Bug 164702: WebContent crash due to checked unsigned overflow in WebCore: WebCore...
author ddkilzer@apple.com <ddkilzer@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 14 Nov 2016 18:20:35 +0000 (18:20 +0000)
committer ddkilzer@apple.com <ddkilzer@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 14 Nov 2016 18:20:35 +0000 (18:20 +0000)
<https://webkit.org/b/164702>
<rdar://problem/29236368>

Reviewed by Darin Adler.

Source/WebCore:

Test: inspector/layers/layers-compositing-reasons.html

* rendering/RenderLayerCompositor.cpp:
(WebCore::RenderLayerCompositor::requiresCompositingForCanvas):
Don't composite if the canvas area overflows.

LayoutTests:

* inspector/layers/layers-compositing-reasons-expected.txt:
Update results.
* inspector/layers/layers-compositing-reasons.html: Update to
reproduce the crash.  This does not reproduce the original crash
stack, but does exercise the same crashing code.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@208691 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/inspector/layers/layers-compositing-reasons-expected.txt
LayoutTests/inspector/layers/layers-compositing-reasons.html
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderLayerCompositor.cpp

index a8d4940..b6eaa5a 100644 (file)
@@ -1,3 +1,17 @@
+2016-11-14  David Kilzer  <ddkilzer@apple.com>
+
+        Bug 164702: WebContent crash due to checked unsigned overflow in WebCore: WebCore::RenderLayerCompositor::requiresCompositingLayer const + 1104
+        <https://webkit.org/b/164702>
+        <rdar://problem/29236368>
+
+        Reviewed by Darin Adler.
+
+        * inspector/layers/layers-compositing-reasons-expected.txt:
+        Update results.
+        * inspector/layers/layers-compositing-reasons.html: Update to
+        reproduce the crash.  This does not reproduce the original crash
+        stack, but does exercise the same crashing code.
+
 2016-11-14  Joanmarie Diggs  <jdiggs@igalia.com>
 
         AX: [ATK] Expose STATE_SINGLE_LINE and STATE_MULTI_LINE for ARIA searchbox role
index 86fb644..00b9fa0 100644 (file)
@@ -1,4 +1,4 @@
-
 === Enable the LayerTree agent ===
 
 PASS
@@ -15,4 +15,5 @@ PASS
 
 PASS: <div id="opacity-container"> is composited due to having an opacity style and a composited child.
 PASS: <div id="child"> is composited due to having "backface-visibility: hidden" and a 3D transform.
+PASS: <canvas id="canvas"> is composited due to having a 3D transform.
 
index 5bd9351..bd2cff4 100644 (file)
@@ -73,6 +73,11 @@ function test()
                     "<div id=\"child\"> is composited due to having \"backface-visibility: hidden\" and a 3D transform",
                     compositingReasons.transform3D && compositingReasons.backfaceVisibilityHidden,
                     true);
+            } else if (hasId(node, "canvas")) {
+                assert(
+                    "<canvas id=\"canvas\"> is composited due to having a 3D transform",
+                    compositingReasons.transform3D,
+                    true);
             }
 
             if (++count === layers.length)
@@ -152,6 +157,10 @@ window.addEventListener("DOMContentLoaded", function()
         -webkit-transform: translateZ(0);
     }
 
+    #canvas {
+        transform: translate3D(0,0,0);
+    }
+
 </style>
 </head>
 <body>
@@ -162,5 +171,7 @@ window.addEventListener("DOMContentLoaded", function()
         <div id="child"></div>
     </div>
 
+    <canvas id="canvas" width="65537" height="65537"></canvas>
+
 </body>
 </html>
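Review bot: The dimensions on the new `<canvas id="canvas" width="65537" height="65537">` line are magic numbers. 65537 × 65537 = 4,295,098,369, which is larger than 2^32 − 1, and that product is presumably what makes the checked area computation overflow, but nothing in the markup says so. An HTML comment on that line recording that the width and height are chosen so their product exceeds a 32-bit unsigned area would keep the test meaningful if the compositing threshold or the size type ever changes, and would make it obvious to the next reader that these values are deliberate rather than arbitrary.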
index 9e24129..10636ff 100644 (file)
@@ -1,3 +1,17 @@
+2016-11-14  David Kilzer  <ddkilzer@apple.com>
+
+        Bug 164702: WebContent crash due to checked unsigned overflow in WebCore: WebCore::RenderLayerCompositor::requiresCompositingLayer const + 1104
+        <https://webkit.org/b/164702>
+        <rdar://problem/29236368>
+
+        Reviewed by Darin Adler.
+
+        Test: inspector/layers/layers-compositing-reasons.html
+
+        * rendering/RenderLayerCompositor.cpp:
+        (WebCore::RenderLayerCompositor::requiresCompositingForCanvas):
+        Don't composite if the canvas area overflows.
+
 2016-11-14  Chris Dumez  <cdumez@apple.com>
 
         Fix the !ENABLE(FETCH_API) build after r208613
index 877bd05..40a7042 100644 (file)
@@ -2537,7 +2537,8 @@ bool RenderLayerCompositor::requiresCompositingForCanvas(RenderLayerModelObject&
         bool isCanvasLargeEnoughToForceCompositing = true;
 #else
         HTMLCanvasElement* canvas = downcast<HTMLCanvasElement>(renderer.element());
-        bool isCanvasLargeEnoughToForceCompositing = canvas->size().area().unsafeGet() >= canvasAreaThresholdRequiringCompositing;
+        auto canvasArea = canvas->size().area<RecordOverflow>();
+        bool isCanvasLargeEnoughToForceCompositing = !canvasArea.hasOverflowed() && canvasArea.unsafeGet() >= canvasAreaThresholdRequiringCompositing;
 #endif
         CanvasCompositingStrategy compositingStrategy = canvasCompositingStrategy(renderer);
         return compositingStrategy == CanvasAsLayerContents || (compositingStrategy == CanvasPaintedToLayer && isCanvasLargeEnoughToForceCompositing);
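Review bot: The guard is sound as written, since `hasOverflowed()` is evaluated before `unsafeGet()` and `&&` short-circuits, so an overflowed `Checked` value is never read. What the new lines do not convey is why an area too large to represent should be treated as "not large enough" to force compositing, when numerically it is the largest canvas possible; the rationale currently lives only in the ChangeLog ("Don't composite if the canvas area overflows"). A short comment beside `auto canvasArea = canvas->size().area<RecordOverflow>();` stating that an overflowing area intentionally falls through to the non-forced path would keep that reasoning in the code. Note also that the branch before `#else`, which hardcodes `isCanvasLargeEnoughToForceCompositing = true`, is unaffected by this change.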