<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[172914] releases/WebKitGTK/webkit-2.4/Source/WebCore</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/172914">172914</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2014-08-25 03:57:33 -0700 (Mon, 25 Aug 2014)</dd>
</dl>

<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/172317">r172317</a> - HTML &lt;sub&gt; and &lt;sup&gt; elements do not work in some 64-bit builds
https://bugs.webkit.org/show_bug.cgi?id=135736

Reviewed by Tim Horton.

RootInlineBox::verticalPositionForBox() had some implicit conversions between
LayoutUnit and int that caused overflow, and resulted in different comparison
behavior with an int constant in different architectures, since overflow behavior
is undefined.

Specifically, VerticalPositionCache was written in terms of ints with a special
0x80000000 &quot;not found&quot; value. However, 0x80000000 was being assigned to
a LayoutUnit, which multiplies by 64 causing overflow. The result was then
compared again with 0x80000000 which could pass or fail depending on overflow
behavior.

Fix by converting VerticalPositionCache to use LayoutUnits, and to have a bool
return value with a result out param, instead of a special return value.

Not easily testable, since the difference does not show in DRT output,
and a ref test would be flakey.

* rendering/RootInlineBox.cpp:
(WebCore::RootInlineBox::ascentAndDescentForBox):
* rendering/VerticalPositionCache.h:
(WebCore::VerticalPositionCache::get):
(WebCore::VerticalPositionCache::set):</pre>
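<p>Added example, not part of the commit or of WebKit's code: a simplified model of the sentinel problem the log message describes, next to the bool-plus-out-param lookup the patch switches to. FixedUnit, kNotFound and the two conversion helpers are assumptions; they stand in for LayoutUnit and replace the undefined overflow with two well-defined behaviours.</p>

```cpp
#include <cstdint>
#include <limits>
#include <map>

// Simplified 1/64-pixel fixed-point value: a model, not WebKit's LayoutUnit.
struct FixedUnit { int32_t raw; };
inline bool operator==(FixedUnit a, FixedUnit b) { return a.raw == b.raw; }

// Same bit pattern as the removed 0x80000000 sentinel (name is hypothetical).
const int32_t kNotFound = std::numeric_limits<int32_t>::min();

// Two well-defined stand-ins for what "int * 64" may do once it overflows.
FixedUnit toUnitWrapping(int32_t px) {
    return FixedUnit{static_cast<int32_t>(static_cast<uint32_t>(px) * 64u)};
}
FixedUnit toUnitSaturating(int32_t px) {
    int64_t wide = static_cast<int64_t>(px) * 64;
    if (wide > INT32_MAX) wide = INT32_MAX;
    if (wide < INT32_MIN) wide = INT32_MIN;
    return FixedUnit{static_cast<int32_t>(wide)};
}
using Convert = FixedUnit (*)(int32_t);

// Old pattern: the cache returns an int sentinel, the caller stores it in a
// fixed-point value, then compares against the converted sentinel again.
bool oldLookupReportsMiss(const std::map<int, int32_t>& cache, int key,
                          Convert storeSide, Convert compareSide) {
    auto it = cache.find(key);
    int32_t fromCache = (it == cache.end()) ? kNotFound : it->second;
    FixedUnit position = storeSide(fromCache);
    return position == compareSide(kNotFound);
}

// New pattern, as in the patch: hit or miss travels in the bool, not the value.
bool newLookup(const std::map<int, FixedUnit>& cache, int key, FixedUnit& result) {
    auto it = cache.find(key);
    if (it == cache.end())
        return false;
    result = it->second;
    return true;
}

int main() {
    std::map<int, int32_t> empty;
    // A miss is detected only while both conversions overflow the same way.
    bool agree = oldLookupReportsMiss(empty, 1, toUnitWrapping, toUnitWrapping);
    bool differ = oldLookupReportsMiss(empty, 1, toUnitWrapping, toUnitSaturating);
    return (agree && !differ) ? 0 : 1;
}
```

<p>In the wrapping model the converted sentinel is also indistinguishable from a real cached position of 0, which the out-param form avoids because no value is reserved.</p>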

<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit24SourceWebCoreChangeLog">releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit24SourceWebCorerenderingRootInlineBoxcpp">releases/WebKitGTK/webkit-2.4/Source/WebCore/rendering/RootInlineBox.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit24SourceWebCorerenderingVerticalPositionCacheh">releases/WebKitGTK/webkit-2.4/Source/WebCore/rendering/VerticalPositionCache.h</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit24SourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog (172913 => 172914)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog        2014-08-25 10:54:35 UTC (rev 172913)
+++ releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog        2014-08-25 10:57:33 UTC (rev 172914)
</span><span class="lines">@@ -1,3 +1,33 @@
</span><ins>+2014-08-07  Simon Fraser  &lt;simon.fraser@apple.com&gt;
+
+        HTML &lt;sub&gt; and &lt;sup&gt; elements do not work in some 64-bit builds
+        https://bugs.webkit.org/show_bug.cgi?id=135736
+
+        Reviewed by Tim Horton.
+        
+        RootInlineBox::verticalPositionForBox() had some implicit conversions between
+        LayoutUnit and int that caused overflow, and resulted in different comparison
+        behavior with an int constant in different architectures, since overflow behavior
+        is undefined.
+        
+        Specifically, VerticalPositionCache was written in terms of ints with a special
+        0x80000000 &quot;not found&quot; value. However, 0x80000000 was being assigned to
+        a LayoutUnit, which multiplies by 64 causing overflow. The result was then
+        compared again with 0x80000000 which could pass or fail depending on overflow
+        behavior.
+        
+        Fix by converting VerticalPositionCache to use LayoutUnits, and to have a bool
+        return value with a result out param, instead of a special return value.
+
+        Not easily testable, since the difference does not show in DRT output,
+        and a ref test would be flakey.
+
+        * rendering/RootInlineBox.cpp:
+        (WebCore::RootInlineBox::ascentAndDescentForBox):
+        * rendering/VerticalPositionCache.h:
+        (WebCore::VerticalPositionCache::get):
+        (WebCore::VerticalPositionCache::set):
+
</ins><span class="cx"> 2014-08-12  Fabien VallĂ©e  &lt;fvallee@connected-labs.com&gt;
</span><span class="cx"> 
</span><span class="cx">         [GStreamer] playback rate is rounded to integer
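Review bot: the entry text names RootInlineBox::verticalPositionForBox(), but the function list
at the end of the same entry records the RootInlineBox.cpp change under ascentAndDescentForBox.
Make the two agree with the function that actually contains the cache check, so the ChangeLog
points readers at the right code.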
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit24SourceWebCorerenderingRootInlineBoxcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.4/Source/WebCore/rendering/RootInlineBox.cpp (172913 => 172914)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.4/Source/WebCore/rendering/RootInlineBox.cpp        2014-08-25 10:54:35 UTC (rev 172913)
+++ releases/WebKitGTK/webkit-2.4/Source/WebCore/rendering/RootInlineBox.cpp        2014-08-25 10:57:33 UTC (rev 172914)
</span><span class="lines">@@ -965,9 +965,9 @@
</span><span class="cx">     // Check the cache.
</span><span class="cx">     bool isRenderInline = renderer-&gt;isRenderInline();
</span><span class="cx">     if (isRenderInline &amp;&amp; !firstLine) {
</span><del>-        LayoutUnit verticalPosition = verticalPositionCache.get(renderer, baselineType());
-        if (verticalPosition != PositionUndefined)
-            return verticalPosition;
</del><ins>+        LayoutUnit cachedPosition;
+        if (verticalPositionCache.get(renderer, baselineType(), cachedPosition))
+            return cachedPosition;
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     LayoutUnit verticalPosition = 0;
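Review bot: only the get() call is updated at this call site, while set() in
VerticalPositionCache.h changes from taking an int to taking a LayoutUnit. Any
verticalPositionCache.set() call on this path is outside the hunk; confirm it passes the
LayoutUnit straight through with no int temporary, otherwise the stored value still goes
through an implicit LayoutUnit-to-int conversion of the kind the log message describes.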
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit24SourceWebCorerenderingVerticalPositionCacheh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.4/Source/WebCore/rendering/VerticalPositionCache.h (172913 => 172914)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.4/Source/WebCore/rendering/VerticalPositionCache.h        2014-08-25 10:54:35 UTC (rev 172913)
+++ releases/WebKitGTK/webkit-2.4/Source/WebCore/rendering/VerticalPositionCache.h        2014-08-25 10:57:33 UTC (rev 172914)
</span><span class="lines">@@ -33,25 +33,24 @@
</span><span class="cx"> 
</span><span class="cx"> class RenderObject;
</span><span class="cx"> 
</span><del>-// Values for vertical alignment.
-const int PositionUndefined = 0x80000000;
-
</del><span class="cx"> class VerticalPositionCache {
</span><span class="cx">     WTF_MAKE_NONCOPYABLE(VerticalPositionCache);
</span><span class="cx"> public:
</span><span class="cx">     VerticalPositionCache()
</span><span class="cx">     { }
</span><span class="cx">     
</span><del>-    int get(RenderObject* renderer, FontBaseline baselineType) const
</del><ins>+    bool get(RenderObject* renderer, FontBaseline baselineType, LayoutUnit&amp; result) const
</ins><span class="cx">     {
</span><del>-        const HashMap&lt;RenderObject*, int&gt;&amp; mapToCheck = baselineType == AlphabeticBaseline ? m_alphabeticPositions : m_ideographicPositions;
-        const HashMap&lt;RenderObject*, int&gt;::const_iterator it = mapToCheck.find(renderer);
</del><ins>+        const HashMap&lt;RenderObject*, LayoutUnit&gt;&amp; mapToCheck = baselineType == AlphabeticBaseline ? m_alphabeticPositions : m_ideographicPositions;
+        const HashMap&lt;RenderObject*, LayoutUnit&gt;::const_iterator it = mapToCheck.find(renderer);
</ins><span class="cx">         if (it == mapToCheck.end())
</span><del>-            return PositionUndefined;
-        return it-&gt;value;
</del><ins>+            return false;
+
+        result = it-&gt;value;
+        return true;
</ins><span class="cx">     }
</span><span class="cx">     
</span><del>-    void set(RenderObject* renderer, FontBaseline baselineType, int position)
</del><ins>+    void set(RenderObject* renderer, FontBaseline baselineType, LayoutUnit position)
</ins><span class="cx">     {
</span><span class="cx">         if (baselineType == AlphabeticBaseline)
</span><span class="cx">             m_alphabeticPositions.set(renderer, position);
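Review bot: get() returns false on a miss without writing to result, and nothing in the header
states that contract. A short comment above get() saying that result is valid only when the
return value is true would keep a later caller from reading a default-constructed LayoutUnit.
PositionUndefined is also deleted at the top of this hunk, so check that nothing else in the
2.4 branch still references it; the visible diff updates a single call site.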
</span><span class="lines">@@ -60,8 +59,8 @@
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx"> private:
</span><del>-    HashMap&lt;RenderObject*, int&gt; m_alphabeticPositions;
-    HashMap&lt;RenderObject*, int&gt; m_ideographicPositions;
</del><ins>+    HashMap&lt;RenderObject*, LayoutUnit&gt; m_alphabeticPositions;
+    HashMap&lt;RenderObject*, LayoutUnit&gt; m_ideographicPositions;
</ins><span class="cx"> };
</span><span class="cx"> 
</span><span class="cx"> } // namespace WebCore
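Review bot: m_alphabeticPositions and m_ideographicPositions now store LayoutUnit, but the
visible hunks add no include for LayoutUnit.h. If the header does not already include it,
this compiles only because every includer happens to pull it in first; add the include here
so the header stays self-contained.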
</span></span></pre>
</div>
</div>

</body>
</html>