Title: [92944] branches/safari-534.51-branch
- Revision: 92944
- Author: [email protected]
- Date: 2011-08-11 23:27:36 -0700 (Thu, 11 Aug 2011)
Log Message
Merge r92389.
Diff
Modified: branches/safari-534.51-branch/LayoutTests/ChangeLog (92943 => 92944)
--- branches/safari-534.51-branch/LayoutTests/ChangeLog 2011-08-12 06:25:39 UTC (rev 92943)
+++ branches/safari-534.51-branch/LayoutTests/ChangeLog 2011-08-12 06:27:36 UTC (rev 92944)
@@ -1,5 +1,21 @@
2011-08-11 Lucas Forschler <[email protected]>
+ Merged 92389
+
+ 2011-08-03 Adam Roben <[email protected]>
+
+ Test that a 2^25x2^25 pixel layer doesn't cause a crash
+
+ Test for <http://webkit.org/b/65637> <rdar://problem/9784849> Crash beneath
+ PlatformCALayerWinInternal::updateTiles when zooming on Google Maps
+
+ Reviewed by Sam Weinig.
+
+ * compositing/tiling/crash-huge-layer-expected.txt: Added.
+ * compositing/tiling/crash-huge-layer.html: Added.
+
+2011-08-11 Lucas Forschler <[email protected]>
+
Merged 92132
2011-07-28 Abhishek Arya <[email protected]>
Copied: branches/safari-534.51-branch/LayoutTests/compositing/tiling/crash-huge-layer-expected.txt (from rev 92389, trunk/LayoutTests/compositing/tiling/crash-huge-layer-expected.txt) (0 => 92944)
--- branches/safari-534.51-branch/LayoutTests/compositing/tiling/crash-huge-layer-expected.txt (rev 0)
+++ branches/safari-534.51-branch/LayoutTests/compositing/tiling/crash-huge-layer-expected.txt 2011-08-12 06:27:36 UTC (rev 92944)
@@ -0,0 +1,3 @@
+This is a test for Bug 65637: Crash beneath PlatformCALayerWinInternal::updateTiles when zooming on Google Maps. The test passes if the browser does not crash.
+
+Did you crash?
Copied: branches/safari-534.51-branch/LayoutTests/compositing/tiling/crash-huge-layer.html (from rev 92389, trunk/LayoutTests/compositing/tiling/crash-huge-layer.html) (0 => 92944)
--- branches/safari-534.51-branch/LayoutTests/compositing/tiling/crash-huge-layer.html (rev 0)
+++ branches/safari-534.51-branch/LayoutTests/compositing/tiling/crash-huge-layer.html 2011-08-12 06:27:36 UTC (rev 92944)
@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<script>
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
+<p>This is a test for <a href="" 65637: Crash beneath PlatformCALayerWinInternal::updateTiles when zooming on Google Maps</a>. The test passes if the browser does not crash.</p>
+<div style="width: 33554432px; height: 33554432px; -webkit-transform: translateZ(0);">Did you crash?</div>
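Review bot: The test exercises only one input shape, a square layer with `width` and `height` both 33554432px, while the code it protects has separate branches for `tileRows < cSqrtMaxTileCount` and `tileColumns < cSqrtMaxTileCount`. Adding a very wide, short layer and a tall, narrow one alongside this `div` would cover the cases where only one dimension is oversized.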
Modified: branches/safari-534.51-branch/Source/WebCore/ChangeLog (92943 => 92944)
--- branches/safari-534.51-branch/Source/WebCore/ChangeLog 2011-08-12 06:25:39 UTC (rev 92943)
+++ branches/safari-534.51-branch/Source/WebCore/ChangeLog 2011-08-12 06:27:36 UTC (rev 92944)
@@ -1,5 +1,31 @@
2011-08-11 Lucas Forschler <[email protected]>
+ Merged 92389
+
+ 2011-08-03 Adam Roben <[email protected]>
+
+ Detect and handle overflow in PlatformCALayerWinInternal::constrainedSize
+
+ Google Maps sometimes requests very large (i.e., 2^50 pixels or greater) layers when
+ zooming. PlatformCALayerWinInternal has code to limit tiled layers to 2^27 pixels, but it
+ was not correctly handling overflow. In some cases, this would lead to creating a tiled
+ layer with 0 tiles, which was the cause of this crash.
+
+ Fixes <http://webkit.org/b/65637> <rdar://problem/9784849> Crash beneath
+ PlatformCALayerWinInternal::updateTiles when zooming on Google Maps
+
+ Reviewed by Sam Weinig.
+
+ Test: compositing/tiling/crash-huge-layer.html
+
+ * platform/graphics/ca/win/PlatformCALayerWinInternal.cpp:
+ (PlatformCALayerWinInternal::constrainedSize): Check for overflow before seeing if the
+ number of required tiles is larger than the maximum number of allowed tiles.
+ (PlatformCALayerWinInternal::updateTiles): Added an assertion to catch cases where we have a
+ non-empty tiled layer that contains 0 tiles, which would cause the crash in this bug report.
+
+2011-08-11 Lucas Forschler <[email protected]>
+
Merged 92384
2011-08-01 Brian Weinstein <[email protected]>
Modified: branches/safari-534.51-branch/Source/WebCore/platform/graphics/ca/win/PlatformCALayerWinInternal.cpp (92943 => 92944)
--- branches/safari-534.51-branch/Source/WebCore/platform/graphics/ca/win/PlatformCALayerWinInternal.cpp 2011-08-12 06:25:39 UTC (rev 92943)
+++ branches/safari-534.51-branch/Source/WebCore/platform/graphics/ca/win/PlatformCALayerWinInternal.cpp 2011-08-12 06:27:36 UTC (rev 92944)
@@ -347,13 +347,14 @@
int tileColumns = ceilf(constrainedSize.width / m_tileSize.width);
int tileRows = ceilf(constrainedSize.height / m_tileSize.height);
- int numTiles = tileColumns * tileRows;
+ bool tooManyTiles = tileColumns && numeric_limits<int>::max() / tileColumns < tileRows || tileColumns * tileRows > cMaxTileCount;
+
// If number of tiles vertically or horizontally is < sqrt(cMaxTileCount)
// just shorten the longer dimension. Otherwise shorten both dimensions
// according to the ratio of width to height
- if (numTiles > cMaxTileCount) {
+ if (tooManyTiles) {
if (tileRows < cSqrtMaxTileCount)
tileColumns = floorf(cMaxTileCount / tileRows);
else if (tileColumns < cSqrtMaxTileCount)
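Review bot: The new `tooManyTiles` expression mixes `&&` and `||` without parentheses, so the reader has to rely on operator precedence to see that the division test short-circuits before `tileColumns * tileRows` is evaluated; writing the first clause as `(tileColumns && numeric_limits<int>::max() / tileColumns < tileRows)` makes that order explicit and avoids compiler parentheses warnings. Separately, the check only covers the product: `tileColumns` and `tileRows` are assigned from `ceilf(...)` into `int` just above, and a quotient outside the range of `int` makes that conversion undefined before this line runs, so it would be worth clamping the float values first or computing the counts in a wider type.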
@@ -420,6 +421,7 @@
int numTilesHorizontal = ceil(m_constrainedSize.width / m_tileSize.width);
int numTilesVertical = ceil(m_constrainedSize.height / m_tileSize.height);
int numTilesTotal = numTilesHorizontal * numTilesVertical;
+ ASSERT(!m_constrainedSize.height || !m_constrainedSize.width || numTilesTotal > 0);
int numTilesToChange = numTilesTotal - tileCount();
if (numTilesToChange >= 0) {
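Review bot: The added `ASSERT` is compiled out of release builds, so a non-empty layer with `numTilesTotal` of 0 still reaches the `numTilesToChange` computation there; consider an early return or a release-mode check for that state in addition to the assertion. The multiplication `numTilesHorizontal * numTilesVertical` on the line above is also still unchecked, and an overflowed product that happens to be positive would pass this assertion, so the overflow test introduced in constrainedSize could be reused here.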