Bug 1334582 - Check whether overall progress exceeds UINT64_MAX. r=boris, a=lizzard
authorHiroyuki Ikezoe <hikezoe@mozilla.com>
Tue, 12 Sep 2017 08:42:54 +0900
changeset 424067 a18761befb035cddbf8c48644254b0a909719870
parent 424066 e35824dc078285160f59b2f5d3ad2f2cc12168b2
child 424068 867b9e3b4f92445085c77cecf485f6a5568faeaf
push id1517
push userjlorenzo@mozilla.com
push dateThu, 14 Sep 2017 16:50:54 +0000
treeherdermozilla-release@3b41fd564418 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersboris, lizzard
bugs1334582
milestone56.0
Bug 1334582 - Check whether overall progress exceeds UINT64_MAX. r=boris, a=lizzard The overall progress is factored in iteration start, so even if TimingParams.mIterations is less than UINT64_MAX, it will exceed UINT64_MAX. MozReview-Commit-ID: CEOYAGsCoIE
dom/animation/AnimationEffectReadOnly.cpp
dom/animation/test/crashtests/1334582-2.html
dom/animation/test/crashtests/crashtests.list
--- a/dom/animation/AnimationEffectReadOnly.cpp
+++ b/dom/animation/AnimationEffectReadOnly.cpp
@@ -178,18 +178,19 @@ AnimationEffectReadOnly::GetComputedTimi
   // Factor in iteration start offset.
   if (IsFinite(overallProgress)) {
     overallProgress += result.mIterationStart;
   }
 
   // Determine the 0-based index of the current iteration.
   // https://w3c.github.io/web-animations/#current-iteration
   result.mCurrentIteration =
-    result.mIterations >= UINT64_MAX &&
-      result.mPhase == ComputedTiming::AnimationPhase::After
+    (result.mIterations >= UINT64_MAX
+     && result.mPhase == ComputedTiming::AnimationPhase::After)
+    || overallProgress >= UINT64_MAX
     ? UINT64_MAX // In GetComputedTimingDictionary(),
                  // we will convert this into Infinity
     : static_cast<uint64_t>(overallProgress);
 
   // Convert the overall progress to a fraction of a single iteration--the
   // simply iteration progress.
   // https://w3c.github.io/web-animations/#simple-iteration-progress
   double progress = IsFinite(overallProgress)
new file mode 100644
--- /dev/null
+++ b/dom/animation/test/crashtests/1334582-2.html
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="UTF-8">
+<script>
+window.onload = function(){
+  let a = document.documentElement.animate([], {"iterationStart": 1.7976931348623157e+308, "fill": "both"});
+};
+</script>
+</head>
+</html>
--- a/dom/animation/test/crashtests/crashtests.list
+++ b/dom/animation/test/crashtests/crashtests.list
@@ -19,14 +19,15 @@ pref(dom.animations-api.core.enabled,tru
 pref(dom.animations-api.core.enabled,true) load 1324554-1.html
 pref(dom.animations-api.core.enabled,true) load 1325193-1.html
 pref(dom.animations-api.core.enabled,true) load 1330190-1.html
 pref(dom.animations-api.core.enabled,true) load 1330190-2.html
 pref(dom.animations-api.core.enabled,true) load 1330513-1.html
 pref(dom.animations-api.core.enabled,true) load 1333539-1.html
 pref(dom.animations-api.core.enabled,true) load 1333539-2.html
 pref(dom.animations-api.core.enabled,true) load 1334582-1.html
+pref(dom.animations-api.core.enabled,true) load 1334582-2.html
 pref(dom.animations-api.core.enabled,true) load 1334583-1.html
 pref(dom.animations-api.core.enabled,true) load 1335998-1.html
 pref(dom.animations-api.core.enabled,true) load 1343589-1.html
 pref(dom.animations-api.core.enabled,true) load 1359658-1.html
 pref(dom.animations-api.core.enabled,true) load 1373712-1.html
 pref(dom.animations-api.core.enabled,true) load 1379606-1.html