[webkit-changes] [206249] trunk/Source

[ap]

Title: [206249] trunk/Source

Revision

206249

Author

a...@apple.com

Date

2016-09-21 23:01:33 -0700 (Wed, 21 Sep 2016)

Log Message

Rolling out r206244, as it caused flaky crashes on tests.
Was: Correct uses of 'safeCast'

Source/WebCore:

* loader/cache/MemoryCache.cpp:
(WebCore::MemoryCache::adjustSize):
* platform/graphics/BitmapImage.cpp:
(WebCore::BitmapImage::destroyMetadataAndNotify):
(WebCore::BitmapImage::cacheFrame):
(WebCore::BitmapImage::didDecodeProperties):
(WebCore::BitmapImage::dataChanged):
(WebCore::BitmapImage::frameImageAtIndex):
* platform/graphics/cg/PDFDocumentImage.cpp:
(WebCore::PDFDocumentImage::decodedSizeChanged):
(WebCore::PDFDocumentImage::updateCachedImageIfNeeded):

Source/WTF:

* wtf/StdLibExtras.h:
(WTF::safeCast):

Modified Paths

• trunk/Source/WTF/ChangeLog
• trunk/Source/WTF/wtf/StdLibExtras.h
• trunk/Source/WebCore/ChangeLog
• trunk/Source/WebCore/loader/cache/MemoryCache.cpp
• trunk/Source/WebCore/platform/graphics/BitmapImage.cpp
• trunk/Source/WebCore/platform/graphics/cg/PDFDocumentImage.cpp

Diff

Modified: trunk/Source/WTF/ChangeLog (206248 => 206249)

--- trunk/Source/WTF/ChangeLog	2016-09-22 05:19:14 UTC (rev 206248)
+++ trunk/Source/WTF/ChangeLog	2016-09-22 06:01:33 UTC (rev 206249)
@@ -1,3 +1,11 @@
+2016-09-21  Alexey Proskuryakov  <a...@apple.com>
+
+        Rolling out r206244, as it caused flaky crashes on tests.
+        Was: Correct uses of 'safeCast'
+
+        * wtf/StdLibExtras.h:
+        (WTF::safeCast):
+
 2016-09-21  Keith Miller  <keith_mil...@apple.com>
 
         Fix build for future versions of Clang.

Modified: trunk/Source/WTF/wtf/StdLibExtras.h (206248 => 206249)

--- trunk/Source/WTF/wtf/StdLibExtras.h	2016-09-22 05:19:14 UTC (rev 206248)
+++ trunk/Source/WTF/wtf/StdLibExtras.h	2016-09-22 06:01:33 UTC (rev 206249)
@@ -159,7 +159,7 @@
 template<typename ToType, typename FromType>
 inline ToType safeCast(FromType value)
 {
-    RELEASE_ASSERT(isInBounds<ToType>(value));
+    ASSERT(isInBounds<ToType>(value));
     return static_cast<ToType>(value);
 }
 

Modified: trunk/Source/WebCore/ChangeLog (206248 => 206249)

--- trunk/Source/WebCore/ChangeLog	2016-09-22 05:19:14 UTC (rev 206248)
+++ trunk/Source/WebCore/ChangeLog	2016-09-22 06:01:33 UTC (rev 206249)
@@ -1,3 +1,20 @@
+2016-09-21  Alexey Proskuryakov  <a...@apple.com>
+
+        Rolling out r206244, as it caused flaky crashes on tests.
+        Was: Correct uses of 'safeCast'
+
+        * loader/cache/MemoryCache.cpp:
+        (WebCore::MemoryCache::adjustSize):
+        * platform/graphics/BitmapImage.cpp:
+        (WebCore::BitmapImage::destroyMetadataAndNotify):
+        (WebCore::BitmapImage::cacheFrame):
+        (WebCore::BitmapImage::didDecodeProperties):
+        (WebCore::BitmapImage::dataChanged):
+        (WebCore::BitmapImage::frameImageAtIndex):
+        * platform/graphics/cg/PDFDocumentImage.cpp:
+        (WebCore::PDFDocumentImage::decodedSizeChanged):
+        (WebCore::PDFDocumentImage::updateCachedImageIfNeeded):
+
 2016-09-21  Chris Dumez  <cdu...@apple.com>
 
         Fix serialization of bgsound, keygen and track elements

Modified: trunk/Source/WebCore/loader/cache/MemoryCache.cpp (206248 => 206249)

--- trunk/Source/WebCore/loader/cache/MemoryCache.cpp	2016-09-22 05:19:14 UTC (rev 206248)
+++ trunk/Source/WebCore/loader/cache/MemoryCache.cpp	2016-09-22 06:01:33 UTC (rev 206249)
@@ -644,10 +644,10 @@
 void MemoryCache::adjustSize(bool live, int delta)
 {
     if (live) {
-        RELEASE_ASSERT(delta >= 0 || ((int)m_liveSize + delta >= 0));
+        ASSERT(delta >= 0 || ((int)m_liveSize + delta >= 0));
         m_liveSize += delta;
     } else {
-        RELEASE_ASSERT(delta >= 0 || ((int)m_deadSize + delta >= 0));
+        ASSERT(delta >= 0 || ((int)m_deadSize + delta >= 0));
         m_deadSize += delta;
     }
 }

Modified: trunk/Source/WebCore/platform/graphics/BitmapImage.cpp (206248 => 206249)

--- trunk/Source/WebCore/platform/graphics/BitmapImage.cpp	2016-09-22 05:19:14 UTC (rev 206248)
+++ trunk/Source/WebCore/platform/graphics/BitmapImage.cpp	2016-09-22 06:01:33 UTC (rev 206249)
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2006 Samuel Weinig (sam.wei...@gmail.com)
- * Copyright (C) 2004-2006, 2008, 2015-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2004, 2005, 2006, 2008, 2015 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -36,7 +36,6 @@
 #include "MIMETypeRegistry.h"
 #include "TextStream.h"
 #include "Timer.h"
-#include <wtf/CheckedArithmetic.h>
 #include <wtf/CurrentTime.h>
 #include <wtf/Vector.h>
 #include <wtf/text/WTFString.h>
@@ -143,20 +142,17 @@
     m_solidColor = Nullopt;
     invalidatePlatformData();
 
-    if (!WTF::safeSub(m_decodedSize, frameBytesCleared, m_decodedSize))
-        CRASH_WITH_SECURITY_IMPLICATION();
+    ASSERT(m_decodedSize >= frameBytesCleared);
+    m_decodedSize -= frameBytesCleared;
 
     // Clearing the ImageSource destroys the extra decoded data used for determining image properties.
-    long long adjustedFrameBytesCleared = frameBytesCleared;
     if (clearedSource == ClearedSource::Yes) {
-        adjustedFrameBytesCleared += m_decodedPropertiesSize;
+        frameBytesCleared += m_decodedPropertiesSize;
         m_decodedPropertiesSize = 0;
     }
 
-    if (adjustedFrameBytesCleared && imageObserver()) {
-        Checked<int> checkedDelta = adjustedFrameBytesCleared;
-        imageObserver()->decodedSizeChanged(this, -checkedDelta.unsafeGet());
-    }
+    if (frameBytesCleared && imageObserver())
+        imageObserver()->decodedSizeChanged(this, -safeCast<int>(frameBytesCleared));
 }
 
 void BitmapImage::cacheFrame(size_t index, SubsamplingLevel subsamplingLevel, ImageFrame::Caching caching)
@@ -176,26 +172,14 @@
     LOG(Images, "BitmapImage %p cacheFrame %lu (%s%u bytes, complete %d)", this, index, caching == ImageFrame::Caching::Metadata ? "metadata only, " : "", m_frames[index].frameBytes(), m_frames[index].isComplete());
 
     if (m_frames[index].hasNativeImage()) {
-        if (!WTF::safeAdd(m_decodedSize, m_frames[index].frameBytes(), m_decodedSize)) {
-            LOG(Images, "BitmapImage %p cacheFrame m_decodedSize overflowed unsigned.", this);
-            destroyDecodedData(false);
-            return;
-        }
-
+        int deltaBytes = safeCast<int>(m_frames[index].frameBytes());
+        m_decodedSize += deltaBytes;
         // The fully-decoded frame will subsume the partially decoded data used
         // to determine image properties.
-        long long deltaBytes = m_frames[index].frameBytes() - m_decodedPropertiesSize;
+        deltaBytes -= m_decodedPropertiesSize;
         m_decodedPropertiesSize = 0;
-
-        Checked<int, RecordOverflow> checkedDeltaBytes = deltaBytes;
-        if (checkedDeltaBytes.hasOverflowed()) {
-            LOG(Images, "BitmapImage %p cacheFrame deltaBytes=%lld overflowed integer.", this, deltaBytes);
-            destroyDecodedData(false);
-            return;
-        }
-
         if (imageObserver())
-            imageObserver()->decodedSizeChanged(this, checkedDeltaBytes.unsafeGet());
+            imageObserver()->decodedSizeChanged(this, deltaBytes);
     }
 }
 
