Negative size box with border radius causes hang under WebCore::approximateAsRegion
authorantti@apple.com <antti@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 15 Aug 2019 17:20:20 +0000 (17:20 +0000)
committerantti@apple.com <antti@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 15 Aug 2019 17:20:20 +0000 (17:20 +0000)
https://bugs.webkit.org/show_bug.cgi?id=200769
<rdar://problem/53380674>

Reviewed by Alex Christensen.

Source/WebCore:

If a box's width or height computes negative the rounded border rect will also be negative.
This caused near-infinite loop during rounded border region approximation.

Test: fast/css/border-radius-negative-size.html

* platform/graphics/RoundedRect.cpp:
(WebCore::approximateAsRegion):

Bail out if the region is empty (which includes negative sizes).
For safety also limit the number of rectangles we generate for corner arc approximation.

LayoutTests:

* fast/css/border-radius-negative-size-expected.txt: Added.
* fast/css/border-radius-negative-size.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@248722 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/css/border-radius-negative-size-expected.txt [new file with mode: 0644]
LayoutTests/fast/css/border-radius-negative-size.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/platform/graphics/RoundedRect.cpp

index 5bf35c6..25234c5 100644 (file)
@@ -1,3 +1,14 @@
+2019-08-15  Antti Koivisto  <antti@apple.com>
+
+        Negative size box with border radius causes hang under WebCore::approximateAsRegion
+        https://bugs.webkit.org/show_bug.cgi?id=200769
+        <rdar://problem/53380674>
+
+        Reviewed by Alex Christensen.
+
+        * fast/css/border-radius-negative-size-expected.txt: Added.
+        * fast/css/border-radius-negative-size.html: Added.
+
 2019-08-15  Youenn Fablet  <youenn@apple.com>
 
         Make mock libwebrtc tests run with unified plan
diff --git a/LayoutTests/fast/css/border-radius-negative-size-expected.txt b/LayoutTests/fast/css/border-radius-negative-size-expected.txt
new file mode 100644 (file)
index 0000000..622ee0e
--- /dev/null
@@ -0,0 +1 @@
+This test passes if it doesn't hang.
diff --git a/LayoutTests/fast/css/border-radius-negative-size.html b/LayoutTests/fast/css/border-radius-negative-size.html
new file mode 100644 (file)
index 0000000..6a59bba
--- /dev/null
@@ -0,0 +1,28 @@
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<style>
+.test {
+    position: absolute;
+    box-sizing: border-box;
+    left: 0px;
+    right: 0px;
+    margin-left: 200px;
+    border-radius: 10px;
+    border: 2px solid red;
+    height: 10px;
+}
+.container {
+    position: relative;
+    width: 100px;
+    height: 100px;
+    border: 2px solid blue;
+    will-change:transform;
+}
+</style>
+<div class="container">
+<div class="test">
+This test passes if it doesn't hang.
+</div>
+</div>
index 6b2d1c1..863065d 100644 (file)
@@ -1,3 +1,22 @@
+2019-08-15  Antti Koivisto  <antti@apple.com>
+
+        Negative size box with border radius causes hang under WebCore::approximateAsRegion
+        https://bugs.webkit.org/show_bug.cgi?id=200769
+        <rdar://problem/53380674>
+
+        Reviewed by Alex Christensen.
+
+        If a box's width or height computes negative the rounded border rect will also be negative.
+        This caused near-infinite loop during rounded border region approximation.
+
+        Test: fast/css/border-radius-negative-size.html
+
+        * platform/graphics/RoundedRect.cpp:
+        (WebCore::approximateAsRegion):
+
+        Bail out if the region is empty (which includes negative sizes).
+        For safety also limit the number of rectangles we generate for corner arc approximation.
+
 2019-08-15  Thibault Saunier  <tsaunier@igalia.com>
 
         [GStreamer] Deal with slow buffer consumption in GStreamerMediaStreamSource
index b1d8eb8..ee92ed7 100644 (file)
@@ -310,6 +310,9 @@ Region approximateAsRegion(const RoundedRect& roundedRect, unsigned stepLength)
 {
     Region region;
 
+    if (roundedRect.isEmpty())
+        return region;
+
     auto& rect = roundedRect.rect();
     region.unite(enclosingIntRect(rect));
 
@@ -332,6 +335,9 @@ Region approximateAsRegion(const RoundedRect& roundedRect, unsigned stepLength)
         auto arcLengthFactor = roundToInt(std::min(axes.width(), axes.height()));
         auto count = (arcLengthFactor + (stepLength / 2)) / stepLength;
 
+        constexpr auto maximumCount = 20u;
+        count = std::min(maximumCount, count);
+
         for (auto i = 0u; i < count; ++i) {
             auto angle = fromAngle + (i + 1) * (toAngle - fromAngle) / (count + 1);
             auto ellipsisPoint = LayoutPoint { axes.width() * cos(angle), axes.height() * sin(angle) };