Changeset 206249 in webkit
- Timestamp:
- Sep 21, 2016 11:01:33 PM (8 years ago)
- Location:
- trunk/Source
- Files:
-
- 6 edited
trunk/Source/WTF/ChangeLog
r206245 r206249 1 2016-09-21 Alexey Proskuryakov <ap@apple.com> 2 3 Rolling out r206244, as it caused flaky crashes on tests. 4 Was: Correct uses of 'safeCast' 5 6 * wtf/StdLibExtras.h: 7 (WTF::safeCast): 8 1 9 2016-09-21 Keith Miller <keith_miller@apple.com> 2 10 -
trunk/Source/WTF/wtf/StdLibExtras.h
r206244 r206249 160 160 inline ToType safeCast(FromType value) 161 161 { 162 RELEASE_ASSERT(isInBounds<ToType>(value));162 ASSERT(isInBounds<ToType>(value)); 163 163 return static_cast<ToType>(value); 164 164 } -
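Review bot: With the check reduced to `ASSERT`, `safeCast` no longer validates its range in release builds, so an out-of-range `value` is silently truncated by the `static_cast` on the next line; the assertion only fires in debug. The callers touched elsewhere in this changeset (BitmapImage.cpp and PDFDocumentImage.cpp) use it to narrow byte counts to `int`, so that truncation now feeds the decoded-size accounting unchecked. Since the RELEASE_ASSERT form was rolled out for flaky crashes rather than for being wrong, the weakened contract is worth spelling out above the function: `// Debug-only bounds check: in release builds an out-of-range value is truncated by the static_cast below.` The template header of safeCast is above the hunk.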
trunk/Source/WebCore/ChangeLog
r206246 r206249 1 2016-09-21 Alexey Proskuryakov <ap@apple.com> 2 3 Rolling out r206244, as it caused flaky crashes on tests. 4 Was: Correct uses of 'safeCast' 5 6 * loader/cache/MemoryCache.cpp: 7 (WebCore::MemoryCache::adjustSize): 8 * platform/graphics/BitmapImage.cpp: 9 (WebCore::BitmapImage::destroyMetadataAndNotify): 10 (WebCore::BitmapImage::cacheFrame): 11 (WebCore::BitmapImage::didDecodeProperties): 12 (WebCore::BitmapImage::dataChanged): 13 (WebCore::BitmapImage::frameImageAtIndex): 14 * platform/graphics/cg/PDFDocumentImage.cpp: 15 (WebCore::PDFDocumentImage::decodedSizeChanged): 16 (WebCore::PDFDocumentImage::updateCachedImageIfNeeded): 17 1 18 2016-09-21 Chris Dumez <cdumez@apple.com> 2 19 -
trunk/Source/WebCore/loader/cache/MemoryCache.cpp
r206244 r206249 645 645 { 646 646 if (live) { 647 RELEASE_ASSERT(delta >= 0 || ((int)m_liveSize + delta >= 0));647 ASSERT(delta >= 0 || ((int)m_liveSize + delta >= 0)); 648 648 m_liveSize += delta; 649 649 } else { 650 RELEASE_ASSERT(delta >= 0 || ((int)m_deadSize + delta >= 0));650 ASSERT(delta >= 0 || ((int)m_deadSize + delta >= 0)); 651 651 m_deadSize += delta; 652 652 } -
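Review bot: The precondition on new lines 647 and 650 is checked only under `ASSERT`, so in release builds a negative `delta` whose magnitude exceeds `m_liveSize` still reaches `m_liveSize += delta` and wraps the counter, which the cast suggests is unsigned. The `(int)m_liveSize` C-style cast is also implementation-defined before C++20 if the size ever exceeds INT_MAX; a named cast keeps the intent greppable: `ASSERT(delta >= 0 || (static_cast<int>(m_liveSize) + delta >= 0));`. adjustSize's signature is above the hunk, so the declared types of `delta` and the two counters cannot be confirmed from here.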
trunk/Source/WebCore/platform/graphics/BitmapImage.cpp
r206244 r206249 1 1 /* 2 2 * Copyright (C) 2006 Samuel Weinig (sam.weinig@gmail.com) 3 * Copyright (C) 2004 -2006, 2008, 2015-2016Apple Inc. All rights reserved.3 * Copyright (C) 2004, 2005, 2006, 2008, 2015 Apple Inc. All rights reserved. 4 4 * 5 5 * Redistribution and use in source and binary forms, with or without … … 37 37 #include "TextStream.h" 38 38 #include "Timer.h" 39 #include <wtf/CheckedArithmetic.h>40 39 #include <wtf/CurrentTime.h> 41 40 #include <wtf/Vector.h> … … 144 143 invalidatePlatformData(); 145 144 146 if (!WTF::safeSub(m_decodedSize, frameBytesCleared, m_decodedSize))147 CRASH_WITH_SECURITY_IMPLICATION();145 ASSERT(m_decodedSize >= frameBytesCleared); 146 m_decodedSize -= frameBytesCleared; 148 147 149 148 // Clearing the ImageSource destroys the extra decoded data used for determining image properties. 150 long long adjustedFrameBytesCleared = frameBytesCleared;151 149 if (clearedSource == ClearedSource::Yes) { 152 adjustedFrameBytesCleared += m_decodedPropertiesSize;150 frameBytesCleared += m_decodedPropertiesSize; 153 151 m_decodedPropertiesSize = 0; 154 152 } 155 153 156 if (adjustedFrameBytesCleared && imageObserver()) { 157 Checked<int> checkedDelta = adjustedFrameBytesCleared; 158 imageObserver()->decodedSizeChanged(this, -checkedDelta.unsafeGet()); 159 } 154 if (frameBytesCleared && imageObserver()) 155 imageObserver()->decodedSizeChanged(this, -safeCast<int>(frameBytesCleared)); 160 156 } 161 157 … … 177 173 178 174 if (m_frames[index].hasNativeImage()) { 179 if (!WTF::safeAdd(m_decodedSize, m_frames[index].frameBytes(), m_decodedSize)) { 180 LOG(Images, "BitmapImage %p cacheFrame m_decodedSize overflowed unsigned.", this); 181 destroyDecodedData(false); 182 return; 183 } 184 175 int deltaBytes = safeCast<int>(m_frames[index].frameBytes()); 176 m_decodedSize += deltaBytes; 185 177 // The fully-decoded frame will subsume the partially decoded data used 186 178 // to determine image properties. 
187 long long deltaBytes = m_frames[index].frameBytes() -m_decodedPropertiesSize;179 deltaBytes -= m_decodedPropertiesSize; 188 180 m_decodedPropertiesSize = 0; 189 190 Checked<int, RecordOverflow> checkedDeltaBytes = deltaBytes;191 if (checkedDeltaBytes.hasOverflowed()) {192 LOG(Images, "BitmapImage %p cacheFrame deltaBytes=%lld overflowed integer.", this, deltaBytes);193 destroyDecodedData(false);194 return;195 }196 197 181 if (imageObserver()) 198 imageObserver()->decodedSizeChanged(this, checkedDeltaBytes.unsafeGet());182 imageObserver()->decodedSizeChanged(this, deltaBytes); 199 183 } 200 184 } … … 209 193 return; 210 194 211 long longdeltaBytes = updatedSize - m_decodedPropertiesSize;195 int deltaBytes = updatedSize - m_decodedPropertiesSize; 212 196 #if !ASSERT_DISABLED 213 197 bool overflow = updatedSize > m_decodedPropertiesSize && deltaBytes < 0; … … 216 200 #endif 217 201 m_decodedPropertiesSize = updatedSize; 218 if (imageObserver()) { 219 Checked<int> checkedDeltaBytes = deltaBytes; 220 imageObserver()->decodedSizeChanged(this, checkedDeltaBytes.unsafeGet()); 221 } 202 if (imageObserver()) 203 imageObserver()->decodedSizeChanged(this, deltaBytes); 222 204 } 223 205 … … 275 257 // frame affected by appending new data here. Thus we have to clear all the 276 258 // incomplete frames to be safe. 277 Checked<unsigned>frameBytesCleared = 0;259 unsigned frameBytesCleared = 0; 278 260 for (auto& frame : m_frames) { 279 261 // NOTE: Don't call frameIsCompleteAtIndex() here, that will try to … … 283 265 frameBytesCleared += frame.clear(); 284 266 } 285 destroyMetadataAndNotify(frameBytesCleared .unsafeGet(), ClearedSource::No);267 destroyMetadataAndNotify(frameBytesCleared, ClearedSource::No); 286 268 #else 287 269 // FIXME: why is this different for iOS? 
288 Checked<int>deltaBytes = 0;270 int deltaBytes = 0; 289 271 if (!m_frames.isEmpty()) { 290 272 if (int bytes = m_frames[m_frames.size() - 1].clear()) { … … 294 276 } 295 277 } 296 destroyMetadataAndNotify(deltaBytes .unsafeGet(), ClearedSource::No);278 destroyMetadataAndNotify(deltaBytes, ClearedSource::No); 297 279 #endif 298 280 … … 375 357 376 358 // If the image is already cached, but at too small a size, re-decode a larger version. 377 unsigned sizeChange =m_frames[index].clear();359 int sizeChange = -m_frames[index].clear(); 378 360 invalidatePlatformData(); 379 380 if (WTF::safeSub(m_decodedSize, sizeChange, m_decodedSize)) { 381 LOG(Images, "BitmapImage %p frameImageAtIndex m_decodedSize overflowed unsigned.", this); 382 destroyDecodedData(false); 383 return nullptr; 384 } 385 386 Checked<int, RecordOverflow> checkedSizeChange = -sizeChange; 387 if (checkedSizeChange.hasOverflowed()) { 388 LOG(Images, "BitmapImage %p frameImageAtIndex sizeChange=%u overflowed integer.", this, -sizeChange); 389 destroyDecodedData(false); 390 return nullptr; 391 } 392 361 m_decodedSize += sizeChange; 393 362 if (imageObserver()) 394 imageObserver()->decodedSizeChanged(this, checkedSizeChange.unsafeGet());363 imageObserver()->decodedSizeChanged(this, sizeChange); 395 364 } 396 365 -
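Review bot: In the cacheFrame hunk, `int deltaBytes = safeCast<int>(m_frames[index].frameBytes()); m_decodedSize += deltaBytes;` routes an unsigned byte count through a cast that, after this changeset, is range-checked only in debug builds, then adds the `int` back into what the removed log message identifies as an unsigned `m_decodedSize`; a frame above INT_MAX bytes would wrap both the member and the delta reported to `decodedSizeChanged` in release. The same debug-only pattern recurs in destroyMetadataAndNotify (`ASSERT(m_decodedSize >= frameBytesCleared); m_decodedSize -= frameBytesCleared;`), in didDecodeProperties (the `#if !ASSERT_DISABLED` overflow check), and in frameImageAtIndex (`int sizeChange = -m_frames[index].clear(); m_decodedSize += sizeChange;`, which relies on modular wrap-around to act as a subtraction). Since the rollout is deliberate, the weakened invariant should at least be recorded where the next reader will look, e.g. above `m_decodedSize += deltaBytes;`: `// FIXME: size accounting relies on debug-only checks; r206244 added release-mode overflow handling and was rolled out for flaky crashes.` All four enclosing functions begin above their hunks.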
trunk/Source/WebCore/platform/graphics/cg/PDFDocumentImage.cpp
r206244 r206249 1 1 /* 2 * Copyright (C) 2004 -2016Apple Inc. All rights reserved.2 * Copyright (C) 2004, 2005, 2006, 2013 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 39 39 #include "IntRect.h" 40 40 #include "Length.h" 41 #include "Logging.h"42 41 #include "SharedBuffer.h" 43 42 #include "TextStream.h" 44 43 #include <CoreGraphics/CGContext.h> 45 44 #include <CoreGraphics/CGPDFDocument.h> 46 #include <wtf/CheckedArithmetic.h>47 45 #include <wtf/MathExtras.h> 48 46 #include <wtf/RAMSize.h> … … 184 182 return; 185 183 186 long long deltaBytes = m_cachedBytes - newCachedBytes;187 188 Checked<int> checkedDeltaBytes = deltaBytes;189 184 if (imageObserver()) 190 imageObserver()->decodedSizeChanged(this, - checkedDeltaBytes.unsafeGet());185 imageObserver()->decodedSizeChanged(this, -safeCast<int>(m_cachedBytes) + newCachedBytes); 191 186 192 187 ASSERT(s_allDecodedDataSize >= m_cachedBytes); 193 188 // Update with the difference in two steps to avoid unsigned underflow subtraction. 
194 if (!WTF::safeSub(s_allDecodedDataSize, m_cachedBytes, s_allDecodedDataSize)) 195 CRASH_WITH_SECURITY_IMPLICATION(); 196 197 if (!WTF::safeAdd(s_allDecodedDataSize, newCachedBytes, s_allDecodedDataSize)) 198 CRASH_WITH_SECURITY_IMPLICATION(); 189 s_allDecodedDataSize -= m_cachedBytes; 190 s_allDecodedDataSize += newCachedBytes; 199 191 200 192 m_cachedBytes = newCachedBytes; … … 244 236 if (m_pdfImageCachingPolicy == PDFImageCachingBelowMemoryLimit) { 245 237 IntSize scaledSize = ImageBuffer::compatibleBufferSize(cachedImageSize, context); 246 Checked<size_t, RecordOverflow> scaledBytes = scaledSize.area() * 4; 247 248 if (scaledBytes.hasOverflowed()) { 249 LOG(Images, "PDFDocumentImage %p updateCachedImageIfNeeded scaledBytes overflowed size_t.", this); 250 destroyDecodedData(); 251 return; 252 } 253 254 Checked<size_t, RecordOverflow> potentialDecodedDataSize = s_allDecodedDataSize + scaledBytes - m_cachedBytes; 255 if (potentialDecodedDataSize.hasOverflowed() || potentialDecodedDataSize.unsafeGet() > s_maxDecodedDataSize) { 256 LOG(Images, "PDFDocumentImage %p updateCachedImageIfNeeded potentialDecodedDataSize overflowed size_t.", this); 238 if (s_allDecodedDataSize + safeCast<size_t>(scaledSize.width()) * scaledSize.height() * 4 - m_cachedBytes > s_maxDecodedDataSize) { 257 239 destroyDecodedData(); 258 240 return; … … 278 260 279 261 IntSize internalSize = m_cachedImageBuffer->internalSize(); 280 Checked<size_t, RecordOverflow> scaledBytes = internalSize.area() * 4; 281 if (scaledBytes.hasOverflowed()) { 282 LOG(Images, "PDFDocumentImage %p updateCachedImageIfNeeded scaledBytes overflowed size_t.", this); 283 destroyDecodedData(); 284 return; 285 } 286 287 decodedSizeChanged(scaledBytes.unsafeGet()); 262 decodedSizeChanged(safeCast<size_t>(internalSize.width()) * internalSize.height() * 4); 288 263 } 289 264
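Review bot: On new line 185, `-safeCast<int>(m_cachedBytes) + newCachedBytes` mixes a negated `int` with `newCachedBytes`, which is assigned to `m_cachedBytes` and compared against the `size_t` `s_allDecodedDataSize`, so it is presumably unsigned; the expression is then evaluated as unsigned and implicitly narrowed to the `int` parameter of `decodedSizeChanged`, so the sign of a shrink is preserved by wrap-around rather than by design. This sits oddly beside the comment three lines later that the `s_allDecodedDataSize` update is deliberately split into two steps to avoid unsigned underflow. Computing the difference in a wide signed type first makes the intent explicit: `const long long deltaBytes = static_cast<long long>(newCachedBytes) - static_cast<long long>(m_cachedBytes);` followed by `imageObserver()->decodedSizeChanged(this, safeCast<int>(deltaBytes));`. The `safeCast<size_t>(scaledSize.width()) * scaledSize.height() * 4` products in updateCachedImageIfNeeded likewise pull an `int` height into `size_t` arithmetic with no check against negative dimensions or product overflow, which the removed `Checked<size_t, RecordOverflow>` path at least detected; decodedSizeChanged's signature is above the hunk.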