Skip to site navigation (Press enter)

[webkit-changes] [248722] trunk

antti Thu, 15 Aug 2019 10:22:37 -0700

Title: [248722] trunk

Revision: 248722
Author: an...@apple.com
Date: 2019-08-15 10:20:20 -0700 (Thu, 15 Aug 2019)

Log Message

Negative size box with border radius causes hang under WebCore::approximateAsRegion
https://bugs.webkit.org/show_bug.cgi?id=200769
<rdar://problem/53380674>


Reviewed by Alex Christensen.

Source/WebCore:

If a box's width or height computes negative the rounded border rect will also be negative.
This caused near-infinite loop during rounded border region approximation.

Test: fast/css/border-radius-negative-size.html

* platform/graphics/RoundedRect.cpp:
(WebCore::approximateAsRegion):

Bail out if the region is empty (which includes negative sizes).
For safety also limit the number of rectangles we generate for corner arc approximation.

LayoutTests:

* fast/css/border-radius-negative-size-expected.txt: Added.
* fast/css/border-radius-negative-size.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/platform/graphics/RoundedRect.cpp

Added Paths

trunk/LayoutTests/fast/css/border-radius-negative-size-expected.txt
trunk/LayoutTests/fast/css/border-radius-negative-size.html

Diff

Modified: trunk/LayoutTests/ChangeLog (248721 => 248722)


--- trunk/LayoutTests/ChangeLog	2019-08-15 17:17:52 UTC (rev 248721)
+++ trunk/LayoutTests/ChangeLog	2019-08-15 17:20:20 UTC (rev 248722)
@@ -1,3 +1,14 @@
+2019-08-15  Antti Koivisto  <an...@apple.com>
+
+        Negative size box with border radius causes hang under WebCore::approximateAsRegion
+        https://bugs.webkit.org/show_bug.cgi?id=200769
+        <rdar://problem/53380674>
+
+        Reviewed by Alex Christensen.
+
+        * fast/css/border-radius-negative-size-expected.txt: Added.
+        * fast/css/border-radius-negative-size.html: Added.
+
 2019-08-15  Youenn Fablet  <you...@apple.com>
 
         Make mock libwebrtc tests run with unified plan

Added: trunk/LayoutTests/fast/css/border-radius-negative-size-expected.txt (0 => 248722)


--- trunk/LayoutTests/fast/css/border-radius-negative-size-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/css/border-radius-negative-size-expected.txt	2019-08-15 17:20:20 UTC (rev 248722)
@@ -0,0 +1 @@
+This test passes if it doesn't hang.

Added: trunk/LayoutTests/fast/css/border-radius-negative-size.html (0 => 248722)


--- trunk/LayoutTests/fast/css/border-radius-negative-size.html	                        (rev 0)
+++ trunk/LayoutTests/fast/css/border-radius-negative-size.html	2019-08-15 17:20:20 UTC (rev 248722)
@@ -0,0 +1,28 @@
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<style>
+.test {
+    position: absolute;
+    box-sizing: border-box;
+    left: 0px;
+    right: 0px;
+    margin-left: 200px;
+    border-radius: 10px;
+    border: 2px solid red;
+    height: 10px;
+}
+.container {
+    position: relative;
+    width: 100px;
+    height: 100px;
+    border: 2px solid blue;
+    will-change:transform;
+}
+</style>
+<div class="container">
+<div class="test">
+This test passes if it doesn't hang.
+</div>
+</div>

Modified: trunk/Source/WebCore/ChangeLog (248721 => 248722)


--- trunk/Source/WebCore/ChangeLog	2019-08-15 17:17:52 UTC (rev 248721)
+++ trunk/Source/WebCore/ChangeLog	2019-08-15 17:20:20 UTC (rev 248722)
@@ -1,3 +1,22 @@
+2019-08-15  Antti Koivisto  <an...@apple.com>
+
+        Negative size box with border radius causes hang under WebCore::approximateAsRegion
+        https://bugs.webkit.org/show_bug.cgi?id=200769
+        <rdar://problem/53380674>
+
+        Reviewed by Alex Christensen.
+
+        If a box's width or height computes negative the rounded border rect will also be negative.
+        This caused near-infinite loop during rounded border region approximation.
+
+        Test: fast/css/border-radius-negative-size.html
+
+        * platform/graphics/RoundedRect.cpp:
+        (WebCore::approximateAsRegion):
+
+        Bail out if the region is empty (which includes negative sizes).
+        For safety also limit the number of rectangles we generate for corner arc approximation.
+
 2019-08-15  Thibault Saunier  <tsaun...@igalia.com>
 
         [GStreamer] Deal with slow buffer consumption in GStreamerMediaStreamSource

Modified: trunk/Source/WebCore/platform/graphics/RoundedRect.cpp (248721 => 248722)


--- trunk/Source/WebCore/platform/graphics/RoundedRect.cpp	2019-08-15 17:17:52 UTC (rev 248721)
+++ trunk/Source/WebCore/platform/graphics/RoundedRect.cpp	2019-08-15 17:20:20 UTC (rev 248722)
@@ -310,6 +310,9 @@
 {
     Region region;
 
+    if (roundedRect.isEmpty())
+        return region;
+
     auto& rect = roundedRect.rect();
     region.unite(enclosingIntRect(rect));
 
@@ -332,6 +335,9 @@
         auto arcLengthFactor = roundToInt(std::min(axes.width(), axes.height()));
         auto count = (arcLengthFactor + (stepLength / 2)) / stepLength;
 
+        constexpr auto maximumCount = 20u;
+        count = std::min(maximumCount, count);
+
         for (auto i = 0u; i < count; ++i) {
             auto angle = fromAngle + (i + 1) * (toAngle - fromAngle) / (count + 1);
             auto ellipsisPoint = LayoutPoint { axes.width() * cos(angle), axes.height() * sin(angle) };

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes