- Revision
- 235779
- Author
- [email protected]
- Date
- 2018-09-06 22:54:58 -0700 (Thu, 06 Sep 2018)
Log Message
Cherry-pick r235721. rdar://problem/44212406
Source/WebCore:
The width of an empty or nullptr TextRun should be zero
https://bugs.webkit.org/show_bug.cgi?id=189154
<rdar://problem/43685926>
Reviewed by Zalan Bujtas.
If a page has an empty TextRun and attempts to paint it we can crash with a nullptr.
This patch recognizes that an empty TextRun should always produce a zero width, rather than
attempt to compute this value from font data. It also prevents ListBox from attempting to
paint a null string.
Test: fast/text/null-string-textrun.html
* platform/graphics/FontCascade.cpp:
(WebCore::FontCascade::widthOfTextRange const): An empty TextRun has zero width.
(WebCore::FontCascade::width const): Ditto.
* platform/graphics/TextRun.h:
(WebCore::TextRun::TextRun): ASSERT that the supplied String is non-null.
(WebCore::TextRun::setText): Ditto.
* rendering/RenderListBox.cpp:
(WebCore::RenderListBox::paintItemForeground): Don't attempt to paint a null string.
Source/WTF:
The width of an empty or nullptr TextRun should be zero
https://bugs.webkit.org/show_bug.cgi?id=189154
<rdar://problem/43685926>
Reviewed by Zalan Bujtas.
Most accessors in WTFString.cpp, such as isAllASCII(), hash(), etc., perform a nullptr check
before using m_impl, but is8Bit() does not.
This patch adds a check in the is8Bit() implementation to be consistent with other methods,
and to address a small number of crashes observed in testing.
* wtf/text/WTFString.h:
(WTF::String::is8Bit const):
LayoutTests:
The width of a nullptr TextRun should be zero
https://bugs.webkit.org/show_bug.cgi?id=189154
<rdar://problem/43685926>
Reviewed by Zalan Bujtas.
* fast/text/null-string-textrun-expected.txt: Added.
* fast/text/null-string-textrun.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235721 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
Added Paths
Diff
Modified: branches/safari-606-branch/LayoutTests/ChangeLog (235778 => 235779)
--- branches/safari-606-branch/LayoutTests/ChangeLog 2018-09-07 04:40:12 UTC (rev 235778)
+++ branches/safari-606-branch/LayoutTests/ChangeLog 2018-09-07 05:54:58 UTC (rev 235779)
@@ -1,3 +1,71 @@
+2018-09-06 Babak Shafiei <[email protected]>
+
+ Cherry-pick r235721. rdar://problem/44212406
+
+ Source/WebCore:
+ The width of an empty or nullptr TextRun should be zero
+ https://bugs.webkit.org/show_bug.cgi?id=189154
+ <rdar://problem/43685926>
+
+ Reviewed by Zalan Bujtas.
+
+ If a page has an empty TextRun and attempts to paint it we can crash with a nullptr.
+
+ This patch recognizes that an empty TextRun should always produce a zero width, rather than
+ attempt to compute this value from font data. It also prevents ListBox from attempting to
+ paint a null string.
+
+ Test: fast/text/null-string-textrun.html
+
+ * platform/graphics/FontCascade.cpp:
+ (WebCore::FontCascade::widthOfTextRange const): An empty TextRun has zero width.
+ (WebCore::FontCascade::width const): Ditto.
+ * platform/graphics/TextRun.h:
+ (WebCore::TextRun::TextRun): ASSERT that the supplied String is non-null.
+ (WebCore::TextRun::setText): Ditto.
+ * rendering/RenderListBox.cpp:
+ (WebCore::RenderListBox::paintItemForeground): Don't attempt to paint a null string.
+
+ Source/WTF:
+ The width of an empty or nullptr TextRun should be zero
+ https://bugs.webkit.org/show_bug.cgi?id=189154
+ <rdar://problem/43685926>
+
+ Reviewed by Zalan Bujtas.
+
+ Most accessors in WTFString.cpp, such as isAllASCII(), hash(), etc., perform a nullptr check
+ before using m_impl, but is8Bit() does not.
+
+ This patch adds a check in the is8Bit() implementation to be consistent with other methods,
+ and to address a small number of crashes observed in testing.
+
+ * wtf/text/WTFString.h:
+ (WTF::String::is8Bit const):
+
+ LayoutTests:
+ The width of a nullptr TextRun should be zero
+ https://bugs.webkit.org/show_bug.cgi?id=189154
+ <rdar://problem/43685926>
+
+ Reviewed by Zalan Bujtas.
+
+ * fast/text/null-string-textrun-expected.txt: Added.
+ * fast/text/null-string-textrun.html: Added.
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235721 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-09-05 Brent Fulgham <[email protected]>
+
+ The width of a nullptr TextRun should be zero
+ https://bugs.webkit.org/show_bug.cgi?id=189154
+ <rdar://problem/43685926>
+
+ Reviewed by Zalan Bujtas.
+
+ * fast/text/null-string-textrun-expected.txt: Added.
+ * fast/text/null-string-textrun.html: Added.
+
2018-09-06 Mark Lam <[email protected]>
Cherry-pick r235254, r235419, r235666. rdar://problem/44169332
Added: branches/safari-606-branch/LayoutTests/fast/text/null-string-textrun-expected.txt (0 => 235779)
--- branches/safari-606-branch/LayoutTests/fast/text/null-string-textrun-expected.txt (rev 0)
+++ branches/safari-606-branch/LayoutTests/fast/text/null-string-textrun-expected.txt 2018-09-07 05:54:58 UTC (rev 235779)
@@ -0,0 +1,6 @@
+This test confirms that a null text run doesn't trigger a crash. It passes if it loads without crashing.
+
+
+
+
+
Added: branches/safari-606-branch/LayoutTests/fast/text/null-string-textrun.html (0 => 235779)
--- branches/safari-606-branch/LayoutTests/fast/text/null-string-textrun.html (rev 0)
+++ branches/safari-606-branch/LayoutTests/fast/text/null-string-textrun.html 2018-09-07 05:54:58 UTC (rev 235779)
@@ -0,0 +1,19 @@
+<!doctype html>
+<head>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+<head>
+<body>
+ <p>This test confirms that a null text run doesn't trigger a crash. It passes if it loads without crashing.</p>
+ <pre id="pre_tag" dir="RTL" >
+ <style _onload_="pre_tag.appendChild(meter_tag)"/></style>
+ <select multiple="multiple">
+ <optgroup/>
+ </select>
+ </pre>
+ <label>
+ <meter id="meter_tag">
+ </label>
+</body>
\ No newline at end of file
Modified: branches/safari-606-branch/Source/WTF/ChangeLog (235778 => 235779)
--- branches/safari-606-branch/Source/WTF/ChangeLog 2018-09-07 04:40:12 UTC (rev 235778)
+++ branches/safari-606-branch/Source/WTF/ChangeLog 2018-09-07 05:54:58 UTC (rev 235779)
@@ -1,3 +1,77 @@
+2018-09-06 Babak Shafiei <[email protected]>
+
+ Cherry-pick r235721. rdar://problem/44212406
+
+ Source/WebCore:
+ The width of an empty or nullptr TextRun should be zero
+ https://bugs.webkit.org/show_bug.cgi?id=189154
+ <rdar://problem/43685926>
+
+ Reviewed by Zalan Bujtas.
+
+ If a page has an empty TextRun and attempts to paint it we can crash with a nullptr.
+
+ This patch recognizes that an empty TextRun should always produce a zero width, rather than
+ attempt to compute this value from font data. It also prevents ListBox from attempting to
+ paint a null string.
+
+ Test: fast/text/null-string-textrun.html
+
+ * platform/graphics/FontCascade.cpp:
+ (WebCore::FontCascade::widthOfTextRange const): An empty TextRun has zero width.
+ (WebCore::FontCascade::width const): Ditto.
+ * platform/graphics/TextRun.h:
+ (WebCore::TextRun::TextRun): ASSERT that the supplied String is non-null.
+ (WebCore::TextRun::setText): Ditto.
+ * rendering/RenderListBox.cpp:
+ (WebCore::RenderListBox::paintItemForeground): Don't attempt to paint a null string.
+
+ Source/WTF:
+ The width of an empty or nullptr TextRun should be zero
+ https://bugs.webkit.org/show_bug.cgi?id=189154
+ <rdar://problem/43685926>
+
+ Reviewed by Zalan Bujtas.
+
+ Most accessors in WTFString.cpp, such as isAllASCII(), hash(), etc., perform a nullptr check
+ before using m_impl, but is8Bit() does not.
+
+ This patch adds a check in the is8Bit() implementation to be consistent with other methods,
+ and to address a small number of crashes observed in testing.
+
+ * wtf/text/WTFString.h:
+ (WTF::String::is8Bit const):
+
+ LayoutTests:
+ The width of a nullptr TextRun should be zero
+ https://bugs.webkit.org/show_bug.cgi?id=189154
+ <rdar://problem/43685926>
+
+ Reviewed by Zalan Bujtas.
+
+ * fast/text/null-string-textrun-expected.txt: Added.
+ * fast/text/null-string-textrun.html: Added.
