Title: [118114] trunk
Revision
118114
Author
[email protected]
Date
2012-05-22 21:00:47 -0700 (Tue, 22 May 2012)

Log Message

NULL ptr in WebCore::RenderBlock::layoutRunsAndFloatsInRange
https://bugs.webkit.org/show_bug.cgi?id=77786

Reviewed by Ryosuke Niwa.

Source/WebCore:

InlineBidiResolver adds one fake TextRun for isolated inlines in the process of creating the
list of TextRuns to send to the UBA. After the UBA has been run and the TextRuns reordered,
we re-run InlineBidiResolver rooted in the isolate and replace the fake run with those
generated by the subsequent pass by calling the method BidiRunList::replaceRunWithRuns.
This method assumes there are runs to replace the fake run with.

Positioned inline children are ignored when creating TextRuns, so when an isolated inline
has only positioned children we end up with an empty set of runs to pass to replaceRunWithRuns.
Ideally, we'd remove the fake run and not replace it with anything, but BidiRunList keeps
a pointer to the logically last run, which we're unable to easily re-determine after the UBA
has been run. Instead, we leave the fake run in the list and simply avoid calling
replaceRunWithRuns when we don't have any replacement runs.

Test: fast/block/line-layout/crash-in-isolate-with-positioned-child.html

* rendering/RenderBlockLineLayout.cpp:
(WebCore::constructBidiRuns):

LayoutTests:

* fast/block/line-layout/crash-in-isolate-with-positioned-child-expected.txt: Added.
* fast/block/line-layout/crash-in-isolate-with-positioned-child.html: Added.
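
The guard the change log describes, as an added C++ model that is not WebKit's code: a minimal run list with a `replaceRunWithRuns` splice that requires a non-empty replacement list, and the `constructBidiRuns` step that skips the splice when the isolated pass produced no runs. Apart from `replaceRunWithRuns`, `runCount` and the isolate placeholder, all names and the sample runs are invented for the model.

```cpp
#include <cassert>
#include <string>
#include <vector>

// Constructed model of WebKit's BidiRunList (not its code): a singly linked run list that also
// remembers the logically last run, which the change log says is hard to recompute after the UBA.
struct Run { std::string text; Run* next = nullptr; };
class RunList {
public:
    ~RunList() { while (m_first) { Run* n = m_first->next; delete m_first; m_first = n; } }
    void addRun(Run* run) {
        (m_first ? m_last->next : m_first) = run;
        m_last = m_logicallyLast = run; ++m_count;
    }
    unsigned runCount() const { return m_count; }
    // Run texts in list order; the logically last run carries a trailing '*'.
    std::vector<std::string> texts() const {
        std::vector<std::string> out;
        for (Run* r = m_first; r; r = r->next) out.push_back(r == m_logicallyLast ? r->text + "*" : r->text);
        return out;
    }
    // Splices newRuns in place of toReplace and takes ownership of its runs. Precondition:
    // newRuns is non-empty; with an empty list, newRuns.m_last is null when dereferenced below.
    void replaceRunWithRuns(Run* toReplace, RunList& newRuns) {
        assert(newRuns.runCount());
        Run** link = &m_first;            // the link that currently points at toReplace
        while (*link != toReplace) link = &(*link)->next;
        *link = newRuns.m_first;
        newRuns.m_last->next = toReplace->next;
        if (m_last == toReplace) m_last = newRuns.m_last;
        if (m_logicallyLast == toReplace) m_logicallyLast = newRuns.m_logicallyLast;
        m_count += newRuns.m_count - 1;   // newRuns added, toReplace removed
        delete toReplace;
        newRuns.m_first = newRuns.m_last = newRuns.m_logicallyLast = nullptr; newRuns.m_count = 0;
    }
private:
    Run* m_first = nullptr; Run* m_last = nullptr; Run* m_logicallyLast = nullptr; unsigned m_count = 0;
};

// Mirrors the patched step in constructBidiRuns: splice only when the isolated pass
// produced runs; with none, the placeholder stays and later becomes an InlineBox.
void resolveIsolate(RunList& line, Run* placeholder, RunList& isolatedRuns) {
    if (isolatedRuns.runCount()) line.replaceRunWithRuns(placeholder, isolatedRuns);
}
// Line "a", <isolate>, "b"; isolateRunCount == 0 models an isolate whose only child is positioned.
std::vector<std::string> lineAfterIsolate(unsigned isolateRunCount) {
    RunList line, isolated; Run* placeholder = new Run{"<isolate>"};
    line.addRun(new Run{"a"}); line.addRun(placeholder); line.addRun(new Run{"b"});
    for (unsigned i = 0; i < isolateRunCount; ++i) isolated.addRun(new Run{"iso" + std::to_string(i)});
    resolveIsolate(line, placeholder, isolated); return line.texts();
}
```

With no replacement runs the placeholder and the logically last run survive unchanged; with replacement runs the placeholder is spliced out and the run count grows accordingly.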

Diff

Modified: trunk/LayoutTests/ChangeLog (118113 => 118114)


--- trunk/LayoutTests/ChangeLog	2012-05-23 03:56:44 UTC (rev 118113)
+++ trunk/LayoutTests/ChangeLog	2012-05-23 04:00:47 UTC (rev 118114)
@@ -1,3 +1,13 @@
+2012-05-22  Levi Weintraub  <[email protected]>
+
+        NULL ptr in WebCore::RenderBlock::layoutRunsAndFloatsInRange
+        https://bugs.webkit.org/show_bug.cgi?id=77786
+
+        Reviewed by Ryosuke Niwa.
+
+        * fast/block/line-layout/crash-in-isolate-with-positioned-child-expected.txt: Added.
+        * fast/block/line-layout/crash-in-isolate-with-positioned-child.html: Added.
+
 2012-05-22  Hayato Ito  <[email protected]>
 
         Make ComposedShadowTreeWalker traverse inactive insertion points correctly.

Added: trunk/LayoutTests/fast/block/line-layout/crash-in-isolate-with-positioned-child-expected.txt (0 => 118114)


--- trunk/LayoutTests/fast/block/line-layout/crash-in-isolate-with-positioned-child-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/block/line-layout/crash-in-isolate-with-positioned-child-expected.txt	2012-05-23 04:00:47 UTC (rev 118114)
@@ -0,0 +1 @@
+This tests that a positioned object as the only child of an isolated inline doesn't crash. See https://bugs.webkit.org/show_bug.cgi?id=77786 for details.

Added: trunk/LayoutTests/fast/block/line-layout/crash-in-isolate-with-positioned-child.html (0 => 118114)


--- trunk/LayoutTests/fast/block/line-layout/crash-in-isolate-with-positioned-child.html	                        (rev 0)
+++ trunk/LayoutTests/fast/block/line-layout/crash-in-isolate-with-positioned-child.html	2012-05-23 04:00:47 UTC (rev 118114)
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<body>
+This tests that a positioned object as the only child of an isolated inline doesn't crash. See https://bugs.webkit.org/show_bug.cgi?id=77786 for details.
+<span style="unicode-bidi:-webkit-isolate;"><div style="position:absolute;"></div></span>
+</body>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+</script>
+</html>
\ No newline at end of file
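Review bot: the new test file ends without a trailing newline (`\ No newline at end of file` on the last line of this hunk); adding one keeps it consistent with the other layout tests. The `<script>` element also sits after `</body>` but before `</html>`; moving it inside the body keeps the test document well-formed.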

Modified: trunk/Source/WebCore/ChangeLog (118113 => 118114)


--- trunk/Source/WebCore/ChangeLog	2012-05-23 03:56:44 UTC (rev 118113)
+++ trunk/Source/WebCore/ChangeLog	2012-05-23 04:00:47 UTC (rev 118114)
@@ -1,3 +1,28 @@
+2012-05-22  Levi Weintraub  <[email protected]>
+
+        NULL ptr in WebCore::RenderBlock::layoutRunsAndFloatsInRange
+        https://bugs.webkit.org/show_bug.cgi?id=77786
+
+        Reviewed by Ryosuke Niwa.
+
+        InlineBidiResolver adds one fake TextRun for isolated inlines in the process of creating the
+        list of TextRuns to send to the UBA. After the UBA has been run and the TextRuns reordered,
+        we re-run InlineBidiResolver rooted in the isolate and replace the fake run with those
+        generated by the subsequent pass by calling the method BidiRunList::replaceRunWithRuns.
+        This method assumes there are runs to replace the fake run with.
+
+        Positioned inline children are ignored when creating TextRuns, so when an isolated inline
+        has only positioned children we end up with an empty set of runs to pass to replaceRunWithRuns.
+        Ideally, we'd remove the fake run and not replace it with anything, but BidiRunList keeps
+        a pointer to the logically last run, which we're unable to easily re-determine after the UBA
+        has been run. Instead, we leave the fake run in the list and simply avoid calling
+        replaceRunWithRuns when we don't have any replacement runs.
+
+        Test: fast/block/line-layout/crash-in-isolate-with-positioned-child.html
+
+        * rendering/RenderBlockLineLayout.cpp:
+        (WebCore::constructBidiRuns):
+
 2012-05-22  Kent Tamura  <[email protected]>
 
         [V8] Refactor generation code for non-standard functions

Modified: trunk/Source/WebCore/rendering/RenderBlockLineLayout.cpp (118113 => 118114)


--- trunk/Source/WebCore/rendering/RenderBlockLineLayout.cpp	2012-05-23 03:56:44 UTC (rev 118113)
+++ trunk/Source/WebCore/rendering/RenderBlockLineLayout.cpp	2012-05-23 04:00:47 UTC (rev 118114)
@@ -1001,7 +1001,11 @@
         // rniwa says previousLineBrokeCleanly is just a WinIE hack and could always be false here?
         isolatedResolver.createBidiRunsForLine(endOfLine, NoVisualOverride, previousLineBrokeCleanly);
         // Note that we do not delete the runs from the resolver.
-        bidiRuns.replaceRunWithRuns(isolatedRun, isolatedResolver.runs());
+        // We're not guarnateed to get any BidiRuns in the previous step. If we don't, we allow the placeholder
+        // itself to be turned into an InlineBox. We can't remove it here without potentially losing track of
+        // the logically last run.
+        if (isolatedResolver.runs().runCount())
+            bidiRuns.replaceRunWithRuns(isolatedRun, isolatedResolver.runs());
 
         // If we encountered any nested isolate runs, just move them
         // to the top resolver's list for later processing.
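Review bot: typo in the new comment, `guarnateed` should be `guaranteed`. It would also help future readers to state the visible trigger in that comment, namely that `isolatedResolver.runs()` is empty when the isolate contains only positioned children, which is the case the `runCount()` check on the following line guards against.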
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
