Title: [177089] trunk
Revision: 177089
Author: [email protected]
Date: 2014-12-10 12:46:15 -0800 (Wed, 10 Dec 2014)

Log Message

Crash when creating CSSCalcBinaryOperation
https://bugs.webkit.org/show_bug.cgi?id=134886
rdar://problem/17663561

Reviewed by Chris Dumez.

Source/WebCore:

Test: fast/css/calc-binary-operation-crash.html

* css/CSSCalculationValue.cpp:
(WebCore::determineCategory):

Ensure that both axes are within the addSubtractResult table.
Remove unneeded CalcOther test. The call site guarantees it doesn't happen and the normal cases would handle it anyway.
Also strengthen some asserts.

LayoutTests:

* fast/css/calc-binary-operation-crash-expected.txt: Added.
* fast/css/calc-binary-operation-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (177088 => 177089)


--- trunk/LayoutTests/ChangeLog	2014-12-10 20:43:18 UTC (rev 177088)
+++ trunk/LayoutTests/ChangeLog	2014-12-10 20:46:15 UTC (rev 177089)
@@ -1,3 +1,14 @@
+2014-12-10  Antti Koivisto  <[email protected]>
+
+        Crash when creating CSSCalcBinaryOperation
+        https://bugs.webkit.org/show_bug.cgi?id=134886
+        rdar://problem/17663561
+
+        Reviewed by Chris Dumez.
+
+        * fast/css/calc-binary-operation-crash-expected.txt: Added.
+        * fast/css/calc-binary-operation-crash.html: Added.
+
 2014-12-10  Joanmarie Diggs  <[email protected]>
 
         AX: [ATK] MathML tokens with text fail to expose their text content via AtkText

Added: trunk/LayoutTests/fast/css/calc-binary-operation-crash-expected.txt (0 => 177089)


--- trunk/LayoutTests/fast/css/calc-binary-operation-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/css/calc-binary-operation-crash-expected.txt	2014-12-10 20:46:15 UTC (rev 177089)
@@ -0,0 +1,3 @@
+This test passes if it doesn't crash.
+
+X

Added: trunk/LayoutTests/fast/css/calc-binary-operation-crash.html (0 => 177089)


--- trunk/LayoutTests/fast/css/calc-binary-operation-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/css/calc-binary-operation-crash.html	2014-12-10 20:46:15 UTC (rev 177089)
@@ -0,0 +1,6 @@
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<p>This test passes if it doesn't crash.</p>
+<p style="text-indent: calc(25s - 3px + 12.5%*2)">X</p>
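
Review bot: The single declaration calc(25s - 3px + 12.5%*2) puts the time operand only on the left-hand side of the subtraction, while the ChangeLog says the fix bounds both axes of addSubtractResult. A second paragraph with the operands mirrored (for example 3px - 25s) would cover the right-hand index as well, so a regression on either side of the new && condition is caught by this test.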

Modified: trunk/Source/WebCore/ChangeLog (177088 => 177089)


--- trunk/Source/WebCore/ChangeLog	2014-12-10 20:43:18 UTC (rev 177088)
+++ trunk/Source/WebCore/ChangeLog	2014-12-10 20:46:15 UTC (rev 177089)
@@ -1,3 +1,20 @@
+2014-12-10  Antti Koivisto  <[email protected]>
+
+        Crash when creating CSSCalcBinaryOperation
+        https://bugs.webkit.org/show_bug.cgi?id=134886
+        rdar://problem/17663561
+
+        Reviewed by Chris Dumez.
+
+        Test: fast/css/calc-binary-operation-crash.html
+
+        * css/CSSCalculationValue.cpp:
+        (WebCore::determineCategory):
+
+        Ensure that both axis are within the addSubtractResult table.
+        Remove unneeded CalcOther test. The call site guarantees it doesn't happen and the normal cases would handle it anyway.
+        Also strengthen some asserts.
+
 2014-12-10  Anders Carlsson  <[email protected]>
 
         Add WebStorageNamespaceProvider::closeLocalStorage

Modified: trunk/Source/WebCore/css/CSSCalculationValue.cpp (177088 => 177089)


--- trunk/Source/WebCore/css/CSSCalculationValue.cpp	2014-12-10 20:43:18 UTC (rev 177088)
+++ trunk/Source/WebCore/css/CSSCalculationValue.cpp	2014-12-10 20:46:15 UTC (rev 177089)
@@ -242,6 +242,7 @@
         case CalcOther:
             ASSERT_NOT_REACHED();
         }
+        ASSERT_NOT_REACHED();
         return nullptr;
     }
 
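
Review bot: The return nullptr; after the switch remains the release-build behaviour for a category value that matches no case, because the ASSERT_NOT_REACHED() added above it is only checked in debug builds. It is worth confirming that the caller null-checks this result, or adding a short comment here saying that it does.
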
@@ -311,14 +312,13 @@
 {
     CalculationCategory leftCategory = leftSide.category();
     CalculationCategory rightCategory = rightSide.category();
+    ASSERT(leftCategory < CalcOther);
+    ASSERT(rightCategory < CalcOther);
 
-    if (leftCategory == CalcOther || rightCategory == CalcOther)
-        return CalcOther;
-
     switch (op) {
     case CalcAdd:
     case CalcSubtract:
-        if (leftCategory < CalcAngle || rightCategory < CalcAngle)
+        if (leftCategory < CalcAngle && rightCategory < CalcAngle)
             return addSubtractResult[leftCategory][rightCategory];
         if (leftCategory == rightCategory)
             return leftCategory;
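
Review bot: In determineCategory the runtime check (if leftCategory == CalcOther || rightCategory == CalcOther, return CalcOther) is replaced by two ASSERTs that are only checked in debug builds, so in release builds the new && condition is the only guard on addSubtractResult[leftCategory][rightCategory]. That guard is correct only while the table has exactly CalcAngle rows and columns; a static_assert on the table dimensions next to its definition would keep the two from drifting apart. The remaining operator cases are outside the visible lines and should be checked for the same assumption, now that a CalcOther operand no longer returns early.
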
@@ -349,7 +349,8 @@
 public:
     static PassRefPtr<CSSCalcBinaryOperation> create(CalcOperator op, PassRefPtr<CSSCalcExpressionNode> leftSide, PassRefPtr<CSSCalcExpressionNode> rightSide)
     {
-        ASSERT(leftSide->category() != CalcOther && rightSide->category() != CalcOther);
+        ASSERT(leftSide->category() < CalcOther);
+        ASSERT(rightSide->category() < CalcOther);
 
         CalculationCategory newCategory = determineCategory(*leftSide, *rightSide, op);
 
@@ -363,7 +364,8 @@
     {
         CalculationCategory leftCategory = leftSide->category();
         CalculationCategory rightCategory = rightSide->category();
-        ASSERT(leftCategory != CalcOther && rightCategory != CalcOther);
+        ASSERT(leftCategory < CalcOther);
+        ASSERT(rightCategory < CalcOther);
 
         bool isInteger = isIntegerResult(op, *leftSide, *rightSide);
 
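
Review bot: The pair ASSERT(leftCategory < CalcOther); ASSERT(rightCategory < CalcOther); is now written out three times (in determineCategory, in create(), and here), and create() calls determineCategory on the very next statement after its own copy. A small inline helper taking both nodes would keep the bound in one place if the category enum ever gains a value.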