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235721 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-09-05 Brent Fulgham <[email protected]>
+
+ The width of an empty or nullptr TextRun should be zero
+ https://bugs.webkit.org/show_bug.cgi?id=189154
+ <rdar://problem/43685926>
+
+ Reviewed by Zalan Bujtas.
+
+ Most accessors in WTFString.cpp, such as isAllASCII(), hash(), etc., perform a nullptr check
+ before using m_impl, but is8Bit() does not.
+
+ This patch adds a check in the is8Bit() implementation to be consistent with other methods,
+ and to address a small number of crashes observed in testing.
+
+ * wtf/text/WTFString.h:
+ (WTF::String::is8Bit const):
+
2018-09-05 Babak Shafiei <[email protected]>
Cherry-pick r234873. rdar://problem/44144063
Modified: branches/safari-606-branch/Source/WTF/wtf/text/WTFString.h (235778 => 235779)
--- branches/safari-606-branch/Source/WTF/wtf/text/WTFString.h 2018-09-07 04:40:12 UTC (rev 235778)
+++ branches/safari-606-branch/Source/WTF/wtf/text/WTFString.h 2018-09-07 05:54:58 UTC (rev 235779)
@@ -1,6 +1,6 @@
/*
* (C) 1999 Lars Knoll ([email protected])
- * Copyright (C) 2004-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2018 Apple Inc. All rights reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Library General Public
@@ -154,7 +154,7 @@
// Return characters8() or characters16() depending on CharacterType.
template<typename CharacterType> const CharacterType* characters() const;
- bool is8Bit() const { return m_impl->is8Bit(); }
+ bool is8Bit() const { return !m_impl || m_impl->is8Bit(); }
unsigned sizeInBytes() const { return m_impl ? m_impl->length() * (is8Bit() ? sizeof(LChar) : sizeof(UChar)) : 0; }
Modified: branches/safari-606-branch/Source/WebCore/ChangeLog (235778 => 235779)
--- branches/safari-606-branch/Source/WebCore/ChangeLog 2018-09-07 04:40:12 UTC (rev 235778)
+++ branches/safari-606-branch/Source/WebCore/ChangeLog 2018-09-07 05:54:58 UTC (rev 235779)
@@ -1,3 +1,85 @@
+2018-09-06 Babak Shafiei <[email protected]>
+
+ Cherry-pick r235721. rdar://problem/44212406
+
+ Source/WebCore:
+ The width of an empty or nullptr TextRun should be zero
+ https://bugs.webkit.org/show_bug.cgi?id=189154
+ <rdar://problem/43685926>
+
+ Reviewed by Zalan Bujtas.
+
+ If a page has an empty TextRun and attempts to paint it we can crash with a nullptr.
+
+ This patch recognizes that an empty TextRun should always produce a zero width, rather than
+ attempt to compute this value from font data. It also prevents ListBox from attempting to
+ paint a null string.
+
+ Test: fast/text/null-string-textrun.html
+
+ * platform/graphics/FontCascade.cpp:
+ (WebCore::FontCascade::widthOfTextRange const): An empty TextRun has zero width.
+ (WebCore::FontCascade::width const): Ditto.
+ * platform/graphics/TextRun.h:
+ (WebCore::TextRun::TextRun): ASSERT that the supplied String is non-null.
+ (WebCore::TextRun::setText): Ditto.
+ * rendering/RenderListBox.cpp:
+ (WebCore::RenderListBox::paintItemForeground): Don't attempt to paint a null string.
+
+ Source/WTF:
+ The width of an empty or nullptr TextRun should be zero
+ https://bugs.webkit.org/show_bug.cgi?id=189154
+ <rdar://problem/43685926>
+
+ Reviewed by Zalan Bujtas.
+
+ Most accessors in WTFString.cpp, such as isAllASCII(), hash(), etc., perform a nullptr check
+ before using m_impl, but is8Bit() does not.
+
+ This patch adds a check in the is8Bit() implementation to be consistent with other methods,
+ and to address a small number of crashes observed in testing.
+
+ * wtf/text/WTFString.h:
+ (WTF::String::is8Bit const):
+
+ LayoutTests:
+ The width of a nullptr TextRun should be zero
+ https://bugs.webkit.org/show_bug.cgi?id=189154
+ <rdar://problem/43685926>
+
+ Reviewed by Zalan Bujtas.
+
+ * fast/text/null-string-textrun-expected.txt: Added.
+ * fast/text/null-string-textrun.html: Added.
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235721 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-09-05 Brent Fulgham <[email protected]>
+
+ The width of an empty or nullptr TextRun should be zero
+ https://bugs.webkit.org/show_bug.cgi?id=189154
+ <rdar://problem/43685926>
+
+ Reviewed by Zalan Bujtas.