@@ -208,7 +192,7 @@
     if (m_decodedPropertiesSize == updatedSize)
         return;
 
-    long long deltaBytes = updatedSize - m_decodedPropertiesSize;
+    int deltaBytes = updatedSize - m_decodedPropertiesSize;
 #if !ASSERT_DISABLED
     bool overflow = updatedSize > m_decodedPropertiesSize && deltaBytes < 0;
     bool underflow = updatedSize < m_decodedPropertiesSize && deltaBytes > 0;
@@ -215,10 +199,8 @@
     ASSERT(!overflow && !underflow);
 #endif
     m_decodedPropertiesSize = updatedSize;
-    if (imageObserver()) {
-        Checked<int> checkedDeltaBytes = deltaBytes;
-        imageObserver()->decodedSizeChanged(this, checkedDeltaBytes.unsafeGet());
-    }
+    if (imageObserver())
+        imageObserver()->decodedSizeChanged(this, deltaBytes);
 }
 
 void BitmapImage::updateSize() const
@@ -274,7 +256,7 @@
     // start of the frame data), and any or none of them might be the particular
     // frame affected by appending new data here. Thus we have to clear all the
     // incomplete frames to be safe.
-    Checked<unsigned> frameBytesCleared = 0;
+    unsigned frameBytesCleared = 0;
     for (auto& frame : m_frames) {
         // NOTE: Don't call frameIsCompleteAtIndex() here, that will try to
         // decode any uncached (i.e. never-decoded or
@@ -282,10 +264,10 @@
         if (frame.hasMetadata() && !frame.isComplete())
             frameBytesCleared += frame.clear();
     }
-    destroyMetadataAndNotify(frameBytesCleared.unsafeGet(), ClearedSource::No);
+    destroyMetadataAndNotify(frameBytesCleared, ClearedSource::No);
 #else
     // FIXME: why is this different for iOS?
-    Checked<int> deltaBytes = 0;
+    int deltaBytes = 0;
     if (!m_frames.isEmpty()) {
         if (int bytes = m_frames[m_frames.size() - 1].clear()) {
             deltaBytes += bytes;
@@ -293,7 +275,7 @@
             m_decodedPropertiesSize = 0;
         }
     }
-    destroyMetadataAndNotify(deltaBytes.unsafeGet(), ClearedSource::No);
+    destroyMetadataAndNotify(deltaBytes, ClearedSource::No);
 #endif
     
     // Feed all the data we've seen so far to the image decoder.
@@ -374,24 +356,11 @@
         LOG(Images, "  subsamplingLevel was %d, resampling", m_frames[index].subsamplingLevel());
 
         // If the image is already cached, but at too small a size, re-decode a larger version.
-        unsigned sizeChange = m_frames[index].clear();
+        int sizeChange = -m_frames[index].clear();
         invalidatePlatformData();
-
-        if (WTF::safeSub(m_decodedSize, sizeChange, m_decodedSize)) {
-            LOG(Images, "BitmapImage %p frameImageAtIndex m_decodedSize overflowed unsigned.", this);
-            destroyDecodedData(false);
-            return nullptr;
-        }
-
-        Checked<int, RecordOverflow> checkedSizeChange = -sizeChange;
-        if (checkedSizeChange.hasOverflowed()) {
-            LOG(Images, "BitmapImage %p frameImageAtIndex sizeChange=%u overflowed integer.", this, -sizeChange);
-            destroyDecodedData(false);
-            return nullptr;
-        }
-
+        m_decodedSize += sizeChange;
         if (imageObserver())
-            imageObserver()->decodedSizeChanged(this, checkedSizeChange.unsafeGet());
+            imageObserver()->decodedSizeChanged(this, sizeChange);
     }
 
     // If we haven't fetched a frame yet, do so.

