Crash when setting 'z-index' / 'flex-shrink' CSS properties to a calculated value
author cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 19 Nov 2014 02:05:34 +0000 (02:05 +0000)
committer cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 19 Nov 2014 02:05:34 +0000 (02:05 +0000)
https://bugs.webkit.org/show_bug.cgi?id=138783

Reviewed by Andreas Kling.

Source/WebCore:

Update operators converting CSSPrimitiveValue to integer / floating
point types to properly handle calculated values (e.g. 'calc(2 * 3)').
Previously, this was not working in release builds and we would hit an
ASSERT_NOT_REACHED() in debug builds.

Tests: fast/css/flex-shrink-calculated-value.html
       fast/css/z-index-calculated-value.html

* css/CSSPrimitiveValueMappings.h:
(WebCore::CSSPrimitiveValue::operator unsigned short):
(WebCore::CSSPrimitiveValue::operator int):
(WebCore::CSSPrimitiveValue::operator unsigned):
(WebCore::CSSPrimitiveValue::operator float):

LayoutTests:

Add layout tests to check that setting 'z-index' / 'flex-shrink' CSS
properties to a calculated value does not crash and behaves as
expected.

* fast/css/flex-shrink-calculated-value-expected.txt: Added.
* fast/css/flex-shrink-calculated-value.html: Added.
* fast/css/z-index-calculated-value-expected.txt: Added.
* fast/css/z-index-calculated-value.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@176301 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/css/flex-shrink-calculated-value-expected.txt [new file with mode: 0644]
LayoutTests/fast/css/flex-shrink-calculated-value.html [new file with mode: 0644]
LayoutTests/fast/css/z-index-calculated-value-expected.txt [new file with mode: 0644]
LayoutTests/fast/css/z-index-calculated-value.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/css/CSSPrimitiveValueMappings.h

index 7577cca..a299699 100644 (file)
@@ -1,3 +1,19 @@
+2014-11-18  Chris Dumez  <cdumez@apple.com>
+
+        Crash when setting 'z-index' / 'flex-shrink' CSS properties to a calculated value
+        https://bugs.webkit.org/show_bug.cgi?id=138783
+
+        Reviewed by Andreas Kling.
+
+        Add layout tests to check that settings 'z-index' / 'flex-shrink' CSS
+        properties to a calculated value does not crash and behaves as
+        expected.
+
+        * fast/css/flex-shrink-calculated-value-expected.txt: Added.
+        * fast/css/flex-shrink-calculated-value.html: Added.
+        * fast/css/z-index-calculated-value-expected.txt: Added.
+        * fast/css/z-index-calculated-value.html: Added.
+
 2014-11-18  Commit Queue  <commit-queue@webkit.org>
 
         Unreviewed, rolling out r176263 and r176273.
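Review bot: Typo in the first line of the new entry's description: "check that settings 'z-index' / 'flex-shrink'" should read "check that setting 'z-index' / 'flex-shrink'", since the verb that follows ("does not crash") is singular.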
diff --git a/LayoutTests/fast/css/flex-shrink-calculated-value-expected.txt b/LayoutTests/fast/css/flex-shrink-calculated-value-expected.txt
new file mode 100644 (file)
index 0000000..9face3b
--- /dev/null
@@ -0,0 +1,13 @@
+Tests assigning a calculated value to flex-shrink CSS property.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS testDiv.style['flex-shrink'] is ""
+testDiv.style['flex-shrink'] = 'calc(2 * 3)'
+PASS testDiv.style['flex-shrink'] is "calc(6)"
+PASS window.getComputedStyle(testDiv).getPropertyValue('flex-shrink') is "6"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/css/flex-shrink-calculated-value.html b/LayoutTests/fast/css/flex-shrink-calculated-value.html
new file mode 100644 (file)
index 0000000..edf805f
--- /dev/null
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<body>
+<script src="../../resources/js-test-pre.js"></script>
+<div id="testDiv" style="position: absolute;"></div>
+<script>
+description("Tests assigning a calculated value to flex-shrink CSS property.");
+
+var testDiv = document.getElementById("testDiv");
+
+shouldBeEmptyString("testDiv.style['flex-shrink']");
+evalAndLog("testDiv.style['flex-shrink'] = 'calc(2 * 3)'");
+shouldBeEqualToString("testDiv.style['flex-shrink']", "calc(6)");
+shouldBeEqualToString("window.getComputedStyle(testDiv).getPropertyValue('flex-shrink')", "6");
+
+</script>
+<script src="../../resources/js-test-post.js"></script>
+</body>
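Review bot: The test assigns only 'calc(2 * 3)', whose result is a small integer, so it cannot tell a floating point conversion from an integer one. Add a case with a non-integer result (for example a calc() that evaluates to 0.5) and assert the computed value, so truncation would be caught. The `style="position: absolute;"` on testDiv also looks copied from the z-index test and is not needed to read back flex-shrink; drop it or say in a comment why it is there.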
diff --git a/LayoutTests/fast/css/z-index-calculated-value-expected.txt b/LayoutTests/fast/css/z-index-calculated-value-expected.txt
new file mode 100644 (file)
index 0000000..acda00c
--- /dev/null
@@ -0,0 +1,13 @@
+Tests assigning a calculated value to z-index CSS property.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS testDiv.style['z-index'] is ""
+testDiv.style['z-index'] = 'calc(-2 * 3)'
+PASS testDiv.style['z-index'] is "calc(-6)"
+PASS window.getComputedStyle(testDiv).getPropertyValue('z-index') is "-6"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/css/z-index-calculated-value.html b/LayoutTests/fast/css/z-index-calculated-value.html
new file mode 100644 (file)
index 0000000..bd160b7
--- /dev/null
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<body>
+<script src="../../resources/js-test-pre.js"></script>
+<div id="testDiv" style="position: absolute;"></div>
+<script>
+description("Tests assigning a calculated value to z-index CSS property.");
+
+var testDiv = document.getElementById("testDiv");
+
+shouldBeEmptyString("testDiv.style['z-index']");
+evalAndLog("testDiv.style['z-index'] = 'calc(-2 * 3)'");
+shouldBeEqualToString("testDiv.style['z-index']", "calc(-6)");
+shouldBeEqualToString("window.getComputedStyle(testDiv).getPropertyValue('z-index')", "-6");
+
+</script>
+<script src="../../resources/js-test-post.js"></script>
+</body>
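Review bot: Only one in-range value, 'calc(-2 * 3)', is exercised, so the test passes whether or not the converted result is clamped. Since the code change removes an explicit clampTo<int>(), add a case whose calc() result lies outside the int range and assert the computed 'z-index', so the expected clamping behaviour is pinned down by a test rather than left implicit.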
index 87a0282..abd10be 100644 (file)
@@ -1,3 +1,24 @@
+2014-11-18  Chris Dumez  <cdumez@apple.com>
+
+        Crash when setting 'z-index' / 'flex-shrink' CSS properties to a calculated value
+        https://bugs.webkit.org/show_bug.cgi?id=138783
+
+        Reviewed by Andreas Kling.
+
+        Update operators converting CSSPrimitiveValue to integer / floating
+        point types to properly handle calculated values (e.g. 'calc(2 * 3)').
+        Previously, this was not working in release builds and we would hit an
+        ASSERT_NOT_REACHED() in debug builds.
+
+        Tests: fast/css/flex-shrink-calculated-value.html
+               fast/css/z-index-calculated-value.html
+
+        * css/CSSPrimitiveValueMappings.h:
+        (WebCore::CSSPrimitiveValue::operator unsigned short):
+        (WebCore::CSSPrimitiveValue::operator int):
+        (WebCore::CSSPrimitiveValue::operator unsigned):
+        (WebCore::CSSPrimitiveValue::operator float):
+
 2014-11-18  Commit Queue  <commit-queue@webkit.org>
 
         Unreviewed, rolling out r176263 and r176273.
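Review bot: The entry says the conversion "was not working in release builds" but does not say what a release build did or why `m_primitiveUnitType == CSS_NUMBER` fails for a calculated value while `primitiveType() == CSS_NUMBER` succeeds. One sentence on each would make the root cause clear to later readers of the ChangeLog, and would reconcile the title's "Crash" with the description, which only mentions ASSERT_NOT_REACHED() in debug builds.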
index 8165e3b..1042b33 100644 (file)
@@ -82,8 +82,8 @@ template<> inline CSSPrimitiveValue::CSSPrimitiveValue(unsigned short i)
 
 template<> inline CSSPrimitiveValue::operator unsigned short() const
 {
-    if (m_primitiveUnitType == CSS_NUMBER)
-        return clampTo<unsigned short>(m_value.num);
+    if (primitiveType() == CSS_NUMBER)
+        return getValue<unsigned short>();
 
     ASSERT_NOT_REACHED();
     return 0;
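Review bot: The added `return getValue<unsigned short>();` replaces an explicit `clampTo<unsigned short>(m_value.num)`, and nothing in this diff shows that getValue<T>() clamps. A calc() result comes from page content, and converting an out-of-range double to an integer type is undefined behaviour in C++, so please confirm that getValue<T>() performs the same clamping and say so in the ChangeLog or in a comment here.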
@@ -91,8 +91,8 @@ template<> inline CSSPrimitiveValue::operator unsigned short() const
 
 template<> inline CSSPrimitiveValue::operator int() const
 {
-    if (m_primitiveUnitType == CSS_NUMBER)
-        return clampTo<int>(m_value.num);
+    if (primitiveType() == CSS_NUMBER)
+        return getValue<int>();
 
     ASSERT_NOT_REACHED();
     return 0;
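Review bot: The fallthrough in operator int() is unchanged: `ASSERT_NOT_REACHED();` followed by `return 0;`. A release build therefore still returns 0 silently for any value whose primitiveType() is not CSS_NUMBER, which is the path the ChangeLog describes for calculated values before this change. Consider documenting which types are guaranteed not to reach this operator, or making the unexpected case visible in release builds as well.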
@@ -100,8 +100,8 @@ template<> inline CSSPrimitiveValue::operator int() const
 
 template<> inline CSSPrimitiveValue::operator unsigned() const
 {
-    if (m_primitiveUnitType == CSS_NUMBER)
-        return clampTo<unsigned>(m_value.num);
+    if (primitiveType() == CSS_NUMBER)
+        return getValue<unsigned>();
 
     ASSERT_NOT_REACHED();
     return 0;
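Review bot: The two layout tests added in this patch cover 'z-index' and 'flex-shrink' only. If neither property is converted through operator unsigned() (or operator unsigned short() above), these changed lines have no test, and a negative calc() result is the interesting input for an unsigned target. Please add a test for a property that uses this operator, with a calc() expression that evaluates below zero.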
@@ -117,8 +117,8 @@ template<> inline CSSPrimitiveValue::CSSPrimitiveValue(float i)
 
 template<> inline CSSPrimitiveValue::operator float() const
 {
-    if (m_primitiveUnitType == CSS_NUMBER)
-        return clampTo<float>(m_value.num);
+    if (primitiveType() == CSS_NUMBER)
+        return getValue<float>();
 
     ASSERT_NOT_REACHED();
     return 0.0f;
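Review bot: Style point: this is the fourth specialization with the same body, `if (primitiveType() == CSS_NUMBER)` followed by `return getValue<T>();` and the assert fallthrough. A single private template helper that the four operators call would keep the type check and the conversion in one place, so a future fix like this one does not need to be repeated per type.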