[webkit-changes] [258761] trunk/Source/WebCore

[zalan]

Title: [258761] trunk/Source/WebCore

Revision

258761

Author

za...@apple.com

Date

2020-03-20 07:59:44 -0700 (Fri, 20 Mar 2020)

Log Message

[LFC][IFC] Avoid infinite loop when stuck on partial content
https://bugs.webkit.org/show_bug.cgi?id=209312
<rdar://problem/59954605>

Reviewed by Simon Fraser.

Speculative fix to address infinite loop/running out of inline run vector capacity at InlineFormattingContext::setDisplayBoxesForLine.
(Checking if we managed to progress on the content while having partial runs.)

* layout/inlineformatting/InlineFormattingContext.cpp:
(WebCore::Layout::InlineFormattingContext::lineLayout):
* layout/inlineformatting/LineLayoutContext.cpp:
(WebCore::Layout::LineLayoutContext::nextContentForLine):
(WebCore::Layout::LineLayoutContext::handleFloatsAndInlineContent):

Modified Paths

• trunk/Source/WebCore/ChangeLog
• trunk/Source/WebCore/layout/inlineformatting/InlineFormattingContext.cpp
• trunk/Source/WebCore/layout/inlineformatting/LineLayoutContext.cpp

Diff

Modified: trunk/Source/WebCore/ChangeLog (258760 => 258761)

--- trunk/Source/WebCore/ChangeLog	2020-03-20 14:31:36 UTC (rev 258760)
+++ trunk/Source/WebCore/ChangeLog	2020-03-20 14:59:44 UTC (rev 258761)
@@ -1,3 +1,20 @@
+2020-03-20  Zalan Bujtas  <za...@apple.com>
+
+        [LFC][IFC] Avoid infinite loop when stuck on partial content
+        https://bugs.webkit.org/show_bug.cgi?id=209312
+        <rdar://problem/59954605>
+
+        Reviewed by Simon Fraser.
+
+        Speculative fix to address infinite loop/running out of inline run vector capacity at InlineFormattingContext::setDisplayBoxesForLine.
+        (Checking if we managed to progress on the content while having partial runs.)
+
+        * layout/inlineformatting/InlineFormattingContext.cpp:
+        (WebCore::Layout::InlineFormattingContext::lineLayout):
+        * layout/inlineformatting/LineLayoutContext.cpp:
+        (WebCore::Layout::LineLayoutContext::nextContentForLine):
+        (WebCore::Layout::LineLayoutContext::handleFloatsAndInlineContent):
+
 2020-03-20  Philippe Normand  <pnorm...@igalia.com>
 
         [GStreamer] White-list vp09 in the codec registry

Modified: trunk/Source/WebCore/layout/inlineformatting/InlineFormattingContext.cpp (258760 => 258761)

--- trunk/Source/WebCore/layout/inlineformatting/InlineFormattingContext.cpp	2020-03-20 14:31:36 UTC (rev 258760)
+++ trunk/Source/WebCore/layout/inlineformatting/InlineFormattingContext.cpp	2020-03-20 14:59:44 UTC (rev 258761)
@@ -139,29 +139,49 @@
 void InlineFormattingContext::lineLayout(InlineItems& inlineItems, LineLayoutContext::InlineItemRange layoutRange, const HorizontalConstraints& horizontalConstraints, const VerticalConstraints& verticalConstraints)
 {
     auto lineLogicalTop = verticalConstraints.logicalTop;
-    Optional<unsigned> partialLeadingContentLength;
+    struct PreviousLineEnd {
+        unsigned runIndex;
+        Optional<unsigned> overflowContentLength;
+    };
+    Optional<PreviousLineEnd> previousLineEnd;
     auto lineBuilder = LineBuilder { *this, root().style().textAlign(), LineBuilder::IntrinsicSizing::No };
     auto lineLayoutContext = LineLayoutContext { *this, root(), inlineItems };
 
     while (!layoutRange.isEmpty()) {
         lineBuilder.initialize(constraintsForLine(horizontalConstraints, lineLogicalTop));
-        auto lineContent = lineLayoutContext.layoutLine(lineBuilder, layoutRange, partialLeadingContentLength);
+        auto lineContent = lineLayoutContext.layoutLine(lineBuilder, layoutRange, previousLineEnd ? previousLineEnd->overflowContentLength : WTF::nullopt);
         setDisplayBoxesForLine(lineContent, horizontalConstraints);
 
-        partialLeadingContentLength = { };
         if (lineContent.trailingInlineItemIndex) {
             lineLogicalTop = lineContent.lineBox.logicalBottom();
-            // When the trailing content is partial, we need to reuse the last InlinItem.
+            // When the trailing content is partial, we need to reuse the last InlineTextItem.
+            auto trailingRunIndex = *lineContent.trailingInlineItemIndex;
             if (lineContent.partialContent) {
-                layoutRange.start = *lineContent.trailingInlineItemIndex;
+                ASSERT(lineContent.partialContent->overflowContentLength);
                 // Turn previous line's overflow content length into the next line's leading content partial length.
-                // "sp<->litcontent" -> overflow length: 10 -> leading partial content length: 10. 
-                partialLeadingContentLength = lineContent.partialContent->overflowContentLength;
-            } else
-                layoutRange.start = *lineContent.trailingInlineItemIndex + 1;
+                // "sp<->litcontent" -> overflow length: 10 -> leading partial content length: 10.
+                auto isNewInlineContent = !previousLineEnd
+                    || trailingRunIndex > previousLineEnd->runIndex
+                    || (previousLineEnd->overflowContentLength && *previousLineEnd->overflowContentLength > lineContent.partialContent->overflowContentLength);
+                if (isNewInlineContent) {
+                    // Strart the next line with the same, partial trailing InlineTextItem.
+                    previousLineEnd = PreviousLineEnd { trailingRunIndex, lineContent.partialContent->overflowContentLength };
+                    layoutRange.start = previousLineEnd->runIndex;
+                } else {
+                    ASSERT_NOT_REACHED();
+                    // Move over to the next run if we are stuck on this partial content (when the overflow content length remains the same).
+                    // We certainly lose some content, but we would be busy looping anyway.
+                    previousLineEnd = PreviousLineEnd { trailingRunIndex, { } };
+                    layoutRange.start = previousLineEnd->runIndex + 1;
+                }
+            } else {
+                previousLineEnd = PreviousLineEnd { trailingRunIndex, { } };
+                layoutRange.start = previousLineEnd->runIndex + 1;
+            }
             continue;
         }
         // Floats prevented us placing any content on the line.
+        ASSERT(lineContent.runList.isEmpty());
         ASSERT(lineBuilder.hasIntrusiveFloat());
         // Move the next line below the intrusive float.
         auto floatingContext = FloatingContext { root(), *this, formattingState().floatingState() };

Modified: trunk/Source/WebCore/layout/inlineformatting/LineLayoutContext.cpp (258760 => 258761)

--- trunk/Source/WebCore/layout/inlineformatting/LineLayoutContext.cpp	2020-03-20 14:31:36 UTC (rev 258760)
+++ trunk/Source/WebCore/layout/inlineformatting/LineLayoutContext.cpp	2020-03-20 14:59:44 UTC (rev 258761)
@@ -496,6 +496,7 @@
 
         auto partialRun = *result.partialTrailingContent->partialRun;
         auto& trailingInlineTextItem = downcast<InlineTextItem>(candidateRuns[trailingRunIndex].inlineItem);
+        ASSERT(partialRun.length < trailingInlineTextItem.length());
         auto overflowLength = trailingInlineTextItem.length() - partialRun.length;
         return { LineBreaker::IsEndOfLine::Yes, { committedInlineItemCount, false }, LineContent::PartialContent { partialRun.needsHyphen, overflowLength } };
     }

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes