Bug 14498

Summary:

RenderContainer::positionForCoordinates contains an order of operations error

Product:

WebKit

Reporter:

Adam Roben (:aroben) <aroben>

Component:

Layout and Rendering

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

hyatt, mitz

Priority:

Version:

523.x (Safari 3)

Hardware:

All

OS:

All

Attachments:

Description	Flags
Test case for RenderContainer::positionForCoordinates	none
patch with changelog	darin: review+

Description Adam Roben (:aroben) 2007-07-02 11:31:39 PDT

Here's the code from RenderContainer::positionForCoordinates (also visible at http://trac.webkit.org/projects/webkit/browser/trunk/WebCore/rendering/RenderContainer.cpp#L58 ):

        int top = borderTop() + paddingTop() + isTableRow() ? 0 : renderer->xPos();
        int bottom = top + renderer->contentHeight();
        int left = borderLeft() + paddingLeft() + isTableRow() ? 0 : renderer->yPos();
        int right = left + renderer->contentWidth();

The problem (spotted by prefast) is that the + operator has higher precedence than the ternary operator, so the code evaluates like this (note the parentheses):

        int top = (borderTop() + paddingTop() + isTableRow()) ? 0 : renderer->xPos();
        int bottom = top + renderer->contentHeight();
        int left = (borderLeft() + paddingLeft() + isTableRow()) ? 0 : renderer->yPos();
        int right = left + renderer->contentWidth();

It's easy to fix (just put parentheses around the ternary expression), but I'm not sure how to make a test case.

Comment 1 Adam Roben (:aroben) 2007-07-02 11:33:06 PDT

Sorry, the link to the code should have been http://trac.webkit.org/projects/webkit/browser/trunk/WebCore/rendering/RenderContainer.cpp#L586

Comment 2 mitz 2007-07-02 11:41:14 PDT

(In reply to comment #0)

> It's easy to fix (just put parentheses around the ternary expression)

That "top" goes with "xPos" and "left" goes with "yPos" looks very suspicious as well!

Comment 3 mitz 2007-07-02 15:05:50 PDT

Created attachment 15356 [details]
Test case for RenderContainer::positionForCoordinates

Comment 4 Adam Roben (:aroben) 2007-07-02 16:46:43 PDT

Created attachment 15357 [details]
patch with changelog

Comment 5 Darin Adler 2007-07-02 16:49:02 PDT

Comment on attachment 15357 [details]
patch with changelog

r=me

Comment 6 Adam Roben (:aroben) 2007-07-02 17:28:52 PDT

Landed as r23938