Revert "Rewrite parseFrameSetListOfDimension to match HTML5"

The change has resulted in ASAN failures:
http://build.chromium.org/p/chromium.webkit/builders/WebKit%20Linux%20ASAN/builds/7635/steps/webkit_tests/logs/stdio

==2535==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000176835 at pc 0x5b315d5 bp 0x7fffeec0d570 sp 0x7fffeec0d568
READ of size 1 at 0x604000176835 thread T0 (content_shell)
       #0 0x5b315d4 in WebCore::Length WebCore::parseDimension<unsigned char>(unsigned char const*, unsigned long, unsigned long) ../third_party/WebKit/Source/core/html/HTMLDimension.cpp:62:0
       #1 0x5b3111b in WebCore::parseDimension(WTF::String const&, unsigned long, unsigned long) ../third_party/WebKit/Source/core/html/HTMLDimension.cpp:97:0
       #2 0x5b30fab in WebCore::parseListOfDimensions(WTF::String const&) ../third_party/WebKit/Source/core/html/HTMLDimension.cpp:129:0
       #3 0x5a4ae7f in WebCore::HTMLFrameSetElement::parseAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&) ../third_party/WebKit/Source/core/html/HTMLFrameSetElement.cpp:84:0

This reverts commit ac7e5c0.

TBR=jchaffraix@chromium.org

Review URL: https://codereview.chromium.org/18565005

git-svn-id: svn://svn.chromium.org/blink/trunk@154013 bbb929c8-8fbe-4397-9dbb-9b2b20218538

Author: apavlov@chromium.org

Source/core/core.gypi

@@ -2069,8 +2069,6 @@
             'html/HTMLDetailsElement.h',
             'html/HTMLDialogElement.cpp',
             'html/HTMLDialogElement.h',
-            'html/HTMLDimension.cpp',
-            'html/HTMLDimension.h',
             'html/HTMLDirectoryElement.cpp',
             'html/HTMLDirectoryElement.h',
             'html/HTMLDivElement.cpp',

Source/core/html/HTMLDimension.cpp

@@ -33,10 +33,10 @@
 #include "core/dom/MouseEvent.h"
 #include "core/dom/NodeRenderingContext.h"
 #include "core/html/HTMLCollection.h"
-#include "core/html/HTMLDimension.h"
 #include "core/html/HTMLFrameElement.h"
 #include "core/loader/FrameLoaderClient.h"
 #include "core/page/Frame.h"
+#include "core/platform/Length.h"
 #include "core/rendering/RenderFrameSet.h"
 
 namespace WebCore {
@@ -81,12 +81,12 @@ void HTMLFrameSetElement::parseAttribute(const QualifiedName& name, const Atomic
 {
     if (name == rowsAttr) {
         if (!value.isNull()) {
-            m_rowLengths = parseListOfDimensions(value.string());
+            m_rowLengths = parseFrameSetListOfDimensions(value.string());
             setNeedsStyleRecalc();
         }
     } else if (name == colsAttr) {
         if (!value.isNull()) {
-            m_colLengths = parseListOfDimensions(value.string());
+            m_colLengths = parseFrameSetListOfDimensions(value.string());
             setNeedsStyleRecalc();
         }
     } else if (name == frameborderAttr) {

Source/core/html/HTMLDimension.h

@@ -73,6 +73,36 @@ static Length parseHTMLAreaCoordinate(const CharType* data, unsigned length)
     return Length(0, Fixed);
 }
 
+template<typename CharType>
+static Length parseFrameSetDimension(const CharType* data, unsigned length)
+{
+    if (!length)
+        return Length(1, Relative);
+
+    unsigned intLength;
+    unsigned doubleLength;
+    unsigned i = splitLength(data, length, intLength, doubleLength);
+
+    bool ok;
+    CharType next = (i < length) ? data[i] : ' ';
+    if (next == '%') {
+        // IE quirk: accept decimal fractions for percentages.
+        double r = charactersToDouble(data, doubleLength, &ok);
+        if (ok)
+            return Length(r, Percent);
+        return Length(1, Relative);
+    }
+    int r = charactersToIntStrict(data, intLength, &ok);
+    if (next == '*') {
+        if (ok)
+            return Length(r, Relative);
+        return Length(1, Relative);
+    }
+    if (ok)
+        return Length(r, Fixed);
+    return Length(0, Relative);
+}
+
 // FIXME: Per HTML5, this should follow the "rules for parsing a list of integers".
 Vector<Length> parseHTMLAreaElementCoords(const String& string)
 {
@@ -110,6 +140,43 @@ Vector<Length> parseHTMLAreaElementCoords(const String& string)
     return r;
 }
 
+template<typename CharType>
+static Vector<Length> parseFrameSetListOfDimensionsInternal(StringImpl* str)
+{
+    unsigned len = str->count(',') + 1;
+    Vector<Length> r(len);
+
+    int i = 0;
+    unsigned pos = 0;
+    size_t pos2;
+
+    while ((pos2 = str->find(',', pos)) != notFound) {
+        r[i++] = parseFrameSetDimension(str->getCharacters<CharType>() + pos, pos2 - pos);
+        pos = pos2 + 1;
+    }
+
+    ASSERT(i == len - 1);
+
+    // IE Quirk: If the last comma is the last char skip it and reduce len by one.
+    if (str->length() - pos > 0)
+        r[i] = parseFrameSetDimension(str->getCharacters<CharType>() + pos, str->length() - pos);
+    else
+        r.shrink(r.size() - 1);
+
+    return r;
+}
+
+// FIXME: Per HTML5, this should "use the rules for parsing a list of dimensions".
+Vector<Length> parseFrameSetListOfDimensions(const String& string)
+{
+    RefPtr<StringImpl> str = string.impl()->simplifyWhiteSpace();
+    if (!str->length())
+        return Vector<Length>();
+    if (str->is8Bit())
+        return parseFrameSetListOfDimensionsInternal<LChar>(str.get());
+    return parseFrameSetListOfDimensionsInternal<UChar>(str.get());
+}
+
 class CalculationValueHandleMap {
     WTF_MAKE_FAST_ALLOCATED;
 public:

Source/core/html/HTMLFrameSetElement.cpp

@@ -310,6 +310,7 @@ struct Length {
 };
 
 Vector<Length> parseHTMLAreaElementCoords(const String&);
+Vector<Length> parseFrameSetListOfDimensions(const String&);
 
 } // namespace WebCore