Changeset 206249 in webkit


Timestamp:
Sep 21, 2016 11:01:33 PM (8 years ago)
Author:
ap@apple.com
Message:

Rolling out r206244, as it caused flaky crashes on tests.
Was: Correct uses of 'safeCast'

Source/WebCore:

  • loader/cache/MemoryCache.cpp:

(WebCore::MemoryCache::adjustSize):

  • platform/graphics/BitmapImage.cpp:

(WebCore::BitmapImage::destroyMetadataAndNotify):
(WebCore::BitmapImage::cacheFrame):
(WebCore::BitmapImage::didDecodeProperties):
(WebCore::BitmapImage::dataChanged):
(WebCore::BitmapImage::frameImageAtIndex):

  • platform/graphics/cg/PDFDocumentImage.cpp:

(WebCore::PDFDocumentImage::decodedSizeChanged):
(WebCore::PDFDocumentImage::updateCachedImageIfNeeded):

Source/WTF:

  • wtf/StdLibExtras.h:

(WTF::safeCast):

Location:
trunk/Source
Files:
6 edited

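--- a/trunk/Source/WTF/ChangeLog
+++ b/trunk/Source/WTF/ChangeLog
@@ -1,2 +1,10 @@
+2016-09-21  Alexey Proskuryakov  <ap@apple.com>
+
+        Rolling out r206244, as it caused flaky crashes on tests.
+        Was: Correct uses of 'safeCast'
+
+        * wtf/StdLibExtras.h:
+        (WTF::safeCast):
+
 2016-09-21  Keith Miller  <keith_miller@apple.com>
 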
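--- a/trunk/Source/WTF/wtf/StdLibExtras.h
+++ b/trunk/Source/WTF/wtf/StdLibExtras.h
@@ -160,5 +160,5 @@
 inline ToType safeCast(FromType value)
 {
-    RELEASE_ASSERT(isInBounds<ToType>(value));
+    ASSERT(isInBounds<ToType>(value));
     return static_cast<ToType>(value);
 }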
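Review bot: With the bounds check downgraded to `ASSERT`, `safeCast` verifies `isInBounds<ToType>(value)` only in debug builds; in release builds an out-of-range `value` is narrowed silently by the `static_cast` on the next line, so any release-build caller that treated `safeCast` as an overflow guard now gets a plain truncation. If that is the accepted trade-off after the r206244 rollout, it should be stated at the definition, e.g. `// Bounds are checked only with ASSERT; in release builds an out-of-range value is truncated by static_cast, so this is not a guard for untrusted sizes.` The template header of `safeCast` is above the hunk.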
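--- a/trunk/Source/WebCore/ChangeLog
+++ b/trunk/Source/WebCore/ChangeLog
@@ -1,2 +1,19 @@
+2016-09-21  Alexey Proskuryakov  <ap@apple.com>
+
+        Rolling out r206244, as it caused flaky crashes on tests.
+        Was: Correct uses of 'safeCast'
+
+        * loader/cache/MemoryCache.cpp:
+        (WebCore::MemoryCache::adjustSize):
+        * platform/graphics/BitmapImage.cpp:
+        (WebCore::BitmapImage::destroyMetadataAndNotify):
+        (WebCore::BitmapImage::cacheFrame):
+        (WebCore::BitmapImage::didDecodeProperties):
+        (WebCore::BitmapImage::dataChanged):
+        (WebCore::BitmapImage::frameImageAtIndex):
+        * platform/graphics/cg/PDFDocumentImage.cpp:
+        (WebCore::PDFDocumentImage::decodedSizeChanged):
+        (WebCore::PDFDocumentImage::updateCachedImageIfNeeded):
+
 2016-09-21  Chris Dumez  <cdumez@apple.com>
 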
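--- a/trunk/Source/WebCore/loader/cache/MemoryCache.cpp
+++ b/trunk/Source/WebCore/loader/cache/MemoryCache.cpp
@@ -645,8 +645,8 @@
 {
     if (live) {
-        RELEASE_ASSERT(delta >= 0 || ((int)m_liveSize + delta >= 0));
+        ASSERT(delta >= 0 || ((int)m_liveSize + delta >= 0));
         m_liveSize += delta;
     } else {
-        RELEASE_ASSERT(delta >= 0 || ((int)m_deadSize + delta >= 0));
+        ASSERT(delta >= 0 || ((int)m_deadSize + delta >= 0));
         m_deadSize += delta;
     }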
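Review bot: The underflow guards on `m_liveSize` and `m_deadSize` are now debug-only, so in release builds a negative `delta` whose magnitude exceeds the current size wraps the counter on `m_liveSize += delta` / `m_deadSize += delta` and the cache accounting stays inconsistent from then on. The rollout message attributes the crashes to the `RELEASE_ASSERT` form, which suggests this condition is actually reached at runtime rather than being a pure invariant, so a marker is warranted here, e.g. `// FIXME: the RELEASE_ASSERT form of this check fired in practice (r206244 rollout); the accounting can go negative and is only caught in debug builds.` Note also that `(int)m_liveSize` is itself lossy once the size exceeds INT_MAX, if `m_liveSize` is an unsigned type as the cast suggests. The signature of `adjustSize` is above the hunk.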
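--- a/trunk/Source/WebCore/platform/graphics/BitmapImage.cpp
+++ b/trunk/Source/WebCore/platform/graphics/BitmapImage.cpp
@@ -1,5 +1,5 @@
 /*
  * Copyright (C) 2006 Samuel Weinig (sam.weinig@gmail.com)
- * Copyright (C) 2004-2006, 2008, 2015-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2004, 2005, 2006, 2008, 2015 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -37,5 +37,4 @@
 #include "TextStream.h"
 #include "Timer.h"
-#include <wtf/CheckedArithmetic.h>
 #include <wtf/CurrentTime.h>
 #include <wtf/Vector.h>
@@ -144,18 +143,15 @@
     invalidatePlatformData();
 
-    if (!WTF::safeSub(m_decodedSize, frameBytesCleared, m_decodedSize))
-        CRASH_WITH_SECURITY_IMPLICATION();
+    ASSERT(m_decodedSize >= frameBytesCleared);
+    m_decodedSize -= frameBytesCleared;
 
     // Clearing the ImageSource destroys the extra decoded data used for determining image properties.
-    long long adjustedFrameBytesCleared = frameBytesCleared;
     if (clearedSource == ClearedSource::Yes) {
-        adjustedFrameBytesCleared += m_decodedPropertiesSize;
+        frameBytesCleared += m_decodedPropertiesSize;
         m_decodedPropertiesSize = 0;
     }
 
-    if (adjustedFrameBytesCleared && imageObserver()) {
-        Checked<int> checkedDelta = adjustedFrameBytesCleared;
-        imageObserver()->decodedSizeChanged(this, -checkedDelta.unsafeGet());
-    }
+    if (frameBytesCleared && imageObserver())
+        imageObserver()->decodedSizeChanged(this, -safeCast<int>(frameBytesCleared));
 }
 
@@ -177,24 +173,12 @@
 
     if (m_frames[index].hasNativeImage()) {
-        if (!WTF::safeAdd(m_decodedSize, m_frames[index].frameBytes(), m_decodedSize)) {
-            LOG(Images, "BitmapImage %p cacheFrame m_decodedSize overflowed unsigned.", this);
-            destroyDecodedData(false);
-            return;
-        }
-
+        int deltaBytes = safeCast<int>(m_frames[index].frameBytes());
+        m_decodedSize += deltaBytes;
         // The fully-decoded frame will subsume the partially decoded data used
         // to determine image properties.
-        long long deltaBytes = m_frames[index].frameBytes() - m_decodedPropertiesSize;
+        deltaBytes -= m_decodedPropertiesSize;
         m_decodedPropertiesSize = 0;
-
-        Checked<int, RecordOverflow> checkedDeltaBytes = deltaBytes;
-        if (checkedDeltaBytes.hasOverflowed()) {
-            LOG(Images, "BitmapImage %p cacheFrame deltaBytes=%lld overflowed integer.", this, deltaBytes);
-            destroyDecodedData(false);
-            return;
-        }
-
         if (imageObserver())
-            imageObserver()->decodedSizeChanged(this, checkedDeltaBytes.unsafeGet());
+            imageObserver()->decodedSizeChanged(this, deltaBytes);
     }
 }
@@ -209,5 +193,5 @@
         return;
 
-    long long deltaBytes = updatedSize - m_decodedPropertiesSize;
+    int deltaBytes = updatedSize - m_decodedPropertiesSize;
 #if !ASSERT_DISABLED
     bool overflow = updatedSize > m_decodedPropertiesSize && deltaBytes < 0;
@@ -216,8 +200,6 @@
 #endif
     m_decodedPropertiesSize = updatedSize;
-    if (imageObserver()) {
-        Checked<int> checkedDeltaBytes = deltaBytes;
-        imageObserver()->decodedSizeChanged(this, checkedDeltaBytes.unsafeGet());
-    }
+    if (imageObserver())
+        imageObserver()->decodedSizeChanged(this, deltaBytes);
 }
 
@@ -275,5 +257,5 @@
     // frame affected by appending new data here. Thus we have to clear all the
     // incomplete frames to be safe.
-    Checked<unsigned> frameBytesCleared = 0;
+    unsigned frameBytesCleared = 0;
     for (auto& frame : m_frames) {
         // NOTE: Don't call frameIsCompleteAtIndex() here, that will try to
@@ -283,8 +265,8 @@
             frameBytesCleared += frame.clear();
     }
-    destroyMetadataAndNotify(frameBytesCleared.unsafeGet(), ClearedSource::No);
+    destroyMetadataAndNotify(frameBytesCleared, ClearedSource::No);
 #else
     // FIXME: why is this different for iOS?
-    Checked<int> deltaBytes = 0;
+    int deltaBytes = 0;
     if (!m_frames.isEmpty()) {
         if (int bytes = m_frames[m_frames.size() - 1].clear()) {
@@ -294,5 +276,5 @@
         }
     }
-    destroyMetadataAndNotify(deltaBytes.unsafeGet(), ClearedSource::No);
+    destroyMetadataAndNotify(deltaBytes, ClearedSource::No);
 #endif
    
@@ -375,22 +357,9 @@
 
         // If the image is already cached, but at too small a size, re-decode a larger version.
-        unsigned sizeChange = m_frames[index].clear();
+        int sizeChange = -m_frames[index].clear();
         invalidatePlatformData();
-
-        if (WTF::safeSub(m_decodedSize, sizeChange, m_decodedSize)) {
-            LOG(Images, "BitmapImage %p frameImageAtIndex m_decodedSize overflowed unsigned.", this);
-            destroyDecodedData(false);
-            return nullptr;
-        }
-
-        Checked<int, RecordOverflow> checkedSizeChange = -sizeChange;
-        if (checkedSizeChange.hasOverflowed()) {
-            LOG(Images, "BitmapImage %p frameImageAtIndex sizeChange=%u overflowed integer.", this, -sizeChange);
-            destroyDecodedData(false);
-            return nullptr;
-        }
-
+        m_decodedSize += sizeChange;
         if (imageObserver())
-            imageObserver()->decodedSizeChanged(this, checkedSizeChange.unsafeGet());
+            imageObserver()->decodedSizeChanged(this, sizeChange);
     }
 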
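Review bot: In `destroyMetadataAndNotify` the new `ASSERT(m_decodedSize >= frameBytesCleared)` followed by `m_decodedSize -= frameBytesCleared` leaves the subtraction unchecked in release builds, so a cleared-bytes count larger than the running total wraps `m_decodedSize` and every later size report to the observer is built on a corrupt base; the same debug-only pattern reappears in `cacheFrame` (`m_decodedSize += deltaBytes` after `deltaBytes -= m_decodedPropertiesSize`) and in `frameImageAtIndex` (`m_decodedSize += sizeChange` with a negated `int`). Given this is a rollout, the minimum is to record the known gap at the first site, e.g. `// FIXME: m_decodedSize can underflow here in release builds; the checked-arithmetic version (r206244) was rolled out for flaky crashes.` It is also worth noting that `frameBytesCleared += m_decodedPropertiesSize` mutates what appears to be a by-value parameter, which is fine but easy to misread as updating the caller's total. The signatures of all three functions are above their hunks.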
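--- a/trunk/Source/WebCore/platform/graphics/cg/PDFDocumentImage.cpp
+++ b/trunk/Source/WebCore/platform/graphics/cg/PDFDocumentImage.cpp
@@ -1,4 +1,4 @@
 /*
- * Copyright (C) 2004-2016 Apple Inc.  All rights reserved.
+ * Copyright (C) 2004, 2005, 2006, 2013 Apple Inc.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -39,10 +39,8 @@
 #include "IntRect.h"
 #include "Length.h"
-#include "Logging.h"
 #include "SharedBuffer.h"
 #include "TextStream.h"
 #include <CoreGraphics/CGContext.h>
 #include <CoreGraphics/CGPDFDocument.h>
-#include <wtf/CheckedArithmetic.h>
 #include <wtf/MathExtras.h>
 #include <wtf/RAMSize.h>
@@ -184,17 +182,11 @@
         return;
 
-    long long deltaBytes = m_cachedBytes - newCachedBytes;
-
-    Checked<int> checkedDeltaBytes = deltaBytes;
     if (imageObserver())
-        imageObserver()->decodedSizeChanged(this, -checkedDeltaBytes.unsafeGet());
+        imageObserver()->decodedSizeChanged(this, -safeCast<int>(m_cachedBytes) + newCachedBytes);
 
     ASSERT(s_allDecodedDataSize >= m_cachedBytes);
     // Update with the difference in two steps to avoid unsigned underflow subtraction.
-    if (!WTF::safeSub(s_allDecodedDataSize, m_cachedBytes, s_allDecodedDataSize))
-        CRASH_WITH_SECURITY_IMPLICATION();
-
-    if (!WTF::safeAdd(s_allDecodedDataSize, newCachedBytes, s_allDecodedDataSize))
-        CRASH_WITH_SECURITY_IMPLICATION();
+    s_allDecodedDataSize -= m_cachedBytes;
+    s_allDecodedDataSize += newCachedBytes;
 
     m_cachedBytes = newCachedBytes;
@@ -244,15 +236,5 @@
     if (m_pdfImageCachingPolicy == PDFImageCachingBelowMemoryLimit) {
         IntSize scaledSize = ImageBuffer::compatibleBufferSize(cachedImageSize, context);
-        Checked<size_t, RecordOverflow> scaledBytes = scaledSize.area() * 4;
-
-        if (scaledBytes.hasOverflowed()) {
-            LOG(Images, "PDFDocumentImage %p updateCachedImageIfNeeded scaledBytes overflowed size_t.", this);
-            destroyDecodedData();
-            return;
-        }
-
-        Checked<size_t, RecordOverflow> potentialDecodedDataSize = s_allDecodedDataSize + scaledBytes - m_cachedBytes;
-        if (potentialDecodedDataSize.hasOverflowed() || potentialDecodedDataSize.unsafeGet() > s_maxDecodedDataSize) {
-            LOG(Images, "PDFDocumentImage %p updateCachedImageIfNeeded potentialDecodedDataSize overflowed size_t.", this);
+        if (s_allDecodedDataSize + safeCast<size_t>(scaledSize.width()) * scaledSize.height() * 4 - m_cachedBytes > s_maxDecodedDataSize) {
             destroyDecodedData();
             return;
@@ -278,12 +260,5 @@
 
     IntSize internalSize = m_cachedImageBuffer->internalSize();
-    Checked<size_t, RecordOverflow> scaledBytes = internalSize.area() * 4;
-    if (scaledBytes.hasOverflowed()) {
-        LOG(Images, "PDFDocumentImage %p updateCachedImageIfNeeded scaledBytes overflowed size_t.", this);
-        destroyDecodedData();
-        return;
-    }
-
-    decodedSizeChanged(scaledBytes.unsafeGet());
+    decodedSizeChanged(safeCast<size_t>(internalSize.width()) * internalSize.height() * 4);
 }
 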
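Review bot: In `decodedSizeChanged`, `-safeCast<int>(m_cachedBytes) + newCachedBytes` mixes a negated `int` with what the later `s_allDecodedDataSize += newCachedBytes` suggests is an unsigned byte count, so the sum is evaluated in the unsigned type and only then narrowed to the observer parameter; the value comes out right by two's-complement wrap-around, but the intent is hidden and nothing states that the wrap is relied upon. A clearer form is to name the delta first, `int deltaBytes = safeCast<int>(newCachedBytes) - safeCast<int>(m_cachedBytes);` and pass `deltaBytes`, or at least to comment that the expression is intentionally computed modulo the unsigned width. In `updateCachedImageIfNeeded` the memory-limit test now computes `safeCast<size_t>(scaledSize.width()) * scaledSize.height() * 4` and `s_allDecodedDataSize + ... - m_cachedBytes` with no overflow check, so an oversized `scaledSize` can wrap below `s_maxDecodedDataSize` and bypass the limit; if that is accepted for the rollout, a `// FIXME:` at the comparison should say so. The bodies of both functions start above their hunks.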