+
+ If a page has an empty TextRun and attempts to paint it we can crash with a nullptr.
+
+ This patch recognizes that an empty TextRun should always produce a zero width, rather than
+ attempt to compute this value from font data. It also prevents ListBox from attempting to
+ paint a null string.
+
+ Test: fast/text/null-string-textrun.html
+
+ * platform/graphics/FontCascade.cpp:
+ (WebCore::FontCascade::widthOfTextRange const): An empty TextRun has zero width.
+ (WebCore::FontCascade::width const): Ditto.
+ * platform/graphics/TextRun.h:
+ (WebCore::TextRun::TextRun): ASSERT that the supplied String is non-null.
+ (WebCore::TextRun::setText): Ditto.
+ * rendering/RenderListBox.cpp:
+ (WebCore::RenderListBox::paintItemForeground): Don't attempt to paint a null string.
+
2018-09-06 Mark Lam <[email protected]>
Cherry-pick r235254, r235419, r235666. rdar://problem/44169332
Modified: branches/safari-606-branch/Source/WebCore/platform/graphics/FontCascade.cpp (235778 => 235779)
--- branches/safari-606-branch/Source/WebCore/platform/graphics/FontCascade.cpp 2018-09-07 04:40:12 UTC (rev 235778)
+++ branches/safari-606-branch/Source/WebCore/platform/graphics/FontCascade.cpp 2018-09-07 05:54:58 UTC (rev 235779)
@@ -341,6 +341,9 @@
ASSERT(from <= to);
ASSERT(to <= run.length());
+ if (!run.length())
+ return 0;
+
float offsetBeforeRange = 0;
float offsetAfterRange = 0;
float totalWidth = 0;
@@ -385,6 +388,9 @@
float FontCascade::width(const TextRun& run, HashSet<const Font*>* fallbackFonts, GlyphOverflow* glyphOverflow) const
{
+ if (!run.length())
+ return 0;
+
CodePath codePathToUse = codePath(run);
if (codePathToUse != Complex) {
// The complex path is more restrictive about returning fallback fonts than the simple path, so we need an explicit test to make their behaviors match.
Modified: branches/safari-606-branch/Source/WebCore/platform/graphics/TextRun.h (235778 => 235779)
--- branches/safari-606-branch/Source/WebCore/platform/graphics/TextRun.h 2018-09-07 04:40:12 UTC (rev 235778)
+++ branches/safari-606-branch/Source/WebCore/platform/graphics/TextRun.h 2018-09-07 05:54:58 UTC (rev 235779)
@@ -57,6 +57,7 @@
, m_characterScanForCodePath(characterScanForCodePath)
, m_disableSpacing(false)
{
+ ASSERT(!m_text.isNull());
}
explicit TextRun(StringView stringView, float xpos = 0, float expansion = 0, ExpansionBehavior expansionBehavior = DefaultExpansion, TextDirection direction = LTR, bool directionalOverride = false, bool characterScanForCodePath = true)
@@ -89,7 +90,7 @@
void setText(const LChar* text, unsigned length) { setText({ text, length }); }
void setText(const UChar* text, unsigned length) { setText({ text, length }); }
- void setText(StringView text) { m_text = text.toStringWithoutCopying(); }
+ void setText(StringView text) { ASSERT(!text.isNull()); m_text = text.toStringWithoutCopying(); }
float horizontalGlyphStretch() const { return m_horizontalGlyphStretch; }
void setHorizontalGlyphStretch(float scale) { m_horizontalGlyphStretch = scale; }
Modified: branches/safari-606-branch/Source/WebCore/rendering/RenderListBox.cpp (235778 => 235779)
--- branches/safari-606-branch/Source/WebCore/rendering/RenderListBox.cpp 2018-09-07 04:40:12 UTC (rev 235778)
+++ branches/safari-606-branch/Source/WebCore/rendering/RenderListBox.cpp 2018-09-07 05:54:58 UTC (rev 235779)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006, 2007, 2008, 2011, 2014-2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2018 Apple Inc. All rights reserved.
* 2009 Torch Mobile Inc. All rights reserved. (http://www.torchmobile.com/)
*
* Redistribution and use in source and binary forms, with or without
@@ -422,6 +422,9 @@
itemText = downcast<HTMLOptGroupElement>(*listItemElement).groupLabelText();
itemText = applyTextTransform(style(), itemText, ' ');
+ if (itemText.isNull())
+ return;
+
Color textColor = itemStyle.visitedDependentColorWithColorFilter(CSSPropertyColor);
if (isOptionElement && downcast<HTMLOptionElement>(*listItemElement).selected()) {
if (frame().selection().isFocusedAndActive() && document().focusedElement() == &selectElement())
