Title: [242237] trunk
Revision
242237
Author
mmaxfi...@apple.com
Date
2019-02-28 15:42:22 -0800 (Thu, 28 Feb 2019)

Log Message

Use-after-move in RenderCombineText::combineTextIfNeeded()
https://bugs.webkit.org/show_bug.cgi?id=195188

Reviewed by Zalan Bujtas.

Source/WebCore:

r241288 uncovered an existing problem with our text-combine code. r242204 alleviated the
symptom, but this patch fixes the source of the problem (and reverts r242204).

The code in RenderCombineText::combineTextIfNeeded() has a bit that’s like:

FontDescription bestFitDescription;
while (...) {
    FontCascade compressedFont(WTFMove(bestFitDescription), ...);
    ...
}

Clearly this is wrong.

Test: fast/text/text-combine-crash-2.html

* platform/graphics/cocoa/FontDescriptionCocoa.cpp:
(WebCore::FontDescription::platformResolveGenericFamily):
* rendering/RenderCombineText.cpp:
(WebCore::RenderCombineText::combineTextIfNeeded):

LayoutTests:

* fast/text/text-combine-crash-2-expected.html: Added.
* fast/text/text-combine-crash-2.html: Added.
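The loop sketched in the commit message is a textbook use-after-move: the description is declared once outside the loop, moved into a `FontCascade` on the first pass, and every later pass then works with a hollowed-out object. The following is an added stand-alone example, not WebKit code; `Description`, `Cascade`, `fitWithMove` and `fitWithCopy` are hypothetical stand-ins for `FontDescription`, `FontCascade` and the loop in `combineTextIfNeeded()`. It uses a `std::unique_ptr` member so that the moved-from state is well defined (a moved-from `unique_ptr` is guaranteed null), and contrasts the buggy move with the explicit copy the patch switches to.

```cpp
// Added example (not WebKit code): the use-after-move pattern from the commit
// message, reduced to a stand-alone program. All names are hypothetical.
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Stand-in for FontDescription. The family name is owned through a unique_ptr
// so that "moved-from" has a defined meaning: the pointer becomes null.
struct Description {
    std::unique_ptr<std::string> family;
    float computedSize = 0.0f;

    Description(std::string name, float size)
        : family(std::make_unique<std::string>(std::move(name))), computedSize(size) {}

    // Deep copy: copying leaves the source fully usable.
    Description(const Description& other)
        : family(other.family ? std::make_unique<std::string>(*other.family) : nullptr)
        , computedSize(other.computedSize) {}

    // Move: steals the unique_ptr, leaving the source with family == nullptr.
    Description(Description&&) noexcept = default;
};

// Stand-in for FontCascade: takes a Description by value and records whether
// it actually received a family name.
struct Cascade {
    explicit Cascade(Description desc) : hasFamily(desc.family != nullptr) {}
    bool hasFamily;
};

// Mirrors the loop in the commit message: one Description outside the loop,
// handed to a new Cascade on every iteration via a move. Returns how many
// iterations saw a usable family name.
int fitWithMove(const std::vector<float>& candidateSizes)
{
    Description bestFit("serif", 0.0f);
    int usable = 0;
    for (float size : candidateSizes) {
        bestFit.computedSize = size;
        Cascade compressed(std::move(bestFit)); // bug: bestFit is hollow after this
        if (compressed.hasFamily)
            ++usable;
    }
    return usable;
}

// The corrected form, matching the patch's switch from WTFMove(...) to an
// explicit copy (FontCascadeDescription(bestFitDescription)). The source stays
// valid for every iteration.
int fitWithCopy(const std::vector<float>& candidateSizes)
{
    Description bestFit("serif", 0.0f);
    int usable = 0;
    for (float size : candidateSizes) {
        bestFit.computedSize = size;
        Cascade compressed(Description{bestFit}); // explicit copy; braces avoid the most vexing parse
        if (compressed.hasFamily)
            ++usable;
    }
    return usable;
}
```

With three candidate sizes, `fitWithMove` reports only the first iteration as usable while `fitWithCopy` reports all three. In the real code the first iteration also produces a font, so the bug surfaces only when the fitting loop has to try more than one size, which is why a narrow vertical-rl box is needed to reproduce it. Static analysis catches this shape directly: clang-tidy's `bugprone-use-after-move` check flags a moved-from object that is read again on a later loop iteration.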

Diff

Modified: trunk/LayoutTests/ChangeLog (242236 => 242237)


--- trunk/LayoutTests/ChangeLog	2019-02-28 23:37:43 UTC (rev 242236)
+++ trunk/LayoutTests/ChangeLog	2019-02-28 23:42:22 UTC (rev 242237)
@@ -1,3 +1,13 @@
+2019-02-28  Myles C. Maxfield  <mmaxfi...@apple.com>
+
+        Use-after-move in RenderCombineText::combineTextIfNeeded()
+        https://bugs.webkit.org/show_bug.cgi?id=195188
+
+        Reviewed by Zalan Bujtas.
+
+        * fast/text/text-combine-crash-2-expected.html: Added.
+        * fast/text/text-combine-crash-2.html: Added.
+
 2019-02-28  Devin Rousso  <drou...@apple.com>
 
         REGRESSION (r240644): Layout Test inspector/page/overrideSetting-ICECandidateFilteringEnabled.html is a flaky timeout

Added: trunk/LayoutTests/fast/text/text-combine-crash-2-expected.html (0 => 242237)


--- trunk/LayoutTests/fast/text/text-combine-crash-2-expected.html	                        (rev 0)
+++ trunk/LayoutTests/fast/text/text-combine-crash-2-expected.html	2019-02-28 23:42:22 UTC (rev 242237)
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html lang="ja">
+<head>
+<meta charset="utf-8">
+</head>
+<body>
+This test passes if there is no crash.
+<p xmlns="http://www.w3.org/1999/xhtml" style="-webkit-font-smoothing: subpixel-antialiased;
+-webkit-hyphenate-limit-after: 3;
+-webkit-hyphenate-limit-before: 3;
+-webkit-hyphenate-limit-lines: 2;
+-webkit-hyphens: auto;
+-webkit-line-box-contain: block inline replaced;
+-webkit-locale: ja;
+display: block;
+font-family: serif;
+font-size: 22.399999618530273px;
+height: 636px;
+line-break: strict;
+margin-bottom: 0px;
+margin-left: 0px;
+margin-right: 0px;
+margin-top: 0px;
+orphans: 2;
+text-align: start;
+text-indent: 22.399999618530273px;
+text-rendering: auto;
+widows: 2;
+width: 33px;
+word-wrap: break-word;
+writing-mode: vertical-rl;">四桁文字<span class="tcy" style="-epub-text-combine:   horizontal;">ABCD</span></p>
+</body>
+</html>
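Review bot: the -expected.html file is a verbatim copy of the test, which is the usual shape for a no-crash reftest (the pixel comparison only has to agree with itself), so this is fine as-is; it would still be worth a one-line HTML comment saying so, since a reader opening the expected file otherwise has to diff it against the test to learn that nothing specific is being asserted.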

Added: trunk/LayoutTests/fast/text/text-combine-crash-2.html (0 => 242237)


--- trunk/LayoutTests/fast/text/text-combine-crash-2.html	                        (rev 0)
+++ trunk/LayoutTests/fast/text/text-combine-crash-2.html	2019-02-28 23:42:22 UTC (rev 242237)
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html lang="ja">
+<head>
+<meta charset="utf-8">
+</head>
+<body>
+This test passes if there is no crash.
+<p xmlns="http://www.w3.org/1999/xhtml" style="-webkit-font-smoothing: subpixel-antialiased;
+-webkit-hyphenate-limit-after: 3;
+-webkit-hyphenate-limit-before: 3;
+-webkit-hyphenate-limit-lines: 2;
+-webkit-hyphens: auto;
+-webkit-line-box-contain: block inline replaced;
+-webkit-locale: ja;
+display: block;
+font-family: serif;
+font-size: 22.399999618530273px;
+height: 636px;
+line-break: strict;
+margin-bottom: 0px;
+margin-left: 0px;
+margin-right: 0px;
+margin-top: 0px;
+orphans: 2;
+text-align: start;
+text-indent: 22.399999618530273px;
+text-rendering: auto;
+widows: 2;
+width: 33px;
+word-wrap: break-word;
+writing-mode: vertical-rl;">四桁文字<span class="tcy" style="-epub-text-combine:   horizontal;">ABCD</span></p>
+</body>
+</html>
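Review bot: the reproducer keeps many inline properties that look unrelated to the failure described in the commit message (hyphenation limits, font smoothing, orphans/widows, zero margins, text-rendering); since the bug is pinned to the size-fitting loop in combineTextIfNeeded(), the case could probably be reduced to `writing-mode: vertical-rl`, the narrow `width: 33px`, the `ja` locale and the `-epub-text-combine` span, which would document which inputs actually drive the crash. Also, the `xmlns` attribute on `<p>` is inert in an HTML document and the extra spaces in `-epub-text-combine:   horizontal` appear to be carried over from the original page rather than intended.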

Modified: trunk/Source/WebCore/ChangeLog (242236 => 242237)


--- trunk/Source/WebCore/ChangeLog	2019-02-28 23:37:43 UTC (rev 242236)
+++ trunk/Source/WebCore/ChangeLog	2019-02-28 23:42:22 UTC (rev 242237)
@@ -1,3 +1,30 @@
+2019-02-28  Myles C. Maxfield  <mmaxfi...@apple.com>
+
+        Use-after-move in RenderCombineText::combineTextIfNeeded()
+        https://bugs.webkit.org/show_bug.cgi?id=195188
+
+        Reviewed by Zalan Bujtas.
+
+        r241288 uncovered an existing problem with our text-combine code. r242204 alleviated the
+        symptom, but this patch fixes the source of the problem (and reverts r242204).
+
+        The code in RenderCombineText::combineTextIfNeeded() has a bit that’s like:
+
+        FontDescription bestFitDescription;
+        while (...) {
+            FontCascade compressedFont(WTFMove(bestFitDescription), ...);
+            ...
+        }
+
+        Clearly this is wrong.
+
+        Test: fast/text/text-combine-crash-2.html
+
+        * platform/graphics/cocoa/FontDescriptionCocoa.cpp:
+        (WebCore::FontDescription::platformResolveGenericFamily):
+        * rendering/RenderCombineText.cpp:
+        (WebCore::RenderCombineText::combineTextIfNeeded):
+
 2019-02-28  Zalan Bujtas  <za...@apple.com>
 
         [ContentChangeObserver] Introduce observer subclasses to scope content change observing.
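Review bot: the per-function entries at the end of the ChangeLog are empty; the `(WebCore::FontDescription::platformResolveGenericFamily):` line in particular should say that the `locale.isNull()` early return is being dropped (reverting r242204) and why a null locale can now only occur together with USCRIPT_COMMON, since that invariant is what the new ASSERT encodes and nothing in the message states it.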

Modified: trunk/Source/WebCore/platform/graphics/cocoa/FontDescriptionCocoa.cpp (242236 => 242237)


--- trunk/Source/WebCore/platform/graphics/cocoa/FontDescriptionCocoa.cpp	2019-02-28 23:37:43 UTC (rev 242236)
+++ trunk/Source/WebCore/platform/graphics/cocoa/FontDescriptionCocoa.cpp	2019-02-28 23:42:22 UTC (rev 242237)
@@ -165,7 +165,8 @@
 
 AtomicString FontDescription::platformResolveGenericFamily(UScriptCode script, const AtomicString& locale, const AtomicString& familyName)
 {
-    if (locale.isNull() || script == USCRIPT_COMMON)
+    ASSERT((locale.isNull() && script == USCRIPT_COMMON) || !locale.isNull());
+    if (script == USCRIPT_COMMON)
         return nullAtom();
 
     static std::once_flag onceFlag;
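Review bot: the new ASSERT reads more clearly as `ASSERT(!locale.isNull() || script == USCRIPT_COMMON)`; the first disjunct `(locale.isNull() && script == USCRIPT_COMMON)` only matters when `!locale.isNull()` is false, so the two expressions are equivalent. More importantly, ASSERT compiles out in release builds, so removing `locale.isNull()` from the early-return condition means a null locale paired with a non-COMMON script no longer returns nullAtom() and instead proceeds into the lookup below; the commit message frames this as reverting r242204, so the ChangeLog should state that callers are now expected to guarantee the invariant rather than relying on this function to tolerate a null locale.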

Modified: trunk/Source/WebCore/rendering/RenderCombineText.cpp (242236 => 242237)


--- trunk/Source/WebCore/rendering/RenderCombineText.cpp	2019-02-28 23:37:43 UTC (rev 242236)
+++ trunk/Source/WebCore/rendering/RenderCombineText.cpp	2019-02-28 23:42:22 UTC (rev 242237)
@@ -174,7 +174,7 @@
             bestFitDescription.setComputedSize(computedSize);
             shouldUpdateFont = m_combineFontStyle->setFontDescription(FontCascadeDescription { bestFitDescription });
         
-            FontCascade compressedFont(WTFMove(bestFitDescription), style().fontCascade().letterSpacing(), style().fontCascade().wordSpacing());
+            FontCascade compressedFont(FontCascadeDescription(bestFitDescription), style().fontCascade().letterSpacing(), style().fontCascade().wordSpacing());
             compressedFont.update(fontSelector);
             
             glyphOverflow.left = glyphOverflow.top = glyphOverflow.right = glyphOverflow.bottom = 0;
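Review bot: the fix is correct, since `WTFMove(bestFitDescription)` emptied `bestFitDescription` on the first pass of the enclosing loop and every later pass then built a FontCascade from a moved-from description, but the statement two lines above already constructs `FontCascadeDescription { bestFitDescription }` for setFontDescription(), so each iteration now copies the description twice. A single local, e.g. `FontCascadeDescription cascadeDescription { bestFitDescription };` passed to both setFontDescription() and the FontCascade constructor, would remove the duplicate copy and make it explicit that `bestFitDescription` is meant to survive the iteration.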