Fix alignment issue of ContiguousContainer

third_party/WebKit/Source/platform/graphics/paint/DisplayItem.h

Index: third_party/WebKit/Source/platform/graphics/paint/DisplayItem.h
diff --git a/third_party/WebKit/Source/platform/graphics/paint/DisplayItem.h b/third_party/WebKit/Source/platform/graphics/paint/DisplayItem.h
index 94f60a12dee44e45e192353f555380960b9e3ff7..df274479efc8c7711277b79d30c911ec8aada3f9 100644
--- a/third_party/WebKit/Source/platform/graphics/paint/DisplayItem.h
+++ b/third_party/WebKit/Source/platform/graphics/paint/DisplayItem.h
@@ -198,10 +198,11 @@ public:
         TableCollapsedBorderLeft = 1 << 3,
     };
 
-    DisplayItem(const DisplayItemClient& client, Type type, size_t derivedSize)
+    DisplayItem(const DisplayItemClient& client, Type type, size_t derivedSize, unsigned derivedLog2Alignment)
         : m_client(&client)
         , m_type(type)
         , m_derivedSize(derivedSize)
+        , m_derivedLog2Alignment(derivedLog2Alignment)
         , m_skippedCache(false)
 #ifndef NDEBUG
         , m_clientDebugString(client.debugName())
@@ -209,8 +210,10 @@ public:
     {
         // derivedSize must fit in m_derivedSize.
         // If it doesn't, enlarge m_derivedSize and fix this assert.
-        ASSERT_WITH_SECURITY_IMPLICATION(derivedSize < (1 << 8));
-        ASSERT_WITH_SECURITY_IMPLICATION(derivedSize >= sizeof(*this));
+        SECURITY_CHECK(derivedSize == m_derivedSize);

[jbroman, 2016/07/04 19:21:35]

isn't the replacement for ASSERT_WITH_SECURITY_IMPLICATION SECURITY_DCHECK,
rather than CHECK? (The difference being that SECURITY_CHECK still compiles in
release builds.)

+        SECURITY_CHECK(derivedSize >= sizeof(*this));
+        // derivedLog2Alignment must fit in m_derivedLog2Alignment.
+        SECURITY_CHECK(derivedLog2Alignment == m_derivedLog2Alignment);
     }
 
     virtual ~DisplayItem() { }
@@ -261,6 +264,9 @@ public:
     // supply this to the DisplayItem constructor.
     size_t derivedSize() const { return m_derivedSize; }
 
+    // log2(alignment (in bytes)) of this object when this object is allocated in memory.
+    size_t derivedLog2Alignment() const { return m_derivedLog2Alignment; }
+
     // For PaintController only. Painters should use DisplayItemCacheSkipper instead.
     void setSkippedCache() { m_skippedCache = true; }
     bool skippedCache() const { return m_skippedCache; }
@@ -331,10 +337,11 @@ public:
     virtual bool isEndAndPairedWith(DisplayItem::Type otherType) const { return false; }
     virtual bool equals(const DisplayItem& other) const
     {
-        return m_client == other.m_client
-            && m_type == other.m_type
-            && m_derivedSize == other.m_derivedSize
-            && m_skippedCache == other.m_skippedCache;
+        if (m_type != other.m_type)
+            return false;
+        DCHECK(m_derivedSize == other.m_derivedSize);
+        DCHECK(m_derivedLog2Alignment == other.m_derivedLog2Alignment);
+        return m_client == other.m_client && m_skippedCache == other.m_skippedCache;
     }
 #endif
 
@@ -361,12 +368,13 @@ private:
     // The default DisplayItem constructor is only used by
     // ContiguousContainer::appendByMoving where an invalid DisplaItem is
     // constructed at the source location.
-    template <typename T, unsigned alignment> friend class ContiguousContainer;
+    template <typename T> friend class ContiguousContainer;
 
     DisplayItem()
         : m_client(nullptr)
         , m_type(UninitializedType)
         , m_derivedSize(sizeof(*this))
+        , m_derivedLog2Alignment(log2Alignment<DisplayItem>())
         , m_skippedCache(false)
     { }
 
@@ -374,6 +382,7 @@ private:
     static_assert(TypeLast < (1 << 16), "DisplayItem::Type should fit in 16 bits");
     const Type m_type : 16;
     const unsigned m_derivedSize : 8; // size of the actual derived class
+    const unsigned m_derivedLog2Alignment : 3; // log2(alignment of the actual derived class)
     unsigned m_skippedCache : 1;
 
 #ifndef NDEBUG
@@ -381,17 +390,28 @@ private:
 #endif
 };
 
-class PLATFORM_EXPORT PairedBeginDisplayItem : public DisplayItem {
+template <typename T>
+class DisplayItemBase : public DisplayItem {

[jbroman, 2016/07/04 19:21:35]

nit: it seems a little weird to have DisplayItemBase be a derived class of
DisplayItem, rather than its base class.

+protected:
+    DisplayItemBase(const DisplayItemClient& client, Type type)
+        : DisplayItem(client, type, sizeof(T), log2Alignment<T>()) { }
+};
+
+template <typename T>
+class PairedBeginDisplayItem : public DisplayItemBase<T> {
 protected:
-    PairedBeginDisplayItem(const DisplayItemClient& client, Type type, size_t derivedSize) : DisplayItem(client, type, derivedSize) { }
+    PairedBeginDisplayItem(const DisplayItemClient& client, DisplayItem::Type type)
+        : DisplayItemBase<T>(client, type) { }
 
 private:
     bool isBegin() const final { return true; }
 };
 
-class PLATFORM_EXPORT PairedEndDisplayItem : public DisplayItem {
+template <typename T>
+class PairedEndDisplayItem : public DisplayItemBase<T> {
 protected:
-    PairedEndDisplayItem(const DisplayItemClient& client, Type type, size_t derivedSize) : DisplayItem(client, type, derivedSize) { }
+    PairedEndDisplayItem(const DisplayItemClient& client, DisplayItem::Type type)
+        : DisplayItemBase<T>(client, type) { }
 
 #if ENABLE(ASSERT)
     bool isEndAndPairedWith(DisplayItem::Type otherType) const override = 0;