Bug 893496: Avoid doing bogus infinity*0 multiplication when producing a flex weight from huge flex-shrink and 0 flex-basis. r=mats
authorDaniel Holbert <dholbert@cs.stanford.edu>
Sun, 05 Jan 2014 20:18:12 -0800
changeset 162176 d1cf3709a1f06b92def61b81f062ed2df5869520
parent 162175 183398cf2b5e6187687fe7841c3d5579bc8475dd
child 162177 98660dab432f8dd53971db9fc046b61b4e686fb5
push idunknown
push userunknown
push dateunknown
reviewersmats
bugs893496
milestone29.0a1
Bug 893496: Avoid doing bogus infinity*0 multiplication when producing a flex weight from huge flex-shrink and 0 flex-basis. r=mats
layout/generic/crashtests/893496-1.html
layout/generic/crashtests/crashtests.list
layout/generic/nsFlexContainerFrame.cpp
new file mode 100644
--- /dev/null
+++ b/layout/generic/crashtests/893496-1.html
@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<html>
+<meta charset="UTF-8">
+<body>
+
+<div style="display: flex;">
+    <div style="padding: calc(50%);"></div>
+    <div style="padding: 4px; flex: 0 999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999;"></div>
+</div>
+
+</body>
+</html>
--- a/layout/generic/crashtests/crashtests.list
+++ b/layout/generic/crashtests/crashtests.list
@@ -509,14 +509,15 @@ load 847211-1.html
 load 849603.html
 load 851396-1.html
 load 854263-1.html
 load 862947-1.html
 needs-focus pref(accessibility.browsewithcaret,true) load 868906.html
 load 866547-1.html
 asserts(1-4) load 876074-1.html # bug 876749
 load 885009-1.html
+load 893496-1.html
 load 893523.html
 test-pref(layout.css.sticky.enabled,true) load 914891.html
 test-pref(layout.css.sticky.enabled,true) load 915475.xhtml
 load 943509-1.html
 asserts(4-8) load 944909-1.html
 test-pref(layout.css.sticky.enabled,true) load 949932.html
--- a/layout/generic/nsFlexContainerFrame.cpp
+++ b/layout/generic/nsFlexContainerFrame.cpp
@@ -330,19 +330,29 @@ public:
   // base size, so that when both large and small items are shrinking,
   // the large items shrink more).
   float GetFlexWeightToUse(bool aIsUsingFlexGrow)
   {
     if (IsFrozen()) {
       return 0.0f;
     }
 
-    return aIsUsingFlexGrow ?
-      mFlexGrow :
-      mFlexShrink * mFlexBaseSize;
+    if (aIsUsingFlexGrow) {
+      return mFlexGrow;
+    }
+
+    // We're using flex-shrink --> return mFlexShrink * mFlexBaseSize
+    if (mFlexBaseSize == 0) {
+      // Special-case for mFlexBaseSize == 0 -- we have no room to shrink, so
+      // regardless of mFlexShrink, we should just return 0.
+      // (This is really a special-case for when mFlexShrink is infinity, to
+      // avoid performing mFlexShrink * mFlexBaseSize = inf * 0 = undefined.)
+      return 0.0f;
+    }
+    return mFlexShrink * mFlexBaseSize;
   }
 
   // Getters for margin:
   // ===================
   const nsMargin& GetMargin() const { return mMargin; }
 
   // Returns the margin component for a given mozilla::css::Side
   nscoord GetMarginComponentForSide(Side aSide) const