Clamp paddingBoxWidth/Height to a minimum of zero
authorcommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 30 Jan 2020 04:12:57 +0000 (04:12 +0000)
committercommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 30 Jan 2020 04:12:57 +0000 (04:12 +0000)
https://bugs.webkit.org/show_bug.cgi?id=206317
rdar://57102010

Patch by Sunny He <sunny_he@apple.com> on 2020-01-29
Reviewed by Zalan Bujtas.

LayoutTests/imported/w3c:

Source/WebCore:

Test: fast/multicol/crash-negative-paddingBoxWidth.html

* rendering/RenderBox.h:
(WebCore::RenderBox::paddingBoxWidth const):
(WebCore::RenderBox::paddingBoxHeight const):

LayoutTests:

* fast/multicol/crash-negative-paddingBoxWidth-expected.txt: Added.
* fast/multicol/crash-negative-paddingBoxWidth.html: Added.

* web-platform-tests/css/cssom-view/scrollLeft-of-scroller-with-wider-scrollbar-expected.txt:

Source/WebCore:

Test: fast/multicol/crash-negative-paddingBoxWidth.html

* rendering/RenderBox.h:
(WebCore::RenderBox::paddingBoxWidth const):
(WebCore::RenderBox::paddingBoxHeight const):

LayoutTests:

* fast/multicol/crash-negative-paddingBoxWidth-expected.txt: Added.
* fast/multicol/crash-negative-paddingBoxWidth.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@255413 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/multicol/crash-negative-paddingBoxWidth-expected.txt [new file with mode: 0644]
LayoutTests/fast/multicol/crash-negative-paddingBoxWidth.html [new file with mode: 0644]
LayoutTests/imported/w3c/ChangeLog
LayoutTests/imported/w3c/web-platform-tests/css/cssom-view/scrollLeft-of-scroller-with-wider-scrollbar-expected.txt
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderBox.h
Source/WebCore/rendering/RenderReplaced.cpp

index 26b8833..4795d72 100644 (file)
@@ -1,3 +1,14 @@
+2020-01-29  Sunny He  <sunny_he@apple.com>
+
+        Clamp paddingBoxWidth/Height to a minimum of zero
+        https://bugs.webkit.org/show_bug.cgi?id=206317
+        rdar://57102010
+
+        Reviewed by Zalan Bujtas.
+
+        * fast/multicol/crash-negative-paddingBoxWidth-expected.txt: Added.
+        * fast/multicol/crash-negative-paddingBoxWidth.html: Added.
+
 2020-01-29  Justin Fan  <justin_fan@apple.com>
 
         [WebGL] Skip ANGLE-dependent WebGL 2 expected progressions on WebGL bot
diff --git a/LayoutTests/fast/multicol/crash-negative-paddingBoxWidth-expected.txt b/LayoutTests/fast/multicol/crash-negative-paddingBoxWidth-expected.txt
new file mode 100644 (file)
index 0000000..61cb65e
--- /dev/null
@@ -0,0 +1,4 @@
+
+Check that interactions between column gap, width, and scrollbar width don't cause crashes.
+
+PASS
diff --git a/LayoutTests/fast/multicol/crash-negative-paddingBoxWidth.html b/LayoutTests/fast/multicol/crash-negative-paddingBoxWidth.html
new file mode 100644 (file)
index 0000000..90956db
--- /dev/null
@@ -0,0 +1,14 @@
+<html>
+    <style>
+    * { width: 25%; grid-gap: 40%; columns: 6px;}
+    </style>
+    <script>
+        if (window.testRunner)
+            testRunner.dumpAsText();
+    </script>
+    <body>
+        <textarea>A</textarea>
+        <p>Check that interactions between column gap, width, and scrollbar width don't cause crashes.</p>
+    PASS
+    </body>
+</html>
\ No newline at end of file
index 02ef3a8..07309b5 100644 (file)
@@ -1,3 +1,26 @@
+2020-01-29  Sunny He  <sunny_he@apple.com>
+
+        Clamp paddingBoxWidth/Height to a minimum of zero
+        https://bugs.webkit.org/show_bug.cgi?id=206317
+        rdar://57102010
+
+        Reviewed by Zalan Bujtas.
+
+        Source/WebCore:
+
+        Test: fast/multicol/crash-negative-paddingBoxWidth.html
+
+        * rendering/RenderBox.h:
+        (WebCore::RenderBox::paddingBoxWidth const):
+        (WebCore::RenderBox::paddingBoxHeight const):
+
+        LayoutTests:
+
+        * fast/multicol/crash-negative-paddingBoxWidth-expected.txt: Added.
+        * fast/multicol/crash-negative-paddingBoxWidth.html: Added.
+
+        * web-platform-tests/css/cssom-view/scrollLeft-of-scroller-with-wider-scrollbar-expected.txt:
+
 2020-01-29  Carlos Alberto Lopez Perez  <clopez@igalia.com>
 
