summaryrefslogtreecommitdiff
path: root/Source/WebCore/css/CSSComputedStyleDeclaration.cpp
diff options
context:
space:
mode:
authorhmuller@adobe.com <hmuller@adobe.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>2013-09-27 23:17:34 +0000
committerKonstantin Tokarev <annulen@yandex.ru>2016-09-27 07:16:46 +0000
commit7cdd855e3287492093749a833b8b56c67e8db800 (patch)
tree44dba000af3df4eb85751e1f0acca62d358a0b4c /Source/WebCore/css/CSSComputedStyleDeclaration.cpp
parent3bb3f4e49fec10dfe1bd58e3466384317d71ffbe (diff)
downloadqtwebkit-7cdd855e3287492093749a833b8b56c67e8db800.tar.gz
Crash on shape-outside when using calc()
https://bugs.webkit.org/show_bug.cgi?id=121020 Reviewed by Dirk Schulze. Source/WebCore: This change prevents a crash caused by specifying a CSS Shape geometry Length attribute with a calc() expression. It adds support for converting Lengths to CSSPrimitive Values, in large part by migrating Blink changes made to the calc classes since the split. Doing so required a few supporting changes in some related classes, notably CSSPrimitiveValue. Tests: fast/shapes/shape-inside/shape-inside-calc-crash.html css3/calc/simplification.html * css/BasicShapeFunctions.cpp: (WebCore::convertToCSSPrimitiveValue): Effectively use the new CSSPrimtiveValue(length,style) constructor to convert Lengths to CSSValues. (WebCore::valueForBasicShape): Use the convertToCSSPrimitiveValue() function. (WebCore::convertToLength): Added the CalculatedConversion convertToLength() flag to enable support for calc() valued Length Shape attributes. * css/BasicShapeFunctions.h: * css/CSSCalculationValue.cpp: (WebCore::hasDoubleValue): (WebCore::buildCssText): (WebCore::CSSCalcValue::clampToPermittedRange): (WebCore::CSSCalcValue::doubleValue): (WebCore::CSSCalcExpressionNode::~CSSCalcExpressionNode): (WebCore::CSSCalcPrimitiveValue::create): (WebCore::CSSCalcPrimitiveValue::toCalcValue): (WebCore::CSSCalcPrimitiveValue::doubleValue): (WebCore::CSSCalcPrimitiveValue::computeLengthPx): (WebCore::CSSCalcPrimitiveValue::primitiveType): (WebCore::CSSCalcPrimitiveValue::CSSCalcPrimitiveValue): (WebCore::determineCategory): (WebCore::isIntegerResult): (WebCore::CSSCalcBinaryOperation::create): (WebCore::CSSCalcBinaryOperation::createSimplified): (WebCore::CSSCalcBinaryOperation::doubleValue): (WebCore::CSSCalcBinaryOperation::buildCssText): (WebCore::CSSCalcBinaryOperation::primitiveType): (WebCore::CSSCalcBinaryOperation::CSSCalcBinaryOperation): (WebCore::CSSCalcBinaryOperation::getNumberSide): (WebCore::CSSCalcBinaryOperation::evaluate): (WebCore::CSSCalcBinaryOperation::evaluateOperator): (WebCore::CSSCalcExpressionNodeParser::parseValue): (WebCore::CSSCalcExpressionNodeParser::parseValueTerm): (WebCore::CSSCalcExpressionNodeParser::parseValueMultiplicativeExpression): (WebCore::CSSCalcExpressionNodeParser::parseAdditiveValueExpression): (WebCore::CSSCalcValue::createExpressionNode): (WebCore::CSSCalcValue::create): * css/CSSCalculationValue.h: (WebCore::CSSCalcExpressionNode::category): (WebCore::CSSCalcValue::create): (WebCore::CSSCalcValue::isInt): (WebCore::CSSCalcValue::permittedValueRange): (WebCore::CSSCalcValue::expressionNode): (WebCore::CSSCalcValue::CSSCalcValue): (WebCore::toCSSCalcValue): * css/CSSComputedStyleDeclaration.cpp: (WebCore::ComputedStyleExtractor::propertyValue): Pass the style along to the new valueForBasicShape() function. * css/CSSPrimitiveValue.cpp: (WebCore::CSSPrimitiveValue::unitCategory): Made this function public so that CSSCalculationValue could use it. (WebCore::CSSPrimitiveValue::conversionToCanonicalUnitsScaleFactor): Ditto. (WebCore::CSSPrimitiveValue::primitiveType): Cleared trailing whitespace. (WebCore::CSSPrimitiveValue::CSSPrimitiveValue): Construct a CSSPrimitiveValue from a Length and a RenderStyle*. (WebCore::CSSPrimitiveValue::init): The common part of the two Length CSSPrimitiveValue constructors. (WebCore::CSSPrimitiveValue::computeLengthDouble): Moved the case labels