Title: [273918] trunk
Revision: 273918
Author: za...@apple.com
Date: 2021-03-04 14:16:16 -0800 (Thu, 04 Mar 2021)
Log Message
[LFC][IFC] LineStatus::availableWidth should always be a valid number
https://bugs.webkit.org/show_bug.cgi?id=222752
<rdar://problem/75028043>
Reviewed by Antti Koivisto.
Source/WebCore:
A NaN available width value can confuse the line breaking logic. This patch ensures we always provide a valid value.
Test: fast/inline/crash-when-negative-spacing-produce-nan.html
* layout/inlineformatting/InlineContentBreaker.cpp:
(WebCore::Layout::InlineContentBreaker::processInlineContent):
(WebCore::Layout::InlineContentBreaker::processOverflowingContent const):
* layout/inlineformatting/InlineLineBuilder.cpp:
(WebCore::Layout::LineBuilder::handleInlineContent):
LayoutTests:
* fast/inline/crash-when-negative-spacing-produce-nan-expected.txt: Added.
* fast/inline/crash-when-negative-spacing-produce-nan.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (273917 => 273918)
--- trunk/LayoutTests/ChangeLog 2021-03-04 22:05:53 UTC (rev 273917)
+++ trunk/LayoutTests/ChangeLog 2021-03-04 22:16:16 UTC (rev 273918)
@@ -1,3 +1,14 @@
+2021-03-04 Zalan Bujtas <za...@apple.com>
+
+ [LFC][IFC] LineStatus::availableWidth should always be a valid number
+ https://bugs.webkit.org/show_bug.cgi?id=222752
+ <rdar://problem/75028043>
+
+ Reviewed by Antti Koivisto.
+
+ * fast/inline/crash-when-negative-spacing-produce-nan-expected.txt: Added.
+ * fast/inline/crash-when-negative-spacing-produce-nan.html: Added.
+
2021-03-04 Peng Liu <peng.l...@apple.com>
[GPUP] Some media tests are flaky when media in GPU Process is enabled
Added: trunk/LayoutTests/fast/inline/crash-when-negative-spacing-produce-nan-expected.txt (0 => 273918)
--- trunk/LayoutTests/fast/inline/crash-when-negative-spacing-produce-nan-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/inline/crash-when-negative-spacing-produce-nan-expected.txt 2021-03-04 22:16:16 UTC (rev 273918)
@@ -0,0 +1,3 @@
+* { display: block; } html { zoom: 12345678901234567890; } style { letter-spacing: -1px; zoom: 12345678901234567890; }
+PASS if no crash or assert
+if (window.testRunner) testRunner.dumpAsText();
Added: trunk/LayoutTests/fast/inline/crash-when-negative-spacing-produce-nan.html (0 => 273918)
--- trunk/LayoutTests/fast/inline/crash-when-negative-spacing-produce-nan.html (rev 0)
+++ trunk/LayoutTests/fast/inline/crash-when-negative-spacing-produce-nan.html 2021-03-04 22:16:16 UTC (rev 273918)
@@ -0,0 +1,19 @@
+<html>
+<style>
+ * {
+ display: block;
+ }
+ html {
+ zoom: 12345678901234567890;
+ }
+ style {
+ letter-spacing: -1px;
+ zoom: 12345678901234567890;
+ }
+</style>
+PASS if no crash or assert
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+</html>
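Review bot: the test has no comment saying which declarations produce the NaN width, so a later cleanup could drop "zoom: 12345678901234567890" or the "letter-spacing: -1px" on the style rule without anyone noticing that the test no longer covers bug 222752. A one-line comment naming that combination would fix this. It is also worth stating that "* { display: block; }" is why the stylesheet and script text appear in the -expected.txt baseline, since any edit to the test source then needs a matching baseline update.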
Modified: trunk/Source/WebCore/ChangeLog (273917 => 273918)
--- trunk/Source/WebCore/ChangeLog 2021-03-04 22:05:53 UTC (rev 273917)
+++ trunk/Source/WebCore/ChangeLog 2021-03-04 22:16:16 UTC (rev 273918)
@@ -1,3 +1,21 @@
+2021-03-04 Zalan Bujtas <za...@apple.com>
+
+ [LFC][IFC] LineStatus::availableWidth should always be a valid number
+ https://bugs.webkit.org/show_bug.cgi?id=222752
+ <rdar://problem/75028043>
+
+ Reviewed by Antti Koivisto.
+
+ A NaN available width value can confuse the line breaking logic. This patch ensures we always provide a valid value.
+
+ Test: fast/inline/crash-when-negative-spacing-produce-nan.html
+
+ * layout/inlineformatting/InlineContentBreaker.cpp:
+ (WebCore::Layout::InlineContentBreaker::processInlineContent):
+ (WebCore::Layout::InlineContentBreaker::processOverflowingContent const):
+ * layout/inlineformatting/InlineLineBuilder.cpp:
+ (WebCore::Layout::LineBuilder::handleInlineContent):
+
2021-03-04 Youenn Fablet <you...@apple.com>
In case of POST navigation redirected by a 302, the 'Origin' header is kept in the redirected request
Modified: trunk/Source/WebCore/layout/inlineformatting/InlineContentBreaker.cpp (273917 => 273918)
--- trunk/Source/WebCore/layout/inlineformatting/InlineContentBreaker.cpp 2021-03-04 22:05:53 UTC (rev 273917)
+++ trunk/Source/WebCore/layout/inlineformatting/InlineContentBreaker.cpp 2021-03-04 22:16:16 UTC (rev 273918)
@@ -131,6 +131,7 @@
InlineContentBreaker::Result InlineContentBreaker::processInlineContent(const ContinuousContent& candidateContent, const LineStatus& lineStatus)
{
+ ASSERT(!std::isnan(lineStatus.availableWidth));
auto processCandidateContent = [&] {
if (candidateContent.logicalWidth() <= lineStatus.availableWidth)
return Result { Result::Action::Keep };
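Review bot: the new ASSERT at the top of processInlineContent is a debug-only check, so in release builds a NaN availableWidth coming from any caller other than the one patched in InlineLineBuilder.cpp still reaches "candidateContent.logicalWidth() <= lineStatus.availableWidth", which evaluates to false for NaN and falls past the Keep result without any signal. If the invariant is meant to hold for every LineStatus, consider enforcing it where LineStatus is constructed rather than only asserting it here. Separately, the ChangeLog lists processOverflowingContent const as modified, but this diff shows no change to that function; either the entry or the patch looks incomplete.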
Modified: trunk/Source/WebCore/layout/inlineformatting/InlineLineBuilder.cpp (273917 => 273918)
--- trunk/Source/WebCore/layout/inlineformatting/InlineLineBuilder.cpp 2021-03-04 22:05:53 UTC (rev 273917)
+++ trunk/Source/WebCore/layout/inlineformatting/InlineLineBuilder.cpp 2021-03-04 22:16:16 UTC (rev 273918)
@@ -668,7 +668,10 @@
}
return adjustedLineLogicalRect;
}();
- auto availableWidth = lineLogicalRectForCandidateContent.width() - m_line.contentLogicalRight();
+ auto availableWidth = [&] {
+ auto availableWidthForContent = lineLogicalRectForCandidateContent.width() - m_line.contentLogicalRight();
+ return std::isnan(availableWidthForContent) ? maxInlineLayoutUnit() : availableWidthForContent;
+ }();
// While the floats are not considered to be on the line, they make the line contentful for line breaking.
auto lineHasContent = !m_line.runs().isEmpty() || m_contentIsConstrainedByFloat;
auto lineStatus = InlineContentBreaker::LineStatus { m_line.contentLogicalRight(), availableWidth, m_line.trimmableTrailingWidth(), m_line.trailingSoftHyphenWidth(), m_line.isTrailingRunFullyTrimmable(), lineHasContent, !m_wrapOpportunityList.isEmpty() };
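Review bot: the lambda sanitizes only the difference, while m_line.contentLogicalRight() is still passed unchecked as the first LineStatus field in the lineStatus initializer below it, so if that operand is where the NaN originates it still enters the content breaker through another field. It would be safer to check the operands (or identify which one goes bad under the extreme zoom in the new test) and handle it at the source. The fallback also deserves a short comment: maxInlineLayoutUnit() makes the line effectively unconstrained, and the reason that is preferable to, say, zero available width is not obvious from the code. Finally, std::isnan leaves infinite results untouched; if "valid number" in the title is meant to exclude those too, the check should say so.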