Modified: trunk/Source/WebCore/platform/graphics/cg/PDFDocumentImage.cpp (206248 => 206249)

--- trunk/Source/WebCore/platform/graphics/cg/PDFDocumentImage.cpp	2016-09-22 05:19:14 UTC (rev 206248)
+++ trunk/Source/WebCore/platform/graphics/cg/PDFDocumentImage.cpp	2016-09-22 06:01:33 UTC (rev 206249)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2016 Apple Inc.  All rights reserved.
+ * Copyright (C) 2004, 2005, 2006, 2013 Apple Inc.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -38,12 +38,10 @@
 #include "ImageObserver.h"
 #include "IntRect.h"
 #include "Length.h"
-#include "Logging.h"
 #include "SharedBuffer.h"
 #include "TextStream.h"
 #include <CoreGraphics/CGContext.h>
 #include <CoreGraphics/CGPDFDocument.h>
-#include <wtf/CheckedArithmetic.h>
 #include <wtf/MathExtras.h>
 #include <wtf/RAMSize.h>
 #include <wtf/RetainPtr.h>
@@ -183,20 +181,14 @@
     if (!m_cachedBytes && !newCachedBytes)
         return;
 
-    long long deltaBytes = m_cachedBytes - newCachedBytes;
-
-    Checked<int> checkedDeltaBytes = deltaBytes;
     if (imageObserver())
-        imageObserver()->decodedSizeChanged(this, -checkedDeltaBytes.unsafeGet());
+        imageObserver()->decodedSizeChanged(this, -safeCast<int>(m_cachedBytes) + newCachedBytes);
 
     ASSERT(s_allDecodedDataSize >= m_cachedBytes);
     // Update with the difference in two steps to avoid unsigned underflow subtraction.
-    if (!WTF::safeSub(s_allDecodedDataSize, m_cachedBytes, s_allDecodedDataSize))
-        CRASH_WITH_SECURITY_IMPLICATION();
+    s_allDecodedDataSize -= m_cachedBytes;
+    s_allDecodedDataSize += newCachedBytes;
 
-    if (!WTF::safeAdd(s_allDecodedDataSize, newCachedBytes, s_allDecodedDataSize))
-        CRASH_WITH_SECURITY_IMPLICATION();
-
     m_cachedBytes = newCachedBytes;
 }
 
@@ -243,20 +235,10 @@
     // Cache the PDF image only if the size of the new image won't exceed the cache threshold.
     if (m_pdfImageCachingPolicy == PDFImageCachingBelowMemoryLimit) {
         IntSize scaledSize = ImageBuffer::compatibleBufferSize(cachedImageSize, context);
-        Checked<size_t, RecordOverflow> scaledBytes = scaledSize.area() * 4;
-
-        if (scaledBytes.hasOverflowed()) {
-            LOG(Images, "PDFDocumentImage %p updateCachedImageIfNeeded scaledBytes overflowed size_t.", this);
+        if (s_allDecodedDataSize + safeCast<size_t>(scaledSize.width()) * scaledSize.height() * 4 - m_cachedBytes > s_maxDecodedDataSize) {
             destroyDecodedData();
             return;
         }
-
-        Checked<size_t, RecordOverflow> potentialDecodedDataSize = s_allDecodedDataSize + scaledBytes - m_cachedBytes;
-        if (potentialDecodedDataSize.hasOverflowed() || potentialDecodedDataSize.unsafeGet() > s_maxDecodedDataSize) {
-            LOG(Images, "PDFDocumentImage %p updateCachedImageIfNeeded potentialDecodedDataSize overflowed size_t.", this);
-            destroyDecodedData();
-            return;
-        }
     }
 
     m_cachedImageBuffer = ImageBuffer::createCompatibleBuffer(cachedImageSize, context);
@@ -277,14 +259,7 @@
     m_cachedSourceRect = srcRect;
 
     IntSize internalSize = m_cachedImageBuffer->internalSize();
-    Checked<size_t, RecordOverflow> scaledBytes = internalSize.area() * 4;
-    if (scaledBytes.hasOverflowed()) {
-        LOG(Images, "PDFDocumentImage %p updateCachedImageIfNeeded scaledBytes overflowed size_t.", this);
-        destroyDecodedData();
-        return;
-    }
-
-    decodedSizeChanged(scaledBytes.unsafeGet());
+    decodedSizeChanged(safeCast<size_t>(internalSize.width()) * internalSize.height() * 4);
 }
 
 void PDFDocumentImage::draw(GraphicsContext& context, const FloatRect& dstRect, const FloatRect& srcRect, CompositeOperator op, BlendMode, ImageOrientationDescription)

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes