- Revision: 236171
- Author: [email protected]
- Date: 2018-09-19 05:33:39 -0700 (Wed, 19 Sep 2018)
Log Message
Merge r235721 - The width of an empty or nullptr TextRun should be zero
https://bugs.webkit.org/show_bug.cgi?id=189154
<rdar://problem/43685926>
Reviewed by Zalan Bujtas.
If a page has an empty TextRun and attempts to paint it we can crash with a nullptr.
This patch recognizes that an empty TextRun should always produce a zero width, rather than
attempt to compute this value from font data. It also prevents ListBox from attempting to
paint a null string.
Test: fast/text/null-string-textrun.html
* platform/graphics/FontCascade.cpp:
(WebCore::FontCascade::widthOfTextRange const): An empty TextRun has zero width.
(WebCore::FontCascade::width const): Ditto.
* platform/graphics/TextRun.h:
(WebCore::TextRun::TextRun): ASSERT that the supplied String is non-null.
(WebCore::TextRun::setText): Ditto.
* rendering/RenderListBox.cpp:
(WebCore::RenderListBox::paintItemForeground): Don't attempt to paint a null string.
Source/WTF:
The width of an empty or nullptr TextRun should be zero
https://bugs.webkit.org/show_bug.cgi?id=189154
<rdar://problem/43685926>
Reviewed by Zalan Bujtas.
Most accessors in WTFString.cpp, such as isAllASCII(), hash(), etc., perform a nullptr check
before using m_impl, but is8Bit() does not.
This patch adds a check in the is8Bit() implementation to be consistent with other methods,
and to address a small number of crashes observed in testing.
* wtf/text/WTFString.h:
(WTF::String::is8Bit const):
LayoutTests:
The width of a nullptr TextRun should be zero
https://bugs.webkit.org/show_bug.cgi?id=189154
<rdar://problem/43685926>
Reviewed by Zalan Bujtas.
* fast/text/null-string-textrun-expected.txt: Added.
* fast/text/null-string-textrun.html: Added.
Diff
Modified: releases/WebKitGTK/webkit-2.22/LayoutTests/ChangeLog (236170 => 236171)
--- releases/WebKitGTK/webkit-2.22/LayoutTests/ChangeLog 2018-09-19 12:33:30 UTC (rev 236170)
+++ releases/WebKitGTK/webkit-2.22/LayoutTests/ChangeLog 2018-09-19 12:33:39 UTC (rev 236171)
@@ -1,3 +1,14 @@
+2018-09-05 Brent Fulgham <[email protected]>
+
+ The width of a nullptr TextRun should be zero
+ https://bugs.webkit.org/show_bug.cgi?id=189154
+ <rdar://problem/43685926>
+
+ Reviewed by Zalan Bujtas.
+
+ * fast/text/null-string-textrun-expected.txt: Added.
+ * fast/text/null-string-textrun.html: Added.
+
2018-09-04 Daniel Bates <[email protected]>
Remove redundant inline text boxes for empty combined text
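Review bot: The title of this LayoutTests ChangeLog entry, "The width of a nullptr TextRun should be zero", differs from the title used by the WTF and WebCore ChangeLog entries in the same revision, "The width of an empty or nullptr TextRun should be zero"; the three entries should carry the same title so the change can be found with one search string.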
Added: releases/WebKitGTK/webkit-2.22/LayoutTests/fast/text/null-string-textrun-expected.txt (0 => 236171)
--- releases/WebKitGTK/webkit-2.22/LayoutTests/fast/text/null-string-textrun-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.22/LayoutTests/fast/text/null-string-textrun-expected.txt 2018-09-19 12:33:39 UTC (rev 236171)
@@ -0,0 +1,6 @@
+This test confirms that a null text run doesn't trigger a crash. It passes if it loads without crashing.
+
+
+
+
+
Added: releases/WebKitGTK/webkit-2.22/LayoutTests/fast/text/null-string-textrun.html (0 => 236171)
--- releases/WebKitGTK/webkit-2.22/LayoutTests/fast/text/null-string-textrun.html (rev 0)
+++ releases/WebKitGTK/webkit-2.22/LayoutTests/fast/text/null-string-textrun.html 2018-09-19 12:33:39 UTC (rev 236171)
@@ -0,0 +1,19 @@
+<!doctype html>
+<head>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+<head>
+<body>
+ <p>This test confirms that a null text run doesn't trigger a crash. It passes if it loads without crashing.</p>
+ <pre id="pre_tag" dir="RTL" >
+ <style _onload_="pre_tag.appendChild(meter_tag)"/></style>
+ <select multiple="multiple">
+ <optgroup/>
+ </select>
+ </pre>
+ <label>
+ <meter id="meter_tag">
+ </label>
+</body>
\ No newline at end of file
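Review bot: The test markup is malformed in several places: the second `<head>` on the line after the script is where `</head>` is expected, `<style _onload_="pre_tag.appendChild(meter_tag)"/></style>` is written as both self-closing and explicitly closed, `<meter id="meter_tag">` is never closed, and the file has no trailing newline. If the broken structure is deliberate because this is the reduced reproduction of the crash, a short HTML comment saying so would keep a later tidy-up from silently breaking the repro; if it is not deliberate, the tags should be closed properly and a final newline added.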
Modified: releases/WebKitGTK/webkit-2.22/Source/WTF/ChangeLog (236170 => 236171)
--- releases/WebKitGTK/webkit-2.22/Source/WTF/ChangeLog 2018-09-19 12:33:30 UTC (rev 236170)
+++ releases/WebKitGTK/webkit-2.22/Source/WTF/ChangeLog 2018-09-19 12:33:39 UTC (rev 236171)
@@ -1,3 +1,20 @@
+2018-09-05 Brent Fulgham <[email protected]>
+
+ The width of an empty or nullptr TextRun should be zero
+ https://bugs.webkit.org/show_bug.cgi?id=189154
+ <rdar://problem/43685926>
+
+ Reviewed by Zalan Bujtas.
+
+ Most accessors in WTFString.cpp, such as isAllASCII(), hash(), etc., perform a nullptr check
+ before using m_impl, but is8Bit() does not.
+
+ This patch adds a check in the is8Bit() implementation to be consistent with other methods,
+ and to address a small number of crashes observed in testing.
+
+ * wtf/text/WTFString.h:
+ (WTF::String::is8Bit const):
+
2018-08-30 Tim Horton <[email protected]>
Bundle unified sources more tightly in projects with deep directory structures
Modified: releases/WebKitGTK/webkit-2.22/Source/WTF/wtf/text/WTFString.h (236170 => 236171)
--- releases/WebKitGTK/webkit-2.22/Source/WTF/wtf/text/WTFString.h 2018-09-19 12:33:30 UTC (rev 236170)
+++ releases/WebKitGTK/webkit-2.22/Source/WTF/wtf/text/WTFString.h 2018-09-19 12:33:39 UTC (rev 236171)
@@ -1,6 +1,6 @@
/*
* (C) 1999 Lars Knoll ([email protected])
- * Copyright (C) 2004-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2018 Apple Inc. All rights reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Library General Public
@@ -154,7 +154,7 @@
// Return characters8() or characters16() depending on CharacterType.
template<typename CharacterType> const CharacterType* characters() const;
- bool is8Bit() const { return m_impl->is8Bit(); }
+ bool is8Bit() const { return !m_impl || m_impl->is8Bit(); }
unsigned sizeInBytes() const { return m_impl ? m_impl->length() * (is8Bit() ? sizeof(LChar) : sizeof(UChar)) : 0; }
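Review bot: `return !m_impl || m_impl->is8Bit();` makes a null String answer true for `is8Bit()`, which lines up with `sizeInBytes()` on the next line already guarding `m_impl`, but reporting null as 8-bit is a convention rather than a property of any data; a one-line comment on this line stating that a null String is treated as 8-bit would tell callers that branch on `is8Bit()` before fetching characters what they get for a null value, and would match the ChangeLog rationale of consistency with `isAllASCII()` and `hash()`.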
Modified: releases/WebKitGTK/webkit-2.22/Source/WebCore/ChangeLog (236170 => 236171)
--- releases/WebKitGTK/webkit-2.22/Source/WebCore/ChangeLog 2018-09-19 12:33:30 UTC (rev 236170)
+++ releases/WebKitGTK/webkit-2.22/Source/WebCore/ChangeLog 2018-09-19 12:33:39 UTC (rev 236171)
@@ -1,3 +1,28 @@
+2018-09-05 Brent Fulgham <[email protected]>
+
+ The width of an empty or nullptr TextRun should be zero
+ https://bugs.webkit.org/show_bug.cgi?id=189154
+ <rdar://problem/43685926>
+
+ Reviewed by Zalan Bujtas.
+
+ If a page has an empty TextRun and attempts to paint it we can crash with a nullptr.
+
+ This patch recognizes that an empty TextRun should always produce a zero width, rather than
+ attempt to compute this value from font data. It also prevents ListBox from attempting to
+ paint a null string.
+
+ Test: fast/text/null-string-textrun.html
+
+ * platform/graphics/FontCascade.cpp:
+ (WebCore::FontCascade::widthOfTextRange const): An empty TextRun has zero width.
+ (WebCore::FontCascade::width const): Ditto.
+ * platform/graphics/TextRun.h:
+ (WebCore::TextRun::TextRun): ASSERT that the supplied String is non-null.
+ (WebCore::TextRun::setText): Ditto.
+ * rendering/RenderListBox.cpp:
+ (WebCore::RenderListBox::paintItemForeground): Don't attempt to paint a null string.
+
2018-09-04 Daniel Bates <[email protected]>
Attempt to fix failing tests following r235615 (https://bugs.webkit.org/show_bug.cgi?id=187925)
Modified: releases/WebKitGTK/webkit-2.22/Source/WebCore/platform/graphics/FontCascade.cpp (236170 => 236171)
--- releases/WebKitGTK/webkit-2.22/Source/WebCore/platform/graphics/FontCascade.cpp 2018-09-19 12:33:30 UTC (rev 236170)
+++ releases/WebKitGTK/webkit-2.22/Source/WebCore/platform/graphics/FontCascade.cpp 2018-09-19 12:33:39 UTC (rev 236171)
@@ -341,6 +341,9 @@
ASSERT(from <= to);
ASSERT(to <= run.length());
+ if (!run.length())
+ return 0;
+
float offsetBeforeRange = 0;
float offsetAfterRange = 0;
float totalWidth = 0;
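Review bot: The new `if (!run.length()) return 0;` sits after `ASSERT(from <= to)` and `ASSERT(to <= run.length())`, so the range contract is still checked in debug builds before the empty-run short cut; that ordering is the right one. A single comment line above the check, stating that an empty run has no glyphs and therefore no width, would make the intent clear to a reader who does not have the ChangeLog at hand.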
@@ -385,6 +388,9 @@
float FontCascade::width(const TextRun& run, HashSet<const Font*>* fallbackFonts, GlyphOverflow* glyphOverflow) const
{
+ if (!run.length())
+ return 0;
+
CodePath codePathToUse = codePath(run);
if (codePathToUse != Complex) {
// The complex path is more restrictive about returning fallback fonts than the simple path, so we need an explicit test to make their behaviors match.
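Review bot: This `if (!run.length()) return 0;` in `width()` is the check that protects release builds, because the `ASSERT(!m_text.isNull())` added to TextRun in this same revision is a debug-only check and a TextRun built from a null String still reports a length of zero here; a comment noting that both the empty and the null case are handled by this length test would record that dependency next to the code that relies on it.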
Modified: releases/WebKitGTK/webkit-2.22/Source/WebCore/platform/graphics/TextRun.h (236170 => 236171)
--- releases/WebKitGTK/webkit-2.22/Source/WebCore/platform/graphics/TextRun.h 2018-09-19 12:33:30 UTC (rev 236170)
+++ releases/WebKitGTK/webkit-2.22/Source/WebCore/platform/graphics/TextRun.h 2018-09-19 12:33:39 UTC (rev 236171)
@@ -57,6 +57,7 @@
, m_characterScanForCodePath(characterScanForCodePath)
, m_disableSpacing(false)
{
+ ASSERT(!m_text.isNull());
}
explicit TextRun(StringView stringView, float xpos = 0, float expansion = 0, ExpansionBehavior expansionBehavior = DefaultExpansion, TextDirection direction = TextDirection::LTR, bool directionalOverride = false, bool characterScanForCodePath = true)
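Review bot: `ASSERT(!m_text.isNull());` documents the non-null contract only in debug builds, while the ChangeLog describes nullptr crashes reaching the paint path in practice; either `RELEASE_ASSERT` is wanted here, or a comment should say that release builds rely on the zero-length early returns in FontCascade.cpp rather than on this assertion. The `StringView` constructor that follows this hunk does not visibly get the same check; if it does not delegate to `setText()`, it should assert as well.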
@@ -89,7 +90,7 @@
void setText(const LChar* text, unsigned length) { setText({ text, length }); }
void setText(const UChar* text, unsigned length) { setText({ text, length }); }
- void setText(StringView text) { m_text = text.toStringWithoutCopying(); }
+ void setText(StringView text) { ASSERT(!text.isNull()); m_text = text.toStringWithoutCopying(); }
float horizontalGlyphStretch() const { return m_horizontalGlyphStretch; }
void setHorizontalGlyphStretch(float scale) { m_horizontalGlyphStretch = scale; }
Modified: releases/WebKitGTK/webkit-2.22/Source/WebCore/rendering/RenderListBox.cpp (236170 => 236171)
--- releases/WebKitGTK/webkit-2.22/Source/WebCore/rendering/RenderListBox.cpp 2018-09-19 12:33:30 UTC (rev 236170)
+++ releases/WebKitGTK/webkit-2.22/Source/WebCore/rendering/RenderListBox.cpp 2018-09-19 12:33:39 UTC (rev 236171)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006, 2007, 2008, 2011, 2014-2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2018 Apple Inc. All rights reserved.
* 2009 Torch Mobile Inc. All rights reserved. (http://www.torchmobile.com/)
*
* Redistribution and use in source and binary forms, with or without
@@ -422,6 +422,9 @@
itemText = downcast<HTMLOptGroupElement>(*listItemElement).groupLabelText();
itemText = applyTextTransform(style(), itemText, ' ');
+ if (itemText.isNull())
+ return;
+
Color textColor = itemStyle.visitedDependentColorWithColorFilter(CSSPropertyColor);
if (isOptionElement && downcast<HTMLOptionElement>(*listItemElement).selected()) {
if (frame().selection().isFocusedAndActive() && document().focusedElement() == &selectElement())
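Review bot: The early return tests `itemText.isNull()` but not `isEmpty()`, so an empty non-null label still falls through into the color and selection logic below and is painted as a zero-width run. That is safe now that `FontCascade::width()` returns 0 for empty runs, but if the intent is simply "nothing to draw", `isEmpty()` (which is also true for a null String in WTF) would cover both cases with one check, and the ChangeLog line "Don't attempt to paint a null string" should then say which case is meant.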