Crash on shape-outside when using calc()

https://bugs.webkit.org/show_bug.cgi?id=121020

Reviewed by Dirk Schulze.

Source/WebCore:

This change prevents a crash caused by specifying a CSS Shape geometry
Length attribute with a calc() expression. It adds support for converting
Lengths to CSSPrimitive Values, in large part by migrating Blink changes
made to the calc classes since the split. Doing so required a few supporting
changes in some related classes, notably CSSPrimitiveValue.

Tests: fast/shapes/shape-inside/shape-inside-calc-crash.html
       css3/calc/simplification.html

* css/BasicShapeFunctions.cpp:
(WebCore::convertToCSSPrimitiveValue): Effectively use the new CSSPrimtiveValue(length,style) constructor to convert Lengths to CSSValues.
(WebCore::valueForBasicShape): Use the convertToCSSPrimitiveValue() function.
(WebCore::convertToLength): Added the CalculatedConversion convertToLength() flag to enable support for calc() valued Length Shape attributes.
* css/BasicShapeFunctions.h:
* css/CSSCalculationValue.cpp:
(WebCore::hasDoubleValue):
(WebCore::buildCssText):
(WebCore::CSSCalcValue::clampToPermittedRange):
(WebCore::CSSCalcValue::doubleValue):
(WebCore::CSSCalcExpressionNode::~CSSCalcExpressionNode):
(WebCore::CSSCalcPrimitiveValue::create):
(WebCore::CSSCalcPrimitiveValue::toCalcValue):
(WebCore::CSSCalcPrimitiveValue::doubleValue):
(WebCore::CSSCalcPrimitiveValue::computeLengthPx):
(WebCore::CSSCalcPrimitiveValue::primitiveType):
(WebCore::CSSCalcPrimitiveValue::CSSCalcPrimitiveValue):
(WebCore::determineCategory):
(WebCore::isIntegerResult):
(WebCore::CSSCalcBinaryOperation::create):
(WebCore::CSSCalcBinaryOperation::createSimplified):
(WebCore::CSSCalcBinaryOperation::doubleValue):
(WebCore::CSSCalcBinaryOperation::buildCssText):
(WebCore::CSSCalcBinaryOperation::primitiveType):
(WebCore::CSSCalcBinaryOperation::CSSCalcBinaryOperation):
(WebCore::CSSCalcBinaryOperation::getNumberSide):
(WebCore::CSSCalcBinaryOperation::evaluate):
(WebCore::CSSCalcBinaryOperation::evaluateOperator):
(WebCore::CSSCalcExpressionNodeParser::parseValue):
(WebCore::CSSCalcExpressionNodeParser::parseValueTerm):
(WebCore::CSSCalcExpressionNodeParser::parseValueMultiplicativeExpression):
(WebCore::CSSCalcExpressionNodeParser::parseAdditiveValueExpression):
(WebCore::CSSCalcValue::createExpressionNode):
(WebCore::CSSCalcValue::create):
* css/CSSCalculationValue.h:
(WebCore::CSSCalcExpressionNode::category):
(WebCore::CSSCalcValue::create):
(WebCore::CSSCalcValue::isInt):
(WebCore::CSSCalcValue::permittedValueRange):
(WebCore::CSSCalcValue::expressionNode):
(WebCore::CSSCalcValue::CSSCalcValue):
(WebCore::toCSSCalcValue):
* css/CSSComputedStyleDeclaration.cpp:
(WebCore::ComputedStyleExtractor::propertyValue): Pass the style along to the new valueForBasicShape() function.
* css/CSSPrimitiveValue.cpp:
(WebCore::CSSPrimitiveValue::unitCategory): Made this function public so that CSSCalculationValue could use it.
(WebCore::CSSPrimitiveValue::conversionToCanonicalUnitsScaleFactor): Ditto.
(WebCore::CSSPrimitiveValue::primitiveType): Cleared trailing whitespace.
(WebCore::CSSPrimitiveValue::CSSPrimitiveValue): Construct a CSSPrimitiveValue from a Length and a RenderStyle*.
(WebCore::CSSPrimitiveValue::init): The common part of the two Length CSSPrimitiveValue constructors.
(WebCore::CSSPrimitiveValue::computeLengthDouble): Moved the case labels to the left per check-webkit-style.
(WebCore::CSSPrimitiveValue::getStringValue): Ditto.
(WebCore::CSSPrimitiveValue::getDoubleValue): Removed trailing whitespace.
* css/CSSPrimitiveValue.h:
(WebCore::CSSPrimitiveValue::create): Construct a CSSPrimitiveValue from a Length and a RenderStyle*.
(WebCore::toCSSPrimitiveValue): Check the CSSValue*'s validity with ASSERT_WITH_SECURITY_IMPLICATION before casting to CSSPrimitiveValue*.
* css/CSSValuePool.h:
(WebCore::CSSValuePool::createValue): A new overload that delegates to the new CSSPrimitiveValue(length,style) constructor.
* platform/CalculationValue.h:
(WebCore::CalculationValue::operator==):
(WebCore::CalculationValue::isNonNegative):
(WebCore::CalculationValue::expression):
(WebCore::CalcExpressionNumber::value):
(WebCore::toCalcExpressionNumber):
(WebCore::CalcExpressionLength::CalcExpressionLength):
(WebCore::CalcExpressionLength::length):
(WebCore::toCalcExpressionLength):
(WebCore::CalcExpressionBinaryOperation::leftSide):
(WebCore::CalcExpressionBinaryOperation::rightSide):
(WebCore::CalcExpressionBinaryOperation::getOperator):
(WebCore::toCalcExpressionBinaryOperation):
(WebCore::CalcExpressionBlendLength::CalcExpressionBlendLength):
(WebCore::CalcExpressionBlendLength::from):
(WebCore::CalcExpressionBlendLength::to):
(WebCore::CalcExpressionBlendLength::progress):
(WebCore::toCalcExpressionBlendLength):

LayoutTests:

Specifying a CSS Shape geometry Length attribute with a calc() expression
or looking up the value with getComputedStyle(), caused crashes.

* fast/shapes/shape-inside/shape-inside-calc-crash-expected.txt: Added.
* fast/shapes/shape-inside/shape-inside-calc-crash.html: Added.
* css3/calc/simplification-expected.txt: Added
* css3/calc/simplification.html: Added
* LayoutTests/css3/calc/cssom-expected.txt:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156586 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Change-Id: I38216be400bd7024999444d9c1c7e5ad79cce2de
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

1 files changed, 22 insertions, 5 deletions

diff --git a/Source/WebCore/css/CSSPrimitiveValue.h b/Source/WebCore/css/CSSPrimitiveValue.h
index 6bf437ac5..9ccb1eeb3 100644
--- a/Source/WebCore/css/CSSPrimitiveValue.h
+++ b/Source/WebCore/css/CSSPrimitiveValue.h
@@ -154,6 +154,7 @@ public:
 #endif
         UOther
     };
+    static UnitCategory unitCategory(CSSPrimitiveValue::UnitTypes);
 
     bool isAngle() const
     {
@@ -207,7 +208,7 @@ public:
     bool isViewportPercentageMax() const { return m_primitiveUnitType == CSS_VMAX; }
     bool isViewportPercentageMin() const { return m_primitiveUnitType == CSS_VMIN; }
     bool isValueID() const { return m_primitiveUnitType == CSS_VALUE_ID; }
-    
+
     static PassRefPtr<CSSPrimitiveValue> createIdentifier(CSSValueID valueID) { return adoptRef(new CSSPrimitiveValue(valueID)); }
     static PassRefPtr<CSSPrimitiveValue> createIdentifier(CSSPropertyID propertyID) { return adoptRef(new CSSPrimitiveValue(propertyID)); }
     static PassRefPtr<CSSPrimitiveValue> createParserOperator(int parserOperator) { return adoptRef(new CSSPrimitiveValue(parserOperator)); }
@@ -215,6 +216,7 @@ public:
     static PassRefPtr<CSSPrimitiveValue> createColor(unsigned rgbValue) { return adoptRef(new CSSPrimitiveValue(rgbValue)); }
     static PassRefPtr<CSSPrimitiveValue> create(double value, UnitTypes type) { return adoptRef(new CSSPrimitiveValue(value, type)); }
     static PassRefPtr<CSSPrimitiveValue> create(const String& value, UnitTypes type) { return adoptRef(new CSSPrimitiveValue(value, type)); }
+    static PassRefPtr<CSSPrimitiveValue> create(const Length& value, const RenderStyle* style) { return adoptRef(new CSSPrimitiveValue(value, style)); }
 
     template<typename T> static PassRefPtr<CSSPrimitiveValue> create(T value)
     {
@@ -314,7 +316,7 @@ public:
 #endif
 
     CSSBasicShape* getShapeValue() const { return m_primitiveUnitType != CSS_SHAPE ? 0 : m_value.shape; }
-    
+
     CSSCalcValue* cssCalcValue() const { return m_primitiveUnitType != CSS_CALC ? 0 : m_value.calc; }
 
     CSSPropertyID getPropertyID() const { return m_primitiveUnitType == CSS_PROPERTY_ID ? m_value.propertyID : CSSPropertyInvalid; }
@@ -333,12 +335,15 @@ public:
     void addSubresourceStyleURLs(ListHashSet<KURL>&, const StyleSheetContents*) const;
 
     Length viewportPercentageLength() const;
-    
+
     PassRefPtr<CSSPrimitiveValue> cloneForCSSOM() const;
     void setCSSOMSafe() { m_isCSSOMSafe = true; }
 
     bool equals(const CSSPrimitiveValue&) const;
 
+    static UnitTypes canonicalUnitTypeForCategory(UnitCategory);
+    static double conversionToCanonicalUnitsScaleFactor(unsigned short unitType);
+
 private:
     CSSPrimitiveValue(CSSValueID);
     CSSPrimitiveValue(CSSPropertyID);
@@ -346,6 +351,7 @@ private:
     CSSPrimitiveValue(int parserOperator);
     CSSPrimitiveValue(unsigned color); // RGB value
     CSSPrimitiveValue(const Length&);
+    CSSPrimitiveValue(const Length&, const RenderStyle*);
     CSSPrimitiveValue(const String&, UnitTypes);
     CSSPrimitiveValue(double, UnitTypes);
 
@@ -366,8 +372,7 @@ private:
     static void create(unsigned); // compile-time guard
     template<typename T> operator T*(); // compile-time guard
 
-    static UnitTypes canonicalUnitTypeForCategory(UnitCategory category);
-
+    void init(const Length&);
     void init(PassRefPtr<Counter>);
     void init(PassRefPtr<Rect>);
     void init(PassRefPtr<Pair>);
@@ -396,6 +401,18 @@ private:
     } m_value;
 };
 
+inline CSSPrimitiveValue* toCSSPrimitiveValue(CSSValue* value)
+{
+    ASSERT_WITH_SECURITY_IMPLICATION(!value || value->isPrimitiveValue());
+    return static_cast<CSSPrimitiveValue*>(value);
+}
+
+inline const CSSPrimitiveValue* toCSSPrimitiveValue(const CSSValue* value)
+{
+    ASSERT_WITH_SECURITY_IMPLICATION(!value || value->isPrimitiveValue());
+    return static_cast<const CSSPrimitiveValue*>(value);
+}
+
 } // namespace WebCore
 
 #endif // CSSPrimitiveValue_h