[webkit-changes] [276269] trunk

Mon, 19 Apr 2021 13:09:48 -0700

Title: [276269] trunk
Revision
276269
Author
[email protected]
Date
2021-04-19 13:09:04 -0700 (Mon, 19 Apr 2021)

Log Message

[LFC][IFC] LineCandidate.inlineContent should be ignored when reverting
https://bugs.webkit.org/show_bug.cgi?id=224771
<rdar://76760857>

Reviewed by Antti Koivisto.

Source/WebCore:

LineCandidate.inlineContent is a set of candidate runs for the line and when the line breaker says "please revert" (move back to an earlier position on the line)
these runs should all be ignored as they did not make it to the line.
(inlineContentIsFullyCommitted flag got confused when the number of candidate runs matched the number of runs we managed to put on the line as part of the revert. It did not take the "revert" bit into account.)

Test: fast/inline/crash-when-revert-has-trailing-line-break.html

* layout/inlineformatting/InlineLineBuilder.cpp:
(WebCore::Layout::LineBuilder::placeInlineContent):

LayoutTests:

* fast/inline/crash-when-revert-has-trailing-line-break-expected.txt: Added.
* fast/inline/crash-when-revert-has-trailing-line-break.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (276268 => 276269)


--- trunk/LayoutTests/ChangeLog	2021-04-19 19:42:44 UTC (rev 276268)
+++ trunk/LayoutTests/ChangeLog	2021-04-19 20:09:04 UTC (rev 276269)
@@ -1,3 +1,14 @@
+2021-04-19  Zalan Bujtas  <[email protected]>
+
+        [LFC][IFC] LineCandidate.inlineContent should be ignored when reverting
+        https://bugs.webkit.org/show_bug.cgi?id=224771
+        <rdar://76760857>
+
+        Reviewed by Antti Koivisto.
+
+        * fast/inline/crash-when-revert-has-trailing-line-break-expected.txt: Added.
+        * fast/inline/crash-when-revert-has-trailing-line-break.html: Added.
+
 2021-04-19  Amir Mark Jr  <[email protected]>
 
         [ wk2 ] http/tests/security/contentSecurityPolicy/report-only-connect-src-xmlhttprequest-redirect-to-blocked.py is a constant text failure

Added: trunk/LayoutTests/fast/inline/crash-when-revert-has-trailing-line-break-expected.txt (0 => 276269)


--- trunk/LayoutTests/fast/inline/crash-when-revert-has-trailing-line-break-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/inline/crash-when-revert-has-trailing-line-break-expected.txt	2021-04-19 20:09:04 UTC (rev 276269)
@@ -0,0 +1,4 @@
+  a
+
+
+

Added: trunk/LayoutTests/fast/inline/crash-when-revert-has-trailing-line-break.html (0 => 276269)


--- trunk/LayoutTests/fast/inline/crash-when-revert-has-trailing-line-break.html	                        (rev 0)
+++ trunk/LayoutTests/fast/inline/crash-when-revert-has-trailing-line-break.html	2021-04-19 20:09:04 UTC (rev 276269)
@@ -0,0 +1,31 @@
+<style>
+  th, body, span, html {
+    padding-left: 250px;
+  }
+</style>
+<script>
+if (window.testRunner)
+  testRunner.dumpAsText();
+
+  _onload_ = () => {
+    let div = document.createElement('div');
+    document.querySelector('style').appendChild(div);
+    document.styleSheets[0].insertRule(`pre { aspect-ratio: 1; }`);
+    document.body.appendChild(document.createElement('pre'));
+    let th = document.createElement('th');
+    document.body.appendChild(th);
+    document.designMode = 'on';
+    document.execCommand('SelectAll');
+    document.execCommand('InsertLineBreak');
+    getSelection().selectAllChildren(th);
+    document.execCommand('InsertText', false, 'a');
+    document.execCommand('UseCSS', false, 'false');
+    div.before(undefined);
+    document.execCommand('InsertLineBreak');
+    document.execCommand('SelectAll');
+    document.execCommand('Copy');
+    document.execCommand('PasteAndMatchStyle');
+    document.execCommand('JustifyFull');
+  };
+</script>
+<!-- PASS if no crash or assert. -->
\ No newline at end of file

Modified: trunk/Source/WebCore/ChangeLog (276268 => 276269)


--- trunk/Source/WebCore/ChangeLog	2021-04-19 19:42:44 UTC (rev 276268)
+++ trunk/Source/WebCore/ChangeLog	2021-04-19 20:09:04 UTC (rev 276269)
@@ -1,3 +1,20 @@
+2021-04-19  Zalan Bujtas  <[email protected]>
+
+        [LFC][IFC] LineCandidate.inlineContent should be ignored when reverting
+        https://bugs.webkit.org/show_bug.cgi?id=224771
+        <rdar://76760857>
+
+        Reviewed by Antti Koivisto.
+
+        LineCandidate.inlineContent is a set of candidate runs for the line and when the line breaker says "please revert" (move back to an earlier position on the line)
+        these runs should all be ignored as they did not make it to the line.
+        (inlineContentIsFullyCommitted flag got confused when the number of candidate runs matched the number of runs we managed to put on the line as part of the revert. It did not take the "revert" bit into account.) 
+
+        Test: fast/inline/crash-when-revert-has-trailing-line-break.html
+
+        * layout/inlineformatting/InlineLineBuilder.cpp:
+        (WebCore::Layout::LineBuilder::placeInlineContent):
+
 2021-04-19  Chris Dumez  <[email protected]>
 
         SVG Images launch the GPUProcess unnecessarily

Modified: trunk/Source/WebCore/layout/inlineformatting/InlineLineBuilder.cpp (276268 => 276269)


--- trunk/Source/WebCore/layout/inlineformatting/InlineLineBuilder.cpp	2021-04-19 19:42:44 UTC (rev 276268)
+++ trunk/Source/WebCore/layout/inlineformatting/InlineLineBuilder.cpp	2021-04-19 20:09:04 UTC (rev 276269)
@@ -313,27 +313,30 @@
             // Floats never terminate the line.
         } else
             result = handleInlineContent(inlineContentBreaker, needsLayoutRange, lineCandidate);
-        committedInlineItemCount = result.committedCount.isRevert ? result.committedCount.value : committedInlineItemCount + result.committedCount.value;
-        auto& inlineContent = lineCandidate.inlineContent;
-        auto inlineContentIsFullyCommitted = inlineContent.continuousContent().runs().size() == result.committedCount.value && !result.partialTrailingContentLength;
         auto isEndOfLine = result.isEndOfLine == InlineContentBreaker::IsEndOfLine::Yes;
+        if (!result.committedCount.isRevert) {
+            committedInlineItemCount += result.committedCount.value;
+            auto& inlineContent = lineCandidate.inlineContent;
+            auto inlineContentIsFullyCommitted = inlineContent.continuousContent().runs().size() == result.committedCount.value && !result.partialTrailingContentLength;
+            if (inlineContentIsFullyCommitted) {
+                if (auto* wordBreakOpportunity = inlineContent.trailingWordBreakOpportunity()) {
+                    // <wbr> needs to be on the line as an empty run so that we can construct an inline box and compute basic geometry.
+                    ++committedInlineItemCount;
+                    m_line.append(*wordBreakOpportunity, { });
+                }
+                if (inlineContent.trailingLineBreak()) {
+                    // Fully committed (or empty) content followed by a line break means "end of line".
+                    // FIXME: This will put the line break box at the end of the line while in case of some inline boxes, the line break
+                    // could very well be at an earlier position. This has no visual implications at this point though (only geometry correctness on the line break box).
+                    // e.g. <span style="border-right: 10px solid green">text<br></span> where the <br>'s horizontal position is before the right border and not after.
+                    m_line.append(*inlineContent.trailingLineBreak(), { });
+                    ++committedInlineItemCount;
+                    isEndOfLine = true;
+                }
+            }
+        } else
+            committedInlineItemCount = result.committedCount.value;
 
-        if (inlineContentIsFullyCommitted) {
-            if (auto* wordBreakOpportunity = inlineContent.trailingWordBreakOpportunity()) {
-                // <wbr> needs to be on the line as an empty run so that we can construct an inline box and compute basic geometry.
-                ++committedInlineItemCount;
-                m_line.append(*wordBreakOpportunity, { });
-            }
-            if (inlineContent.trailingLineBreak()) {
-                // Fully committed (or empty) content followed by a line break means "end of line".
-                // FIXME: This will put the line break box at the end of the line while in case of some inline boxes, the line break
-                // could very well be at an earlier position. This has no visual implications at this point though (only geometry correctness on the line break box).
-                // e.g. <span style="border-right: 10px solid green">text<br></span> where the <br>'s horizontal position is before the right border and not after.
-                m_line.append(*inlineContent.trailingLineBreak(), { });
-                ++committedInlineItemCount;
-                isEndOfLine = true;
-            }
-        }
         if (isEndOfLine) {
             // We can't place any more items on the current line.
             return { committedInlineItemCount, result.partialTrailingContentLength, result.overflowLogicalWidth };

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to