[Webkit-unassigned] [Bug 114807] New: Division by zero in CSSGradientValue::addStops()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Apr 18 04:18:37 PDT 2013


https://bugs.webkit.org/show_bug.cgi?id=114807

           Summary: Division by zero in CSSGradientValue::addStops()
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: CSS
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: cgarcia at igalia.com


This causes an assertion when running fast/forms/type-after-focus-rule-shrink-width.html in BlackBerry port. The test contains the following:

input { width: 200px; background: -webkit-linear-gradient(left, white 110px, green 100px); }
input:focus { width: 100px; }

When the input is focused, the first offset of the gradient is outside the input. These offsets are normalized as 1.078431 and 0.980392 in CSSGradientValue::addStops(). But then there's a loop that checks whether any color stop has a position less than one specified earlier in the list and sets it to the largest one. In our case we end up with two color stops at the same position, 1.078431. At the end of the method, positions are normalized to the 0..1 scale in case they are out of that range. Since both color stops are at the same position, the current scale is 0, so every offset is computed as a value divided by zero.

So platform gradients are filled with two color stops at position 'nan'. The BlackBerry port requires that the first color stop is at position 0 and the last one at position 1; there's code to ensure that, but it checks whether offset[0] > 0, which is the case, and in platform code there's an ASSERT that checks offset[0] == 0 and it crashes.
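The sequence described above, modelled in Python as an added example (this is not WebKit's CSSGradientValue::addStops() nor the BlackBerry platform code; the function names, the "solid color" handling in the guarded variant, and the 102px gradient line length inferred from the two normalized values in the report are assumptions). It reproduces the 110px/100px stops from the test, shows how the monotonic fix-up collapses them onto one position, how the unguarded rescale turns that into NaN offsets that slip past an `offset[0] > 0` check, and how a zero-range guard keeps the platform invariant (first stop at 0, last at 1) intact:

```python
import math

# Constructed sample from the report: the focused 100px input yields a 102px gradient line
# (110/102 = 1.078431, 100/102 = 0.980392). Length is an assumption derived from those values.
SAMPLE_STOPS = [(110.0, "white"), (100.0, "green")]
GRADIENT_LENGTH = 102.0


def to_fractions(stops_px, length):
    """Pixel offsets become fractions of the gradient line."""
    return [(px / length, color) for px, color in stops_px]


def enforce_monotonic(stops):
    """A stop positioned before an earlier one is raised to the largest position seen so far."""
    out, largest = [], -math.inf
    for pos, color in stops:
        largest = max(largest, pos)
        out.append((largest, color))
    return out


def rescale_unguarded(stops):
    """The defect: if the stops lie outside 0..1 they are rescaled by (last - first),
    and when all stops coincide that range is 0, so 0/0 -> NaN (C float semantics emulated)."""
    first, last = stops[0][0], stops[-1][0]
    if 0 <= first and last <= 1:
        return stops
    scale = last - first
    return [((pos - first) / scale if scale != 0 else math.nan, color) for pos, color in stops]


def rescale_guarded(stops):
    """Assumed mitigation: when the range collapses to a single position p outside 0..1,
    the visible 0..1 span lies entirely on one side of p, so the gradient is a solid color:
    the first stop's color if p >= 1, the last stop's color if p <= 0. Emit a well-formed pair."""
    first, last = stops[0][0], stops[-1][0]
    if 0 <= first and last <= 1:
        return stops
    scale = last - first
    if scale == 0:
        color = stops[0][1] if first >= 1 else stops[-1][1]
        return [(0.0, color), (1.0, color)]
    return [((pos - first) / scale, color) for pos, color in stops]


def add_stops(stops_px, length, guarded):
    """Model of the whole normalization sequence, with or without the zero-range guard."""
    stops = enforce_monotonic(to_fractions(stops_px, length))
    return (rescale_guarded if guarded else rescale_unguarded)(stops)


def platform_fixup(stops):
    """Models the port-side fix-up the report mentions: it inserts a stop at 0 only when
    offset[0] > 0 (and at 1 only when the last offset < 1). Any comparison with NaN is
    false, so NaN stops pass through untouched."""
    out = list(stops)
    if out[0][0] > 0:
        out.insert(0, (0.0, out[0][1]))
    if out[-1][0] < 1:
        out.append((1.0, out[-1][1]))
    return out


def platform_invariant_holds(stops):
    """The platform-side ASSERT: first offset exactly 0, last offset exactly 1."""
    return stops[0][0] == 0.0 and stops[-1][0] == 1.0


if __name__ == "__main__":
    buggy = platform_fixup(add_stops(SAMPLE_STOPS, GRADIENT_LENGTH, guarded=False))
    fixed = platform_fixup(add_stops(SAMPLE_STOPS, GRADIENT_LENGTH, guarded=True))
    print("unguarded:", buggy, "invariant:", platform_invariant_holds(buggy))
    print("guarded:  ", fixed, "invariant:", platform_invariant_holds(fixed))
```

The early return in both rescale functions is what makes the guard sufficient: a zero range with all stops already inside 0..1 never reaches the division, so `scale == 0` in the rescaling branch always means the shared position is below 0 or above 1, and the solid-color case is the only one left to handle.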
