Revision: 164743
Author: bjone...@adobe.com
Date: 2014-02-26 13:27:10 -0800 (Wed, 26 Feb 2014)
Log Message
[CSS Shapes] inset and inset-rectangle trigger assert with replaced element and large percentage dimension
https://bugs.webkit.org/show_bug.cgi?id=129060
Reviewed by Simon Fraser.
Source/WebCore:
A bounds check was omitted when computing the width and height for inset
rectangles, making it possible for the width or height to end up being
negative. This patch adds in that check for both. It seems that only
replaced elements like iframe and img trigger this problem.
Tests: fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash.html
fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash.html
* rendering/shapes/Shape.cpp:
(WebCore::Shape::createShape):
LayoutTests:
* fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash-expected.txt: Added.
* fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash.html: Added.
* fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash-expected.txt: Added.
* fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (164742 => 164743)
--- trunk/LayoutTests/ChangeLog 2014-02-26 21:17:35 UTC (rev 164742)
+++ trunk/LayoutTests/ChangeLog 2014-02-26 21:27:10 UTC (rev 164743)
@@ -1,3 +1,15 @@
+2014-02-26 Bem Jones-Bey <bjone...@adobe.com>
+
+ [CSS Shapes] inset and inset-rectangle trigger assert with replaced element and large percentage dimension
+ https://bugs.webkit.org/show_bug.cgi?id=129060
+
+ Reviewed by Simon Fraser.
+
+ * fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash-expected.txt: Added.
+ * fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash.html: Added.
+ * fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash-expected.txt: Added.
+ * fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash.html: Added.
+
2014-02-26 Myles C. Maxfield <mmaxfi...@apple.com>
Underlines are too thick when zoomed in
Added: trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash-expected.txt (0 => 164743)
--- trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash-expected.txt 2014-02-26 21:27:10 UTC (rev 164743)
@@ -0,0 +1 @@
+This test should not crash in a debug build.
Added: trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash.html (0 => 164743)
--- trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash.html (rev 0)
+++ trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash.html 2014-02-26 21:27:10 UTC (rev 164743)
@@ -0,0 +1,14 @@
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+<style>
+ img {
+ width: 10px;
+ height: 10px;
+ float: right;
+ -webkit-shape-outside: inset(0 125% 0 0);
+ }
+</style>
+This test should not crash in a debug build.
+<img></img>
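Review bot: The height clamp added by this patch has no test. The only oversized value here is the right inset in `inset(0 125% 0 0)`, so only the width expression goes negative, while the log message says the check was added for both width and height. Consider a sibling case with the oversized value in the bottom position (for example `inset(0 0 125% 0)`) so a regression in the `boxHeight` clamp is caught too. Minor: `img` is a void element, so `<img>` alone is enough and the `</img>` end tag can be dropped.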
Added: trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash-expected.txt (0 => 164743)
--- trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash-expected.txt 2014-02-26 21:27:10 UTC (rev 164743)
@@ -0,0 +1 @@
+This test should not crash in a debug build.
Added: trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash.html (0 => 164743)
--- trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash.html (rev 0)
+++ trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash.html 2014-02-26 21:27:10 UTC (rev 164743)
@@ -0,0 +1,14 @@
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+<style>
+ img {
+ width: 10px;
+ height: 10px;
+ float: right;
+ -webkit-shape-outside: inset-rectangle(0, 125%, 0, 0);
+ }
+</style>
+This test should not crash in a debug build.
+<img></img>
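Review bot: The test reaches the negative width only through a single inset above 100% (`inset-rectangle(0, 125%, 0, 0)`). The expression being clamped subtracts both `left` and the right inset from `boxWidth`, so two insets that are each below 100% but sum to more than 100% go negative as well. Adding such a case would show the clamp covers the combined path and not just one oversized value. The test also only checks that a debug build does not assert; if the expected result of a collapsed shape is known (for instance, inline content is not displaced by the float's shape), asserting on that would make this more than a crash test.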
Modified: trunk/Source/WebCore/ChangeLog (164742 => 164743)
--- trunk/Source/WebCore/ChangeLog 2014-02-26 21:17:35 UTC (rev 164742)
+++ trunk/Source/WebCore/ChangeLog 2014-02-26 21:27:10 UTC (rev 164743)
@@ -1,3 +1,21 @@
+2014-02-26 Bem Jones-Bey <bjone...@adobe.com>
+
+ [CSS Shapes] inset and inset-rectangle trigger assert with replaced element and large percentage dimension
+ https://bugs.webkit.org/show_bug.cgi?id=129060
+
+ Reviewed by Simon Fraser.
+
+ A bounds check was omitted when computing the width and height for inset
+ rectangles, making it possible for the width or height to end up being
+ negative. This patch adds in that check for both. It seems that only
+ replaced elements like iframe and img trigger this problem.
+
+ Tests: fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash.html
+ fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash.html
+
+ * rendering/shapes/Shape.cpp:
+ (WebCore::Shape::createShape):
+
2014-02-26 Myles C. Maxfield <mmaxfi...@apple.com>
Underlines are too thick when zoomed in
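Review bot: The entry says "It seems that only replaced elements like iframe and img trigger this problem" without saying which assert fires or why other elements do not reach it. Since the fix clamps at the point of computation rather than at the point of the assert, a sentence naming the assert and the reason for the replaced-element difference would help anyone who later touches either site. The entry also mentions iframe, but both added tests use only `img`.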
Modified: trunk/Source/WebCore/rendering/shapes/Shape.cpp (164742 => 164743)
--- trunk/Source/WebCore/rendering/shapes/Shape.cpp 2014-02-26 21:17:35 UTC (rev 164742)
+++ trunk/Source/WebCore/rendering/shapes/Shape.cpp 2014-02-26 21:27:10 UTC (rev 164743)
@@ -210,8 +210,8 @@
FloatRect bounds(
left,
top,
- boxWidth - left - floatValueForLength(rectangle.right(), boxWidth),
- boxHeight - top - floatValueForLength(rectangle.bottom(), boxHeight));
+ std::max<float>(boxWidth - left - floatValueForLength(rectangle.right(), boxWidth), 0),
+ std::max<float>(boxHeight - top - floatValueForLength(rectangle.bottom(), boxHeight), 0));
FloatSize cornerRadii(
floatValueForLength(rectangle.cornerRadiusX(), boxWidth),
floatValueForLength(rectangle.cornerRadiusY(), boxHeight));
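Review bot: Only the width and height arguments are clamped here. `left` and `top` are passed through unchanged, and `cornerRadii` on the following lines is still computed from `boxWidth` and `boxHeight`, not from the clamped bounds. When the bounds collapse to zero the result is a zero-sized rectangle that can carry non-zero corner radii and an origin outside the box. Please confirm the code that consumes `bounds` and `cornerRadii` handles that combination, or constrain the radii to the clamped size here.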
@@ -228,8 +228,8 @@
float top = floatValueForLength(inset.top(), boxHeight);
FloatRect rect(left,
top,
- boxWidth - left - floatValueForLength(inset.right(), boxWidth),
- boxHeight - top - floatValueForLength(inset.bottom(), boxHeight));
+ std::max<float>(boxWidth - left - floatValueForLength(inset.right(), boxWidth), 0),
+ std::max<float>(boxHeight - top - floatValueForLength(inset.bottom(), boxHeight), 0));
FloatRect logicalRect = physicalRectToLogical(rect, logicalBoxSize.height(), writingMode);
FloatSize boxSize(boxWidth, boxHeight);
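Review bot: The same `std::max<float>(box - start - floatValueForLength(end, box), 0)` expression now appears four times across the inset-rectangle and inset branches. A small static helper taking the box dimension, the start offset and the end length would keep the clamp in one place, so a later change to the rule (for example also clamping the start offset) cannot be applied to one branch and missed in the other.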