From 6ca6514fa0caae5bf1df1aae126c51efb618d757 Mon Sep 17 00:00:00 2001 From: Antti Koivisto Date: Wed, 10 Dec 2014 20:46:15 +0000 Subject: Crash when creating CSSCalcBinaryOperation https://bugs.webkit.org/show_bug.cgi?id=134886 rdar://problem/17663561 Reviewed by Chris Dumez. Source/WebCore: Test: fast/css/calc-binary-operation-crash.html * css/CSSCalculationValue.cpp: (WebCore::determineCategory): Ensure that both axis are within the addSubtractResult table. Remove unneeded CalcOther test. The call site guarantees it doesn't happen and the normal cases would handle it anyway. Also strengthen some asserts. LayoutTests: * fast/css/calc-binary-operation-crash-expected.txt: Added. * fast/css/calc-binary-operation-crash.html: Added. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@177089 268f45cc-cd09-0410-ab3c-d52691b4dbfc Change-Id: Iaf7199800b78c1397da9335bb3420ab6784f9227 Reviewed-by: Allan Sandfeld Jensen --- Source/WebCore/css/CSSCalculationValue.cpp | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/Source/WebCore/css/CSSCalculationValue.cpp b/Source/WebCore/css/CSSCalculationValue.cpp index b7072e5e4..9864abd64 100644 --- a/Source/WebCore/css/CSSCalculationValue.cpp +++ b/Source/WebCore/css/CSSCalculationValue.cpp @@ -274,6 +274,7 @@ public: case CalcOther: ASSERT_NOT_REACHED(); } + ASSERT_NOT_REACHED(); return nullptr; } @@ -346,9 +347,8 @@ static CalculationCategory determineCategory(const CSSCalcExpressionNode& leftSi { CalculationCategory leftCategory = leftSide.category(); CalculationCategory rightCategory = rightSide.category(); - - if (leftCategory == CalcOther || rightCategory == CalcOther) - return CalcOther; + ASSERT(leftCategory < CalcOther); + ASSERT(rightCategory < CalcOther); #if ENABLE(CSS_VARIABLES) if (leftCategory == CalcVariable || rightCategory == CalcVariable) @@ -358,7 +358,7 @@ static CalculationCategory determineCategory(const CSSCalcExpressionNode& leftSi switch (op) { case CalcAdd: case CalcSubtract: - if (leftCategory < CalcAngle || rightCategory < CalcAngle) + if (leftCategory < CalcAngle && rightCategory < CalcAngle) return addSubtractResult[leftCategory][rightCategory]; if (leftCategory == rightCategory) return leftCategory; @@ -389,7 +389,8 @@ class CSSCalcBinaryOperation : public CSSCalcExpressionNode { public: static PassRefPtr create(PassRefPtr leftSide, PassRefPtr rightSide, CalcOperator op) { - ASSERT(leftSide->category() != CalcOther && rightSide->category() != CalcOther); + ASSERT(leftSide->category() < CalcOther); + ASSERT(rightSide->category() < CalcOther); CalculationCategory newCategory = determineCategory(*leftSide, *rightSide, op); @@ -403,7 +404,8 @@ public: { CalculationCategory leftCategory = leftSide->category(); CalculationCategory rightCategory = rightSide->category(); - ASSERT(leftCategory != CalcOther && rightCategory != CalcOther); + ASSERT(leftCategory < CalcOther); + ASSERT(rightCategory < CalcOther); bool isInteger = isIntegerResult(leftSide.get(), rightSide.get(), op); -- cgit v1.2.3