Title: [166114] trunk
- Revision: 166114
- Author: da...@apple.com
- Date: 2014-03-22 08:16:42 -0700 (Sat, 22 Mar 2014)
Log Message
ASSERTION FAILED: std::isfinite(num) in WebCore::CSSPrimitiveValue::CSSPrimitiveValue
https://bugs.webkit.org/show_bug.cgi?id=127361
Source/WebCore:
Huge numbers represented by the 'INF' value can not be used
in CSS rules, so they make the assert fail. We have to make
sure that the parsed property value is finite, otherwise
the property will be dropped.
Test: fast/css/infinite-floating-value.html
Patch by Martin Hodovan <mhodo...@inf.u-szeged.hu> on 2014-03-22
* css/CSSValuePool.cpp:
(WebCore::CSSValuePool::createValue):
LayoutTests:
Added test shows that CSS rules containing huge numbers
(which are transformed into 'INF' values after parsing)
are dropped.
Patch by Martin Hodovan <mhodo...@inf.u-szeged.hu> on 2014-03-22
Reviewed by Darin Adler.
* fast/css/infinite-floating-value-expected.txt: Added.
* fast/css/infinite-floating-value.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (166113 => 166114)
--- trunk/LayoutTests/ChangeLog 2014-03-22 14:31:08 UTC (rev 166113)
+++ trunk/LayoutTests/ChangeLog 2014-03-22 15:16:42 UTC (rev 166114)
@@ -1,3 +1,17 @@
+2014-03-22 Martin Hodovan <mhodo...@inf.u-szeged.hu>
+
+ ASSERTION FAILED: std::isfinite(num) in WebCore::CSSPrimitiveValue::CSSPrimitiveValue
+ https://bugs.webkit.org/show_bug.cgi?id=127361
+
+ Added test shows that CSS rules containing huge numbers
+ (which are transformed into 'INF' values after parsing)
+ are dropped.
+
+ Reviewed by Darin Adler.
+
+ * fast/css/infinite-floating-value-expected.txt: Added.
+ * fast/css/infinite-floating-value.html: Added.
+
2014-03-21 Mark Lam <mark....@apple.com>
Crash when BytecodeGenerator::emitJump calls Label::bind on null pointer.
Added: trunk/LayoutTests/fast/css/infinite-floating-value-expected.txt (0 => 166114)
--- trunk/LayoutTests/fast/css/infinite-floating-value-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/css/infinite-floating-value-expected.txt 2014-03-22 15:16:42 UTC (rev 166114)
@@ -0,0 +1,5 @@
+This test passes if it does not crash.
+
+fontsize aaa
+fontsize bbb
+line-height
Property changes on: trunk/LayoutTests/fast/css/infinite-floating-value-expected.txt
___________________________________________________________________
Added: svn:eol-style
Added: trunk/LayoutTests/fast/css/infinite-floating-value.html (0 => 166114)
--- trunk/LayoutTests/fast/css/infinite-floating-value.html (rev 0)
+++ trunk/LayoutTests/fast/css/infinite-floating-value.html 2014-03-22 15:16:42 UTC (rev 166114)
@@ -0,0 +1,20 @@
+<html>
+ <head>
+ <script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ </script>
+ </head>
+ <body>
+ <p>This test passes if it does not crash.</p>
+ <div style="font-size: 900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000%;">fontsize aaa</div>
+
+ <svg xmlns="http://www.w3.org/2000/svg">
+ <text y="150" font-size="8E+2%">fontsize bbb</text>
+ </svg>
+
+ <span style="line-height:900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000%">
+ line-height
+ </span>
+ </body>
+</html>
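Review bot: The test only calls testRunner.dumpAsText(), so the expected output records the three text strings and nothing about style. It shows that the page does not crash, but not that the oversized font-size and line-height declarations are dropped, which is what the ChangeLog entry says the test shows. Consider adding a script check that reads the inline style of the div and the span after parsing (for example element.style.fontSize) and prints whether it is empty. Separately, font-size="8E+2%" on the SVG text is 800% as written, which is a finite value; a short comment saying what that case is meant to cover would help.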
Property changes on: trunk/LayoutTests/fast/css/infinite-floating-value.html
___________________________________________________________________
Added: svn:mime-type
Added: svn:eol-style
Modified: trunk/Source/WebCore/ChangeLog (166113 => 166114)
--- trunk/Source/WebCore/ChangeLog 2014-03-22 14:31:08 UTC (rev 166113)
+++ trunk/Source/WebCore/ChangeLog 2014-03-22 15:16:42 UTC (rev 166114)
@@ -1,3 +1,18 @@
+2014-03-22 Martin Hodovan <mhodo...@inf.u-szeged.hu>
+
+ ASSERTION FAILED: std::isfinite(num) in WebCore::CSSPrimitiveValue::CSSPrimitiveValue
+ https://bugs.webkit.org/show_bug.cgi?id=127361
+
+ Huge numbers represented by the 'INF' value can not be used
+ in CSS rules, so they make the assert fail. We have to make
+ sure that the parsed property value is finite, otherwise
+ the property will be dropped.
+
+ Test: fast/css/infinite-floating-value.html
+
+ * css/CSSValuePool.cpp:
+ (WebCore::CSSValuePool::createValue):
+
2014-03-21 Zalan Bujtas <za...@apple.com>
Remove redundant friending from class Image.
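Review bot: The `(WebCore::CSSValuePool::createValue):` line in this entry has nothing after the colon. Add a short description of the change there, for example that infinite values now yield the CSSValueInvalid identifier, so the entry records what was done to the function and not only why.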
Modified: trunk/Source/WebCore/css/CSSValuePool.cpp (166113 => 166114)
--- trunk/Source/WebCore/css/CSSValuePool.cpp 2014-03-22 14:31:08 UTC (rev 166113)
+++ trunk/Source/WebCore/css/CSSValuePool.cpp 2014-03-22 15:16:42 UTC (rev 166114)
@@ -89,6 +89,9 @@
PassRef<CSSPrimitiveValue> CSSValuePool::createValue(double value, CSSPrimitiveValue::UnitTypes type)
{
+ if (std::isinf(value))
+ return createIdentifierValue(CSSValueID::CSSValueInvalid);
+
if (value < 0 || value > maximumCacheableIntegerValue)
return CSSPrimitiveValue::create(value, type);
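Review bot: The new guard in createValue tests std::isinf(value), but the assertion being fixed is std::isfinite(num), which also rejects NaN. A NaN is not caught by this guard, and because both comparisons in `value < 0 || value > maximumCacheableIntegerValue` are false for NaN, it also skips the early return and continues into the rest of the function. Using `if (!std::isfinite(value))` would match the assertion and the ChangeLog wording ("make sure that the parsed property value is finite"). A one-line comment would also help here, since a factory that takes a double and a unit type can now return the CSSValueInvalid identifier and callers may not expect that.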