Title: [208691] trunk
Revision
208691
Author
[email protected]
Date
2016-11-14 10:20:35 -0800 (Mon, 14 Nov 2016)

Log Message

Bug 164702: WebContent crash due to checked unsigned overflow in WebCore: WebCore::RenderLayerCompositor::requiresCompositingLayer const + 1104
<https://webkit.org/b/164702>
<rdar://problem/29236368>

Reviewed by Darin Adler.

Source/WebCore:

Test: inspector/layers/layers-compositing-reasons.html

* rendering/RenderLayerCompositor.cpp:
(WebCore::RenderLayerCompositor::requiresCompositingForCanvas):
Don't composite if the canvas area overflows.

LayoutTests:

* inspector/layers/layers-compositing-reasons-expected.txt:
Update results.
* inspector/layers/layers-compositing-reasons.html: Update to
reproduce the crash.  This does not reproduce the original crash
stack, but does exercise the same crashing code.

Modified Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (208690 => 208691)


--- trunk/LayoutTests/ChangeLog	2016-11-14 18:04:06 UTC (rev 208690)
+++ trunk/LayoutTests/ChangeLog	2016-11-14 18:20:35 UTC (rev 208691)
@@ -1,3 +1,17 @@
+2016-11-14  David Kilzer  <[email protected]>
+
+        Bug 164702: WebContent crash due to checked unsigned overflow in WebCore: WebCore::RenderLayerCompositor::requiresCompositingLayer const + 1104
+        <https://webkit.org/b/164702>
+        <rdar://problem/29236368>
+
+        Reviewed by Darin Adler.
+
+        * inspector/layers/layers-compositing-reasons-expected.txt:
+        Update results.
+        * inspector/layers/layers-compositing-reasons.html: Update to
+        reproduce the crash.  This does not reproduce the original crash
+        stack, but does exercise the same crashing code.
+
 2016-11-14  Joanmarie Diggs  <[email protected]>
 
         AX: [ATK] Expose STATE_SINGLE_LINE and STATE_MULTI_LINE for ARIA searchbox role

Modified: trunk/LayoutTests/inspector/layers/layers-compositing-reasons-expected.txt (208690 => 208691)


--- trunk/LayoutTests/inspector/layers/layers-compositing-reasons-expected.txt	2016-11-14 18:04:06 UTC (rev 208690)
+++ trunk/LayoutTests/inspector/layers/layers-compositing-reasons-expected.txt	2016-11-14 18:20:35 UTC (rev 208691)
@@ -1,4 +1,4 @@
-
+ 
 === Enable the LayerTree agent ===
 
 PASS
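Review bot: the first line of the expected file changes from empty to a single space (the `-` / `+ ` pair at the top of this hunk), a whitespace-only change unrelated to the new canvas assertion; confirm it reflects actual test output under the updated test rather than an accidental edit, and drop it from the patch otherwise.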
@@ -15,4 +15,5 @@
 
 PASS: <div id="opacity-container"> is composited due to having an opacity style and a composited child.
 PASS: <div id="child"> is composited due to having "backface-visibility: hidden" and a 3D transform.
+PASS: <canvas id="canvas"> is composited due to having a 3D transform.
 

Modified: trunk/LayoutTests/inspector/layers/layers-compositing-reasons.html (208690 => 208691)


--- trunk/LayoutTests/inspector/layers/layers-compositing-reasons.html	2016-11-14 18:04:06 UTC (rev 208690)
+++ trunk/LayoutTests/inspector/layers/layers-compositing-reasons.html	2016-11-14 18:20:35 UTC (rev 208691)
@@ -73,6 +73,11 @@
                     "<div id=\"child\"> is composited due to having \"backface-visibility: hidden\" and a 3D transform",
                     compositingReasons.transform3D && compositingReasons.backfaceVisibilityHidden,
                     true);
+            } else if (hasId(node, "canvas")) {
+                assert(
+                    "<canvas id=\"canvas\"> is composited due to having a 3D transform",
+                    compositingReasons.transform3D,
+                    true);
             }
 
             if (++count === layers.length)
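Review bot: the new `hasId(node, "canvas")` branch asserts only that `compositingReasons.transform3D` is set, so it verifies that the canvas is composited for its transform but not that the overflowing area was rejected as a compositing reason; consider also asserting that no size-based canvas reason is reported, so the test pins the fixed behaviour instead of only running the path without crashing.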
@@ -152,6 +157,10 @@
         -webkit-transform: translateZ(0);
     }
 
+    #canvas {
+        transform: translate3D(0,0,0);
+    }
+
 </style>
 </head>
 <body>
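Review bot: the new `#canvas` rule uses `transform: translate3D(0,0,0)` while the adjacent rule in this file uses `-webkit-transform: translateZ(0)`; match the existing convention (or at least the canonical lowercase `translate3d`, since CSS function names are conventionally written in lowercase even though they are case-insensitive) so the two rules do not look like they are testing different prefixing behaviour.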
@@ -162,5 +171,7 @@
         <div id="child"></div>
     </div>
 
+    <canvas id="canvas" width="65537" height="65537"></canvas>
+
 </body>
 </html>
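Review bot: the `65537` width and height are load-bearing: 65537 * 65537 = 4295098369, which exceeds the 32-bit unsigned maximum of 4294967295 and is what makes the checked area computation overflow; add an HTML comment next to the `<canvas>` saying so, otherwise a later cleanup could shrink the dimensions and silently stop exercising the crash path.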

Modified: trunk/Source/WebCore/ChangeLog (208690 => 208691)


--- trunk/Source/WebCore/ChangeLog	2016-11-14 18:04:06 UTC (rev 208690)
+++ trunk/Source/WebCore/ChangeLog	2016-11-14 18:20:35 UTC (rev 208691)
@@ -1,3 +1,17 @@
+2016-11-14  David Kilzer  <[email protected]>
+
+        Bug 164702: WebContent crash due to checked unsigned overflow in WebCore: WebCore::RenderLayerCompositor::requiresCompositingLayer const + 1104
+        <https://webkit.org/b/164702>
+        <rdar://problem/29236368>
+
+        Reviewed by Darin Adler.
+
+        Test: inspector/layers/layers-compositing-reasons.html
+
+        * rendering/RenderLayerCompositor.cpp:
+        (WebCore::RenderLayerCompositor::requiresCompositingForCanvas):
+        Don't composite if the canvas area overflows.
+
 2016-11-14  Chris Dumez  <[email protected]>
 
         Fix the !ENABLE(FETCH_API) build after r208613

Modified: trunk/Source/WebCore/rendering/RenderLayerCompositor.cpp (208690 => 208691)


--- trunk/Source/WebCore/rendering/RenderLayerCompositor.cpp	2016-11-14 18:04:06 UTC (rev 208690)
+++ trunk/Source/WebCore/rendering/RenderLayerCompositor.cpp	2016-11-14 18:20:35 UTC (rev 208691)
@@ -2537,7 +2537,8 @@
         bool isCanvasLargeEnoughToForceCompositing = true;
 #else
         HTMLCanvasElement* canvas = downcast<HTMLCanvasElement>(renderer.element());
-        bool isCanvasLargeEnoughToForceCompositing = canvas->size().area().unsafeGet() >= canvasAreaThresholdRequiringCompositing;
+        auto canvasArea = canvas->size().area<RecordOverflow>();
+        bool isCanvasLargeEnoughToForceCompositing = !canvasArea.hasOverflowed() && canvasArea.unsafeGet() >= canvasAreaThresholdRequiringCompositing;
 #endif
         CanvasCompositingStrategy compositingStrategy = canvasCompositingStrategy(renderer);
         return compositingStrategy == CanvasAsLayerContents || (compositingStrategy == CanvasPaintedToLayer && isCanvasLargeEnoughToForceCompositing);
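Review bot: `!canvasArea.hasOverflowed() && canvasArea.unsafeGet() >= canvasAreaThresholdRequiringCompositing` makes an overflowed area count as "not large enough" to force compositing, although an area that overflows unsigned is necessarily above `canvasAreaThresholdRequiringCompositing`; declining to create a compositing layer for a canvas that large is a reasonable choice, but the condition reads as inverted at a glance, so add a one-line comment stating that an overflowing canvas is deliberately not composited (as the ChangeLog entry says). The guard does correctly ensure `unsafeGet()` is only reached when no overflow occurred, and the `#if` branch above that hardcodes `true` is unaffected.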