         Update WPT tests for css-easing (previously known as css-timing)
index 1377b45..c78fd7e 100644 (file)
@@ -1,3 +1,17 @@
+2020-01-29  Sunny He  <sunny_he@apple.com>
+
+        Clamp paddingBoxWidth/Height to a minimum of zero
+        https://bugs.webkit.org/show_bug.cgi?id=206317
+        rdar://57102010
+
+        Reviewed by Zalan Bujtas.
+
+        Test: fast/multicol/crash-negative-paddingBoxWidth.html
+
+        * rendering/RenderBox.h:
+        (WebCore::RenderBox::paddingBoxWidth const):
+        (WebCore::RenderBox::paddingBoxHeight const):
+
 2020-01-29  Robin Morisset  <rmorisset@apple.com>
 
         Remove Options::enableSpectreMitigations
index 4954814..920276d 100644 (file)
@@ -217,8 +217,8 @@ public:
     LayoutUnit contentLogicalWidth() const { return style().isHorizontalWritingMode() ? contentWidth() : contentHeight(); }
     LayoutUnit contentLogicalHeight() const { return style().isHorizontalWritingMode() ? contentHeight() : contentWidth(); }
 
-    LayoutUnit paddingBoxWidth() const { return width() - borderLeft() - borderRight() - verticalScrollbarWidth(); }
-    LayoutUnit paddingBoxHeight() const { return height() - borderTop() - borderBottom() - horizontalScrollbarHeight(); }
+    LayoutUnit paddingBoxWidth() const { return std::max(0_lu, width() - borderLeft() - borderRight() - verticalScrollbarWidth()); }
+    LayoutUnit paddingBoxHeight() const { return std::max(0_lu, height() - borderTop() - borderBottom() - horizontalScrollbarHeight()); }
     LayoutRect paddingBoxRect() const;
     LayoutRect paddingBoxRectIncludingScrollbar() const { return LayoutRect(borderLeft(), borderTop(), width() - borderLeft() - borderRight(), height() - borderTop() - borderBottom()); }
 
index f471900..beccd39 100644 (file)
@@ -479,8 +479,10 @@ LayoutUnit RenderReplaced::computeConstrainedLogicalWidth(ShouldComputePreferred
     
     // This solves above equation for 'width' (== logicalWidth).
     LayoutUnit marginStart = minimumValueForLength(style().marginStart(), logicalWidth);
-    LayoutUnit marginEnd = minimumValueForLength(style().marginEnd(), logicalWidth);
-    logicalWidth = std::max(0_lu, (logicalWidth - (marginStart + marginEnd + (size().width() - clientWidth()))));
+    LayoutUnit marginEnd = minimumValueForLength(style().marginEnd(), logicalWidth); 
+
+    // FIXME: This expression does not align with the comment above, which is quoting https://www.w3.org/TR/CSS22/visudet.html#blockwidth.
+    logicalWidth = std::max(0_lu, (logicalWidth - (marginStart + marginEnd + borderLeft() + borderRight())));
     return computeReplacedLogicalWidthRespectingMinMaxWidth(logicalWidth, shouldComputePreferred);
 }