Changeset 206635 in webkit

Timestamp:

Sep 30, 2016, 9:01:36 AM (9 years ago)

Author:

Said Abou-Hallawa

Message:

Change the MemoryCache and CachedResource adjustSize functions to take a long argument
​https://bugs.webkit.org/show_bug.cgi?id=162708
<rdar://problem/28555702>

Reviewed by Brent Fulgham.

Source/WebCore:

Because the MemoryCache stores the size of the cached memory in unsigned,
two problems my happen when reporting a change in the size of the memory:

1. Signed integer overflow -- which can happen because MemoryCache::adjustSize() takes a signed integer argument. If the allocated or the freed memory size is larger than the maximum of a signed integer, an overflow will happen. For the image caching code, this can be seen where the unsigned decodedSize is casted to an integer before passing it to ImageObserver::decodedSizeChanged().

2. Unsigned integer overflow -- which can happen if the new allocated memory size plus the currentSize exceeds the maximum of unsigned. This can be seen in MemoryCache::adjustSize() where we add delta to m_liveSize or m_deadSize without checking whether this addition will overflow or not. We do not assert for overflow although we assert for underflow.

The fix for these two problems can be the following:

1. Make all the adjustSize functions all the way till MemoryCache::adjustSize() take a signed long integer argument.

2. Do not create a NativeImagePtr for an ImageFrame if its frameBytes plus the ImageFrameCache::decodedSize() will exceed the maximum of an unsigned integer.

• loader/cache/CachedImage.cpp:

(WebCore::CachedImage::decodedSizeChanged): Change the argument to be long. No overflow will happen when casting the argument from unsigned to long.

• loader/cache/CachedImage.h:
• loader/cache/CachedResource.cpp:

(WebCore::CachedResource::setDecodedSize): Use long integer casting when calling MemoryCache::adjustSize().
(WebCore::CachedResource::setEncodedSize): Ditto.

• loader/cache/MemoryCache.cpp:

(WebCore::MemoryCache::MemoryCache): Add as static assert to ensure sizeof(long long) can hold any unsigned or its negation.
(WebCore::MemoryCache::revalidationSucceeded): Use long integer casting when calling MemoryCache::adjustSize().
(WebCore::MemoryCache::remove): Ditto.
(WebCore::MemoryCache::adjustSize): Change the function argument to long integer. No overflow will happen when casting the argument from unsigned to long.

• loader/cache/MemoryCache.h:
• platform/graphics/ImageFrameCache.cpp:

(WebCore::ImageFrameCache::destroyIncompleteDecodedData): Call a function with its new name.
(WebCore::ImageFrameCache::decodedSizeChanged): Change the function argument to long integer. No overflow will happen when casting the argument from unsigned to long.
(WebCore::ImageFrameCache::decodedSizeIncreased): Use long integer casting when calling decodedSizeChanged().
(WebCore::ImageFrameCache::decodedSizeDecreased): Ditto.
(WebCore::ImageFrameCache::decodedSizeReset): Ditto.
(WebCore::ImageFrameCache::didDecodeProperties): Ditto.
(WebCore::ImageFrameCache::frameAtIndex): Do not create the NativeImage if adding its frameByes to the MemoryCache will cause numerical overflow.
(WebCore::ImageFrameCache::decodedSizeIncremented): Deleted. This function is renamed decodedSizeIncreased().
(WebCore::ImageFrameCache::decodedSizeDecremented): Deleted. This function is renamed decodedSizeDecreased().

• platform/graphics/ImageFrameCache.h:
• platform/graphics/ImageObserver.h:
• platform/graphics/IntSize.h:

(WebCore::IntSize::unclampedArea): Returns the area of an IntSize in size_t.

• platform/graphics/cg/PDFDocumentImage.cpp:

(WebCore::PDFDocumentImage::decodedSizeChanged): Use long integer casting when calling ImageObserver::decodedSizeChanged().

LayoutTests:

• TestExpectations: Remove failed tests.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/TestExpectations (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/loader/cache/CachedImage.cpp (modified) (1 diff)
• Source/WebCore/loader/cache/CachedImage.h (modified) (1 diff)
• Source/WebCore/loader/cache/CachedResource.cpp (modified) (3 diffs)
• Source/WebCore/loader/cache/MemoryCache.cpp (modified) (4 diffs)
• Source/WebCore/loader/cache/MemoryCache.h (modified) (1 diff)
• Source/WebCore/platform/graphics/ImageFrameCache.cpp (modified) (9 diffs)
• Source/WebCore/platform/graphics/ImageFrameCache.h (modified) (1 diff)
• Source/WebCore/platform/graphics/ImageObserver.h (modified) (1 diff)
• Source/WebCore/platform/graphics/IntSize.h (modified) (1 diff)
• Source/WebCore/platform/graphics/cg/PDFDocumentImage.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-09-30  Said Abou-Hallawa  <sabouhallawa@apple.com>
+
+        Change the MemoryCache and CachedResource adjustSize functions to take a long argument
+        https://bugs.webkit.org/show_bug.cgi?id=162708
+        <rdar://problem/28555702>
+
+        Reviewed by Brent Fulgham.
+
+        * TestExpectations: Remove failed tests.
+
 2016-09-30  Chris Dumez  <cdumez@apple.com>
 

trunk/LayoutTests/TestExpectations

@@ -986 +986 @@
 # Only iOS has implemented lettepress.
 fast/text/letterpress-different.html [ ImageOnlyFailure ]
-
-webkit.org/b/162696 [ Release ] fast/images/paletted-png-with-color-profile.html [ Crash ]
-webkit.org/b/162696 [ Release ] fast/images/paint-subrect.html [ Crash ]
-webkit.org/b/162696 [ Release ] fast/images/paint-subrect-grid.html [ Crash ]
-webkit.org/b/162696 [ Release ] fast/images/pdf-as-image-crop-box.html [ Crash ]
-webkit.org/b/162696 [ Release ] fast/images/link-body-content-imageDimensionChanged-crash.html [ Crash ]
-webkit.org/b/162696 [ Release ] fast/images/object-data-url-case-insensitivity.html [ Crash ]
-webkit.org/b/162696 [ Release ] fast/images/move-image-to-new-document.html [ Crash ]
-webkit.org/b/162696 [ Release ] fast/images/pdf-as-background.html [ Crash ]
-webkit.org/b/162696 [ Release ] fast/images/pdf-as-image-landscape.html [ Crash ]
-webkit.org/b/162696 [ Release ] fast/images/pdf-as-image-with-annotations-expected.html [ Crash ]
-webkit.org/b/162696 [ Release ] fast/images/pdf-as-image-too-big.html [ Crash ]
-webkit.org/b/162696 [ Release ] fast/images/object-image.html [ Crash ]
-webkit.org/b/162696 [ Release ] fast/images/pdf-as-image-with-annotations.html [ Crash ]
-webkit.org/b/162696 [ Release ] fast/images/load-img-with-empty-src.html [ Crash ]

