Diff
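--- a/trunk/LayoutTests/ChangeLog
+++ b/trunk/LayoutTests/ChangeLog
@@ -1,3 +1,18 @@
+2012-06-13 Jeffrey Pfau <[email protected]>
+
+ Padding and borders can cause integer overflow in block layouts
+ https://bugs.webkit.org/show_bug.cgi?id=88820
+ <rdar://problem/11328762>
+
+ Reviewed by Tony Chang.
+
+ * fast/block/block-size-integer-overflow-expected.txt: Added.
+ * fast/block/block-size-integer-overflow.html: Added.
+ * fast/flexbox/box-size-integer-overflow-expected.txt: Added.
+ * fast/flexbox/box-size-integer-overflow.html: Added.
+ * fast/table/table-size-integer-overflow-expected.txt: Added.
+ * fast/table/table-size-integer-overflow.html: Added.
+
 2012-06-13 Dirk Pranke <[email protected]>
 Unreviewed, expectations changes.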
Added: trunk/LayoutTests/fast/block/block-size-integer-overflow-expected.txt (0 => 120257)
--- trunk/LayoutTests/fast/block/block-size-integer-overflow-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/block/block-size-integer-overflow-expected.txt 2012-06-13 23:30:22 UTC (rev 120257)
@@ -0,0 +1,2 @@
+This test passes if there is a green box that stretches the width of the page.
+PASS
Added: trunk/LayoutTests/fast/block/block-size-integer-overflow.html (0 => 120257)
--- trunk/LayoutTests/fast/block/block-size-integer-overflow.html (rev 0)
+++ trunk/LayoutTests/fast/block/block-size-integer-overflow.html 2012-06-13 23:30:22 UTC (rev 120257)
@@ -0,0 +1,37 @@
+<html>
+<head>
+<style>
+.fail, .pass, #spacer {
+ display: table-cell;
+}
+
+.pass {
+ visibility: hidden;
+}
+</style>
+<script>
+window._onload_ = function() {
+ if (window.layoutTestController)
+ window.layoutTestController.dumpAsText();
+
+ var spacer = document.getElementById("spacer");
+ if (spacer.offsetWidth > 0) {
+ var fail = document.getElementsByClassName("fail");
+ fail[1].className = "pass";
+ fail[0].className = "pass";
+ spacer.innerText = "PASS";
+ }
+}
+</script>
+</head>
+<body>
+<div style="display: -webkit-box; -webkit-box-orient: horizontal">
+ This test passes if there is a green box that stretches the width of the page.
+ <div style="padding-left: 1px">
+ <div class="fail">FA</div>
+ <div id="spacer" style="color: green; width: 100%; background-color: green"></div>
+ <div class="fail">IL</div>
+ </div>
+</div>
+</body>
+</html>
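Review bot: The order of the two className assignments in the onload handler (index 1 before index 0) is load-bearing and undocumented: getElementsByClassName returns a live collection, so reassigning fail[0] first would shrink the collection to one element and make fail[1] undefined. A comment above them would keep a future tidy-up from reordering them, e.g. `// "fail" is a live collection; changing an element's class removes it, so clear index 1 before index 0.` It would also help to state on the spacer check what a passing layout looks like, e.g. `// A zero-width spacer means the 100% width was lost (overflowed) rather than stretched.`, since the expected text only describes the green box.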
Added: trunk/LayoutTests/fast/flexbox/box-size-integer-overflow-expected.txt (0 => 120257)
--- trunk/LayoutTests/fast/flexbox/box-size-integer-overflow-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/flexbox/box-size-integer-overflow-expected.txt 2012-06-13 23:30:22 UTC (rev 120257)
@@ -0,0 +1,2 @@
+PASS
+The green box should be the full width of the page.
Added: trunk/LayoutTests/fast/flexbox/box-size-integer-overflow.html (0 => 120257)
--- trunk/LayoutTests/fast/flexbox/box-size-integer-overflow.html (rev 0)
+++ trunk/LayoutTests/fast/flexbox/box-size-integer-overflow.html 2012-06-13 23:30:22 UTC (rev 120257)
@@ -0,0 +1,32 @@
+<html>
+<head>
+<script>
+window._onload_ = function() {
+ if (window.layoutTestController)
+ window.layoutTestController.dumpAsText();
+
+ var cell = document.getElementById("cell");
+ var text = cell.firstElementChild;
+ var wdiff = cell.offsetWidth - text.offsetWidth - (parseInt(window.getComputedStyle(cell).getPropertyValue('padding-right')) +
+ parseInt(window.getComputedStyle(cell).getPropertyValue('padding-left')));
+ if (wdiff > 0)
+ text.innerText = "PASS";
+}
+</script>
+</head>
+<body>
+<div style="float: left;">
+ <div style="display: -webkit-box; border: 1px solid">
+ <table>
+ <tr>
+ <td></td>
+ <td id="cell" style="background-color: green; width: 100%; height: 30px">
+ <span>FAIL</span>
+ </td>
+ </tr>
+ </table>
+ </div>
+</div>
+<div style="clear: left;">The green box should be the full width of the page.</div>
+</body>
+</html>
\ No newline at end of file
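Review bot: The onload handler here is duplicated byte-for-byte in fast/table/table-size-integer-overflow.html later in this commit; both pages measure the same cell-minus-text-minus-padding difference, so the script could live in one shared resources file both tests include, keeping them from drifting apart. `parseInt` is also called on the computed padding values without a radix; `parseInt(..., 10)` makes the intent explicit. A one-line comment on `wdiff` — that it is the width left in the cell beyond the text and padding, which presumably collapses to zero or negative when the width computation overflows — would make the pass condition readable without the bug link.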
Added: trunk/LayoutTests/fast/table/table-size-integer-overflow-expected.txt (0 => 120257)
--- trunk/LayoutTests/fast/table/table-size-integer-overflow-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/table/table-size-integer-overflow-expected.txt 2012-06-13 23:30:22 UTC (rev 120257)
@@ -0,0 +1,2 @@
+PASS
+The green box should be the full width of the page.
Added: trunk/LayoutTests/fast/table/table-size-integer-overflow.html (0 => 120257)
--- trunk/LayoutTests/fast/table/table-size-integer-overflow.html (rev 0)
+++ trunk/LayoutTests/fast/table/table-size-integer-overflow.html 2012-06-13 23:30:22 UTC (rev 120257)
@@ -0,0 +1,30 @@
+<html>
+<head>
+<script>
+window._onload_ = function() {
+ if (window.layoutTestController)
+ window.layoutTestController.dumpAsText();
+
+ var cell = document.getElementById("cell");
+ var text = cell.firstElementChild;
+ var wdiff = cell.offsetWidth - text.offsetWidth - (parseInt(window.getComputedStyle(cell).getPropertyValue('padding-right')) +
+ parseInt(window.getComputedStyle(cell).getPropertyValue('padding-left')));
+ if (wdiff > 0)
+ text.innerText = "PASS";
+}
+</script>
+</head>
+<body>
+<div style="float: left;">
+ <table style="margin: 1px">
+ <tr>
+ <td></td>
+ <td id="cell" style="background-color: green; width: 100%; height: 30px">
+ <span>FAIL</span>
+ </td>
+ </tr>
+ </table>
+</div>
+<div style="clear: left;">The green box should be the full width of the page.</div>
+</body>
+</html>
\ No newline at end of file
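--- a/trunk/Source/WebCore/ChangeLog
+++ b/trunk/Source/WebCore/ChangeLog
@@ -1,3 +1,23 @@
+2012-06-13 Jeffrey Pfau <[email protected]>
+
+ Padding and borders can cause integer overflow in block layouts
+ https://bugs.webkit.org/show_bug.cgi?id=88820
+ <rdar://problem/11328762>
+
+ Reviewed by Tony Chang.
+
+ Tests: fast/block/block-size-integer-overflow.html
+ fast/flexbox/box-size-integer-overflow.html
+ fast/table/table-size-integer-overflow.html
+
+ * rendering/AutoTableLayout.cpp: Decreased max int.
+ (WebCore::AutoTableLayout::computePreferredLogicalWidths):
+ * rendering/FixedTableLayout.cpp: Use shared constant.
+ (WebCore::FixedTableLayout::computePreferredLogicalWidths):
+ * rendering/RenderBlock.cpp: Removed unused constant.
+ * rendering/TableLayout.h: Add shared constant.
+ (TableLayout):
+
 2012-06-13 Gregg Tavares <[email protected]>
 Refactor WebGLFramebuffer to handle texture attachments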
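--- a/trunk/Source/WebCore/rendering/AutoTableLayout.cpp
+++ b/trunk/Source/WebCore/rendering/AutoTableLayout.cpp
@@ -244,8 +244,8 @@
 if (scaleColumns) {
 maxNonPercent = maxNonPercent * 100 / max(remainingPercent, epsilon);
- maxWidth = max<int>(maxWidth, static_cast<int>(min(maxNonPercent, MAX_LAYOUT_UNIT / 2.0f)));
- maxWidth = max<int>(maxWidth, static_cast<int>(min(maxPercent, MAX_LAYOUT_UNIT / 2.0f)));
+ maxWidth = max<int>(maxWidth, static_cast<int>(min(maxNonPercent, static_cast<float>(tableMaxWidth))));
+ maxWidth = max<int>(maxWidth, static_cast<int>(min(maxPercent, static_cast<float>(tableMaxWidth))));
 }
 maxWidth = max<int>(maxWidth, spanMaxLogicalWidth);
@@ -260,7 +260,7 @@
 maxWidth = minWidth;
 } else if (!remainingPercent && maxNonPercent) {
 // if there was no remaining percent, maxWidth is invalid
- maxWidth = MAX_LAYOUT_UNIT;
+ maxWidth = tableMaxWidth;
 }
 Length tableLogicalMinWidth = m_table->style()->logicalMinWidth();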
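Review bot: The clamp to `tableMaxWidth` on the two `maxWidth = max<int>(...)` lines replaces `MAX_LAYOUT_UNIT / 2.0f` without a comment saying why the ceiling dropped to 15000; a reader seeing a table width clamped at 15000 will look here first. Suggest a comment above the `if (scaleColumns)` block: `// Clamp to tableMaxWidth, well below INT_MAX, so padding and borders added later cannot overflow the int width.` The repeated `static_cast<float>(tableMaxWidth)` could also be hoisted into one local, e.g. `const float maxTableWidth = tableMaxWidth;`, so both min() calls read the same bound. The second hunk assigns the same constant for the no-remaining-percent case; the enclosing computePreferredLogicalWidths starts and ends outside both hunks.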
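--- a/trunk/Source/WebCore/rendering/FixedTableLayout.cpp
+++ b/trunk/Source/WebCore/rendering/FixedTableLayout.cpp
@@ -166,11 +166,6 @@
 return usedWidth;
 }
-// Use a very large value (in effect infinite). But not too large!
-// numeric_limits<int>::max() will too easily overflow widths.
-// Keep this in synch with BLOCK_MAX_WIDTH in RenderBlock.cpp
-#define TABLE_MAX_WIDTH 15000
-
 void FixedTableLayout::computePreferredLogicalWidths(LayoutUnit& minWidth, LayoutUnit& maxWidth)
 {
 // FIXME: This entire calculation is incorrect for both minwidth and maxwidth.
@@ -204,8 +199,8 @@
 // In this example, the two inner tables should be as large as the outer table.
 // We can achieve this effect by making the maxwidth of fixed tables with percentage
 // widths be infinite.
- if (m_table->document()->inQuirksMode() && m_table->style()->logicalWidth().isPercent() && maxWidth < TABLE_MAX_WIDTH)
- maxWidth = TABLE_MAX_WIDTH;
+ if (m_table->document()->inQuirksMode() && m_table->style()->logicalWidth().isPercent() && maxWidth < tableMaxWidth)
+ maxWidth = tableMaxWidth;
 }
 void FixedTableLayout::layout()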
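--- a/trunk/Source/WebCore/rendering/RenderBlock.cpp
+++ b/trunk/Source/WebCore/rendering/RenderBlock.cpp
@@ -5693,9 +5693,6 @@
 updatePreferredWidth(m_maxPreferredLogicalWidth, inlineMax);
 }
-// Use a very large value (in effect infinite).
-#define BLOCK_MAX_WIDTH 15000
-
 void RenderBlock::computeBlockPreferredLogicalWidths()
 {
 RenderStyle* styleToUse = style();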
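--- a/trunk/Source/WebCore/rendering/TableLayout.h
+++ b/trunk/Source/WebCore/rendering/TableLayout.h
@@ -42,6 +42,8 @@
 virtual void layout() = 0;
 protected:
+ const static int tableMaxWidth = 15000;
+
 RenderTable* m_table;
 };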
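Review bot: `tableMaxWidth` loses the rationale that travelled with the macro it replaces — the comment deleted from FixedTableLayout.cpp in this commit ("Use a very large value (in effect infinite). But not too large! numeric_limits<int>::max() will too easily overflow widths.") was not carried over, so the new declaration reads as an arbitrary 15000. Put it back above the member, e.g. `// Effectively infinite width, kept far below INT_MAX so that adding padding, borders and margins to it cannot overflow an int.` The specifier order is also unusual; the more conventional spelling is `static const int tableMaxWidth = 15000;`.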