https://bugs.webkit.org/show_bug.cgi?id=77996
Patch by Dana Jansens <danakj@chromium.org> on 2012-02-07
Reviewed by James Robinson.
We're holding onto the last element in the Vector and then calling
append(). If append() reallocates the Vector's buffer, the pointer
is no longer valid.
* platform/graphics/chromium/cc/CCLayerTreeHost.cpp:
(WebCore::enterTargetRenderSurface):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@106969 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+2012-02-07 Dana Jansens <danakj@chromium.org>
+
+ [Chromium] Memory bug during occlusion tracking if Vector::append() needs to reallocate the buffer
+ https://bugs.webkit.org/show_bug.cgi?id=77996
+
+ Reviewed by James Robinson.
+
+ We're holding onto the last element in the Vector and then calling
+ append(). If append() reallocates the Vector's buffer, the pointer
+ is no longer valid.
+
+ * platform/graphics/chromium/cc/CCLayerTreeHost.cpp:
+ (WebCore::enterTargetRenderSurface):
+
2012-02-07 Abhishek Arya <inferno@chromium.org>
Crash due to column style not updated on post block
stack.append(RenderSurfaceRegion());
stack.last().surface = newTarget;
} else if (stack.last().surface != newTarget) {
- const RenderSurfaceRegion& previous = stack.last();
stack.append(RenderSurfaceRegion());
stack.last().surface = newTarget;
- stack.last().occludedInScreen = previous.occludedInScreen;
+ int lastIndex = stack.size() - 1;
+ stack[lastIndex].occludedInScreen = stack[lastIndex - 1].occludedInScreen;
}
}
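Review bot: the fix is correct but undocumented at the point that matters; the removed line `const RenderSurfaceRegion& previous = stack.last();` was dropped precisely because the following `stack.append(RenderSurfaceRegion());` can reallocate the Vector's buffer and leave that reference dangling, so a one-line comment above `int lastIndex = stack.size() - 1;` stating that the index is taken after the append for that reason would stop a later cleanup from reintroducing the reference. Minor style point on the same line: `stack.size()` is unsigned, so `size_t lastIndex` avoids the signed/unsigned conversion; `lastIndex - 1` is safe here because this branch only runs when `stack.last()` already existed and the append just added a second element.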