Avoid setting visual viewport location/scale if it's infinite/NaN

third_party/WebKit/Source/core/frame/VisualViewport.cpp

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 232 matching lines @@
     notifyRootFrameViewport();
 }
 
 bool VisualViewport::didSetScaleOrLocation(float scale,
                                            const FloatPoint& location) {
   if (!mainFrame())
     return false;
 
   bool valuesChanged = false;
 
-  CHECK(!std::isnan(scale));
-  CHECK(std::isfinite(scale));
-  if (scale != m_scale) {
+  if (scale != m_scale && !std::isnan(scale) && !std::isinf(scale)) {
     m_scale = scale;
     valuesChanged = true;
     page().chromeClient().pageScaleFactorChanged();
     enqueueResizeEvent();
   }
 
   ScrollOffset clampedOffset = clampScrollOffset(toScrollOffset(location));
 
-  CHECK(!std::isnan(clampedOffset.width()) &&
-        !std::isnan(clampedOffset.height()));
-  CHECK(std::isfinite(clampedOffset.width()) &&
-        std::isfinite(clampedOffset.height()));
+  // TODO(bokan): If the offset is invalid, we might end up in an infinite
+  // recursion as we reenter this function on clamping. It would be cleaner to
+  // avoid reentrancy but for now just prevent the stack overflow.
+  // crbug.com/702771.
+  if (std::isnan(clampedOffset.width()) || std::isnan(clampedOffset.height()) ||
+      std::isinf(clampedOffset.width()) || std::isinf(clampedOffset.height()))
+    return false;
+
   if (clampedOffset != m_offset) {
     m_offset = clampedOffset;
     scrollAnimator().setCurrentOffset(m_offset);
 
     // SVG runs with accelerated compositing disabled so no
     // ScrollingCoordinator.
     if (ScrollingCoordinator* coordinator = page().scrollingCoordinator())
       coordinator->scrollableAreaScrollLayerDidChange(this);
 
     if (!page().settings().getInertVisualViewport()) {
@@ skipping 23 matching lines @@
   const float oldPageScale = scale();
   const float newPageScale = page().chromeClient().clampPageScaleFactorToLimits(
       magnifyDelta * oldPageScale);
   if (newPageScale == oldPageScale)
     return false;
   if (!mainFrame() || !mainFrame()->view())
     return false;
 
   // Keep the center-of-pinch anchor in a stable position over the course
   // of the magnify.
+  // TODO(bokan): Looks lie we call into setScaleAndLocation with infinity for

[skobes, 2017/03/21 19:06:49]

typo: lie -> like

[bokan, 2017/03/21 19:19:30]

Done.

+  // the location so it seems either old or newPageScale is invalid.
+  // crbug.com/702771.
   FloatPoint anchorAtOldScale = anchor.scaledBy(1.f / oldPageScale);
   FloatPoint anchorAtNewScale = anchor.scaledBy(1.f / newPageScale);
   FloatSize anchorDelta = anchorAtOldScale - anchorAtNewScale;
 
   // First try to use the anchor's delta to scroll the FrameView.
   FloatSize anchorDeltaUnusedByScroll = anchorDelta;
 
   // Manually bubble any remaining anchor delta up to the visual viewport.
   FloatPoint newLocation(FloatPoint(getScrollOffset()) +
                          anchorDeltaUnusedByScroll);
@@ skipping 516 matching lines @@
   } else if (graphicsLayer == m_rootTransformLayer.get()) {
     name = "Root Transform Layer";
   } else {
     ASSERT_NOT_REACHED();
   }
 
   return name;
 }
 
 }  // namespace blink