A bug was found where grid items were being drawn outside of the grid if
the item had a large span and the grid was defined as having gaps
between the rows/columns.
This was caused by an erroneous calculation of the
{row,column}_{start,span} properties.
ObjectType is now passed as an enum instead of a plain number. The
underlying type for both ObjectType and VirGLCommand have been reduced
to u8 to make sure they fit in the encoded command. Command length is
verified to not overflow u16.
Size and format information are the same for every implementation and do
not need to be virtual. This removes the need to reimplement them for
each driver.
Currently, the generated IPC decoders will default-construct the type to
be decoded, then pass that value by reference to the concrete decoder.
This, of course, requires that the type is default-constructible. This
was an issue for decoding Variants, which had to require the first type
in the Variant list is Empty, to ensure it is default constructible.
Further, this made it possible for values to become uninitialized in
user-defined decoders.
This patch makes the decoder interface such that the concrete decoders
themselves contruct the decoded type upon return from the decoder. To do
so, the default decoders in IPC::Decoder had to be moved to the IPC
namespace scope, as these decoders are now specializations instead of
overloaded methods (C++ requires specializations to be in a namespace
scope).
Both widgets now make use of their base class's scrolling timer and
now always accept drag selection updates on mousemove_event().
This guarantees much snappier feeling selections when actively moving
the mouse.
Renames on_automatic_scrolling_timer_fired() =>
automatic_scrolling_timer_did_fire()
The 'on_' prefix is usually reserved for AK::Function hooks.
Renames set_automatic_scrolling_{active,timer}() =>
set_automatic_scrolling_timer_active()
For consistency, accuracy, and header file A E S T H E T I C S
Previously, automatic cursor tracking widgets consumed all mouse
events but did not update their own hover state while active, meaning
Enter and Leave events were not being dispatched.
Fixes TextEditor's automatic selection scroll timer failing to stop
and start while autotracking. Its manual workaround in mousedown
is no longer needed.
It's possible to construct a floating point value that when converted to
double is not larger than i64::max(), but when remaining a float is
larger. This patch avoids that edge case with some even less exciting if
constexpr branches to fix a float-cast-overflow UBSAN error on macOS
with llvm 15.0.6.
Previously gradient painting was dominated by the clipping checks in
Painter::set_pixel(). This commit changes gradient painting to use the
new Painter::fill_pixels() function (which does all these checks outside
the hot loop).
With this change gradient painting drops from 96% of the profile to 51%
when scrolling around on gradients.html. A nice 45% reduction :^)
This function fills a region of pixels with the result of a callback
function. This is an alternative to a for loop that repeatedly calls
Painter::set_pixel(), which can get very expensive due to the clipping
checks set_pixel() does each call.
This is fixed by making the "about to be notified rejected promises
list" use JS::Handle instead of JS::NonnullGCPtr. This UAF happens
because notify_about_rejected_promises makes a local copy of this list,
empties the member variable list and then moves the local copy into a
JS::SafeFunction lambda. JS::SafeFunction can only see GC pointers that
are in its storage, not external storage.
Example exploit (requires fixed microtask timing by removing the dummy
execution context):
```html
<script>
Promise.reject(new Error);
// Exit the script block, causing a microtask checkpoint and thus
// queuing of a task to fire the unhandled rejection event for the
// above promise.
// During the time after being queued but before being ran, these
// promises are not kept alive. This is because JS::SafeFunction cannot
// see into a Vector, meaning it can't visit the stored NonnullGCPtrs.
</script>
<script defer>
// Cause a garbage collection, destroying the above promise.
const b = [];
for (var i = 0; i < 200000; i++)
b.push({});
// Some time after this script block, the queued unhandled rejection
// event task will fire, with the event object containing the dead
// promise.
window.onunhandledrejection = (event) => {
let value = event.promise;
console.log(value);
}
</script>
```
Previously we were doing this at the painting stage, which meant that
layout potentially used the wrong glyphs when measuring text.
This would lead to incorrect layout metrics and was visible on the
HTML5Test score display, for example. :^)
