Title: [142928] trunk
Revision: 142928
Author: [email protected]
Date: 2013-02-14 15:45:07 -0800 (Thu, 14 Feb 2013)
Log Message
Crash when selecting a HarfBuzz text run with SVG fonts included
https://bugs.webkit.org/show_bug.cgi?id=109833
Reviewed by Tony Chang.
Source/WebCore:
There is an assert in SimpleFontData::applyTransforms that should not
be there, as the code is valid for SVG fonts. If we get past this,
then the HarfBuzz text run shaping code assumes that font data has a
SkTypeface member, and SVG fonts do not. So we crash there too.
For now, we fix the crashes. This still leaves incorrect selection
rectangles in this situation, on all platforms, tracked in
https://bugs.webkit.org/show_bug.cgi?id=108133
Test: svg/css/font-face-crash.html
* platform/graphics/SimpleFontData.h:
(WebCore::SimpleFontData::applyTransforms): Remove ASSERT_NOT_REACHED as the code can legally be reached for SVG fonts.
* platform/graphics/harfbuzz/HarfBuzzShaper.cpp:
(WebCore::HarfBuzzShaper::shapeHarfBuzzRuns): Check for SVG fonts in the text run, and abort if we find them.
LayoutTests:
Only known to crash on Chromium Linux (without the patch), but other platforms may be affected.
* svg/css/font-face-crash-expected.txt: Added.
* svg/css/font-face-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (142927 => 142928)
--- trunk/LayoutTests/ChangeLog 2013-02-14 23:42:05 UTC (rev 142927)
+++ trunk/LayoutTests/ChangeLog 2013-02-14 23:45:07 UTC (rev 142928)
@@ -1,3 +1,15 @@
+2013-02-14 Stephen Chenney <[email protected]>
+
+ Crash when selecting a HarfBuzz text run with SVG fonts included
+ https://bugs.webkit.org/show_bug.cgi?id=109833
+
+ Reviewed by Tony Chang.
+
+ Only known to crash on Chromium Linux (without the patch), but other platforms may be affected.
+
+ * svg/css/font-face-crash-expected.txt: Added.
+ * svg/css/font-face-crash.html: Added.
+
2013-02-14 Abhishek Arya <[email protected]>
Bad cast in RenderBlock::splitBlocks.
Added: trunk/LayoutTests/svg/css/font-face-crash-expected.txt (0 => 142928)
--- trunk/LayoutTests/svg/css/font-face-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/svg/css/font-face-crash-expected.txt 2013-02-14 23:45:07 UTC (rev 142928)
@@ -0,0 +1 @@
+This test passes if selecting the text does not crash.
Added: trunk/LayoutTests/svg/css/font-face-crash.html (0 => 142928)
--- trunk/LayoutTests/svg/css/font-face-crash.html (rev 0)
+++ trunk/LayoutTests/svg/css/font-face-crash.html 2013-02-14 23:45:07 UTC (rev 142928)
@@ -0,0 +1,39 @@
+<html>
+ <style>
+ @font-face {
+ font-family: test;
+ src: url(../custom/resources/ABCFont.svg) format("svg");
+ }
+ </style>
+ <style>
+ body {
+ font-family: test;
+ text-rendering: optimizelegibility;
+ }
+ </style>
+ <script>
+ window._onload_ = function() {
+ if (window.testRunner) {
+ testRunner.waitUntilDone();
+ testRunner.dumpAsText();
+ }
+
+ setTimeout(function () {
+ if (window.eventSender) {
+ eventSender.mouseMoveTo(10, 10);
+ eventSender.mouseDown();
+ eventSender.mouseMoveTo(100, 10);
+ eventSender.mouseUp();
+ };
+ if (window.testRunner) {
+ testRunner.notifyDone();
+ }
+ }, 10);
+ }
+ </script>
+ <body>
+ <div id="output_div">
+ <p id="text_in_svg_font">This test passes if selecting the text does not crash.</p>
+ </div>
+ </body>
+</html>
\ No newline at end of file
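Review bot: The selection in font-face-crash.html is driven from a fixed setTimeout(..., 10) rather than from any signal that ABCFont.svg has finished loading, so the mouseMoveTo/mouseDown/mouseUp sequence may run while the text is still laid out in a fallback font, and the test would then pass without reaching the SVG-font path that crashed. Consider waiting on the font (or forcing a layout that depends on it) before selecting, so that a pass means the fixed code was exercised. As rendered here the handler is also assigned to window._onload_, which is not the load event handler; if that is what landed rather than window.onload, the script body never runs. The stray ';' after the eventSender block and the missing newline at end of file are minor cleanups.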
Modified: trunk/Source/WebCore/ChangeLog (142927 => 142928)
--- trunk/Source/WebCore/ChangeLog 2013-02-14 23:42:05 UTC (rev 142927)
+++ trunk/Source/WebCore/ChangeLog 2013-02-14 23:45:07 UTC (rev 142928)
@@ -1,3 +1,26 @@
+2013-02-14 Stephen Chenney <[email protected]>
+
+ Crash when selecting a HarfBuzz text run with SVG fonts included
+ https://bugs.webkit.org/show_bug.cgi?id=109833
+
+ Reviewed by Tony Chang.
+
+ There is an assert in SimpleFontData::applyTransforms that should not
+ be there, as the code is valid for SVG fonts. If we get past this,
+ then the HarfBuzz text run shaping code assumes that font data has a
+ SkTypeface member, and SVG fonts do not. So we crash there too.
+
+ For now, we fix the crashes. This still leaves incorrect selection
+ rectangles in this situation, on all platforms, tracked in
+ https://bugs.webkit.org/show_bug.cgi?id=108133
+
+ Test: svg/css/font-face-crash.html
+
+ * platform/graphics/SimpleFontData.h:
+ (WebCore::SimpleFontData::applyTransforms): Remove ASSERT_NOT_REACHED as the code can legally be reached for SVG fonts.
+ * platform/graphics/harfbuzz/HarfBuzzShaper.cpp:
+ (WebCore::HarfBuzzShaper::shapeHarfBuzzRuns): Check for SVG fonts in the text run, and abort if we find them.
+
2013-02-13 Joe Mason <[email protected]>
[BlackBerry] Notify platform layer of failing to get authentication credentials
Modified: trunk/Source/WebCore/platform/graphics/SimpleFontData.h (142927 => 142928)
--- trunk/Source/WebCore/platform/graphics/SimpleFontData.h 2013-02-14 23:42:05 UTC (rev 142927)
+++ trunk/Source/WebCore/platform/graphics/SimpleFontData.h 2013-02-14 23:45:07 UTC (rev 142928)
@@ -208,7 +208,6 @@
UNUSED_PARAM(advances);
UNUSED_PARAM(glyphCount);
UNUSED_PARAM(typesettingFeatures);
- ASSERT_NOT_REACHED();
return false;
#else
wkCTFontTransformOptions options = (typesettingFeatures & Kerning ? wkCTFontTransformApplyPositioning : 0) | (typesettingFeatures & Ligatures ? wkCTFontTransformApplyShaping : 0);
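Review bot: Removing ASSERT_NOT_REACHED() from this branch of applyTransforms drops the debug check for every caller, not only for the SVG-font case that the ChangeLog says is legal. If isSVGFont() is usable in this configuration, narrowing the assert to ASSERT(isSVGFont()) would keep catching unexpected non-SVG callers; at minimum, a one-line comment above 'return false;' stating that the branch is reachable for SVG fonts would stop the assert from being reintroduced later.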
Modified: trunk/Source/WebCore/platform/graphics/harfbuzz/HarfBuzzShaper.cpp (142927 => 142928)
--- trunk/Source/WebCore/platform/graphics/harfbuzz/HarfBuzzShaper.cpp 2013-02-14 23:42:05 UTC (rev 142927)
+++ trunk/Source/WebCore/platform/graphics/harfbuzz/HarfBuzzShaper.cpp 2013-02-14 23:45:07 UTC (rev 142928)
@@ -323,6 +323,8 @@
unsigned runIndex = m_run.rtl() ? m_harfBuzzRuns.size() - i - 1 : i;
HarfBuzzRun* currentRun = m_harfBuzzRuns[runIndex].get();
const SimpleFontData* currentFontData = currentRun->fontData();
+ if (currentFontData->isSVGFont())
+ return false;
hb_buffer_set_script(harfBuzzBuffer.get(), currentRun->script());
if (shouldSetDirection)
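Review bot: The new isSVGFont() check sits inside the per-run loop, so shapeHarfBuzzRuns returns false only once iteration reaches the SVG run, and whatever was done for runs in earlier iterations is left in place. Scanning the runs for SVG fonts before the loop starts (or where the runs are collected) would make the bail-out all-or-nothing. currentFontData is dereferenced here without a check, which is worth confirming is safe if fontData() can ever return null, and a short comment above the 'return false;' pointing to bug 108133 would record why aborting is the chosen behaviour and that selection rectangles remain wrong in this case.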