author | Antti Koivisto <antti@apple.com> | 2014-12-10 20:46:15 +0000 |
---|---|---|
committer | Konstantin Tokarev <annulen@yandex.ru> | 2016-09-27 07:16:59 +0000 |
commit | 6ca6514fa0caae5bf1df1aae126c51efb618d757 (patch) | |
tree | 49a33769120144055ccc163d90e94c3e1e0d0eb8 | |
parent | 502b4a55ac778d036a33c32fec51eecbbc73e1a9 (diff) |
Crash when creating CSSCalcBinaryOperation
https://bugs.webkit.org/show_bug.cgi?id=134886
rdar://problem/17663561
Reviewed by Chris Dumez.
Source/WebCore:
Test: fast/css/calc-binary-operation-crash.html
* css/CSSCalculationValue.cpp:
(WebCore::determineCategory):
Ensure that both axes are within the addSubtractResult table.
Remove unneeded CalcOther test. The call site guarantees it doesn't happen and the normal cases would handle it anyway.
Also strengthen some asserts.
LayoutTests:
* fast/css/calc-binary-operation-crash-expected.txt: Added.
* fast/css/calc-binary-operation-crash.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@177089 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Change-Id: Iaf7199800b78c1397da9335bb3420ab6784f9227
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | Source/WebCore/css/CSSCalculationValue.cpp | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/Source/WebCore/css/CSSCalculationValue.cpp b/Source/WebCore/css/CSSCalculationValue.cpp
index b7072e5e4..9864abd64 100644
--- a/Source/WebCore/css/CSSCalculationValue.cpp
+++ b/Source/WebCore/css/CSSCalculationValue.cpp
@@ -274,6 +274,7 @@ public:
 case CalcOther:
 ASSERT_NOT_REACHED();
 }
+ ASSERT_NOT_REACHED();
 return nullptr;
 }
@@ -346,9 +347,8 @@ static CalculationCategory determineCategory(const CSSCalcExpressionNode& leftSi
 {
 CalculationCategory leftCategory = leftSide.category();
 CalculationCategory rightCategory = rightSide.category();
-
- if (leftCategory == CalcOther || rightCategory == CalcOther)
- return CalcOther;
+ ASSERT(leftCategory < CalcOther);
+ ASSERT(rightCategory < CalcOther);
 #if ENABLE(CSS_VARIABLES)
 if (leftCategory == CalcVariable || rightCategory == CalcVariable)
@@ -358,7 +358,7 @@ static CalculationCategory determineCategory(const CSSCalcExpressionNode& leftSi
 switch (op) {
 case CalcAdd:
 case CalcSubtract:
- if (leftCategory < CalcAngle || rightCategory < CalcAngle)
+ if (leftCategory < CalcAngle && rightCategory < CalcAngle)
 return addSubtractResult[leftCategory][rightCategory];
 if (leftCategory == rightCategory)
 return leftCategory;
@@ -389,7 +389,8 @@ class CSSCalcBinaryOperation : public CSSCalcExpressionNode {
 public:
 static PassRefPtr<CSSCalcExpressionNode> create(PassRefPtr<CSSCalcExpressionNode> leftSide, PassRefPtr<CSSCalcExpressionNode> rightSide, CalcOperator op)
 {
- ASSERT(leftSide->category() != CalcOther && rightSide->category() != CalcOther);
+ ASSERT(leftSide->category() < CalcOther);
+ ASSERT(rightSide->category() < CalcOther);
 CalculationCategory newCategory = determineCategory(*leftSide, *rightSide, op);
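Review bot: In the `@@ -346,9 +347,8 @@` hunk of determineCategory, the runtime early return for CalcOther is replaced by two `ASSERT`s, which are debug-only in WebKit, so release builds no longer reject an out-of-range category in this function. The commit message says the call site guarantees the precondition, and that deserves a comment above the asserts, for example `// Precondition: callers never pass CalcOther; this is not checked in release builds.` The same assert pair is introduced in the `-389,7` and `-403,7` hunks, whose functions continue outside the diff. determineCategory's multiply/divide branch is also not visible here, so it cannot be confirmed from this page that every path is safe without the early return.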
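Review bot: In the `@@ -358,7 +358,7 @@` hunk, the corrected guard `leftCategory < CalcAngle && rightCategory < CalcAngle` is the only thing keeping both indices inside addSubtractResult, and it relies on the table's extent matching CalcAngle. The table is declared outside the hunk, so that match is an assumption. A compile-time check next to the table would stop a later enum change from reintroducing the out-of-bounds read, e.g. `static_assert(WTF_ARRAY_LENGTH(addSubtractResult) == CalcAngle, "addSubtractResult must cover every category below CalcAngle");`. A one-line comment on the guard naming the table bounds would also help the next reader see why `&&` is required here.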
@@ -403,7 +404,8 @@ public:
 {
 CalculationCategory leftCategory = leftSide->category();
 CalculationCategory rightCategory = rightSide->category();
- ASSERT(leftCategory != CalcOther && rightCategory != CalcOther);
+ ASSERT(leftCategory < CalcOther);
+ ASSERT(rightCategory < CalcOther);
 bool isInteger = isIntegerResult(leftSide.get(), rightSide.get(), op); |