to the left per check-webkit-style. (WebCore::CSSPrimitiveValue::getStringValue): Ditto. (WebCore::CSSPrimitiveValue::getDoubleValue): Removed trailing whitespace. * css/CSSPrimitiveValue.h: (WebCore::CSSPrimitiveValue::create): Construct a CSSPrimitiveValue from a Length and a RenderStyle*. (WebCore::toCSSPrimitiveValue): Check the CSSValue*'s validity with ASSERT_WITH_SECURITY_IMPLICATION before casting to CSSPrimitiveValue*. * css/CSSValuePool.h: (WebCore::CSSValuePool::createValue): A new overload that delegates to the new CSSPrimitiveValue(length,style) constructor. * platform/CalculationValue.h: (WebCore::CalculationValue::operator==): (WebCore::CalculationValue::isNonNegative): (WebCore::CalculationValue::expression): (WebCore::CalcExpressionNumber::value): (WebCore::toCalcExpressionNumber): (WebCore::CalcExpressionLength::CalcExpressionLength): (WebCore::CalcExpressionLength::length): (WebCore::toCalcExpressionLength): (WebCore::CalcExpressionBinaryOperation::leftSide): (WebCore::CalcExpressionBinaryOperation::rightSide): (WebCore::CalcExpressionBinaryOperation::getOperator): (WebCore::toCalcExpressionBinaryOperation): (WebCore::CalcExpressionBlendLength::CalcExpressionBlendLength): (WebCore::CalcExpressionBlendLength::from): (WebCore::CalcExpressionBlendLength::to): (WebCore::CalcExpressionBlendLength::progress): (WebCore::toCalcExpressionBlendLength): LayoutTests: Specifying a CSS Shape geometry Length attribute with a calc() expression or looking up the value with getComputedStyle(), caused crashes. * fast/shapes/shape-inside/shape-inside-calc-crash-expected.txt: Added. * fast/shapes/shape-inside/shape-inside-calc-crash.html: Added. * css3/calc/simplification-expected.txt: Added * css3/calc/simplification.html: Added * LayoutTests/css3/calc/cssom-expected.txt: git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156586 268f45cc-cd09-0410-ab3c-d52691b4dbfc Change-Id: I38216be400bd7024999444d9c1c7e5ad79cce2de Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'Source/WebCore/css/CSSComputedStyleDeclaration.cpp')
-rw-r--r--Source/WebCore/css/CSSComputedStyleDeclaration.cpp6
1 files changed, 3 insertions, 3 deletions
diff --git a/Source/WebCore/css/CSSComputedStyleDeclaration.cpp b/Source/WebCore/css/CSSComputedStyleDeclaration.cpp
index f645ace2c..621cdf038 100644
--- a/Source/WebCore/css/CSSComputedStyleDeclaration.cpp
+++ b/Source/WebCore/css/CSSComputedStyleDeclaration.cpp
@@ -2707,7 +2707,7 @@ PassRefPtr<CSSValue> ComputedStyleExtractor::propertyValue(CSSPropertyID propert
case CSSPropertyWebkitClipPath:
if (ClipPathOperation* operation = style->clipPath()) {
if (operation->getOperationType() == ClipPathOperation::SHAPE)
- return valueForBasicShape(static_cast<ShapeClipPathOperation*>(operation)->basicShape());
+ return valueForBasicShape(style.get(), static_cast<ShapeClipPathOperation*>(operation)->basicShape());
#if ENABLE(SVG)
else if (operation->getOperationType() == ClipPathOperation::REFERENCE) {
ReferenceClipPathOperation* referenceOperation = static_cast<ReferenceClipPathOperation*>(operation);
@@ -2750,7 +2750,7 @@ PassRefPtr<CSSValue> ComputedStyleExtractor::propertyValue(CSSPropertyID propert
return cssValuePool().createIdentifierValue(CSSValueNone);
}
ASSERT(style->shapeInside()->type() == ShapeValue::Shape);
- return valueForBasicShape(style->shapeInside()->shape());
+ return valueForBasicShape(style.get(), style->shapeInside()->shape());
case CSSPropertyWebkitShapeOutside:
if (!style->shapeOutside())
return cssValuePool().createIdentifierValue(CSSValueAuto);
@@ -2760,7 +2760,7 @@ PassRefPtr<CSSValue> ComputedStyleExtractor::propertyValue(CSSPropertyID propert
return cssValuePool().createIdentifierValue(CSSValueNone);
}
ASSERT(style->shapeOutside()->type() == ShapeValue::Shape);
- return valueForBasicShape(style->shapeOutside()->shape());
+ return valueForBasicShape(style.get(), style->shapeOutside()->shape());
#endif
#if ENABLE(CSS_FILTERS)
case CSSPropertyWebkitFilter: