The following fuzz HTML reveals the bug in Chromium content_shell
===html=begins===
<style>
*{min-width:4%;-webkit-border-radius:+256%;}
.CLASS11{text-decoration:rgba(128%,16129%,1%,0.0000000004656612317904879831274006762300773920593144339363789186) dotted blink;vertical-align:124px;-webkit-column-count:
2147483655 !important;</style>
<h1 class="CLASS11 CLASS1">
>
B
<button>
<h4 class="CLASS11 CLASS12">
</h4>
<p>
c C
<table>
<caption class="CLASS11">
>
<ruby class="CLASS11 CLASS12">
</ruby>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA x
===html===ends===
BUG=chromium:662905
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=
2482863004
Review-Url: https://codereview.chromium.org/
2482863004
};
static inline SkFixed quickSkFDot6Div(SkFDot6 a, SkFDot6 b) {
- if (SkAbs32(b) < kInverseTableSize) {
- SkASSERT((int64_t)a * QuickFDot6Inverse::Lookup(b) <= SK_MaxS32);
+ // Max inverse of b is 2^6 which is 2^22 in SkFixed format.
+ // Hence the safe value of abs(a) should be less than 2^10.
+ if (SkAbs32(b) < kInverseTableSize && SkAbs32(a) < (1 << 10)) {
+ SkASSERT((int64_t)a * QuickFDot6Inverse::Lookup(b) <= SK_MaxS32
+ && (int64_t)a * QuickFDot6Inverse::Lookup(b) >= SK_MinS32);
SkFixed ourAnswer = (a * QuickFDot6Inverse::Lookup(b)) >> 6;
#ifdef SK_DEBUG
SkFixed directAnswer = SkFDot6Div(a, b);