Change the MemoryCache and CachedResource adjustSize functions to take a long argument
author: said@apple.com <said@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 30 Sep 2016 16:01:36 +0000 (16:01 +0000)
committer: said@apple.com <said@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 30 Sep 2016 16:01:36 +0000 (16:01 +0000)
commit 6d51834941bf8b8e4590e43fdc49b6770bb78a10
tree 9825dbb4dd2c28a6fec1c61c7b0423656889b142
parent 3cff7127c52510a132c334dda8d1e480bb7dd7f5
Change the MemoryCache and CachedResource adjustSize functions to take a long argument
https://bugs.webkit.org/show_bug.cgi?id=162708
<rdar://problem/28555702>

Reviewed by Brent Fulgham.

Source/WebCore:

Because the MemoryCache stores the size of the cached memory in unsigned,
two problems may happen when reporting a change in the size of the memory:

1. Signed integer overflow -- which can happen because MemoryCache::adjustSize()
   takes a signed integer argument. If the allocated or the freed memory size is
   larger than the maximum of a signed integer, an overflow will happen.
   For the image caching code, this can be seen where the unsigned decodedSize
   is cast to an integer before passing it to ImageObserver::decodedSizeChanged().

2. Unsigned integer overflow -- which can happen if the new allocated memory
   size plus the currentSize exceeds the maximum of unsigned.
   This can be seen in MemoryCache::adjustSize() where we add delta to m_liveSize
   or m_deadSize without checking whether this addition will overflow or not. We
   do not assert for overflow although we assert for underflow.

The fix for these two problems can be the following:

1. Make all the adjustSize functions all the way till MemoryCache::adjustSize()
   take a signed long integer argument.

2. Do not create a NativeImagePtr for an ImageFrame if its frameBytes plus the
   ImageFrameCache::decodedSize() will exceed the maximum of an unsigned integer.

* loader/cache/CachedImage.cpp:
(WebCore::CachedImage::decodedSizeChanged): Change the argument to be long. No overflow will happen when casting the argument from unsigned to long.
* loader/cache/CachedImage.h:
* loader/cache/CachedResource.cpp:
(WebCore::CachedResource::setDecodedSize): Use long integer casting when calling MemoryCache::adjustSize().
(WebCore::CachedResource::setEncodedSize): Ditto.
* loader/cache/MemoryCache.cpp:
(WebCore::MemoryCache::MemoryCache): Add a static assert to ensure sizeof(long long) can hold any unsigned or its negation.
(WebCore::MemoryCache::revalidationSucceeded): Use long integer casting when calling MemoryCache::adjustSize().
(WebCore::MemoryCache::remove): Ditto.
(WebCore::MemoryCache::adjustSize): Change the function argument to long integer. No overflow will happen when casting the argument from unsigned to long.
* loader/cache/MemoryCache.h:
* platform/graphics/ImageFrameCache.cpp:
(WebCore::ImageFrameCache::destroyIncompleteDecodedData): Call a function with its new name.
(WebCore::ImageFrameCache::decodedSizeChanged): Change the function argument to long integer. No overflow will happen when casting the argument from unsigned to long.
(WebCore::ImageFrameCache::decodedSizeIncreased): Use long integer casting when calling decodedSizeChanged().
(WebCore::ImageFrameCache::decodedSizeDecreased): Ditto.
(WebCore::ImageFrameCache::decodedSizeReset): Ditto.
(WebCore::ImageFrameCache::didDecodeProperties): Ditto.
(WebCore::ImageFrameCache::frameAtIndex): Do not create the NativeImage if adding its frameBytes to the MemoryCache will cause numerical overflow.
(WebCore::ImageFrameCache::decodedSizeIncremented): Deleted. This function is renamed decodedSizeIncreased().
(WebCore::ImageFrameCache::decodedSizeDecremented): Deleted. This function is renamed decodedSizeDecreased().
* platform/graphics/ImageFrameCache.h:
* platform/graphics/ImageObserver.h:
* platform/graphics/IntSize.h:
(WebCore::IntSize::unclampedArea): Returns the area of an IntSize in size_t.
* platform/graphics/cg/PDFDocumentImage.cpp:
(WebCore::PDFDocumentImage::decodedSizeChanged): Use long integer casting when calling ImageObserver::decodedSizeChanged().

LayoutTests:

* TestExpectations: Remove failed tests.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@206635 268f45cc-cd09-0410-ab3c-d52691b4dbfc
13 files changed:
LayoutTests/ChangeLog
LayoutTests/TestExpectations
Source/WebCore/ChangeLog
Source/WebCore/loader/cache/CachedImage.cpp
Source/WebCore/loader/cache/CachedImage.h
Source/WebCore/loader/cache/CachedResource.cpp
Source/WebCore/loader/cache/MemoryCache.cpp
Source/WebCore/loader/cache/MemoryCache.h
Source/WebCore/platform/graphics/ImageFrameCache.cpp
Source/WebCore/platform/graphics/ImageFrameCache.h
Source/WebCore/platform/graphics/ImageObserver.h
Source/WebCore/platform/graphics/IntSize.h
Source/WebCore/platform/graphics/cg/PDFDocumentImage.cpp
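The two overflows the commit message describes, and the shape of the fix it applies, reduced to a self-contained C++ illustration. This is an added example, not WebKit's code: `demo::SizeAccount`, `misreportedAsFreed`, `additionWouldWrap` and `canAccountForFrame` are hypothetical stand-ins for the MemoryCache and ImageFrameCache accounting, and the 3 GiB decoded size is a constructed input. It shows (1) an unsigned size above INT_MAX turning negative when cast to int, (2) unsigned addition wrapping silently, and (3) a long long delta with a range check before the store, plus a frameBytes pre-check in the spirit of the frameAtIndex() change.

```cpp
// Added illustration (not WebKit's code): simplified cache-size accounting that
// reproduces the two overflows from the commit message and the long-long fix.
// All names are hypothetical stand-ins for MemoryCache / ImageFrameCache.
#include <cassert>
#include <climits>
#include <cstddef>
#include <iostream>

namespace demo {

// long long must hold every unsigned value and its negation; this is the same
// property the commit's static assert in MemoryCache::MemoryCache() checks.
static_assert(sizeof(long long) > sizeof(unsigned),
              "long long must hold any unsigned value and its negation");

// Problem 1: a decoded size above INT_MAX, cast to int, becomes negative, so a
// growth of the cache is reported as if memory had been freed.
bool misreportedAsFreed(unsigned decodedSize)
{
    return static_cast<int>(decodedSize) < 0; // wraps for decodedSize > INT_MAX
}

// Problem 2: unsigned addition wraps silently when currentSize + delta exceeds UINT_MAX.
bool additionWouldWrap(unsigned currentSize, unsigned delta)
{
    return delta > UINT_MAX - currentSize;
}

// Hardened accounting: the delta travels as long long end to end (nothing is
// truncated on the way), and the result is range-checked before being stored.
class SizeAccount {
public:
    // Returns false and leaves the stored size untouched if the result would
    // not fit in unsigned (below zero or above UINT_MAX).
    bool adjustSize(long long delta)
    {
        const long long result = static_cast<long long>(m_size) + delta;
        if (result < 0 || result > static_cast<long long>(UINT_MAX))
            return false;
        m_size = static_cast<unsigned>(result);
        return true;
    }
    unsigned size() const { return m_size; }

private:
    unsigned m_size = 0;
};

// Pre-check in the spirit of the frameAtIndex() change: refuse to create a
// decoded frame whose bytes, added to the current decoded size, would overflow.
bool canAccountForFrame(unsigned currentDecodedSize, size_t frameBytes)
{
    return frameBytes <= static_cast<size_t>(UINT_MAX - currentDecodedSize);
}

} // namespace demo

int main()
{
    using namespace demo;
    const unsigned bigDecodedSize = 3u << 30; // constructed: 3 GiB, larger than INT_MAX
    std::cout << "int cast reports a free:     " << misreportedAsFreed(bigDecodedSize) << '\n';
    std::cout << "unsigned add wraps:          " << additionWouldWrap(UINT_MAX - 10, 100) << '\n';

    SizeAccount account;
    account.adjustSize(static_cast<long long>(bigDecodedSize));
    std::cout << "second 3 GiB growth accepted: "
              << account.adjustSize(static_cast<long long>(bigDecodedSize)) << '\n';
    std::cout << "size after rejected adjust:  " << account.size() << '\n';
    std::cout << "frame fits near UINT_MAX:    " << canAccountForFrame(UINT_MAX - 5, 10) << '\n';
    return 0;
}
```

The range check in `adjustSize` is deliberately a hard refusal rather than a clamp: an accounting value that silently saturates is as misleading for eviction decisions as one that wraps, so the caller has to decide (as the commit does in frameAtIndex) not to allocate in the first place.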