https://bugs.webkit.org/show_bug.cgi?id=37370
authordarin@apple.com <darin@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 9 Apr 2010 22:58:37 +0000 (22:58 +0000)
committerdarin@apple.com <darin@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 9 Apr 2010 22:58:37 +0000 (22:58 +0000)
Division by 0 in RenderBoxModelObject::calculateFillTileSize

Reviewed by Maciej Stachowiak.

WebCore:

Test: fast/backgrounds/background-fill-zero-area-crash.html

* rendering/RenderBoxModelObject.cpp:
(WebCore::RenderBoxModelObject::calculateFillTileSize): Added checks for
zero before doing division. These come up when the area to fill is zero.

LayoutTests:

* fast/backgrounds/background-fill-zero-area-crash-expected.txt: Added.
* fast/backgrounds/background-fill-zero-area-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@57377 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/backgrounds/background-fill-zero-area-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/backgrounds/background-fill-zero-area-crash.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/rendering/RenderBoxModelObject.cpp

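--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-04-09  Darin Adler  <darin@apple.com>
+
+        Reviewed by Maciej Stachowiak.
+
+        https://bugs.webkit.org/show_bug.cgi?id=37370
+        Division by 0 in RenderBoxModelObject::calculateFillTileSize
+
+        * fast/backgrounds/background-fill-zero-area-crash-expected.txt: Added.
+        * fast/backgrounds/background-fill-zero-area-crash.html: Added.
+
 2010-04-09  Alexey Proskuryakov  <ap@apple.com>
 
         Reviewed by Maciej Stachowiak.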
diff --git a/LayoutTests/fast/backgrounds/background-fill-zero-area-crash-expected.txt b/LayoutTests/fast/backgrounds/background-fill-zero-area-crash-expected.txt
new file mode 100644 (file)
index 0000000..8c50c98
--- /dev/null
@@ -0,0 +1,3 @@
+Test of some edge cases for background fills with generated images. Test passed if it rendered and there was no division by zero.
+
+
diff --git a/LayoutTests/fast/backgrounds/background-fill-zero-area-crash.html b/LayoutTests/fast/backgrounds/background-fill-zero-area-crash.html
new file mode 100644 (file)
index 0000000..bd7a580
--- /dev/null
@@ -0,0 +1,50 @@
+<!DOCTYPE html>
+<html>
+    <head>
+        <script>
+            if (window.layoutTestController)
+            layoutTestController.dumpAsText();
+        </script>
+        <style>
+            #a {
+                background-image: -webkit-gradient(linear, left top, left bottom, from(white), to(black));
+                -webkit-background-size: auto 50px;
+                -webkit-box-sizing: border-box;
+                border: 1px solid black;
+                width: 100px;
+                height: 2px;
+            }
+            #b {
+                background-image: -webkit-gradient(linear, left top, left bottom, from(white), to(black));
+                -webkit-background-size: 50px auto;
+                -webkit-box-sizing: border-box;
+                border: 1px solid black;
+                width: 2px;
+                height: 100px;
+            }
+            #c {
+                background-image: -webkit-gradient(linear, left top, left bottom, from(white), to(black));
+                -webkit-background-size: contain;
+                -webkit-box-sizing: border-box;
+                border: 1px solid black;
+                width: 2px;
+                height: 100px;
+            }
+            #d {
+                background-image: -webkit-gradient(linear, left top, left bottom, from(white), to(black));
+                -webkit-background-size: contain;
+                -webkit-box-sizing: border-box;
+                border: 1px solid black;
+                width: 100px;
+                height: 2px;
+            }
+        </style>
+    </head>
+    <body>
+        <p>Test of some edge cases for background fills with generated images. Test passed if it rendered and there was no division by zero.</p>
+        <div id="a"></div>
+        <div id="b"></div>
+        <div id="c"></div>
+        <div id="d"></div>
+    </body>
+</html>
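Review bot: The four cases cover `auto 50px`, `50px auto` and `contain` (twice), but none uses `-webkit-background-size: cover`, so the `max(horizontalScaleFactor, verticalScaleFactor)` side of the patched `Contain`/`Cover` branch is never run by this test. Adding `#e` and `#f` rules that mirror `#c` and `#d` with `-webkit-background-size: cover;` would close that gap. Because the test uses `dumpAsText()`, it only shows that the page rendered without crashing; a short comment saying so, e.g. `<!-- Crash test: passes if layout completes; tile sizes are not checked. -->`, would help the next reader.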
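--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,16 @@
+2010-04-09  Darin Adler  <darin@apple.com>
+
+        Reviewed by Maciej Stachowiak.
+
+        https://bugs.webkit.org/show_bug.cgi?id=37370
+        Division by 0 in RenderBoxModelObject::calculateFillTileSize
+
+        Test: fast/backgrounds/background-fill-zero-area-crash.html
+
+        * rendering/RenderBoxModelObject.cpp:
+        (WebCore::RenderBoxModelObject::calculateFillTileSize): Added checks for
+        zero before doing division. These come up when the area to fill is zero.
+
 2010-04-09  Alexey Proskuryakov  <ap@apple.com>
 
         Reviewed by Maciej Stachowiak.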
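--- a/WebCore/rendering/RenderBoxModelObject.cpp
+++ b/WebCore/rendering/RenderBoxModelObject.cpp
@@ -636,6 +636,7 @@ IntSize RenderBoxModelObject::calculateFillTileSize(const FillLayer* fillLayer,
         case SizeLength: {
             int w = positioningAreaSize.width();
             int h = positioningAreaSize.height();
+
             Length layerWidth = fillLayer->size().size.width();
             Length layerHeight = fillLayer->size().size.height();
 
@@ -651,15 +652,19 @@ IntSize RenderBoxModelObject::calculateFillTileSize(const FillLayer* fillLayer,
             
             // If one of the values is auto we have to use the appropriate
             // scale to maintain our aspect ratio.
-            if (layerWidth.isAuto() && !layerHeight.isAuto())
-                w = image->imageSize(this, style()->effectiveZoom()).width() * h / image->imageSize(this, style()->effectiveZoom()).height();        
-            else if (!layerWidth.isAuto() && layerHeight.isAuto())
-                h = image->imageSize(this, style()->effectiveZoom()).height() * w / image->imageSize(this, style()->effectiveZoom()).width();
-            else if (layerWidth.isAuto() && layerHeight.isAuto()) {
-                // If both width and height are auto, we just want to use the image's
-                // intrinsic size.
-                w = image->imageSize(this, style()->effectiveZoom()).width();
-                h = image->imageSize(this, style()->effectiveZoom()).height();
+            if (layerWidth.isAuto() && !layerHeight.isAuto()) {
+                IntSize imageIntrinsicSize = image->imageSize(this, style()->effectiveZoom());
+                if (imageIntrinsicSize.height())
+                    w = imageIntrinsicSize.width() * h / imageIntrinsicSize.height();        
+            } else if (!layerWidth.isAuto() && layerHeight.isAuto()) {
+                IntSize imageIntrinsicSize = image->imageSize(this, style()->effectiveZoom());
+                if (imageIntrinsicSize.width())
+                    h = imageIntrinsicSize.height() * w / imageIntrinsicSize.width();
+            } else if (layerWidth.isAuto() && layerHeight.isAuto()) {
+                // If both width and height are auto, use the image's intrinsic size.
+                IntSize imageIntrinsicSize = image->imageSize(this, style()->effectiveZoom());
+                w = imageIntrinsicSize.width();
+                h = imageIntrinsicSize.height();
             }
             
             return IntSize(max(1, w), max(1, h));
@@ -667,15 +672,17 @@ IntSize RenderBoxModelObject::calculateFillTileSize(const FillLayer* fillLayer,
         case Contain:
         case Cover: {
             IntSize imageIntrinsicSize = image->imageSize(this, 1);
-            float horizontalScaleFactor = static_cast<float>(positioningAreaSize.width()) / imageIntrinsicSize.width();
-            float verticalScaleFactor = static_cast<float>(positioningAreaSize.height()) / imageIntrinsicSize.height();
+            float horizontalScaleFactor = imageIntrinsicSize.width()
+                ? static_cast<float>(positioningAreaSize.width()) / imageIntrinsicSize.width() : 1;
+            float verticalScaleFactor = imageIntrinsicSize.height()
+                ? static_cast<float>(positioningAreaSize.height()) / imageIntrinsicSize.height() : 1;
             float scaleFactor = type == Contain ? min(horizontalScaleFactor, verticalScaleFactor) : max(horizontalScaleFactor, verticalScaleFactor);
-
             return IntSize(max<int>(1, imageIntrinsicSize.width() * scaleFactor), max<int>(1, imageIntrinsicSize.height() * scaleFactor));
         }
         case SizeNone:
             break;
     }
+
     return image->imageSize(this, style()->effectiveZoom());
 }
 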
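Review bot: The new zero checks in the `SizeLength` branch stop the divide trap, but `imageIntrinsicSize.width() * h` and `imageIntrinsicSize.height() * w` are still multiplied in `int` before the division, and both operands appear to derive from page-supplied style and image dimensions, so a large enough pair can overflow (undefined behaviour for signed `int`). The result is clamped only from below by `max(1, w)`, so nothing bounds the tile size from above either. I would do the arithmetic in a wider type and clamp before narrowing, e.g. `long long scaled = static_cast<long long>(imageIntrinsicSize.width()) * h / imageIntrinsicSize.height();` followed by `w = static_cast<int>(min<long long>(scaled, INT_MAX));`, and the same for `h`. The `Contain`/`Cover` hunk has the analogous unchecked float-to-int narrowing in `max<int>(1, imageIntrinsicSize.width() * scaleFactor)`. The body of calculateFillTileSize starts above the first hunk, so how `w` and `h` are set from the layer lengths is not visible here.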