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-09-30  Said Abou-Hallawa  <sabouhallawa@apple.com>
+
+        Change the MemoryCache and CachedResource adjustSize functions to take a long argument
+        https://bugs.webkit.org/show_bug.cgi?id=162708
+        <rdar://problem/28555702>
+
+        Reviewed by Brent Fulgham.
+
+        Because the MemoryCache stores the size of the cached memory in unsigned,
+        two problems my happen when reporting a change in the size of the memory:
+        
+        1. Signed integer overflow -- which can happen because MemoryCache::adjustSize()
+           takes a signed integer argument. If the allocated or the freed memory size is
+           larger than the maximum of a signed integer, an overflow will happen.
+           For the image caching code, this can be seen where the unsigned decodedSize
+           is casted to an integer before passing it to ImageObserver::decodedSizeChanged().
+
+        2. Unsigned integer overflow -- which can happen if the new allocated memory
+           size plus the currentSize exceeds the maximum of unsigned.
+           This can be seen in MemoryCache::adjustSize() where we add delta to m_liveSize
+           or m_deadSize without checking whether this addition will overflow or not. We
+           do not assert for overflow although we assert for underflow.
+           
+        The fix for these two problems can be the following:
+        
+        1. Make all the adjustSize functions all the way till MemoryCache::adjustSize()
+           take a signed long integer argument.
+           
+        2. Do not create a NativeImagePtr for an ImageFrame if its frameBytes plus the
+           ImageFrameCache::decodedSize() will exceed the maximum of an unsigned integer.
+
+        * loader/cache/CachedImage.cpp:
+        (WebCore::CachedImage::decodedSizeChanged): Change the argument to be long. No overflow will happen when casting the argument from unsigned to long.
+        * loader/cache/CachedImage.h:
+        * loader/cache/CachedResource.cpp: 
+        (WebCore::CachedResource::setDecodedSize): Use long integer casting when calling MemoryCache::adjustSize().
+        (WebCore::CachedResource::setEncodedSize): Ditto.
+        * loader/cache/MemoryCache.cpp:
+        (WebCore::MemoryCache::MemoryCache): Add as static assert to ensure sizeof(long long) can hold any unsigned or its negation.
+        (WebCore::MemoryCache::revalidationSucceeded): Use long integer casting when calling MemoryCache::adjustSize().
+        (WebCore::MemoryCache::remove): Ditto.
+        (WebCore::MemoryCache::adjustSize): Change the function argument to long integer. No overflow will happen when casting the argument from unsigned to long.
+        * loader/cache/MemoryCache.h:
+        * platform/graphics/ImageFrameCache.cpp:
+        (WebCore::ImageFrameCache::destroyIncompleteDecodedData): Call a function with its new name.
+        (WebCore::ImageFrameCache::decodedSizeChanged): Change the function argument to long integer. No overflow will happen when casting the argument from unsigned to long.
+        (WebCore::ImageFrameCache::decodedSizeIncreased): Use long integer casting when calling decodedSizeChanged().
+        (WebCore::ImageFrameCache::decodedSizeDecreased): Ditto.
+        (WebCore::ImageFrameCache::decodedSizeReset): Ditto.
+        (WebCore::ImageFrameCache::didDecodeProperties): Ditto.
+        (WebCore::ImageFrameCache::frameAtIndex): Do not create the NativeImage if adding its frameByes to the MemoryCache will cause numerical overflow.
+        (WebCore::ImageFrameCache::decodedSizeIncremented): Deleted. This function is renamed decodedSizeIncreased().
+        (WebCore::ImageFrameCache::decodedSizeDecremented): Deleted. This function is renamed decodedSizeDecreased().
+        * platform/graphics/ImageFrameCache.h:
+        * platform/graphics/ImageObserver.h:
+        * platform/graphics/IntSize.h:
+        (WebCore::IntSize::unclampedArea): Returns the area of an IntSize in size_t.
+        * platform/graphics/cg/PDFDocumentImage.cpp:
+        (WebCore::PDFDocumentImage::decodedSizeChanged): Use long integer casting when calling ImageObserver::decodedSizeChanged().
+
 2016-09-30  Chris Dumez  <cdumez@apple.com>
 

trunk/Source/WebCore/loader/cache/CachedImage.cpp

@@ -451 +451 @@
 }
 
-void CachedImage::decodedSizeChanged(const Image* image, int delta)
+void CachedImage::decodedSizeChanged(const Image* image, long long delta)
 {
     if (!image || image != m_image)
         return;
-    
+
+    ASSERT(delta >= 0 || decodedSize() + delta >= 0);
     setDecodedSize(decodedSize() + delta);
 }

trunk/Source/WebCore/loader/cache/CachedImage.h

@@ -119 +119 @@
 
     // ImageObserver
-    void decodedSizeChanged(const Image*, int delta) override;
+    void decodedSizeChanged(const Image*, long long delta) override;
     void didDraw(const Image*) override;
 

trunk/Source/WebCore/loader/cache/CachedResource.cpp

@@ -650 +650 @@
         return;
 
-    int delta = size - m_decodedSize;
+    long long delta = static_cast<long long>(size) - m_decodedSize;
 
     // The object must be moved to a different queue, since its size has been changed.
@@ -656 +656 @@
     if (allowsCaching() && inCache())
         MemoryCache::singleton().removeFromLRUList(*this);
-    
+
     m_decodedSize = size;
    
@@ -687 +687 @@
         return;
 
-    int delta = size - m_encodedSize;
+    long long delta = static_cast<long long>(size) - m_encodedSize;
 
     // The object must be moved to a different queue, since its size has been changed.

trunk/Source/WebCore/loader/cache/MemoryCache.cpp

@@ -72 +72 @@
     , m_pruneTimer(*this, &MemoryCache::prune)
 {
+    static_assert(sizeof(long long) > sizeof(unsigned), "Numerical overflow can happen when adjusting the size of the cached memory.");
 }
 
@@ -149 +150 @@
     resource.updateResponseAfterRevalidation(response);
     insertInLRUList(resource);
-    int delta = resource.size();
+    long long delta = resource.size();
     if (resource.decodedSize() && resource.hasClients())
         insertInLiveDecodedResourcesList(resource);
@@ -449 +450 @@
             removeFromLRUList(resource);
             removeFromLiveDecodedResourcesList(resource);
-            adjustSize(resource.hasClients(), -static_cast<int>(resource.size()));
+            adjustSize(resource.hasClients(), -static_cast<long long>(resource.size()));
         } else
             ASSERT(resources->get(key) != &resource);
@@ -642 +643 @@
 }
 
-void MemoryCache::adjustSize(bool live, int delta)
+void MemoryCache::adjustSize(bool live, long long delta)
 {
     if (live) {
-        ASSERT(delta >= 0 || ((int)m_liveSize + delta >= 0));
+        ASSERT(delta >= 0 || (static_cast<long long>(m_liveSize) + delta >= 0));
         m_liveSize += delta;
     } else {
-        ASSERT(delta >= 0 || ((int)m_deadSize + delta >= 0));
+        ASSERT(delta >= 0 || (static_cast<long long>(m_deadSize) + delta >= 0));
         m_deadSize += delta;
     }

trunk/Source/WebCore/loader/cache/MemoryCache.h

@@ -134 +134 @@
 
     // Called to adjust the cache totals when a resource changes size.
-    void adjustSize(bool live, int delta);
+    void adjustSize(bool live, long long delta);
 
     // Track decoded resources that are in the cache and referenced by a Web page.

trunk/Source/WebCore/platform/graphics/ImageFrameCache.cpp

@@ -36 +36 @@
 #endif
 
+#include <wtf/CheckedArithmetic.h>
+
+
 namespace WebCore {
 
@@ -67 +70 @@
     for (size_t i = 0; i <  count; ++i)
         decodedSize += m_frames[i].clearImage();
-    
+
     decodedSizeReset(decodedSize);
 }
@@ -94 +97 @@
         decodedSize += frame.clear();
     }
-    
-    decodedSizeDecremented(decodedSize);
-}
-
-
-void ImageFrameCache::decodedSizeChanged(int decodedSize)
+
+    decodedSizeDecreased(decodedSize);
+}
+
+void ImageFrameCache::decodedSizeChanged(long long decodedSize)
 {
     if (!decodedSize || !m_image || !m_image->imageObserver())
@@ -107 +109 @@
 }
 
-void ImageFrameCache::decodedSizeIncremented(unsigned decodedSize)
+void ImageFrameCache::decodedSizeIncreased(unsigned decodedSize)
 {
     if (!decodedSize)
@@ -116 +118 @@
     // The fully-decoded frame will subsume the partially decoded data used
     // to determine image properties.
-    int changeSize = decodedSize - m_decodedPropertiesSize;
+    long long changeSize = static_cast<long long>(decodedSize) - m_decodedPropertiesSize;
     m_decodedPropertiesSize = 0;
     decodedSizeChanged(changeSize);
 }
 
-void ImageFrameCache::decodedSizeDecremented(unsigned decodedSize)
+void ImageFrameCache::decodedSizeDecreased(unsigned decodedSize)
 {
     if (!decodedSize)
         return;
-    
+
     ASSERT(m_decodedSize >= decodedSize);
     m_decodedSize -= decodedSize;
-    decodedSizeChanged(-safeCast<int>(decodedSize));
+    decodedSizeChanged(-static_cast<long long>(decodedSize));
 }
 
@@ -135 +137 @@
     ASSERT(m_decodedSize >= decodedSize);
     m_decodedSize -= decodedSize;
-    
+
     // Clearing the ImageSource destroys the extra decoded data used for
     // determining image properties.
     decodedSize += m_decodedPropertiesSize;
     m_decodedPropertiesSize = 0;
-    decodedSizeChanged(-safeCast<int>(decodedSize));
+    decodedSizeChanged(-static_cast<long long>(decodedSize));
 }
 
@@ -147 +149 @@
     if (m_decodedSize)
         return;
-    
-    int decodedSize = decodedPropertiesSize - m_decodedPropertiesSize;
+
+    long long decodedSize = static_cast<long long>(decodedPropertiesSize) - m_decodedPropertiesSize;
     m_decodedPropertiesSize = decodedPropertiesSize;
     decodedSizeChanged(decodedSize);
@@ -216 +218 @@
     if (frame.hasInvalidNativeImage(subsamplingLevel)) {
         unsigned decodedSize = frame.clear();
-        decodedSizeDecremented(decodedSize);
+        decodedSizeDecreased(decodedSize);
     }
     
@@ -223 +225 @@
     
     if (!frame.hasNativeImage() && caching == ImageFrame::Caching::MetadataAndImage) {
-        setFrameNativeImage(m_decoder->createFrameImageAtIndex(index, subsamplingLevel), index, subsamplingLevel);
-        decodedSizeIncremented(frame.frameBytes());
+        size_t frameBytes = size().unclampedArea() * sizeof(RGBA32);
+
+        // Do not create the NativeImage if adding its frameByes to the MemoryCache will cause numerical overflow.
+        if (WTF::isInBounds<unsigned>(frameBytes + decodedSize())) {
+            setFrameNativeImage(m_decoder->createFrameImageAtIndex(index, subsamplingLevel), index, subsamplingLevel);
+            decodedSizeIncreased(frame.frameBytes());
+        }
     }
     

trunk/Source/WebCore/platform/graphics/ImageFrameCache.h

@@ -88 +88 @@
 
     bool isDecoderAvailable() const { return m_decoder; }
-    void decodedSizeChanged(int decodedSize);
+    void decodedSizeChanged(long long decodedSize);
     void didDecodeProperties(unsigned decodedPropertiesSize);
-    void decodedSizeIncremented(unsigned decodedSize);
-    void decodedSizeDecremented(unsigned decodedSize);
+    void decodedSizeIncreased(unsigned decodedSize);
+    void decodedSizeDecreased(unsigned decodedSize);
     void decodedSizeReset(unsigned decodedSize);
 

trunk/Source/WebCore/platform/graphics/ImageObserver.h

@@ -38 +38 @@
     virtual ~ImageObserver() {}
 public:
-    virtual void decodedSizeChanged(const Image*, int delta) = 0;
+    virtual void decodedSizeChanged(const Image*, long long delta) = 0;
     virtual void didDraw(const Image*) = 0;
 

trunk/Source/WebCore/platform/graphics/IntSize.h

@@ -137 +137 @@
     }
 
+    size_t unclampedArea() const
+    {
+        return static_cast<size_t>(abs(m_width)) * abs(m_height);
+    }
+
     int diagonalLengthSquared() const
     {

trunk/Source/WebCore/platform/graphics/cg/PDFDocumentImage.cpp

@@ -183 +183 @@
 
     if (imageObserver())
-        imageObserver()->decodedSizeChanged(this, -safeCast<int>(m_cachedBytes) + newCachedBytes);
+        imageObserver()->decodedSizeChanged(this, -static_cast<long long>(m_cachedBytes) + newCachedBytes);
 
     ASSERT(s_allDecodedDataSize >= m_cachedBytes);