Modified: trunk/LayoutTests/ChangeLog (111491 => 111492)
--- trunk/LayoutTests/ChangeLog 2012-03-21 03:50:37 UTC (rev 111491)
+++ trunk/LayoutTests/ChangeLog 2012-03-21 03:56:05 UTC (rev 111492)
@@ -1,3 +1,13 @@
+2012-03-20 Xiaomei Ji <[email protected]>
+
+ Crash introduced in r110965.
+ https://bugs.webkit.org/show_bug.cgi?id=81720
+
+ Reviewed by Ryosuke Niwa.
+
+ * editing/selection/move-by-word-visually-crash-test-5-expected.txt: Added.
+ * editing/selection/move-by-word-visually-crash-test-5.html: Added.
+
2012-03-20 Keishi Hattori <[email protected]>
[chromium] Marking integer-division-neg2tothe32-by-neg1.html as crashing.
Added: trunk/LayoutTests/editing/selection/move-by-word-visually-crash-test-5.html (0 => 111492)
--- trunk/LayoutTests/editing/selection/move-by-word-visually-crash-test-5.html (rev 0)
+++ trunk/LayoutTests/editing/selection/move-by-word-visually-crash-test-5.html 2012-03-21 03:56:05 UTC (rev 111492)
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<script src=""
+<script>
+_onload_ = function() {
+ try {
+ runTest();
+ document.body.innerHTML = "Crash test passed";
+ } finally {
+ }
+};
+
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.setEditingBehavior('win');
+}
+</script>
+
+<div dir=ltr title="0|0"
+class="test_move_by_word"
+><plaintext>class="test_move_by_word"
+style="-wap-marquee-style:mix; marker:sliderthumb-vertical; position:-0.000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001; border-top-style:rl-tb; -webkit-padding-after:absolute; position:destination-atop; border:ethiopic-halehame-ti-et; clip-rule:absolute; position:menulist-text; color-profile:-webkit-activelink; position:reset-size; margin-right:message-box; filter:absolute; position:no-punctuation; -webkit-border-end:no-punctuation; border-bottom-style:absolute; position:line-through; text-underline-mode:repeat-y; clip-rule:absolute; position:amharic-abegede; -webkit-text-fill-color:nowrap; -webkit-text-decorations-in-effect:absolute; position:sliderthumb-horizontal; border-top-right-radius:wave; border-top:absolute; position:up; border-right:not-allowed; enable-background:absolute; position:caption; max-height:ne-resize;
Modified: trunk/Source/WebCore/ChangeLog (111491 => 111492)
--- trunk/Source/WebCore/ChangeLog 2012-03-21 03:50:37 UTC (rev 111491)
+++ trunk/Source/WebCore/ChangeLog 2012-03-21 03:56:05 UTC (rev 111492)
@@ -1,3 +1,20 @@
+2012-03-20 Xiaomei Ji <[email protected]>
+
+ Crash introduced in r110965.
+ https://bugs.webkit.org/show_bug.cgi?id=81720
+
+ Reviewed by Ryosuke Niwa.
+
+ Since word break iterator just keeps a pointer to the UChar array given to the constructor,
+ we need to allocate the UChar array deeper in the stack than the iterator.
+
+ Test: editing/selection/move-by-word-visually-crash-test-5.html
+
+ * editing/visible_units.cpp:
+ (WebCore::wordBreakIteratorForMinOffsetBoundary):
+ (WebCore::wordBreakIteratorForMaxOffsetBoundary):
+ (WebCore::visualWordPosition):
+
2012-03-20 W. James MacLean <[email protected]>
[chromium] Convert TouchFlingPlatformGestureCurve to a 2-D Bezier for better control of curve shape.
Modified: trunk/Source/WebCore/editing/visible_units.cpp (111491 => 111492)
--- trunk/Source/WebCore/editing/visible_units.cpp 2012-03-21 03:50:37 UTC (rev 111491)
+++ trunk/Source/WebCore/editing/visible_units.cpp 2012-03-21 03:56:05 UTC (rev 111492)
@@ -280,7 +280,7 @@
}
static TextBreakIterator* wordBreakIteratorForMinOffsetBoundary(const VisiblePosition& visiblePosition, const InlineTextBox* textBox,
- int& previousBoxLength, bool& previousBoxInDifferentBlock)
+ int& previousBoxLength, bool& previousBoxInDifferentBlock, Vector<UChar, 1024>& string)
{
previousBoxInDifferentBlock = false;
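Review bot: The new `Vector<UChar, 1024>& string` parameter is the storage the returned TextBreakIterator keeps pointing into (via `string.data()` at the `return wordBreakIterator(string.data(), len)` line), but nothing in the signature or a comment states that lifetime contract, so a future caller that lets `string` go out of scope while still using the iterator reproduces exactly the dangling pointer this commit fixes. A header comment above the function would pin it: `// The returned iterator aliases string's buffer; string must outlive every use of the iterator.` The same applies to wordBreakIteratorForMaxOffsetBoundary in the hunk at old line 300. In visualWordPosition (hunk at old line 370, whose enclosing loop starts and ends outside this page) the new `Vector<UChar, 1024> string;` is declared beside a `break`, so presumably inside the loop body; if `iter` can be carried over to a later iteration without being rebuilt (the `else if (movingIntoNewBox)` branch suggests it is reused when staying in the same box), it would still point into the previous iteration's destroyed vector — worth confirming, and hoisting `string` above the loop if so.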
@@ -288,7 +288,7 @@
const InlineTextBox* previousBox = logicallyPreviousBox(visiblePosition, textBox, previousBoxInDifferentBlock);
int len = 0;
- Vector<UChar, 1024> string;
+ string.clear();
if (previousBox) {
previousBoxLength = previousBox->len();
string.append(previousBox->textRenderer()->text()->characters() + previousBox->start(), previousBoxLength);
@@ -300,7 +300,8 @@
return wordBreakIterator(string.data(), len);
}
-static TextBreakIterator* wordBreakIteratorForMaxOffsetBoundary(const VisiblePosition& visiblePosition, const InlineTextBox* textBox, bool& nextBoxInDifferentBlock)
+static TextBreakIterator* wordBreakIteratorForMaxOffsetBoundary(const VisiblePosition& visiblePosition, const InlineTextBox* textBox,
+ bool& nextBoxInDifferentBlock, Vector<UChar, 1024>& string)
{
nextBoxInDifferentBlock = false;
@@ -308,7 +309,7 @@
const InlineTextBox* nextBox = logicallyNextBox(visiblePosition, textBox, nextBoxInDifferentBlock);
int len = 0;
- Vector<UChar, 1024> string;
+ string.clear();
string.append(textBox->textRenderer()->text()->characters() + textBox->start(), textBox->len());
len += textBox->len();
if (nextBox) {
@@ -370,15 +371,19 @@
bool nextBoxInDifferentBlock = false;
bool movingIntoNewBox = previouslyVisitedBox != box;
+ Vector<UChar, 1024> string;
if (offsetInBox == box->caretMinOffset())
- iter = wordBreakIteratorForMinOffsetBoundary(visiblePosition, textBox, previousBoxLength, previousBoxInDifferentBlock);
+ iter = wordBreakIteratorForMinOffsetBoundary(visiblePosition, textBox, previousBoxLength, previousBoxInDifferentBlock, string);
else if (offsetInBox == box->caretMaxOffset())
- iter = wordBreakIteratorForMaxOffsetBoundary(visiblePosition, textBox, nextBoxInDifferentBlock);
+ iter = wordBreakIteratorForMaxOffsetBoundary(visiblePosition, textBox, nextBoxInDifferentBlock, string);
else if (movingIntoNewBox) {
iter = wordBreakIterator(textBox->textRenderer()->text()->characters() + textBox->start(), textBox->len());
previouslyVisitedBox = box;
}
+ if (!iter)
+ break;
+
textBreakFirst(iter);
int offsetInIterator = offsetInBox - textBox->start() + previousBoxLength;