https://bugs.webkit.org/show_bug.cgi?id=134886
rdar://problem/
17663561
Reviewed by Chris Dumez.
Source/WebCore:
Test: fast/css/calc-binary-operation-crash.html
* css/CSSCalculationValue.cpp:
(WebCore::determineCategory):
Ensure that both axis are within the addSubtractResult table.
Remove unneeded CalcOther test. The call site guarantees it doesn't happen and the normal cases would handle it anyway.
Also strengthen some asserts.
LayoutTests:
* fast/css/calc-binary-operation-crash-expected.txt: Added.
* fast/css/calc-binary-operation-crash.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@177089
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
+2014-12-10 Antti Koivisto <antti@apple.com>
+
+ Crash when creating CSSCalcBinaryOperation
+ https://bugs.webkit.org/show_bug.cgi?id=134886
+ rdar://problem/17663561
+
+ Reviewed by Chris Dumez.
+
+ * fast/css/calc-binary-operation-crash-expected.txt: Added.
+ * fast/css/calc-binary-operation-crash.html: Added.
+
2014-12-10 Joanmarie Diggs <jdiggs@igalia.com>
AX: [ATK] MathML tokens with text fail to expose their text content via AtkText
--- /dev/null
+This test passes if it doesn't crash.
+
+X
--- /dev/null
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+<p>This test passes if it doesn't crash.</p>
+<p style="text-indent: calc(25s - 3px + 12.5%*2)">X</p>
+2014-12-10 Antti Koivisto <antti@apple.com>
+
+ Crash when creating CSSCalcBinaryOperation
+ https://bugs.webkit.org/show_bug.cgi?id=134886
+ rdar://problem/17663561
+
+ Reviewed by Chris Dumez.
+
+ Test: fast/css/calc-binary-operation-crash.html
+
+ * css/CSSCalculationValue.cpp:
+ (WebCore::determineCategory):
+
+ Ensure that both axis are within the addSubtractResult table.
+ Remove unneeded CalcOther test. The call site guarantees it doesn't happen and the normal cases would handle it anyway.
+ Also strengthen some asserts.
+
2014-12-10 Anders Carlsson <andersca@apple.com>
Add WebStorageNamespaceProvider::closeLocalStorage
case CalcOther:
ASSERT_NOT_REACHED();
}
+ ASSERT_NOT_REACHED();
return nullptr;
}
{
CalculationCategory leftCategory = leftSide.category();
CalculationCategory rightCategory = rightSide.category();
-
- if (leftCategory == CalcOther || rightCategory == CalcOther)
- return CalcOther;
+ ASSERT(leftCategory < CalcOther);
+ ASSERT(rightCategory < CalcOther);
switch (op) {
case CalcAdd:
case CalcSubtract:
- if (leftCategory < CalcAngle || rightCategory < CalcAngle)
+ if (leftCategory < CalcAngle && rightCategory < CalcAngle)
return addSubtractResult[leftCategory][rightCategory];
if (leftCategory == rightCategory)
return leftCategory;
public:
static PassRefPtr<CSSCalcBinaryOperation> create(CalcOperator op, PassRefPtr<CSSCalcExpressionNode> leftSide, PassRefPtr<CSSCalcExpressionNode> rightSide)
{
- ASSERT(leftSide->category() != CalcOther && rightSide->category() != CalcOther);
+ ASSERT(leftSide->category() < CalcOther);
+ ASSERT(rightSide->category() < CalcOther);
CalculationCategory newCategory = determineCategory(*leftSide, *rightSide, op);
{
CalculationCategory leftCategory = leftSide->category();
CalculationCategory rightCategory = rightSide->category();
- ASSERT(leftCategory != CalcOther && rightCategory != CalcOther);
+ ASSERT(leftCategory < CalcOther);
+ ASSERT(rightCategory < CalcOther);
bool isInteger = isIntegerResult(op, *leftSide, *rightSide);
git://git.webkit.org / WebKit-https.git / commitdiff