[webkit-changes] [147504] trunk

[leviw]

Title: [147504] trunk

Revision

147504

Author

le...@chromium.org

Date

2013-04-02 16:10:49 -0700 (Tue, 02 Apr 2013)

Log Message

Source/WebCore: InlineIterator needs to be updated when RenderCombineText shrinks at a line break
https://bugs.webkit.org/show_bug.cgi?id=113733

Reviewed by Emil A Eklund.

Update stale InlineIterators that point beyond the end of a RenderCombineText that's
shrunk when RenderCombineText::combineText() is called.

Test: fast/text/international/combine-at-line-break-crash.html

* rendering/BidiRun.h:
(WebCore::BidiRun::BidiRun): Adding an assertion that runs are created within
the bounds of their associated RenderText.
* rendering/RenderBlockLineLayout.cpp:
(WebCore::iteratorIsBeyondEndOfRenderCombineText): Added.
(WebCore::RenderBlock::LineBreaker::nextSegmentBreak): Update stale iterators.

LayoutTests: InlineIterator needs to be updated when RenderCombineText shrinks at a line break
https://bugs.webkit.org/show_bug.cgi?id=113732

Reviewed by Emil A Eklund.

* fast/text/international/combine-at-line-break-crash-expected.txt: Added.
* fast/text/international/combine-at-line-break-crash.html: Added.

Modified Paths

• trunk/LayoutTests/ChangeLog
• trunk/Source/WebCore/ChangeLog
• trunk/Source/WebCore/rendering/BidiRun.h
• trunk/Source/WebCore/rendering/RenderBlockLineLayout.cpp

Added Paths

• trunk/LayoutTests/fast/text/international/combine-at-line-break-crash-expected.txt
• trunk/LayoutTests/fast/text/international/combine-at-line-break-crash.html

Diff

Modified: trunk/LayoutTests/ChangeLog (147503 => 147504)

--- trunk/LayoutTests/ChangeLog	2013-04-02 22:51:23 UTC (rev 147503)
+++ trunk/LayoutTests/ChangeLog	2013-04-02 23:10:49 UTC (rev 147504)
@@ -1,3 +1,13 @@
+2013-04-02  Levi Weintraub  <le...@chromium.org>
+
+        InlineIterator needs to be updated when RenderCombineText shrinks at a line break
+        https://bugs.webkit.org/show_bug.cgi?id=113732
+
+        Reviewed by Emil A Eklund.
+
+        * fast/text/international/combine-at-line-break-crash-expected.txt: Added.
+        * fast/text/international/combine-at-line-break-crash.html: Added.
+
 2013-04-02  Jochen Eisinger  <joc...@chromium.org>
 
         Use cross-port testRunner methods in fast/loader/url-selected-user-gesture.html

Added: trunk/LayoutTests/fast/text/international/combine-at-line-break-crash-expected.txt (0 => 147504)

--- trunk/LayoutTests/fast/text/international/combine-at-line-break-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/text/international/combine-at-line-break-crash-expected.txt	2013-04-02 23:10:49 UTC (rev 147504)
@@ -0,0 +1 @@
+Test passes if there's no crash.

Added: trunk/LayoutTests/fast/text/international/combine-at-line-break-crash.html (0 => 147504)

--- trunk/LayoutTests/fast/text/international/combine-at-line-break-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/text/international/combine-at-line-break-crash.html	2013-04-02 23:10:49 UTC (rev 147504)
@@ -0,0 +1,29 @@
+<html>
+<head>
+<style>
+body * {
+    -webkit-writing-mode: vertical-lr;
+    -webkit-text-combine: horizontal;
+}
+#test {
+    height: 7px;
+    white-space: pre-wrap;
+}
+</style>
+<script>
+function runTest() {
+    if (window.testRunner)
+        testRunner.dumpAsText();
+    document.body.offsetTop;
+    var testContainer = document.getElementById('test');
+    testContainer.parentNode.removeChild(testContainer);
+}
+</script>
+</head>
+<body _onload_='runTest()'><p>Test passes if there's no crash.</p>
+<!-- The empty scripts tags are needed to split the RenderCombineText and reproduce the bug. -->
+<div id="test"><p>foo   <script></script>
+  <script></script>
+</p>
+</div>
+</body>
\ No newline at end of file

