id="gridTemplateComplexFormColumnsNotParsing2"></div>
 <div class="grid" id="gridTemplateComplexFormWithNoneColumns"></div>
+<div class="grid" id="gridTemplateNoColumnsRowWithTwoEmptyTrailingLineNames"></div>
 <script src="resources/grid-template-shorthand-parsing-utils.js"></script>
 <script>
@@ -160 +173 @@
     testGridDefinitionsValues(document.getElementById("gridTemplateComplexFormWithAuto"), "10px", "0px", '"a"');
     testGridDefinitionsValues(document.getElementById("gridTemplateComplexFormOnlyAreas"), "none", "0px", '"a"');
+    testGridDefinitionsValues(document.getElementById("gridTemplateNoColumnsRowWithEmptyTrailingLineNames"), "none", "(first) 0px", '"a"');
 
     debug("");
@@ -183 +197 @@
     testGridDefinitionsValues(document.getElementById("gridTemplateComplexFormColumnsNotParsing2"), "none", "none", "none");
     testGridDefinitionsValues(document.getElementById("gridTemplateComplexFormWithNoneColumns"), "none", "none", "none");
+    testGridDefinitionsValues(document.getElementById("gridTemplateNoColumnsRowWithTwoEmptyTrailingLineNames"), "none", "none", "none");
+    testGridDefinitionsValues(document.getElementById("gridTemplateNoColumnsRowWithEmptyTrailingLineNamesAndNonEmptyLeadingLineNames"), "none", "none", "none");
 
     debug("");

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2014-09-12  Sergio Villar Senin  <svillar@igalia.com>
+
+        [CSS Grid Layout] Crash at CSSParser::parseGridTemplateRowsAndAreas
+        https://bugs.webkit.org/show_bug.cgi?id=136778
+
+        Reviewed by Darin Adler.
+
+        An empty list of grid line names (represented by "()") does not
+        add anything to the list of parsed values. That's why trying to
+        concatenate an adjacent list of grid line names was failing,
+        because we were trying to concatenate a list with the last parsed
+        CSSValue which was not the expected grid line names list.
+
+        * css/CSSParser.cpp:
+        (WebCore::CSSParser::parseGridTemplateRowsAndAreas):
+        (WebCore::CSSParser::parseGridLineNames):
+        * css/CSSParser.h:
+
 2014-09-15  Andres Gomez  <agomez@igalia.com>
 

trunk/Source/WebCore/css/CSSParser.cpp

@@ -5016 +5016 @@
         // This will handle the trailing/leading <custom-ident>* in the grammar.
         trailingIdentWasAdded = false;
-        if (m_valueList->current() && m_valueList->current()->unit == CSSParserValue::ValueList) {
-            parseGridLineNames(*m_valueList, *templateRows);
-            trailingIdentWasAdded = true;
-        }
+        if (m_valueList->current() && m_valueList->current()->unit == CSSParserValue::ValueList)
+            trailingIdentWasAdded = parseGridLineNames(*m_valueList, *templateRows);
     } while (m_valueList->current());
 
@@ -5195 +5193 @@
 }
 
-void CSSParser::parseGridLineNames(CSSParserValueList& inputList, CSSValueList& valueList, CSSGridLineNamesValue* previousNamedAreaTrailingLineNames)
+bool CSSParser::parseGridLineNames(CSSParserValueList& inputList, CSSValueList& valueList, CSSGridLineNamesValue* previousNamedAreaTrailingLineNames)
 {
     ASSERT(inputList.current() && inputList.current()->unit == CSSParserValue::ValueList);
@@ -5202 +5200 @@
     if (!identList->size()) {
         inputList.next();
-        return;
+        return false;
     }
 
@@ -5218 +5216 @@
 
     inputList.next();
+    return true;
 }
 

trunk/Source/WebCore/css/CSSParser.h

@@ -172 +172 @@
     bool parseGridTemplateAreasRow(NamedGridAreaMap&, const unsigned, unsigned&);
     PassRefPtr<CSSValue> parseGridTemplateAreas();
-    void parseGridLineNames(CSSParserValueList&, CSSValueList&, CSSGridLineNamesValue* = nullptr);
+    bool parseGridLineNames(CSSParserValueList&, CSSValueList&, CSSGridLineNamesValue* = nullptr);
     PassRefPtr<CSSValue> parseGridAutoFlow(CSSParserValueList&);
 #endif