Bug 1547420 - Handle bounds overflow in FrameLayerBuilder::PaintItems() r=mattwoodrow
authorMiko Mynttinen <mikokm@gmail.com>
Fri, 03 May 2019 15:15:44 +0000
changeset 531311 762224e2d5e9076f67088e396046d92813d27459
parent 531310 10e1808b667554314618e4b9dc8c33e8a930ed9b
child 531312 cf9f2fb3cfad4ba66bae732ae7c9acf21b7ff6dd
push id11265
push userffxbld-merge
push dateMon, 13 May 2019 10:53:39 +0000
reviewersmattwoodrow
bugs1547420
milestone68.0a1
Bug 1547420 - Handle bounds overflow in FrameLayerBuilder::PaintItems() r=mattwoodrow Differential Revision: https://phabricator.services.mozilla.com/D29754
layout/painting/FrameLayerBuilder.cpp
layout/painting/crashtests/1547420-1.html
layout/painting/crashtests/crashtests.list
--- a/layout/painting/FrameLayerBuilder.cpp
+++ b/layout/painting/FrameLayerBuilder.cpp
@@ -6836,16 +6836,23 @@ void FrameLayerBuilder::PaintItems(std::
   DrawTarget& aDrawTarget = *aContext->GetDrawTarget();
 
   int32_t appUnitsPerDevPixel = aPresContext->AppUnitsPerDevPixel();
   nsRect boundRect = ToAppUnits(aRect, appUnitsPerDevPixel);
   boundRect.MoveBy(NSIntPixelsToAppUnits(aOffset.x, appUnitsPerDevPixel),
                    NSIntPixelsToAppUnits(aOffset.y, appUnitsPerDevPixel));
   boundRect.ScaleInverseRoundOut(aXScale, aYScale);
 
+  if (boundRect.IsEmpty()) {
+    // Hack! This can happen if the conversion of |aRect| to scaled and offset
+    // app units overflowed. Ideally the conversion would detect this and handle
+    // such situations gracefully. For now, do nothing.
+    return;
+  }
+
 #ifdef DEBUG
   // Tracks effect nesting level. These are used to track that every effect
   // start marker has a corresponding end marker.
   int opacityLevel = 0;
   int transformLevel = 0;
 #endif
 
   // Tracks effect nesting level for skipping items between effect markers,
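Review bot: The `boundRect.IsEmpty()` guard only catches an overflow that happens to collapse the rect to empty; if the `ToAppUnits` / `MoveBy` / `ScaleInverseRoundOut` chain overflows into a non-empty but wrong rect, the painting code below still runs with bad bounds, so this filters one symptom rather than detecting the overflow. It also makes a legitimately empty `aRect` indistinguishable from an overflowed one, and the return is silent in both cases. Consider surfacing the overflow case in debug builds just before the `return;`, e.g. `if (!aRect.IsEmpty()) { NS_WARNING("PaintItems: boundRect overflowed"); }` (assuming `aRect`'s type offers `IsEmpty()`), and naming a follow-up bug in the comment (`// See bug <FOLLOW-UP-BUG>`) so the "Hack!" stays tracked. The body of `PaintItems` continues outside this hunk, so whether later code re-validates the bounds cannot be seen here.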
new file mode 100644
--- /dev/null
+++ b/layout/painting/crashtests/1547420-1.html
@@ -0,0 +1,21 @@
+<script></script>
+<style>
+* {
+  text-align-last: right;
+  min-height: max-content;
+  min-width: 1vmin;
+  writing-mode: vertical-rl;
+}
+</style>
+<q style="writing-mode: lr">
+<marquee></marquee>
+<style></style>
+</q>
+<dl style="-webkit-transform: skew(0deg); mso-ignore: colspan">
+<dd>
+<table>
+<dt style="margin-left: 67%; scale: 7 46 0.006057077979">
+</dt>
+<marquee bgcolor="-moz-mac-accentdarkestshadow">
+<button autofocus="autofocus">
+
--- a/layout/painting/crashtests/crashtests.list
+++ b/layout/painting/crashtests/crashtests.list
@@ -12,8 +12,10 @@ load 1430589-1.html
 load 1454105-1.html
 load 1455944-1.html
 load 1465305-1.html
 load 1468124-1.html
 load 1469472.html
 load 1477831-1.html
 load 1504033.html
 load 1514544-1.html
+load 1547420-1.html
+