Bug 1334582 - Check whether overall progress exceeds UINT64_MAX. r?birtles draft
authorHiroyuki Ikezoe <hikezoe@mozilla.com>
Tue, 12 Sep 2017 07:16:41 +0900
changeset 662696 db348ec1ee52f273d1fb66f568f79da856878610
parent 662695 214455d2e988ea4bb62c4367c851d89a78c99039
child 662697 9880d2692035c9fc8e22a6b84fd6e64d3869bb08
push id79159
push userhikezoe@mozilla.com
push dateMon, 11 Sep 2017 23:25:15 +0000
reviewersbirtles
bugs1334582
milestone57.0a1
Bug 1334582 - Check whether overall progress exceeds UINT64_MAX. r?birtles The overall progress is factored in iteration start, so even if TimingParams.mIterations is less than UINT64_MAX, it will exceed UINT64_MAX. MozReview-Commit-ID: CEOYAGsCoIE
dom/animation/AnimationEffectReadOnly.cpp
dom/animation/test/crashtests/1334582-2.html
dom/animation/test/crashtests/crashtests.list
--- a/dom/animation/AnimationEffectReadOnly.cpp
+++ b/dom/animation/AnimationEffectReadOnly.cpp
@@ -181,18 +181,19 @@ AnimationEffectReadOnly::GetComputedTimi
   // Factor in iteration start offset.
   if (IsFinite(overallProgress)) {
     overallProgress += result.mIterationStart;
   }
 
   // Determine the 0-based index of the current iteration.
   // https://w3c.github.io/web-animations/#current-iteration
   result.mCurrentIteration =
-    result.mIterations >= UINT64_MAX &&
-      result.mPhase == ComputedTiming::AnimationPhase::After
+    (result.mIterations >= UINT64_MAX
+     && result.mPhase == ComputedTiming::AnimationPhase::After)
+    || overallProgress >= UINT64_MAX
     ? UINT64_MAX // In GetComputedTimingDictionary(),
                  // we will convert this into Infinity
     : static_cast<uint64_t>(overallProgress);
 
   // Convert the overall progress to a fraction of a single iteration--the
   // simply iteration progress.
   // https://w3c.github.io/web-animations/#simple-iteration-progress
   double progress = IsFinite(overallProgress)
new file mode 100644
--- /dev/null
+++ b/dom/animation/test/crashtests/1334582-2.html
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="UTF-8">
+<script>
+window.onload = function(){
+  let a = document.documentElement.animate([], {"iterationStart": 1.7976931348623157e+308, "fill": "both"});
+};
+</script>
+</head>
+</html>
--- a/dom/animation/test/crashtests/crashtests.list
+++ b/dom/animation/test/crashtests/crashtests.list
@@ -19,15 +19,16 @@ pref(dom.animations-api.core.enabled,tru
 pref(dom.animations-api.core.enabled,true) load 1324554-1.html
 pref(dom.animations-api.core.enabled,true) load 1325193-1.html
 pref(dom.animations-api.core.enabled,true) load 1330190-1.html
 pref(dom.animations-api.core.enabled,true) load 1330190-2.html
 pref(dom.animations-api.core.enabled,true) load 1330513-1.html
 pref(dom.animations-api.core.enabled,true) load 1333539-1.html
 pref(dom.animations-api.core.enabled,true) load 1333539-2.html
 pref(dom.animations-api.core.enabled,true) load 1334582-1.html
+pref(dom.animations-api.core.enabled,true) load 1334582-2.html
 pref(dom.animations-api.core.enabled,true) load 1334583-1.html
 pref(dom.animations-api.core.enabled,true) load 1335998-1.html
 pref(dom.animations-api.core.enabled,true) load 1343589-1.html
 pref(dom.animations-api.core.enabled,true) load 1359658-1.html
 pref(dom.animations-api.core.enabled,true) load 1373712-1.html
 pref(dom.animations-api.core.enabled,true) load 1379606-1.html
 pref(dom.animations-api.core.enabled,true) load 1393605-1.html