Changeset 178156 in webkit

Timestamp:

Jan 8, 2015 9:29:09 PM (9 years ago)

Author:

Chris Dumez

Message:

ASSERTION FAILED: !valueWithCalculation.calculation() in WebCore::CSSParser::validateCalculationUnit
​https://bugs.webkit.org/show_bug.cgi?id=140251

Reviewed by Darin Adler.

Source/WebCore:

Using a calculated value for text-shadow's blur-radius was hitting an
assertion in CSSParser::validateCalculationUnit() because validUnit()
is called twice, first with 'FLength' unit, then more stricly with
'FLength|FNonNeg' if parsing the blur-radius as it cannot be negative
as per the specification:

• ​http://dev.w3.org/csswg/css-text-decor-3/#text-shadow-property
• ​http://dev.w3.org/csswg/css-backgrounds-3/#shadow

On the second call, the ValueWithCalculation's m_calculation member
was already initialized and the code did not handle this. This patch
updates validateCalculationUnit() to teach it to reuse the previously
parsed calculation in this case. All it needs to do is to update the
existing CSSCalcValue's range to allow negative values or not.

When writing the layout test for this, I also noticed that the CSS
parser was not rejecting negative calculated values for blur-radius
(only negative non-calculated ones). This is because
validateCalculationUnit() was ignoring FNonNeg if the calculated
value is a Length. This patch also addresses the issue.

Test: fast/css/text-shadow-calc-value.html

• css/CSSCalculationValue.h:

(WebCore::CSSCalcValue::setPermittedValueRange):
Add a setter to update the CSSCalculationValue's permitted value range
so that the CSS parser does not need to fully reparse the calculation
only to update the permitted value range.

• css/CSSParser.cpp:

(WebCore::CSSParser::validateCalculationUnit):

• Teach the code to reuse the previously parsed calculation value.
• Do the FNonNeg check for Length calculations as well.

LayoutTests:

Add a layout test to check that using calculated values for
'text-shadow' CSS doesn't crash and works as intended. Also check
that the CSS parser is correctly validating the blur-radius, which
is supposed to be non-negative, as per the specification:

• ​http://dev.w3.org/csswg/css-text-decor-3/#text-shadow-property
• ​http://dev.w3.org/csswg/css-backgrounds-3/#shadow

• fast/css/text-shadow-calc-value-expected.txt: Added.
• fast/css/text-shadow-calc-value.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/css/text-shadow-calc-value-expected.txt (added)
• LayoutTests/fast/css/text-shadow-calc-value.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/css/CSSCalculationValue.h (modified) (3 diffs)
• Source/WebCore/css/CSSParser.cpp (modified) (3 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2015-01-08  Chris Dumez  <cdumez@apple.com>
+
+        ASSERTION FAILED: !valueWithCalculation.calculation() in WebCore::CSSParser::validateCalculationUnit
+        https://bugs.webkit.org/show_bug.cgi?id=140251
+
+        Reviewed by Darin Adler.
+
+        Add a layout test to check that using calculated values for
+        'text-shadow' CSS doesn't crash and works as intended. Also check
+        that the CSS parser is correctly validating the blur-radius, which
+        is supposed to be non-negative, as per the specification:
+        - http://dev.w3.org/csswg/css-text-decor-3/#text-shadow-property
+        - http://dev.w3.org/csswg/css-backgrounds-3/#shadow
+
+        * fast/css/text-shadow-calc-value-expected.txt: Added.
+        * fast/css/text-shadow-calc-value.html: Added.
+
 2015-01-08  Benjamin Poulain  <bpoulain@apple.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2015-01-08  Chris Dumez  <cdumez@apple.com>
+
+        ASSERTION FAILED: !valueWithCalculation.calculation() in WebCore::CSSParser::validateCalculationUnit
+        https://bugs.webkit.org/show_bug.cgi?id=140251
+
+        Reviewed by Darin Adler.
+
+        Using a calculated value for text-shadow's blur-radius was hitting an
+        assertion in CSSParser::validateCalculationUnit() because validUnit()
+        is called twice, first with 'FLength' unit, then more stricly with
+        'FLength|FNonNeg' if parsing the blur-radius as it cannot be negative
+        as per the specification:
+        - http://dev.w3.org/csswg/css-text-decor-3/#text-shadow-property
+        - http://dev.w3.org/csswg/css-backgrounds-3/#shadow
+
+        On the second call, the ValueWithCalculation's m_calculation member
+        was already initialized and the code did not handle this. This patch
+        updates validateCalculationUnit() to teach it to reuse the previously
+        parsed calculation in this case. All it needs to do is to update the
+        existing CSSCalcValue's range to allow negative values or not.
+
+        When writing the layout test for this, I also noticed that the CSS
+        parser was not rejecting negative calculated values for blur-radius
+        (only negative non-calculated ones). This is because
+        validateCalculationUnit() was ignoring FNonNeg if the calculated
+        value is a Length. This patch also addresses the issue.
+
+        Test: fast/css/text-shadow-calc-value.html
+
+        * css/CSSCalculationValue.h:
+        (WebCore::CSSCalcValue::setPermittedValueRange):
+        Add a setter to update the CSSCalculationValue's permitted value range
+        so that the CSS parser does not need to fully reparse the calculation
+        only to update the permitted value range.
+
+        * css/CSSParser.cpp:
+        (WebCore::CSSParser::validateCalculationUnit):
+        - Teach the code to reuse the previously parsed calculation value.
+        - Do the FNonNeg check for Length calculations as well.
+
 2015-01-08  Darin Adler  <darin@apple.com>
 

