Context Navigation

← Previous Changeset
Next Changeset →

Changeset 248722 in webkit

Timestamp:

Aug 15, 2019 10:20:20 AM (5 years ago)

Author:

Antti Koivisto

Message:

Negative size box with border radius causes hang under WebCore::approximateAsRegion
https://bugs.webkit.org/show_bug.cgi?id=200769
<rdar://problem/53380674>

Reviewed by Alex Christensen.

Source/WebCore:

If a box's width or height computes negative the rounded border rect will also be negative.
This caused near-infinite loop during rounded border region approximation.

Test: fast/css/border-radius-negative-size.html

platform/graphics/RoundedRect.cpp:

(WebCore::approximateAsRegion):

Bail out if the region is empty (which includes negative sizes).
For safety also limit the number of rectangles we generate for corner arc approximation.

LayoutTests:

fast/css/border-radius-negative-size-expected.txt: Added.
fast/css/border-radius-negative-size.html: Added.

Location:

trunk

Files:

: 2 added
: 3 edited

LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/fast/css/border-radius-negative-size-expected.txt (added)
LayoutTests/fast/css/border-radius-negative-size.html (added)
Source/WebCore/ChangeLog (modified) (1 diff)
Source/WebCore/platform/graphics/RoundedRect.cpp (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r248718
+                      r248722
+-08-15  Antti Koivisto  <antti@apple.com>
+        Negative size box with border radius causes hang under WebCore::approximateAsRegion
+        https://bugs.webkit.org/show_bug.cgi?id=200769
+        <rdar://problem/53380674>
+        Reviewed by Alex Christensen.
+        * fast/css/border-radius-negative-size-expected.txt: Added.
+        * fast/css/border-radius-negative-size.html: Added.
 -08-15  Youenn Fablet  <youenn@apple.com>

trunk/Source/WebCore/ChangeLog

-                      r248721
+                      r248722
+-08-15  Antti Koivisto  <antti@apple.com>
+        Negative size box with border radius causes hang under WebCore::approximateAsRegion
+        https://bugs.webkit.org/show_bug.cgi?id=200769
+        <rdar://problem/53380674>
+        Reviewed by Alex Christensen.
+        If a box's width or height computes negative the rounded border rect will also be negative.
+        This caused near-infinite loop during rounded border region approximation.
+        Test: fast/css/border-radius-negative-size.html
+        * platform/graphics/RoundedRect.cpp:
+        (WebCore::approximateAsRegion):
+        Bail out if the region is empty (which includes negative sizes).
+        For safety also limit the number of rectangles we generate for corner arc approximation.
 -08-15  Thibault Saunier  <tsaunier@igalia.com>

trunk/Source/WebCore/platform/graphics/RoundedRect.cpp

-                      r243680
+                      r248722
     Region region;
+    if (roundedRect.isEmpty())
+        return region;
     auto& rect = roundedRect.rect();
     region.unite(enclosingIntRect(rect));
 …
         auto count = (arcLengthFactor + (stepLength / 2)) / stepLength;
+        constexpr auto maximumCount = 20u;
+        count = std::min(maximumCount, count);
         for (auto i = 0u; i < count; ++i) {
             auto angle = fromAngle + (i + 1) * (toAngle - fromAngle) / (count + 1);

Note: See TracChangeset for help on using the changeset viewer.