Modified: trunk/Source/WebCore/ChangeLog (147503 => 147504)

--- trunk/Source/WebCore/ChangeLog	2013-04-02 22:51:23 UTC (rev 147503)
+++ trunk/Source/WebCore/ChangeLog	2013-04-02 23:10:49 UTC (rev 147504)
@@ -1,3 +1,22 @@
+2013-04-02  Levi Weintraub  <le...@chromium.org>
+
+        InlineIterator needs to be updated when RenderCombineText shrinks at a line break
+        https://bugs.webkit.org/show_bug.cgi?id=113733
+
+        Reviewed by Emil A Eklund.
+
+        Update stale InlineIterators that point beyond the end of a RenderCombineText that's
+        shrunk when RenderCombineText::combineText() is called.
+
+        Test: fast/text/international/combine-at-line-break-crash.html
+
+        * rendering/BidiRun.h:
+        (WebCore::BidiRun::BidiRun): Adding an assertion that runs are created within
+        the bounds of their associated RenderText.
+        * rendering/RenderBlockLineLayout.cpp:
+        (WebCore::iteratorIsBeyondEndOfRenderCombineText): Added.
+        (WebCore::RenderBlock::LineBreaker::nextSegmentBreak): Update stale iterators.
+
 2013-04-02  Max Vujovic  <mvujo...@adobe.com>
 
         [CSS Filters] Filter outsets clipped on composited layers when filter is applied after first layout

Modified: trunk/Source/WebCore/rendering/BidiRun.h (147503 => 147504)

--- trunk/Source/WebCore/rendering/BidiRun.h	2013-04-02 22:51:23 UTC (rev 147503)
+++ trunk/Source/WebCore/rendering/BidiRun.h	2013-04-02 23:10:49 UTC (rev 147504)
@@ -39,6 +39,7 @@
         , m_object(object)
         , m_box(0)
     {
+        ASSERT(!object->isText() || static_cast<unsigned>(stop) <= toRenderText(object)->textLength());
         // Stored in base class to save space.
         m_hasHyphen = false;
 #if ENABLE(CSS_EXCLUSIONS)

Modified: trunk/Source/WebCore/rendering/RenderBlockLineLayout.cpp (147503 => 147504)

--- trunk/Source/WebCore/rendering/RenderBlockLineLayout.cpp	2013-04-02 22:51:23 UTC (rev 147503)
+++ trunk/Source/WebCore/rendering/RenderBlockLineLayout.cpp	2013-04-02 23:10:49 UTC (rev 147504)
@@ -2618,6 +2618,11 @@
 #endif
 }
 
+static inline bool iteratorIsBeyondEndOfRenderCombineText(const InlineIterator& iter, RenderCombineText* renderer)
+{
+    return iter.m_obj == renderer && iter.m_pos >= renderer->textLength();
+}
+
 InlineIterator RenderBlock::LineBreaker::nextSegmentBreak(InlineBidiResolver& resolver, LineInfo& lineInfo, RenderTextInfo& renderTextInfo, FloatingObject* lastFloatFromPreviousLine, unsigned consecutiveHyphenatedLines, WordMeasurements& wordMeasurements)
 {
     reset();
@@ -2837,8 +2842,16 @@
             bool isSVGText = t->isSVGInlineText();
 #endif
 
-            if (t->style()->hasTextCombine() && current.m_obj->isCombineText() && !toRenderCombineText(current.m_obj)->isCombined())
-                toRenderCombineText(current.m_obj)->combineText();
+            if (t->style()->hasTextCombine() && current.m_obj->isCombineText() && !toRenderCombineText(current.m_obj)->isCombined()) {
+                RenderCombineText* combineRenderer = toRenderCombineText(current.m_obj);
+                combineRenderer->combineText();
+                // The length of the renderer's text may have changed. Increment stale iterator positions
+                if (iteratorIsBeyondEndOfRenderCombineText(lBreak, combineRenderer)) {
+                    ASSERT(iteratorIsBeyondEndOfRenderCombineText(resolver.position(), combineRenderer));
+                    lBreak.increment();
+                    resolver.increment();
+                }
+            }
 
             RenderStyle* style = t->style(lineInfo.isFirstLine());
             const Font& f = style->font();

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes