RESOLVED FIXED121455
Bad ASSERT() in RasterShapeIntervals::firstIncludedIntervalY() 
https://bugs.webkit.org/show_bug.cgi?id=121455
Summary Bad ASSERT() in RasterShapeIntervals::firstIncludedIntervalY()
Hans Muller
Reported 2013-09-16 15:02:41 PDT
The changes for https://bugs.webkit.org/show_bug.cgi?id=120211 included an over-constrained ASSERT() in RasterShapeIntervals::firstIncludedIntervalY(): bool RasterShapeIntervals::firstIncludedIntervalY(int minY, const IntSize& minSize, LayoutUnit& result) const { minY = std::max<int>(bounds().y(), minY); ASSERT(minY >= 0 && minY + minSize.height() < size()); ... } It's only necessary for the caller to ensure that minY is effectively < size(). Legitimate calls to firstIncluedIntervalY() may specify values of minY that are greater than size() - minSize.height().
Attachments
Patch (3.32 KB, patch)
2013-09-16 16:08 PDT, Hans Muller 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Hans Muller
Comment 1 2013-09-16 16:08:17 PDT
Created attachment 211840 [details] Patch Fixed the bad ASSERT() in RasterShapeIntervals::firstIncludedIntervalY().
Darin Adler
Comment 2 2013-09-17 08:58:41 PDT
Comment on attachment 211840 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=211840&action=review > Source/WebCore/rendering/shapes/RasterShape.cpp:100 > - ASSERT(minY >= 0 && minY + minSize.height() < size()); > + ASSERT(minY >= 0 && minY < size()); Wouldn’t the right fix be to make the assertion "<=" rather than leaving out the height?
Hans Muller
Comment 3 2013-09-17 09:18:28 PDT
(In reply to comment #2) > (From update of attachment 211840 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=211840&action=review > > > Source/WebCore/rendering/shapes/RasterShape.cpp:100 > > - ASSERT(minY >= 0 && minY + minSize.height() < size()); > > + ASSERT(minY >= 0 && minY < size()); > > Wouldn’t the right fix be to make the assertion "<=" rather than leaving out the height? If minY + minSize.height() extends beyond the bounds of the shape, then this function is just supposed to return false. And bounds().height() <= size(). The assertion is only supposed to insure that minY is in range. Thanks for the quick review!
WebKit Commit Bot
Comment 4 2013-09-17 09:45:25 PDT
Comment on attachment 211840 [details] Patch Clearing flags on attachment: 211840 Committed r155965: <http://trac.webkit.org/changeset/155965>
WebKit Commit Bot
Comment 5 2013-09-17 09:45:27 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.