Title: [92389] trunk
- Revision
- 92389
- Author
- [email protected]
- Date
- 2011-08-04 11:11:22 -0700 (Thu, 04 Aug 2011)
Log Message
Detect and handle overflow in PlatformCALayerWinInternal::constrainedSize
Google Maps sometimes requests very large (i.e., 2^50 pixels or greater) layers when
zooming. PlatformCALayerWinInternal has code to limit tiled layers to 2^27 pixels, but it
was not correctly handling overflow. In some cases, this would lead to creating a tiled
layer with 0 tiles, which was the cause of this crash.
Fixes <http://webkit.org/b/65637> <rdar://problem/9784849> Crash beneath
PlatformCALayerWinInternal::updateTiles when zooming on Google Maps
Reviewed by Sam Weinig.
Source/WebCore:
* platform/graphics/ca/win/PlatformCALayerWinInternal.cpp:
(PlatformCALayerWinInternal::constrainedSize): Check for overflow before seeing if the
number of required tiles is larger than the maximum number of allowed tiles.
(PlatformCALayerWinInternal::updateTiles): Added an assertion to catch cases where we have a
non-empty tiled layer that contains 0 tiles, which would cause the crash in this bug report.
LayoutTests:
Test that a 2^25x2^25 pixel layer doesn't cause a crash
* compositing/tiling/crash-huge-layer-expected.txt: Added.
* compositing/tiling/crash-huge-layer.html: Added.
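The log message above describes the failure mode in words: the tile-count product overflowed `int` before it was compared against the cap, so a huge layer could end up with 0 tiles. As an added worked example (not code from this commit or from WebKit), the following C++ models that check stand-alone. The tile size of 512 px and the cap of 1024 tiles are illustrative parameters, not WebKit's constants; the saturation of the `ceil` results before conversion to `int` and the aspect-ratio branch are my assumptions, since the hunk only shows the first two clamping branches. `wrappedProduct` shows the two's-complement result the commit attributes to the pre-fix multiply, modelled with unsigned arithmetic because signed overflow is undefined behaviour in C++.

```cpp
#include <climits>
#include <cmath>
#include <iostream>
#include <limits>

// A tile grid: how many tile columns and rows a layer is split into.
struct TileGrid {
    int columns;
    int rows;
};

// The post-fix test: true if columns * rows would overflow int or exceed
// maxTiles. The division-based guard runs first, so the product is only
// evaluated once it is known to fit in an int.
bool tooManyTiles(int columns, int rows, int maxTiles)
{
    if (columns && std::numeric_limits<int>::max() / columns < rows)
        return true; // product would overflow
    return columns * rows > maxTiles;
}

// What the pre-fix `int numTiles = tileColumns * tileRows` yields on a
// two's-complement machine once the product exceeds int range. Signed
// overflow is undefined in C++, so the wrap is modelled with unsigned
// multiplication, which is defined to reduce modulo 2^32.
int wrappedProduct(int columns, int rows)
{
    return static_cast<int>(static_cast<unsigned>(columns) * static_cast<unsigned>(rows));
}

// Clamp a width x height layer to at most maxTiles tiles of tileSize pixels.
// Illustrative signature (assumption): tileSize and maxTiles are parameters
// here rather than the class constants used in WebKit. Sizes are assumed
// non-negative.
TileGrid constrainedGrid(double width, double height, double tileSize, int maxTiles)
{
    // Converting an out-of-range double to int is undefined behaviour, so
    // saturate before converting (assumed step; the hunk does not show it).
    const double intMax = std::numeric_limits<int>::max();
    double c = std::ceil(width / tileSize);
    double r = std::ceil(height / tileSize);
    int columns = c >= intMax ? INT_MAX : static_cast<int>(c);
    int rows = r >= intMax ? INT_MAX : static_cast<int>(r);

    if (!tooManyTiles(columns, rows, maxTiles))
        return { columns, rows };

    const int sqrtMax = static_cast<int>(std::sqrt(static_cast<double>(maxTiles)));
    if (rows < sqrtMax) {
        // rows >= 1 here: a zero row count never passes tooManyTiles.
        columns = maxTiles / rows;
    } else if (columns < sqrtMax) {
        rows = maxTiles / columns;
    } else {
        // Both dimensions are large: shrink both, keeping the aspect ratio
        // (the commit's comment describes this branch; its code is not in the hunk).
        double ratio = static_cast<double>(columns) / rows;
        rows = static_cast<int>(std::sqrt(maxTiles / ratio));
        if (rows < 1)
            rows = 1; // never let the clamp itself produce zero tiles
        columns = maxTiles / rows;
    }
    return { columns, rows };
}

int main()
{
    // The layout test's 2^25 x 2^25 px layer: 65536 x 65536 tiles at 512 px.
    const double side = 33554432.0;
    std::cout << "pre-fix product wraps to " << wrappedProduct(65536, 65536) << '\n';
    TileGrid g = constrainedGrid(side, side, 512.0, 1024);
    std::cout << "clamped grid: " << g.columns << " x " << g.rows << '\n';
    return 0;
}
```

For the test page's layer, 65536 x 65536 tiles multiply to 2^32, which wraps to exactly 0: the pre-fix comparison `0 > cMaxTileCount` is false, so no clamping happens and the layer is later created with 0 tiles. The guard catches the overflow first, and the clamp reduces the grid to 32 x 32 under the illustrative cap.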
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (92388 => 92389)
--- trunk/LayoutTests/ChangeLog 2011-08-04 18:00:41 UTC (rev 92388)
+++ trunk/LayoutTests/ChangeLog 2011-08-04 18:11:22 UTC (rev 92389)
@@ -1,3 +1,15 @@
+2011-08-03 Adam Roben <[email protected]>
+
+ Test that a 2^25x2^25 pixel layer doesn't cause a crash
+
+ Test for <http://webkit.org/b/65637> <rdar://problem/9784849> Crash beneath
+ PlatformCALayerWinInternal::updateTiles when zooming on Google Maps
+
+ Reviewed by Sam Weinig.
+
+ * compositing/tiling/crash-huge-layer-expected.txt: Added.
+ * compositing/tiling/crash-huge-layer.html: Added.
+
2011-08-04 Jian Li <[email protected]>
Unreviewed, mark gain.html as flaky on Linux chromium.
Added: trunk/LayoutTests/compositing/tiling/crash-huge-layer-expected.txt (0 => 92389)
--- trunk/LayoutTests/compositing/tiling/crash-huge-layer-expected.txt (rev 0)
+++ trunk/LayoutTests/compositing/tiling/crash-huge-layer-expected.txt 2011-08-04 18:11:22 UTC (rev 92389)
@@ -0,0 +1,3 @@
+This is a test for Bug 65637: Crash beneath PlatformCALayerWinInternal::updateTiles when zooming on Google Maps. The test passes if the browser does not crash.
+
+Did you crash?
Added: trunk/LayoutTests/compositing/tiling/crash-huge-layer.html (0 => 92389)
--- trunk/LayoutTests/compositing/tiling/crash-huge-layer.html (rev 0)
+++ trunk/LayoutTests/compositing/tiling/crash-huge-layer.html 2011-08-04 18:11:22 UTC (rev 92389)
@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<script>
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
+<p>This is a test for <a href="" 65637: Crash beneath PlatformCALayerWinInternal::updateTiles when zooming on Google Maps</a>. The test passes if the browser does not crash.</p>
+<div style="width: 33554432px; height: 33554432px; -webkit-transform: translateZ(0);">Did you crash?</div>
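Review bot: the bug link in the `<p>` line is broken as shown: `<a href="" 65637: Crash beneath ...</a>` has an empty `href` and its text begins with "65637:" rather than "Bug 65637:", which is how the matching expected.txt refers to it. Point the anchor at the bug URL given in the log message, `http://webkit.org/b/65637`, and make the link text "Bug 65637: Crash beneath PlatformCALayerWinInternal::updateTiles when zooming on Google Maps" so the dumped text matches the expectation exactly.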
Modified: trunk/Source/WebCore/ChangeLog (92388 => 92389)
--- trunk/Source/WebCore/ChangeLog 2011-08-04 18:00:41 UTC (rev 92388)
+++ trunk/Source/WebCore/ChangeLog 2011-08-04 18:11:22 UTC (rev 92389)
@@ -1,3 +1,25 @@
+2011-08-03 Adam Roben <[email protected]>
+
+ Detect and handle overflow in PlatformCALayerWinInternal::constrainedSize
+
+ Google Maps sometimes requests very large (i.e., 2^50 pixels or greater) layers when
+ zooming. PlatformCALayerWinInternal has code to limit tiled layers to 2^27 pixels, but it
+ was not correctly handling overflow. In some cases, this would lead to creating a tiled
+ layer with 0 tiles, which was the cause of this crash.
+
+ Fixes <http://webkit.org/b/65637> <rdar://problem/9784849> Crash beneath
+ PlatformCALayerWinInternal::updateTiles when zooming on Google Maps
+
+ Reviewed by Sam Weinig.
+
+ Test: compositing/tiling/crash-huge-layer.html
+
+ * platform/graphics/ca/win/PlatformCALayerWinInternal.cpp:
+ (PlatformCALayerWinInternal::constrainedSize): Check for overflow before seeing if the
+ number of required tiles is larger than the maximum number of allowed tiles.
+ (PlatformCALayerWinInternal::updateTiles): Added an assertion to catch cases where we have a
+ non-empty tiled layer that contains 0 tiles, which would cause the crash in this bug report.
+
2011-08-04 Stephen White <[email protected]>
Set graphics context current before canvas.toDataURL().
Modified: trunk/Source/WebCore/platform/graphics/ca/win/PlatformCALayerWinInternal.cpp (92388 => 92389)
--- trunk/Source/WebCore/platform/graphics/ca/win/PlatformCALayerWinInternal.cpp 2011-08-04 18:00:41 UTC (rev 92388)
+++ trunk/Source/WebCore/platform/graphics/ca/win/PlatformCALayerWinInternal.cpp 2011-08-04 18:11:22 UTC (rev 92389)
@@ -350,13 +350,14 @@
int tileColumns = ceilf(constrainedSize.width / m_tileSize.width);
int tileRows = ceilf(constrainedSize.height / m_tileSize.height);
- int numTiles = tileColumns * tileRows;
+ bool tooManyTiles = tileColumns && numeric_limits<int>::max() / tileColumns < tileRows || tileColumns * tileRows > cMaxTileCount;
+
// If number of tiles vertically or horizontally is < sqrt(cMaxTileCount)
// just shorten the longer dimension. Otherwise shorten both dimensions
// according to the ratio of width to height
- if (numTiles > cMaxTileCount) {
+ if (tooManyTiles) {
if (tileRows < cSqrtMaxTileCount)
tileColumns = floorf(cMaxTileCount / tileRows);
else if (tileColumns < cSqrtMaxTileCount)
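Review bot: the `tooManyTiles` expression mixes `&&` and `||` without parentheses; it relies on `&&` binding tighter so that the overflow guard `tileColumns && numeric_limits<int>::max() / tileColumns < tileRows` short-circuits before `tileColumns * tileRows` is evaluated, which is correct but easy to misread and trips `-Wparentheses`. Splitting it, e.g. `bool wouldOverflow = tileColumns && numeric_limits<int>::max() / tileColumns < tileRows;` followed by `bool tooManyTiles = wouldOverflow || tileColumns * tileRows > cMaxTileCount;`, makes the ordering explicit. Separately, the guard only protects the multiply: `int tileColumns = ceilf(...)` and `int tileRows = ceilf(...)` two lines above still convert a float to `int`, which is undefined behaviour if the float exceeds `INT_MAX`, so unless `constrainedSize` is already bounded above before this point (not visible in the hunk) the float should be clamped before conversion.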
@@ -423,6 +424,7 @@
int numTilesHorizontal = ceil(m_constrainedSize.width / m_tileSize.width);
int numTilesVertical = ceil(m_constrainedSize.height / m_tileSize.height);
int numTilesTotal = numTilesHorizontal * numTilesVertical;
+ ASSERT(!m_constrainedSize.height || !m_constrainedSize.width || numTilesTotal > 0);
int numTilesToChange = numTilesTotal - tileCount();
if (numTilesToChange >= 0) {
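Review bot: the new `ASSERT` is compiled out in release builds, so a non-empty layer that still reaches `updateTiles` with `numTilesTotal == 0` would crash exactly as reported; consider an early return or clamp alongside the assertion so release builds fail soft. Also, `numTilesHorizontal`/`numTilesVertical` use `ceil` (double) while `constrainedSize` uses `ceilf`, so the two tile counts can disagree at rounding boundaries, and `numTilesTotal` is computed with an unguarded multiply that relies on `constrainedSize` having already limited the dimensions; using the same `ceilf` in both places keeps the counts consistent.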
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes