Fix crash in ObjectPainter::paintOutline in flipped blocks

Fix crash in ObjectPainter::paintOutline in flipped blocks

This patch fixes an out-of-bounds access to a Vector, when the CSS
outline property is applied to an inline element in flipped blocks
writing mode.

crbug.com/491454 fixed the positioning of the outline in the case, but
it did not properly handle when non-empty outline becomes empty by the
transform.

BUG=561053, 491454
Committed: https://crrev.com/5c70b66b1b9b5488460c8c048ff7c32542d4c36f
Cr-Commit-Position: refs/heads/master@{#361790}

[kojii, 2015-11-25 03:54:08]

Description was changed from

==========
outline-crash

BUG=
==========

to

==========
Fix crash in ObjectPainter::paintOutline in flipped blocks

This patch fixes an out-of-bounds access to a Vector, when the CSS
outline property is applied to an inline element in flipped blocks
writing mode.

crbug.com/491454 fixed the positioning of the outline in the case, but
did not properly handle when transformed outline becomes empty.

BUG=561053, 491454
==========

[kojii, 2015-11-25 03:56:31]

Description was changed from

==========
Fix crash in ObjectPainter::paintOutline in flipped blocks

This patch fixes an out-of-bounds access to a Vector, when the CSS
outline property is applied to an inline element in flipped blocks
writing mode.

crbug.com/491454 fixed the positioning of the outline in the case, but
did not properly handle when transformed outline becomes empty.

BUG=561053, 491454
==========

to

==========
Fix crash in ObjectPainter::paintOutline in flipped blocks

This patch fixes an out-of-bounds access to a Vector, when the CSS
outline property is applied to an inline element in flipped blocks
writing mode.

crbug.com/491454 fixed the positioning of the outline in the case, but
it did not properly handle when non-empty outline becomes empty by the
transform.

BUG=561053, 491454
==========

[kojii, 2015-11-25 03:57:44]

kojii@chromium.org changed reviewers:
+ eae@chromium.org, wkorman@chromium.org

[kojii, 2015-11-25 03:57:45]

PTAL.

[wkorman, 2015-11-25 07:02:45]

https://codereview.chromium.org/1481483002/diff/1/third_party/WebKit/LayoutTe...
File
third_party/WebKit/LayoutTests/fast/writing-mode/flipped-blocks-outline-crash.html
(right):

https://codereview.chromium.org/1481483002/diff/1/third_party/WebKit/LayoutTe...
third_party/WebKit/LayoutTests/fast/writing-mode/flipped-blocks-outline-crash.html:1:
<style>
<!DOCTYPE html> at top?

https://codereview.chromium.org/1481483002/diff/1/third_party/WebKit/LayoutTe...
third_party/WebKit/LayoutTests/fast/writing-mode/flipped-blocks-outline-crash.html:3:
margin-top: inherit;
4-indent here and rest of indentation below

https://codereview.chromium.org/1481483002/diff/1/third_party/WebKit/LayoutTe...
third_party/WebKit/LayoutTests/fast/writing-mode/flipped-blocks-outline-crash.html:13:
<text class="CLASS0 CLASS4" font-variant="small-caps"</metadata>
Does the test require the strange tags (unclosed text, ending metadata without a
begin tag, textPath below), and the margin-top and border-top-style above?

clusterfuzz is so crazy.

We should add a comment or text re: "this test passes if it does not crash."

[kojii, 2015-11-25 07:23:23]

PTAL, thank you for reviewing this so promptly.

https://codereview.chromium.org/1481483002/diff/1/third_party/WebKit/LayoutTe...
File
third_party/WebKit/LayoutTests/fast/writing-mode/flipped-blocks-outline-crash.html
(right):

https://codereview.chromium.org/1481483002/diff/1/third_party/WebKit/LayoutTe...
third_party/WebKit/LayoutTests/fast/writing-mode/flipped-blocks-outline-crash.html:1:
<style>
On 2015/11/25 07:02:44, wkorman wrote:
> <!DOCTYPE html> at top?

