Title: [135434] trunk
Revision
135434
Author
[email protected]
Date
2012-11-21 14:24:56 -0800 (Wed, 21 Nov 2012)

Log Message

REGRESSION(r135212): Fix crash due to an infinite rect.
https://bugs.webkit.org/show_bug.cgi?id=102891

Patch by Huang Dongsung <[email protected]> on 2012-11-21
Reviewed by Noam Rosenthal.

Source/WebKit2:

When CoordinatedGraphicsLayer has a 3D transform, tiledBackingStoreVisibleRect()
can calculate an infinite rect. However, TiledBackingStore cannot handle the
infinite rect. This patch clamps the infinite rect to avoid crash in
TiledBackingStore.

* WebProcess/WebPage/CoordinatedGraphics/CoordinatedGraphicsLayer.cpp:
(WebCore::clampToContentsRectIfRectIsInfinite):
(WebCore):
(WebCore::CoordinatedGraphicsLayer::tiledBackingStoreVisibleRect):

LayoutTests:

fast/multicol/span/positioned-child-not-removed-crash.html now passes on
EFL.

* platform/efl-wk2/TestExpectations:

Modified Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (135433 => 135434)


--- trunk/LayoutTests/ChangeLog	2012-11-21 22:24:07 UTC (rev 135433)
+++ trunk/LayoutTests/ChangeLog	2012-11-21 22:24:56 UTC (rev 135434)
@@ -1,3 +1,15 @@
+2012-11-21  Huang Dongsung  <[email protected]>
+
+        REGRESSION(r135212): Fix crash due to an infinite rect.
+        https://bugs.webkit.org/show_bug.cgi?id=102891
+
+        Reviewed by Noam Rosenthal.
+
+        fast/multicol/span/positioned-child-not-removed-crash.html now passes on
+        EFL.
+
+        * platform/efl-wk2/TestExpectations:
+
 2012-11-21  Jian Li  <[email protected]>
 
         Unreviewed. Updated chromium test expectations to resolve lint failures.

Modified: trunk/LayoutTests/platform/efl-wk2/TestExpectations (135433 => 135434)


--- trunk/LayoutTests/platform/efl-wk2/TestExpectations	2012-11-21 22:24:07 UTC (rev 135433)
+++ trunk/LayoutTests/platform/efl-wk2/TestExpectations	2012-11-21 22:24:56 UTC (rev 135434)
@@ -43,9 +43,6 @@
 #////////////////////////////////////////////////////////////////////////////////////////
 # CRASHES
 #////////////////////////////////////////////////////////////////////////////////////////
-
-webkit.org/b/102313 fast/multicol/span/positioned-child-not-removed-crash.html [ Crash ]
-
 webkit.org/b/92726 fast/dom/register-protocol-handler.html [ Crash ]
 webkit.org/b/92726 fast/dom/unregister-protocol-handler.html [ Crash ]
 
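Review bot: the expectation line removed here is tagged webkit.org/b/102313, while this patch and both ChangeLog entries cite bug 102891; confirm that 102313 is the same crash (or a duplicate of it) and, if so, mention it in the ChangeLog so the two bug numbers can be connected later. Dropping the surrounding blank lines also leaves the CRASHES banner butted directly against the register-protocol-handler entries, which the other sections of this file keep separated.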

Modified: trunk/Source/WebKit2/ChangeLog (135433 => 135434)


--- trunk/Source/WebKit2/ChangeLog	2012-11-21 22:24:07 UTC (rev 135433)
+++ trunk/Source/WebKit2/ChangeLog	2012-11-21 22:24:56 UTC (rev 135434)
@@ -1,3 +1,20 @@
+2012-11-21  Huang Dongsung  <[email protected]>
+
+        REGRESSION(r135212): Fix crash due to an infinite rect.
+        https://bugs.webkit.org/show_bug.cgi?id=102891
+
+        Reviewed by Noam Rosenthal.
+
+        When CoordinatedGraphicsLayer has a 3D transform, tiledBackingStoreVisibleRect()
+        can calculate an infinite rect. However, TiledBackingStore cannot handle the
+        infinite rect. This patch clamps the infinite rect to avoid crash in
+        TiledBackingStore.
+
+        * WebProcess/WebPage/CoordinatedGraphics/CoordinatedGraphicsLayer.cpp:
+        (WebCore::clampToContentsRectIfRectIsInfinite):
+        (WebCore):
+        (WebCore::CoordinatedGraphicsLayer::tiledBackingStoreVisibleRect):
+
 2012-11-21  Allan Sandfeld Jensen  <[email protected]>
 
         Disambiguate innerNodeFramePoint and mainFramePoint

Modified: trunk/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/CoordinatedGraphicsLayer.cpp (135433 => 135434)


--- trunk/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/CoordinatedGraphicsLayer.cpp	2012-11-21 22:24:07 UTC (rev 135433)
+++ trunk/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/CoordinatedGraphicsLayer.cpp	2012-11-21 22:24:56 UTC (rev 135434)
@@ -699,6 +699,19 @@
     return IntRect(0, 0, size().width(), size().height());
 }
 
+static void clampToContentsRectIfRectIsInfinite(FloatRect& rect, const IntRect& contentsRect)
+{
+    if (rect.width() >= LayoutUnit::nearlyMax() || rect.width() <= LayoutUnit::nearlyMin()) {
+        rect.setX(contentsRect.x());
+        rect.setWidth(contentsRect.width());
+    }
+
+    if (rect.height() >= LayoutUnit::nearlyMax() || rect.height() <= LayoutUnit::nearlyMin()) {
+        rect.setY(contentsRect.y());
+        rect.setHeight(contentsRect.height());
+    }
+}
+
 IntRect CoordinatedGraphicsLayer::tiledBackingStoreVisibleRect()
 {
     // Non-invertible layers are not visible.
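Review bot: clampToContentsRectIfRectIsInfinite depends on LayoutUnit::nearlyMax()/nearlyMin() being the sentinel values that clampedBoundsOfProjectedQuad produces for unbounded edges, but nothing in the function says so; a one-line comment tying the threshold to that clamp would save the next reader a trip, and would make it obvious that this breaks silently if the clamp constants ever change. Two smaller points: the `<= LayoutUnit::nearlyMin()` half of each test can only fire for a negative width or height, which a bounding box should never have, so either drop it or turn it into an ASSERT; and both comparisons are false for NaN, so a NaN width or height would pass straight through to enclosingIntRect. If the projection can yield NaN, test for it explicitly rather than letting the name "IsInfinite" suggest it is covered.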
@@ -709,7 +722,9 @@
     // The resulting quad might be squewed and the visible rect is the bounding box of this quad,
     // so it might spread further than the real visible area (and then even more amplified by the cover rect multiplier).
     ASSERT(m_cachedInverseTransform == m_layerTransform.combined().inverse());
-    return enclosingIntRect(m_cachedInverseTransform.clampedBoundsOfProjectedQuad(FloatQuad(FloatRect(m_coordinator->visibleContentsRect()))));
+    FloatRect rect = m_cachedInverseTransform.clampedBoundsOfProjectedQuad(FloatQuad(FloatRect(m_coordinator->visibleContentsRect())));
+    clampToContentsRectIfRectIsInfinite(rect, tiledBackingStoreContentsRect());
+    return enclosingIntRect(rect);
 }
 
 Color CoordinatedGraphicsLayer::tiledBackingStoreBackgroundColor() const
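Review bot: the comment above the ASSERT still explains only that the bounding box "might spread further than the real visible area" and says nothing about the new fallback to the contents rect when a dimension comes back as infinite; extend it by a sentence, and fix "squewed" to "skewed" while you are in that line. Naming the local `visibleRect` rather than `rect` would also make the three-line sequence read as clearly as the old one-liner did.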
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes