Enforce depth limits on flat math expression chains during parsing [chromium/src : main]
0 views
Skip to first unread message
Daniil Sakhapov (Gerrit)
May 4, 2026, 9:53:46 AM (23 hours ago) May 4
to Anders Hartvoll Ruud, Chromium LUCI CQ, Menard, Alexis, chromium...@chromium.org, apavlo...@chromium.org, blink-re...@chromium.org, blink-revie...@chromium.org, blink-...@chromium.org
Attention needed from Anders Hartvoll Ruud
New activity on the change![]( "Open in Gerrit")
Related details
Attention is currently required from:
- Anders Hartvoll Ruud
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Anders Hartvoll Ruud (Gerrit)
May 4, 2026, 10:27:57 AM (22 hours ago) May 4
to Daniil Sakhapov, Chromium LUCI CQ, Menard, Alexis, chromium...@chromium.org, apavlo...@chromium.org, blink-re...@chromium.org, blink-revie...@chromium.org, blink-...@chromium.org
Attention needed from Daniil Sakhapov
Anders Hartvoll Ruud added 3 comments![]( "Open in Gerrit")
File third_party/blink/renderer/core/css/css_math_expression_node.cc
Line 5043, Patchset 1 (Latest):
int result_depth = state.depth + 1;Anders Hartvoll Ruud . unresolved
It would help with a comment here explaining that even though this is parsed iteratively, we want to avoid creating deep expression trees to avoid stack overflows later.
Line 5071, Patchset 1 (Latest):
} else {
result_depth = state.depth + 1;
}Anders Hartvoll Ruud . unresolved
I don't understand this "reset". Doesn't each iteration of this loop represent a new level?
File third_party/blink/web_tests/external/wpt/css/css-values/typed_arithmetic.html
Line 82, Patchset 1 (Latest):
test_invalid_value("width", "calc(1px * 1px" + " * 2".repeat(200) + ")");Anders Hartvoll Ruud . unresolved
This is only testing `ParseValueMultiplicativeExpression`, and not `ParseAdditiveValueExpression`, right?
Related details
Attention is currently required from:
- Daniil Sakhapov
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Daniil Sakhapov (Gerrit)
7:30 AM (1 hour ago) 7:30 AM
to Anders Hartvoll Ruud, Chromium LUCI CQ, Menard, Alexis, chromium...@chromium.org, apavlo...@chromium.org, blink-re...@chromium.org, blink-revie...@chromium.org, blink-...@chromium.org
Attention needed from Anders Hartvoll Ruud
Daniil Sakhapov voted and added 3 comments![]( "Open in Gerrit")
Votes added by Daniil Sakhapov
| Commit-Queue | +1 |
3 comments
File third_party/blink/renderer/core/css/css_math_expression_node.cc
It would help with a comment here explaining that even though this is parsed iteratively, we want to avoid creating deep expression trees to avoid stack overflows later.
Daniil Sakhapov
Done
Line 5071, Patchset 1:
} else {
result_depth = state.depth + 1;
}Anders Hartvoll Ruud . resolved
I don't understand this "reset". Doesn't each iteration of this loop represent a new level?
Daniil Sakhapov
Done
File third_party/blink/web_tests/external/wpt/css/css-values/typed_arithmetic.html
Line 82, Patchset 1:
test_invalid_value("width", "calc(1px * 1px" + " * 2".repeat(200) + ")");Anders Hartvoll Ruud . resolved
This is only testing `ParseValueMultiplicativeExpression`, and not `ParseAdditiveValueExpression`, right?
Attention is currently required from:
- Anders Hartvoll Ruud
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Reply all
Reply to author
Forward
0 new messages