Title: [235485] trunk
Revision: 235485
Author: [email protected]
Date: 2018-08-29 16:35:30 -0700 (Wed, 29 Aug 2018)
Log Message
REGRESSION (r226138): WebCore::subdivide() may return an empty vector; Web process can crash when performing find in Epiphany
https://bugs.webkit.org/show_bug.cgi?id=184390
<rdar://problem/41804994>
And
<rdar://problem/39771867>
Reviewed by Simon Fraser.
Source/WebCore:
Speculative fix for Epiphany.
In theory, WebCore::subdivide() should never return an empty vector - no subdivisions - as such a
result represents a programmer error. In practice, InlineTextBox can invoke WebCore::subdivide()
such that it returns an empty vector. One way this can happen is when subdividing an empty inline
text box associated with combined text (RenderCombineText). For now we add a check to bail out of
resolving the style of subdivisions when WebCore::subdivide() returns no subdivisions. In a
subsequent patch we will look to assert that WebCore::subdivide() always returns subdivisions.
Test: fast/text/text-combine-surroundContents-crash.html
* rendering/InlineTextBox.cpp:
(WebCore::InlineTextBox::subdivideAndResolveStyle):
LayoutTests:
Add a test to ensure that we do not crash when painting an empty inline text box associated
with combined text.
* fast/text/text-combine-surroundContents-crash-expected.txt: Added.
* fast/text/text-combine-surroundContents-crash.html: Added.
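The change above guards a caller of WebCore::subdivide() against an empty result. The following is an added example, not WebKit's code: a simplified, hypothetical stand-in for the subdivision step (split one text box's character range at every marked-text boundary so each piece carries a single marker) together with a caller that applies the same bail-out. The names MarkedText, subdivide, subdivideAndResolveStyle and the numeric type/style codes are all assumptions made for the illustration; it shows why a zero-length box yields zero pieces and why the caller must tolerate that.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Hypothetical, simplified stand-in for WebCore's MarkedText: a half-open
// character range [startOffset, endOffset) within one text box, plus a tag
// (0 = unmarked, 1 = text match from find, 2 = selection). Not WebKit's type.
struct MarkedText {
    unsigned startOffset;
    unsigned endOffset;
    int type;
};

// Split a text box of `boxLength` characters at every marked-text boundary so
// that each returned piece is covered by at most one marker kind. This mirrors
// the general idea of WebCore::subdivide() but is not its implementation.
std::vector<MarkedText> subdivide(const std::vector<MarkedText>& markedTexts, unsigned boxLength)
{
    // Collect every boundary, clamped to the box, and keep the unique ones in order.
    std::vector<unsigned> boundaries { 0, boxLength };
    for (const auto& marked : markedTexts) {
        boundaries.push_back(std::min(marked.startOffset, boxLength));
        boundaries.push_back(std::min(marked.endOffset, boxLength));
    }
    std::sort(boundaries.begin(), boundaries.end());
    boundaries.erase(std::unique(boundaries.begin(), boundaries.end()), boundaries.end());

    // Each adjacent pair of boundaries is one piece; the last-listed marker that
    // fully covers the piece is treated as the frontmost one (0 if none covers it).
    std::vector<MarkedText> pieces;
    for (size_t i = 0; i + 1 < boundaries.size(); ++i) {
        unsigned start = boundaries[i];
        unsigned end = boundaries[i + 1];
        int type = 0;
        for (const auto& marked : markedTexts) {
            if (marked.startOffset <= start && end <= marked.endOffset)
                type = marked.type;
        }
        pieces.push_back({ start, end, type });
    }
    // For an empty box (boxLength == 0) every boundary collapses to 0, so the
    // loop never runs and the result is empty: exactly the case r235485 guards.
    return pieces;
}

// Hypothetical styled piece: a subdivision plus a resolved style code.
struct StyledPiece {
    MarkedText piece;
    int style;
};

// Caller modelled on the guarded call site: resolve one style per piece, and
// bail out early when subdivide() produced no pieces instead of assuming
// that at least one exists (e.g. by touching pieces.front() or pieces.back()).
std::vector<StyledPiece> subdivideAndResolveStyle(const std::vector<MarkedText>& markedTexts, unsigned boxLength)
{
    auto pieces = subdivide(markedTexts, boxLength);
    if (pieces.empty())
        return {};

    std::vector<StyledPiece> styled;
    styled.reserve(pieces.size());
    for (const auto& piece : pieces) {
        // Assumed style codes: 10 for a find match, 20 for selection, 0 otherwise.
        int style = piece.type == 1 ? 10 : (piece.type == 2 ? 20 : 0);
        styled.push_back({ piece, style });
    }
    return styled;
}
```

With a 10-character box and markers [2,5) of type 1 and [4,8) of type 2, the boundaries are 0, 2, 4, 5, 8, 10 and five pieces come back, the overlapping [4,5) piece taking the later marker; with a 0-character box both functions return empty vectors rather than reading from a non-existent first element.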
Diff
Modified: trunk/LayoutTests/ChangeLog (235484 => 235485)
--- trunk/LayoutTests/ChangeLog 2018-08-29 22:42:26 UTC (rev 235484)
+++ trunk/LayoutTests/ChangeLog 2018-08-29 23:35:30 UTC (rev 235485)
@@ -1,3 +1,19 @@
+2018-08-29 Daniel Bates <[email protected]>
+
+ REGRESSION (r226138): WebCore::subdivide() may return an empty vector; Web process can crash when performing find in Epiphany
+ https://bugs.webkit.org/show_bug.cgi?id=184390
+ <rdar://problem/41804994>
+ And
+ <rdar://problem/39771867>
+
+ Reviewed by Simon Fraser.
+
+ Add a test to ensure that we do not crash when painting an empty inline text box associated
+ with combined text.
+
+ * fast/text/text-combine-surroundContents-crash-expected.txt: Added.
+ * fast/text/text-combine-surroundContents-crash.html: Added.
+
2018-08-29 Youenn Fablet <[email protected]>
Remove WebRTC legacy API implementation
Added: trunk/LayoutTests/fast/text/text-combine-surroundContents-crash-expected.txt (0 => 235485)
--- trunk/LayoutTests/fast/text/text-combine-surroundContents-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/text/text-combine-surroundContents-crash-expected.txt 2018-08-29 23:35:30 UTC (rev 235485)
@@ -0,0 +1,17 @@
+layer at (0,0) size 800x600
+ RenderView at (0,0) size 800x600
+layer at (0,0) size 800x76
+ RenderBlock {HTML} at (0,0) size 800x76
+ RenderBody {BODY} at (8,8) size 784x60
+ RenderBlock {DIV} at (0,0) size 20x40
+ RenderCombineText {#text} at (0,0) size 20x20
+ text run at (0,0) width 20: "\x{FFFC}"
+ RenderInline {SPAN} at (0,0) size 20x0
+ RenderCombineText {#text} at (0,20) size 20x20
+ text run at (0,20) width 20: "\x{FFFC}"
+ RenderBlock (anonymous) at (0,40) size 784x0
+ RenderText {#text} at (0,0) size 0x0
+ RenderText {#text} at (0,0) size 0x0
+ RenderBlock {DIV} at (0,40) size 784x20
+ RenderText {#text} at (0,0) size 400x20
+ text run at (0,0) width 400: "PASS, did not crash."
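Review bot: the expectation for this crash test is a full render-tree dump (layer sizes, RenderBlock geometry, Ahem text-run widths), so it will need rebaselining whenever layout or font metrics change even though the only property under test is that "PASS, did not crash." is reached; calling testRunner.dumpAsText() in the test and checking in a text-only expectation would make it far less brittle.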
Added: trunk/LayoutTests/fast/text/text-combine-surroundContents-crash.html (0 => 235485)
--- trunk/LayoutTests/fast/text/text-combine-surroundContents-crash.html (rev 0)
+++ trunk/LayoutTests/fast/text/text-combine-surroundContents-crash.html 2018-08-29 23:35:30 UTC (rev 235485)
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+@font-face {
+ font-family: Ahem;
+ src: url("../../resources/Ahem.ttf");
+}
+
+body {
+ font: 20px/1 Ahem;
+}
+
+#first {
+ writing-mode: vertical-rl;
+ -webkit-text-combine: horizontal;
+}
+</style>
+<script>
+function runTest()
+{
+ var second = document.getElementById("second");
+ var range = document.caretRangeFromPoint();
+ range.surroundContents(second); // Crash
+}
+</script>
+</head>
+<body _onload_="runTest()">
+<div id="first"> </div>
+<span id="second"></span> <!-- Must be an inline element. -->
+<div id="successMessage">PASS, did not crash.</div>
+</body>
+</html>
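Review bot: the body tag in this hunk reads `_onload_="runTest()"`; if that spelling is literal in the committed file rather than an archive rewrite, runTest() never fires and the test passes vacuously because the success message renders regardless, so confirm the file uses `onload`. Also, `document.caretRangeFromPoint()` is called with no arguments, relying on the missing coordinates defaulting to (0,0) to land inside `#first`; passing the coordinates explicitly would document the intent and keep the test meaningful if the body margin or layout changes.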
Modified: trunk/Source/WebCore/ChangeLog (235484 => 235485)
--- trunk/Source/WebCore/ChangeLog 2018-08-29 22:42:26 UTC (rev 235484)
+++ trunk/Source/WebCore/ChangeLog 2018-08-29 23:35:30 UTC (rev 235485)
@@ -1,3 +1,27 @@
+2018-08-29 Daniel Bates <[email protected]>
+
+ REGRESSION (r226138): WebCore::subdivide() may return an empty vector; Web process can crash when performing find in Epiphany
+ https://bugs.webkit.org/show_bug.cgi?id=184390
+ <rdar://problem/41804994>
+ And
+ <rdar://problem/39771867>
+
+ Reviewed by Simon Fraser.
+
+ Speculative fix for Epiphany.
+
+ In theory, WebCore::subdivide() should never return an empty vector - no subdivisions - as such a
+ result represents a programmer error. In practice, InlineTextBox can invoke WebCore::subdivide()
+ such that it returns an empty vector. One way this can happen is when subdividing an empty inline
+ text box associated with combined text (RenderCombineText). For now we add a check to bail out of
+ resolving the style of subdivisions when WebCore::subdivide() returns no subdivisions. In a
+ subsequent patch we will look to assert that WebCore::subdivide() always returns subdivisions.
+
+ Test: fast/text/text-combine-surroundContents-crash.html
+
+ * rendering/InlineTextBox.cpp:
+ (WebCore::InlineTextBox::subdivideAndResolveStyle):
+
2018-08-29 Youenn Fablet <[email protected]>
Remove WebRTC legacy API implementation
Modified: trunk/Source/WebCore/rendering/InlineTextBox.cpp (235484 => 235485)
--- trunk/Source/WebCore/rendering/InlineTextBox.cpp 2018-08-29 22:42:26 UTC (rev 235484)
+++ trunk/Source/WebCore/rendering/InlineTextBox.cpp 2018-08-29 23:35:30 UTC (rev 235485)
@@ -792,6 +792,8 @@
return { };
auto markedTexts = subdivide(textsToSubdivide);
+ if (markedTexts.isEmpty())
+ return { };
// Compute frontmost overlapping styled marked texts.
Vector<StyledMarkedText> frontmostMarkedTexts;
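Review bot: the new early return after `auto markedTexts = subdivide(textsToSubdivide);` silently turns what the ChangeLog calls a programmer error into a no-op; consider pairing it with a debug-only ASSERT in this patch rather than deferring that to a follow-up, so the empty-vector case is caught in debug builds while release builds still bail out safely. A one-line comment stating why subdivide() can legitimately return nothing here (an empty inline text box for RenderCombineText) would also stop the guard from being removed later as dead code.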
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes