Diff
Modified: trunk/LayoutTests/ChangeLog (127932 => 127933)
--- trunk/LayoutTests/ChangeLog 2012-09-07 22:58:56 UTC (rev 127932)
+++ trunk/LayoutTests/ChangeLog 2012-09-07 23:16:39 UTC (rev 127933)
@@ -1,3 +1,28 @@
+2012-09-07 Emil A Eklund <e...@chromium.org>
+
+ Prevent overflows in FractionalLayoutUnit
+ https://bugs.webkit.org/show_bug.cgi?id=95883
+
+ Reviewed by Eric Seidel.
+
+ Add test for handling of large values.
+
+ * fast/sub-pixel/large-sizes-expected.txt: Added.
+ * fast/sub-pixel/large-sizes.html: Added.
+ * platform/chromium-win/media/video-zoom-controls-expected.txt:
+ * platform/chromium/fast/css/large-number-round-trip-expected.txt: Added.
+ * platform/mac-lion/Skipped:
+ * platform/mac-snowleopard/Skipped:
+ * platform/mac-wk2/Skipped:
+ * platform/mac/Skipped:
+ * platform/qt-4.8/Skipped:
+ * platform/qt/Skipped:
+ * platform/win-wk2/Skipped:
+ * platform/win-xp/Skipped:
+ * platform/win/Skipped:
+ * platform/wincairo/Skipped:
+ * platform/wk2/Skipped:
+
2012-09-07 Sheriff Bot <webkit.review....@gmail.com>
Unreviewed, rolling out r127920 and r127926.
Added: trunk/LayoutTests/fast/sub-pixel/large-sizes-expected.txt (0 => 127933)
--- trunk/LayoutTests/fast/sub-pixel/large-sizes-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/sub-pixel/large-sizes-expected.txt 2012-09-07 23:16:39 UTC (rev 127933)
@@ -0,0 +1,12 @@
+PASS element.width = 5000px, returns offsetWidth 5000, rect.width 5000 and computed width 5000px as expected.
+PASS element.width = 50000px, returns offsetWidth 50000, rect.width 50000 and computed width 50000px as expected.
+PASS element.width = 500000px, returns offsetWidth 500000, rect.width 500000 and computed width 500000px as expected.
+PASS element.width = 5000000px, returns offsetWidth 5000000, rect.width 5000000 and computed width 5000000px as expected.
+PASS element.width = 50000000px, returns offsetWidth 0, rect.width 0 and computed width 0px as expected.
+PASS element.width = 35791388px, returns offsetWidth 35791388, rect.width 35791388 and computed width 35791388px as expected.
+PASS element.width = 35791390px, returns offsetWidth 35791392, rect.width 35791392 and computed width 35791392px as expected.
+PASS element.width = 35791392px, returns offsetWidth 35791392, rect.width 35791392 and computed width 35791392px as expected.
+PASS element.width = 35791394px, returns offsetWidth 35791392, rect.width 35791392 and computed width 35791392px as expected.
+PASS element.width = 35791395px, returns offsetWidth 0, rect.width 0 and computed width 0px as expected.
+PASS element.width = 35791396px, returns offsetWidth 0, rect.width 0 and computed width 0px as expected.
+Test handling of sizes exceeding the maximum supported value.
Added: trunk/LayoutTests/fast/sub-pixel/large-sizes.html (0 => 127933)
--- trunk/LayoutTests/fast/sub-pixel/large-sizes.html (rev 0)
+++ trunk/LayoutTests/fast/sub-pixel/large-sizes.html 2012-09-07 23:16:39 UTC (rev 127933)
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <script src=""
+ </head>
+ <body>
+ <p>
+ Test handling of sizes exceeding the maximum supported value.
+ </p>
+ <script>
+ function testSize(width, expectedWidth)
+ {
+ el.style.width = width + 'px';
+ var style = window.getComputedStyle(el, null);
+ var rect = el.getBoundingClientRect();
+ if (el.offsetWidth == expectedWidth && rect.width == expectedWidth && style.width == expectedWidth + 'px')
+ //testPassed('Element given a width of ' + width + ' returns
+ testPassed('element.width = ' + width + 'px, returns offsetWidth ' + el.offsetWidth + ', rect.width ' + rect.width + ' and computed width ' + style.width + ' as expected.');
+ else
+ testFailed('element.width = ' + width + 'px, returns offsetWidth ' + el.offsetWidth + ', rect.width ' + rect.width + ' and computed width ' + style.width + ', expected ' + expectedWidth + '.');
+ }
+
+ var el = document.createElement('div');
+ document.body.appendChild(el);
+
+ testSize(5000, 5000);
+ testSize(50000, 50000);
+ testSize(500000, 500000);
+ testSize(5000000, 5000000);
+ testSize(50000000, 0);
+ testSize(35791388, 35791388);
+ testSize(35791390, 35791392); // float impression
+ testSize(35791392, 35791392);
+ testSize(35791394, 35791392); // float impression
+ testSize(35791395, 0);
+ testSize(35791396, 0);
+
+ document.body.removeChild(el);
+ </script>
+ </body>
+</html>
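Review bot: Every `testSize` call passes a positive width, so the `value < intMinForLayoutUnit` branch this commit adds to `CSSPrimitiveValue::computeLength` is never exercised. Covering it needs a property that accepts negative lengths, such as `margin-left`, with cases on both sides of the lower limit. The half-written `//testPassed('Element given a width of ' + width + ' returns` line between the `if` and its statement is leftover and should be deleted. The two `// float impression` comments presumably mean `// float imprecision`.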
Added: trunk/LayoutTests/platform/chromium/fast/css/large-number-round-trip-expected.txt (0 => 127933)
--- trunk/LayoutTests/platform/chromium/fast/css/large-number-round-trip-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/chromium/fast/css/large-number-round-trip-expected.txt 2012-09-07 23:16:39 UTC (rev 127933)
@@ -0,0 +1 @@
+PASS: read 90010000px back as 0px, read again as 0px
Modified: trunk/LayoutTests/platform/chromium-win/media/video-zoom-controls-expected.txt (127932 => 127933)
--- trunk/LayoutTests/platform/chromium-win/media/video-zoom-controls-expected.txt 2012-09-07 22:58:56 UTC (rev 127932)
+++ trunk/LayoutTests/platform/chromium-win/media/video-zoom-controls-expected.txt 2012-09-07 23:16:39 UTC (rev 127933)
@@ -28,7 +28,7 @@
RenderBlock {DIV} at (1,1) size 6x36
RenderBlock {DIV} at (-4,1) size 36x36
RenderButton {INPUT} at (284,0) size 46x45
-layer at (127,217) size 49x36
+layer at (127,217) size 48x36
RenderBlock (relative positioned) {DIV} at (-11,-12) size 49x36
layer at (57,310) size 240x180
RenderVideo {VIDEO} at (45,298) size 240x180
@@ -52,5 +52,5 @@
RenderBlock {DIV} at (1,1) size 6x36
RenderBlock {DIV} at (-4,1) size 36x36
RenderButton {INPUT} at (284,0) size 46x45
-layer at (127,442) size 49x36 backgroundClip at (60,417) size 225x45 clip at (60,417) size 225x45 outlineClip at (60,417) size 225x45
+layer at (127,442) size 48x36 backgroundClip at (60,417) size 225x45 clip at (60,417) size 225x45 outlineClip at (60,417) size 225x45
RenderBlock (relative positioned) {DIV} at (-11,-12) size 49x36
Modified: trunk/LayoutTests/platform/mac/Skipped (127932 => 127933)
--- trunk/LayoutTests/platform/mac/Skipped 2012-09-07 22:58:56 UTC (rev 127932)
+++ trunk/LayoutTests/platform/mac/Skipped 2012-09-07 23:16:39 UTC (rev 127933)
@@ -817,6 +817,7 @@
fast/sub-pixel/inline-block-should-not-wrap.html
fast/sub-pixel/inline-block-with-margin.html
fast/sub-pixel/inline-block-with-padding.html
+fast/sub-pixel/large-sizes.html
fast/sub-pixel/layout-boxes-with-zoom.html
fast/sub-pixel/position-right-aligns-with-container.html
fast/sub-pixel/selection/selection-gaps-at-fractional-offsets.html
Modified: trunk/LayoutTests/platform/mac-lion/Skipped (127932 => 127933)
--- trunk/LayoutTests/platform/mac-lion/Skipped 2012-09-07 22:58:56 UTC (rev 127932)
+++ trunk/LayoutTests/platform/mac-lion/Skipped 2012-09-07 23:16:39 UTC (rev 127933)
@@ -111,6 +111,7 @@
fast/sub-pixel/inline-block-should-not-wrap.html
fast/sub-pixel/inline-block-with-margin.html
fast/sub-pixel/inline-block-with-padding.html
+fast/sub-pixel/large-sizes.html
fast/sub-pixel/layout-boxes-with-zoom.html
fast/sub-pixel/position-right-aligns-with-container.html
fast/sub-pixel/selection/selection-gaps-at-fractional-offsets.html
Modified: trunk/LayoutTests/platform/mac-snowleopard/Skipped (127932 => 127933)
--- trunk/LayoutTests/platform/mac-snowleopard/Skipped 2012-09-07 22:58:56 UTC (rev 127932)
+++ trunk/LayoutTests/platform/mac-snowleopard/Skipped 2012-09-07 23:16:39 UTC (rev 127933)
@@ -205,6 +205,7 @@
fast/sub-pixel/inline-block-should-not-wrap.html
fast/sub-pixel/inline-block-with-margin.html
fast/sub-pixel/inline-block-with-padding.html
+fast/sub-pixel/large-sizes.html
fast/sub-pixel/layout-boxes-with-zoom.html
fast/sub-pixel/position-right-aligns-with-container.html
fast/sub-pixel/selection/selection-gaps-at-fractional-offsets.html
Modified: trunk/LayoutTests/platform/mac-wk2/Skipped (127932 => 127933)
--- trunk/LayoutTests/platform/mac-wk2/Skipped 2012-09-07 22:58:56 UTC (rev 127932)
+++ trunk/LayoutTests/platform/mac-wk2/Skipped 2012-09-07 23:16:39 UTC (rev 127933)
@@ -209,6 +209,7 @@
fast/sub-pixel/inline-block-should-not-wrap.html
fast/sub-pixel/inline-block-with-margin.html
fast/sub-pixel/inline-block-with-padding.html
+fast/sub-pixel/large-sizes.html
fast/sub-pixel/layout-boxes-with-zoom.html
fast/sub-pixel/position-right-aligns-with-container.html
fast/sub-pixel/selection/selection-gaps-at-fractional-offsets.html
Modified: trunk/LayoutTests/platform/qt/Skipped (127932 => 127933)
--- trunk/LayoutTests/platform/qt/Skipped 2012-09-07 22:58:56 UTC (rev 127932)
+++ trunk/LayoutTests/platform/qt/Skipped 2012-09-07 23:16:39 UTC (rev 127933)
@@ -300,6 +300,7 @@
fast/sub-pixel/inline-block-should-not-wrap.html
fast/sub-pixel/inline-block-with-margin.html
fast/sub-pixel/inline-block-with-padding.html
+fast/sub-pixel/large-sizes.html
fast/sub-pixel/layout-boxes-with-zoom.html
fast/sub-pixel/position-right-aligns-with-container.html
fast/sub-pixel/selection/selection-gaps-at-fractional-offsets.html
Modified: trunk/LayoutTests/platform/qt-4.8/Skipped (127932 => 127933)
--- trunk/LayoutTests/platform/qt-4.8/Skipped 2012-09-07 22:58:56 UTC (rev 127932)
+++ trunk/LayoutTests/platform/qt-4.8/Skipped 2012-09-07 23:16:39 UTC (rev 127933)
@@ -98,6 +98,7 @@
fast/sub-pixel/inline-block-should-not-wrap.html
fast/sub-pixel/inline-block-with-margin.html
fast/sub-pixel/inline-block-with-padding.html
+fast/sub-pixel/large-sizes.html
fast/sub-pixel/layout-boxes-with-zoom.html
fast/sub-pixel/position-right-aligns-with-container.html
fast/sub-pixel/selection/selection-gaps-at-fractional-offsets.html
Modified: trunk/LayoutTests/platform/win/Skipped (127932 => 127933)
--- trunk/LayoutTests/platform/win/Skipped 2012-09-07 22:58:56 UTC (rev 127932)
+++ trunk/LayoutTests/platform/win/Skipped 2012-09-07 23:16:39 UTC (rev 127933)
@@ -1737,6 +1737,7 @@
fast/sub-pixel/inline-block-should-not-wrap.html
fast/sub-pixel/inline-block-with-margin.html
fast/sub-pixel/inline-block-with-padding.html
+fast/sub-pixel/large-sizes.html
fast/sub-pixel/layout-boxes-with-zoom.html
fast/sub-pixel/position-right-aligns-with-container.html
fast/sub-pixel/selection/selection-gaps-at-fractional-offsets.html
Modified: trunk/LayoutTests/platform/win-wk2/Skipped (127932 => 127933)
--- trunk/LayoutTests/platform/win-wk2/Skipped 2012-09-07 22:58:56 UTC (rev 127932)
+++ trunk/LayoutTests/platform/win-wk2/Skipped 2012-09-07 23:16:39 UTC (rev 127933)
@@ -942,6 +942,7 @@
fast/sub-pixel/inline-block-should-not-wrap.html
fast/sub-pixel/inline-block-with-margin.html
fast/sub-pixel/inline-block-with-padding.html
+fast/sub-pixel/large-sizes.html
fast/sub-pixel/layout-boxes-with-zoom.html
fast/sub-pixel/position-right-aligns-with-container.html
fast/sub-pixel/selection/selection-gaps-at-fractional-offsets.html
Modified: trunk/LayoutTests/platform/win-xp/Skipped (127932 => 127933)
--- trunk/LayoutTests/platform/win-xp/Skipped 2012-09-07 22:58:56 UTC (rev 127932)
+++ trunk/LayoutTests/platform/win-xp/Skipped 2012-09-07 23:16:39 UTC (rev 127933)
@@ -41,6 +41,7 @@
fast/sub-pixel/inline-block-should-not-wrap.html
fast/sub-pixel/inline-block-with-margin.html
fast/sub-pixel/inline-block-with-padding.html
+fast/sub-pixel/large-sizes.html
fast/sub-pixel/layout-boxes-with-zoom.html
fast/sub-pixel/position-right-aligns-with-container.html
fast/sub-pixel/selection/selection-gaps-at-fractional-offsets.html
Modified: trunk/LayoutTests/platform/wincairo/Skipped (127932 => 127933)
--- trunk/LayoutTests/platform/wincairo/Skipped 2012-09-07 22:58:56 UTC (rev 127932)
+++ trunk/LayoutTests/platform/wincairo/Skipped 2012-09-07 23:16:39 UTC (rev 127933)
@@ -2127,6 +2127,7 @@
fast/sub-pixel/inline-block-should-not-wrap.html
fast/sub-pixel/inline-block-with-margin.html
fast/sub-pixel/inline-block-with-padding.html
+fast/sub-pixel/large-sizes.html
fast/sub-pixel/layout-boxes-with-zoom.html
fast/sub-pixel/position-right-aligns-with-container.html
fast/sub-pixel/selection/selection-gaps-at-fractional-offsets.html
Modified: trunk/LayoutTests/platform/wk2/Skipped (127932 => 127933)
--- trunk/LayoutTests/platform/wk2/Skipped 2012-09-07 22:58:56 UTC (rev 127932)
+++ trunk/LayoutTests/platform/wk2/Skipped 2012-09-07 23:16:39 UTC (rev 127933)
@@ -90,6 +90,7 @@
fast/sub-pixel/inline-block-should-not-wrap.html
fast/sub-pixel/inline-block-with-margin.html
fast/sub-pixel/inline-block-with-padding.html
+fast/sub-pixel/large-sizes.html
fast/sub-pixel/layout-boxes-with-zoom.html
fast/sub-pixel/position-right-aligns-with-container.html
fast/sub-pixel/selection/selection-gaps-at-fractional-offsets.html
Modified: trunk/Source/WebCore/ChangeLog (127932 => 127933)
--- trunk/Source/WebCore/ChangeLog 2012-09-07 22:58:56 UTC (rev 127932)
+++ trunk/Source/WebCore/ChangeLog 2012-09-07 23:16:39 UTC (rev 127933)
@@ -1,3 +1,45 @@
+2012-09-07 Emil A Eklund <e...@chromium.org>
+
+ Prevent overflows in FractionalLayoutUnit
+ https://bugs.webkit.org/show_bug.cgi?id=95883
+
+ Reviewed by Eric Seidel.
+
+ Avoid overflow in snapSizeToPixel by using the fraction of the
+ location instead of the full value.
+
+ Add safe versions of min/max, adjusted by half a pixel to allow
+ round to allow rounding without overflowing.
+
+ Avoid overflow when snapping a FractionalLayoutRect by using the
+ safe versions of min/max in infiniteRect.
+
+ Avoid overflow when converting from a Length to a LayoutUnit by
+ limiting the value to FractionalLayoutUnit min/max. This matches
+ the behavior of the non-subpixel code path where the values are
+ similarly limited.
+
+ Test: fast/sub-pixel/large-sizes.html
+
+ * css/CSSPrimitiveValue.cpp:
+ (WebCore::CSSPrimitiveValue::computeLength):
+ Limit to FractionalLayoutUnit min/max.
+
+ * platform/FractionalLayoutUnit.h:
+ (FractionalLayoutUnit):
+ (WebCore::FractionalLayoutUnit::nearlyMax):
+ (WebCore::FractionalLayoutUnit::nearlyMin):
+ Reduce max/increase min by 1/2 to allow round to operate
+ without overflowing.
+
+ (WebCore::snapSizeToPixel):
+ * platform/graphics/FractionalLayoutRect.h:
+ (WebCore::FractionalLayoutRect::infiniteRect):
+ Use nearlyMin/nearlyMax.
+
+ (WebCore::pixelSnappedIntRect):
+ Change pixelSnappedIntRect to use snapSizeToPixel.
+
2012-09-07 Sheriff Bot <webkit.review....@gmail.com>
Unreviewed, rolling out r127920 and r127926.
Modified: trunk/Source/WebCore/css/CSSPrimitiveValue.cpp (127932 => 127933)
--- trunk/Source/WebCore/css/CSSPrimitiveValue.cpp 2012-09-07 22:58:56 UTC (rev 127932)
+++ trunk/Source/WebCore/css/CSSPrimitiveValue.cpp 2012-09-07 23:16:39 UTC (rev 127933)
@@ -479,7 +479,8 @@
template<> Length CSSPrimitiveValue::computeLength(RenderStyle* style, RenderStyle* rootStyle, float multiplier, bool computingFontSize)
{
#if ENABLE(SUBPIXEL_LAYOUT)
- return Length(static_cast<float>(computeLengthDouble(style, rootStyle, multiplier, computingFontSize)), Fixed);
+ double value = computeLengthDouble(style, rootStyle, multiplier, computingFontSize);
+ return Length(static_cast<float>(value > intMaxForLayoutUnit || value < intMinForLayoutUnit ? 0.0 : value), Fixed);
#else
return Length(roundForImpreciseConversion<float>(computeLengthDouble(style, rootStyle, multiplier, computingFontSize)), Fixed);
#endif
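Review bot: The new range test `value > intMaxForLayoutUnit || value < intMinForLayoutUnit` is false for NaN, so a NaN from `computeLengthDouble` would still reach `static_cast<float>` and end up in the `Length`; whether that helper can return NaN is not visible in this hunk. Inverting the test closes that case: `!(value <= intMaxForLayoutUnit && value >= intMinForLayoutUnit) ? 0.0 : value`. The line also deserves a comment such as `// Out-of-range lengths are reset to 0, not clamped.`, because the ChangeLog describes this as limiting the value to min/max while the code and the new expectations use 0. The check is made on the double but the result is then narrowed to float, so a value just inside the limit can round to a neighbouring float (the test shows 35791390 becoming 35791392); it should be confirmed that this cannot land above `intMaxForLayoutUnit`. The function body continues past the end of the hunk.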
Modified: trunk/Source/WebCore/platform/FractionalLayoutUnit.h (127932 => 127933)
--- trunk/Source/WebCore/platform/FractionalLayoutUnit.h 2012-09-07 22:58:56 UTC (rev 127932)
+++ trunk/Source/WebCore/platform/FractionalLayoutUnit.h 2012-09-07 23:16:39 UTC (rev 127933)
@@ -244,6 +244,21 @@
m.m_value = std::numeric_limits<int>::min();
return m;
}
+
+ // Versions of max/min that are slightly smaller/larger than max/min() to allow for roinding without overflowing.
+ static const FractionalLayoutUnit nearlyMax()
+ {
+ FractionalLayoutUnit m;
+ m.m_value = std::numeric_limits<int>::max() - kFixedPointDenominator / 2;
+ return m;
+ }
+ static const FractionalLayoutUnit nearlyMin()
+ {
+ FractionalLayoutUnit m;
+ m.m_value = std::numeric_limits<int>::min() + kFixedPointDenominator / 2;
+ return m;
+ }
+
static FractionalLayoutUnit clamp(double value)
{
return clampTo<FractionalLayoutUnit>(value, FractionalLayoutUnit::min(), FractionalLayoutUnit::max());
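Review bot: The comment above `nearlyMax()` misspells "rounding" as "roinding" and does not say how large the margin is or which operation it is sized for. A comment like `// max()/min() pulled in by half a pixel (kFixedPointDenominator / 2) so that a single round() on the result cannot overflow.` would state the invariant callers rely on, assuming that is the intent. The `const` on the by-value return type `static const FractionalLayoutUnit` has no effect for callers and can be dropped. The enclosing class starts and ends outside this hunk.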
@@ -792,7 +807,8 @@
inline int snapSizeToPixel(FractionalLayoutUnit size, FractionalLayoutUnit location)
{
- return (location + size).round() - location.round();
+ FractionalLayoutUnit fraction = location - location.floor();
+ return (fraction + size).round() - fraction.round();
}
#if PLATFORM(QT)
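Review bot: `(fraction + size).round()` can still leave the representable range when `size` is close to the maximum. `fraction` can be just under one pixel, but `nearlyMax()` leaves only half a pixel of headroom, so the addition itself can overflow before `round()` runs, assuming `operator+` is unchecked, which this hunk does not show. That combination is reachable from `pixelSnappedIntRect`, which now calls this function, whenever it is given the `infiniteRect()` in FractionalLayoutRect.h whose width and height are `nearlyMax()` and whose origin has a fractional part. Either document the precondition above the function, e.g. `// size must leave more than one pixel of headroom below max(); fraction is in [0, 1).`, or clamp `size` before the addition. It is also worth confirming that `floor()` rounds toward negative infinity, since otherwise `fraction` would be negative for negative locations.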
Modified: trunk/Source/WebCore/platform/graphics/FractionalLayoutRect.h (127932 => 127933)
--- trunk/Source/WebCore/platform/graphics/FractionalLayoutRect.h 2012-09-07 22:58:56 UTC (rev 127932)
+++ trunk/Source/WebCore/platform/graphics/FractionalLayoutRect.h 2012-09-07 23:16:39 UTC (rev 127933)
@@ -165,7 +165,11 @@
FractionalLayoutRect transposedRect() const { return FractionalLayoutRect(m_location.transposedPoint(), m_size.transposedSize()); }
- static FractionalLayoutRect infiniteRect() {return FractionalLayoutRect(FractionalLayoutUnit::min() / 2, FractionalLayoutUnit::min() / 2, FractionalLayoutUnit::max(), FractionalLayoutUnit::max()); }
+ static FractionalLayoutRect infiniteRect()
+ {
+ // Return a rect that is slightly smaller than the true max rect to allow pixelSnapping to round up to the nearest IntRect without overflowing.
+ return FractionalLayoutRect(FractionalLayoutUnit::nearlyMin() / 2, FractionalLayoutUnit::nearlyMin() / 2, FractionalLayoutUnit::nearlyMax(), FractionalLayoutUnit::nearlyMax());
+ }
#if PLATFORM(QT)
explicit FractionalLayoutRect(const QRect&);
@@ -207,9 +211,9 @@
inline IntRect pixelSnappedIntRect(const FractionalLayoutRect& rect)
{
#if ENABLE(SUBPIXEL_LAYOUT)
- IntPoint roundedLocation = roundedIntPoint(rect.location());
- return IntRect(roundedLocation, IntSize((rect.x() + rect.width()).round() - roundedLocation.x(),
- (rect.y() + rect.height()).round() - roundedLocation.y()));
+ return IntRect(roundedIntPoint(rect.location()), IntSize(snapSizeToPixel(rect.width(), rect.x()),
+ snapSizeToPixel(rect.height(), rect.y())));
+
#else
return IntRect(rect);
#endif