trunk/Source/WebCore/css/CSSCalculationValue.h

@@ -98 +98 @@
 
     Ref<CalculationValue> createCalculationValue(const CSSToLengthConversionData&) const;
+    void setPermittedValueRange(CalculationPermittedValueRange);
 
     String customCSSText() const;
@@ -108 +109 @@
 
     const Ref<CSSCalcExpressionNode> m_expression;
-    const bool m_shouldClampToNonNegative;
+    bool m_shouldClampToNonNegative;
 };
 
@@ -124 +125 @@
 }
 
+inline void CSSCalcValue::setPermittedValueRange(CalculationPermittedValueRange range)
+{
+    m_shouldClampToNonNegative = range != CalculationRangeAll;
+}
+
 } // namespace WebCore
 

trunk/Source/WebCore/css/CSSParser.cpp

@@ -1587 +1587 @@
     bool mustBeNonNegative = unitFlags & FNonNeg;
 
-    ASSERT(!valueWithCalculation.calculation());
-    RefPtr<CSSCalcValue> calculation = parseCalculation(valueWithCalculation, mustBeNonNegative ? CalculationRangeNonNegative : CalculationRangeAll);
-    if (!calculation)
-        return false;
+    RefPtr<CSSCalcValue> calculation;
+    if (valueWithCalculation.calculation()) {
+        // The calculation value was already parsed so we reuse it. However, we may need to update its range.
+        calculation = valueWithCalculation.calculation();
+        calculation->setPermittedValueRange(mustBeNonNegative ? CalculationRangeNonNegative : CalculationRangeAll);
+    } else {
+        valueWithCalculation.setCalculation(parseCalculation(valueWithCalculation, mustBeNonNegative ? CalculationRangeNonNegative : CalculationRangeAll));
+        calculation = valueWithCalculation.calculation();
+        if (!calculation)
+            return false;
+    }
 
     bool isValid = false;
@@ -1605 +1612 @@
     case CalcLength:
         isValid = (unitFlags & FLength);
+        if (isValid && mustBeNonNegative && calculation->isNegative())
+            isValid = false;
         break;
     case CalcPercent:
@@ -1629 +1638 @@
         break;
     }
-    if (isValid)
-        valueWithCalculation.setCalculation(WTF::move(calculation));
+
     return isValid;
 }