Done.

https://codereview.chromium.org/1481483002/diff/1/third_party/WebKit/LayoutTe...
third_party/WebKit/LayoutTests/fast/writing-mode/flipped-blocks-outline-crash.html:3:
margin-top: inherit;
On 2015/11/25 07:02:44, wkorman wrote:
> 4-indent here and rest of indentation below

Done. Looks like we prefer 2 for layout tests these days but either seems to be
fine.
http://www.chromium.org/developers/coding-style#TOC-Web-languages-JavaScript-...

https://codereview.chromium.org/1481483002/diff/1/third_party/WebKit/LayoutTe...
third_party/WebKit/LayoutTests/fast/writing-mode/flipped-blocks-outline-crash.html:13:
<text class="CLASS0 CLASS4" font-variant="small-caps"</metadata>
On 2015/11/25 07:02:44, wkorman wrote:
> Does the test require the strange tags (unclosed text, ending metadata without
a
> begin tag, textPath below), and the margin-top and border-top-style above?
> 
> clusterfuzz is so crazy.
> 
> We should add a comment or text re: "this test passes if it does not crash."

Done.

Since we have been having a code to remove empty bounds, there should be other
cases to make it happen, but at least in this case, closing tags properly stops
hitting this bug.

But the fix looks proper to me, so it's good (although I agree we should have
better test case ;)

[wkorman, 2015-11-25 07:24:38]

lgtm

[kojii, 2015-11-26 01:00:41]

The CQ bit was checked by kojii@chromium.org

[kojii, 2015-11-26 01:00:41]

The patchset sent to the CQ was uploaded after l-g-t-m from wkorman@chromium.org
Link to the patchset: https://codereview.chromium.org/1481483002/#ps40001
(title: "Rebaseline")

[commit-bot: I haz the power, 2015-11-26 01:04:40]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1481483002/40001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1481483002/40001

[commit-bot: I haz the power, 2015-11-26 01:17:19]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2015-11-26 01:17:20]

Try jobs failed on following builders:
  chromium_presubmit on tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/chromium_presub...)

[kojii, 2015-11-26 01:25:16]

eae@, PTAL.

[eae, 2015-11-26 01:26:25]

LGTM

[kojii, 2015-11-26 02:01:05]

The CQ bit was checked by kojii@chromium.org

[commit-bot: I haz the power, 2015-11-26 02:03:43]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1481483002/40001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1481483002/40001

[commit-bot: I haz the power, 2015-11-26 02:10:14]

Description was changed from

==========
Fix crash in ObjectPainter::paintOutline in flipped blocks

This patch fixes an out-of-bounds access to a Vector, when the CSS
outline property is applied to an inline element in flipped blocks
writing mode.

crbug.com/491454 fixed the positioning of the outline in the case, but
it did not properly handle when non-empty outline becomes empty by the
transform.

BUG=561053, 491454
==========

to

==========
Fix crash in ObjectPainter::paintOutline in flipped blocks

This patch fixes an out-of-bounds access to a Vector, when the CSS
outline property is applied to an inline element in flipped blocks
writing mode.

crbug.com/491454 fixed the positioning of the outline in the case, but
it did not properly handle when non-empty outline becomes empty by the
transform.

BUG=561053, 491454
==========

[commit-bot: I haz the power, 2015-11-26 02:10:14]

Committed patchset #3 (id:40001)

[commit-bot: I haz the power, 2015-11-26 02:11:20]

Description was changed from

==========
Fix crash in ObjectPainter::paintOutline in flipped blocks

This patch fixes an out-of-bounds access to a Vector, when the CSS
outline property is applied to an inline element in flipped blocks
writing mode.

crbug.com/491454 fixed the positioning of the outline in the case, but
it did not properly handle when non-empty outline becomes empty by the
transform.

BUG=561053, 491454
==========

to

==========
Fix crash in ObjectPainter::paintOutline in flipped blocks

This patch fixes an out-of-bounds access to a Vector, when the CSS
outline property is applied to an inline element in flipped blocks
writing mode.

crbug.com/491454 fixed the positioning of the outline in the case, but
it did not properly handle when non-empty outline becomes empty by the
transform.

BUG=561053, 491454

Committed: https://crrev.com/5c70b66b1b9b5488460c8c048ff7c32542d4c36f
Cr-Commit-Position: refs/heads/master@{#361790}
==========

[commit-bot: I haz the power, 2015-11-26 02:11:21]

Patchset 3 (id:??) landed as
https://crrev.com/5c70b66b1b9b5488460c8c048ff7c32542d4c36f
Cr-Commit-Position: refs/heads/master@{#361790}