Title: [211647] trunk
- Revision
- 211647
- Author
- za...@apple.com
- Date
- 2017-02-03 13:17:28 -0800 (Fri, 03 Feb 2017)
Log Message
Simple line layout: Removing adjacent trailing whitespace runs should not crash.
https://bugs.webkit.org/show_bug.cgi?id=167803
<rdar://problem/30337368>
Reviewed by Antti Koivisto.
Source/WebCore:
In the case of adjacent collapsed whitespace fragments, the length of these fragments (TextFragmentIterator::TextFragment)
does not necessarily equal the length of the final runs (SimpleLineLayout::Run).
This patch removes the dependency on the length and switches over to using the position information instead.
Test: fast/text/simple-line-layout-multiple-trailingwhitespace-crash.html
* rendering/SimpleLineLayout.cpp:
(WebCore::SimpleLineLayout::LineState::appendFragmentAndCreateRunIfNeeded):
(WebCore::SimpleLineLayout::LineState::removeTrailingWhitespace):
LayoutTests:
* fast/text/simple-line-layout-multiple-trailingwhitespace-crash-expected.txt: Added.
* fast/text/simple-line-layout-multiple-trailingwhitespace-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (211646 => 211647)
--- trunk/LayoutTests/ChangeLog 2017-02-03 20:53:35 UTC (rev 211646)
+++ trunk/LayoutTests/ChangeLog 2017-02-03 21:17:28 UTC (rev 211647)
@@ -1,3 +1,14 @@
+2017-02-03 Zalan Bujtas <za...@apple.com>
+
+ Simple line layout: Removing adjacent trailing whitespace runs should not crash.
+ https://bugs.webkit.org/show_bug.cgi?id=167803
+ <rdar://problem/30337368>
+
+ Reviewed by Antti Koivisto.
+
+ * fast/text/simple-line-layout-multiple-trailingwhitespace-crash-expected.txt: Added.
+ * fast/text/simple-line-layout-multiple-trailingwhitespace-crash.html: Added.
+
2017-02-03 Chris Dumez <cdu...@apple.com>
Fix bad assertion under HTMLTreeBuilder::processStartTagForInBody()
Added: trunk/LayoutTests/fast/text/simple-line-layout-multiple-trailingwhitespace-crash-expected.txt (0 => 211647)
--- trunk/LayoutTests/fast/text/simple-line-layout-multiple-trailingwhitespace-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/text/simple-line-layout-multiple-trailingwhitespace-crash-expected.txt 2017-02-03 21:17:28 UTC (rev 211647)
@@ -0,0 +1,2 @@
+PASS if no crash or assert.
+F
Added: trunk/LayoutTests/fast/text/simple-line-layout-multiple-trailingwhitespace-crash.html (0 => 211647)
--- trunk/LayoutTests/fast/text/simple-line-layout-multiple-trailingwhitespace-crash.html (rev 0)
+++ trunk/LayoutTests/fast/text/simple-line-layout-multiple-trailingwhitespace-crash.html 2017-02-03 21:17:28 UTC (rev 211647)
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>This tests that we don't crash on multiple trailing whitespace runs</title>
+<style>
+div {
+ font-size: 0;
+}
+</style>
+</head>
+<body>
+PASS if no crash or assert.
+<div>F <!---->
+</div>
+<script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+</body>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (211646 => 211647)
--- trunk/Source/WebCore/ChangeLog 2017-02-03 20:53:35 UTC (rev 211646)
+++ trunk/Source/WebCore/ChangeLog 2017-02-03 21:17:28 UTC (rev 211647)
@@ -1,3 +1,21 @@
+2017-02-03 Zalan Bujtas <za...@apple.com>
+
+ Simple line layout: Removing adjacent trailing whitespace runs should not crash.
+ https://bugs.webkit.org/show_bug.cgi?id=167803
+ <rdar://problem/30337368>
+
+ Reviewed by Antti Koivisto.
+
+ In case of adjacent collapsed whitespace fragments, the length of these fragments (TextFragmentIterator::TextFragment)
+ do not necessarily equal the length of the final runs (SimpleLineLayout::Run).
+ This patch removes the dependency on the length and switches over to using the position information instead.
+
+ Test: fast/text/simple-line-layout-multiple-trailingwhitespace-crash.html
+
+ * rendering/SimpleLineLayout.cpp:
+ (WebCore::SimpleLineLayout::LineState::appendFragmentAndCreateRunIfNeeded):
+ (WebCore::SimpleLineLayout::LineState::removeTrailingWhitespace):
+
2017-02-03 Brent Fulgham <bfulg...@apple.com>
Correct memory leak in MediaConstraints
Modified: trunk/Source/WebCore/rendering/SimpleLineLayout.cpp (211646 => 211647)
--- trunk/Source/WebCore/rendering/SimpleLineLayout.cpp 2017-02-03 20:53:35 UTC (rev 211646)
+++ trunk/Source/WebCore/rendering/SimpleLineLayout.cpp 2017-02-03 21:17:28 UTC (rev 211647)
@@ -383,20 +383,23 @@
return 0;
}
-static void revertRuns(Layout::RunVector& runs, unsigned length, float width)
+static void revertRuns(Layout::RunVector& runs, unsigned positionToRevertTo, float width)
{
- while (length) {
- ASSERT(runs.size());
- Run& lastRun = runs.last();
- unsigned lastRunLength = lastRun.end - lastRun.start;
- if (lastRunLength > length) {
+ while (runs.size()) {
+ auto& lastRun = runs.last();
+ if (lastRun.end <= positionToRevertTo)
+ break;
+ if (lastRun.start >= positionToRevertTo) {
+ // Revert this run completely.
+ width -= (lastRun.logicalRight - lastRun.logicalLeft);
+ runs.removeLast();
+ } else {
lastRun.logicalRight -= width;
- lastRun.end -= length;
+ width = 0;
+ lastRun.end = positionToRevertTo;
+ // Partial removal.
break;
}
- length -= lastRunLength;
- width -= (lastRun.logicalRight - lastRun.logicalLeft);
- runs.removeLast();
}
}
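Review bot: In the partial-removal branch of `revertRuns`, nothing checks that the `width` left over after the fully removed runs still fits inside the run being trimmed, so a caller whose width and position disagree would leave `logicalRight` to the left of `logicalLeft` without any signal. The loop condition `while (runs.size())` now keeps `runs.last()` from being called on an empty vector, but the old `ASSERT(runs.size())` was dropped without a replacement debug check; I would add `ASSERT(lastRun.logicalRight >= lastRun.logicalLeft);` after the subtraction, allowing for float rounding if needed. `width = 0;` immediately before `break` is a dead store because `width` is a by-value parameter, and the `// Partial removal.` comment would read better as the first line of the `else` branch.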
@@ -517,7 +520,7 @@
}
ASSERT(m_lastFragment.isValid());
m_runsWidth -= m_uncompletedWidth;
- revertRuns(runs, endPositionForCollapsedFragment(m_lastFragment) - endPositionForCollapsedFragment(m_lastCompleteFragment), m_uncompletedWidth);
+ revertRuns(runs, endPositionForCollapsedFragment(m_lastCompleteFragment), m_uncompletedWidth);
m_uncompletedWidth = 0;
ASSERT(m_lastCompleteFragment.isValid());
return m_lastCompleteFragment;
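Review bot: `ASSERT(m_lastCompleteFragment.isValid());` runs only after `endPositionForCollapsedFragment(m_lastCompleteFragment)` has already been passed to `revertRuns` as the revert position, so an invalid fragment would drive the run removal before the assertion can flag it. With this change the revert depends on that one fragment alone (the old argument was a difference of two positions), so the check is worth moving above the `revertRuns` call. The enclosing function begins outside the hunk, so an earlier guard may already exist there.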
@@ -527,8 +530,7 @@
{
if (m_lastFragment.type() != TextFragmentIterator::TextFragment::Whitespace || m_lastFragment.end() == m_lastNonWhitespaceFragment.end())
return;
- unsigned trailingWhitespaceLength = endPositionForCollapsedFragment(m_lastFragment) - m_lastNonWhitespaceFragment.end();
- revertRuns(runs, trailingWhitespaceLength, m_trailingWhitespaceWidth);
+ revertRuns(runs, m_lastNonWhitespaceFragment.end(), m_trailingWhitespaceWidth);
m_runsWidth -= m_trailingWhitespaceWidth;
m_lastFragment = m_lastNonWhitespaceFragment;
}
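Review bot: The two call sites now derive the revert position differently: this one passes `m_lastNonWhitespaceFragment.end()` directly, while the other goes through `endPositionForCollapsedFragment(...)`, and nothing explains why the raw end is comparable to `Run::end` here. Presumably a non-whitespace fragment is never collapsed; if so, a comment such as `// Non-whitespace fragments are never collapsed, so end() is already a run position.` above the call would make that explicit. The early return compares only the two `end()` values, and whether `m_lastNonWhitespaceFragment` is valid when the line holds nothing but whitespace cannot be seen from this hunk, since the function begins outside it.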