Title: [163465] trunk
- Revision: 163465
- Author: mmaxfi...@apple.com
- Date: 2014-02-05 12:04:59 -0800 (Wed, 05 Feb 2014)
Log Message
Move characterAt index checks from InlineIterator to RenderText
https://bugs.webkit.org/show_bug.cgi?id=128224
Source/WebCore:
Reviewed by Simon Fraser.
Move characterAt index checks from InlineIterator to RenderText
so that all RenderText calls are covered. Few safe instances are
now covered with uncheckedCharacterAt.
Merged from Blink:
http://src.chromium.org/viewvc/blink?view=revision&revision=150830
Test: fast/text/character-at-crash.html
* rendering/InlineIterator.h:
(WebCore::InlineIterator::characterAt):
* rendering/RenderText.cpp:
(WebCore::RenderText::computePreferredLogicalWidths):
* rendering/RenderText.h:
(WebCore::RenderText::operator[]):
(WebCore::RenderText::uncheckedCharacterAt):
(WebCore::RenderText::characterAt):
LayoutTests:
Move characterAt index checks from InlineIterator to RenderText
so that all RenderText calls are covered. Few safe instances are
now covered with uncheckedCharacterAt.
Merged from Blink:
http://src.chromium.org/viewvc/blink?view=revision&revision=150830
Reviewed by Simon Fraser.
* fast/text/character-at-crash-expected.txt: Added.
* fast/text/character-at-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (163464 => 163465)
--- trunk/LayoutTests/ChangeLog 2014-02-05 20:04:40 UTC (rev 163464)
+++ trunk/LayoutTests/ChangeLog 2014-02-05 20:04:59 UTC (rev 163465)
@@ -1,3 +1,20 @@
+2014-02-04 Myles C. Maxfield <mmaxfi...@apple.com>
+
+ Move characterAt index checks from InlineIterator to RenderText
+ https://bugs.webkit.org/show_bug.cgi?id=128224
+
+ Move characterAt index checks from InlineIterator to RenderText
+ so that all RenderText calls are covered. Few safe instances are
+ now covered with uncheckedCharacterAt.
+
+ Merged from Blink:
+ http://src.chromium.org/viewvc/blink?view=revision&revision=150830
+
+ Reviewed by Simon Fraser.
+
+ * fast/text/character-at-crash-expected.txt: Added.
+ * fast/text/character-at-crash.html: Added.
+
2014-02-05 Michał Pakuła vel Rutka <m.pak...@samsung.com>
Unreviewed EFL gardening
Added: trunk/LayoutTests/fast/text/character-at-crash-expected.txt (0 => 163465)
--- trunk/LayoutTests/fast/text/character-at-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/text/character-at-crash-expected.txt 2014-02-05 20:04:59 UTC (rev 163465)
@@ -0,0 +1 @@
+Pass. Test didn't crash.
Added: trunk/LayoutTests/fast/text/character-at-crash.html (0 => 163465)
--- trunk/LayoutTests/fast/text/character-at-crash.html (rev 0)
+++ trunk/LayoutTests/fast/text/character-at-crash.html 2014-02-05 20:04:59 UTC (rev 163465)
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<style>
+div {
+ -webkit-writing-mode: vertical-lr;
+ -webkit-text-combine: horizontal;
+ height: 7px;
+ white-space: pre-wrap;
+}
+</style>
+<div>
+foo
+ <script></script>
+ <script></script>
+</div>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+document.documentElement.offsetTop;
+document.documentElement.innerHTML = "Pass. Test didn't crash.";
+</script>
+</html>
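Review bot: the new test has no comment or bug reference saying what it exercises. A one-line comment above the <div> stating what the vertical-lr / text-combine / pre-wrap style and the two empty <script> elements are there for, plus a pointer to bug 128224, would keep a later cleanup from simplifying the markup into something that no longer reaches the characterAt path.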
Modified: trunk/Source/WebCore/ChangeLog (163464 => 163465)
--- trunk/Source/WebCore/ChangeLog 2014-02-05 20:04:40 UTC (rev 163464)
+++ trunk/Source/WebCore/ChangeLog 2014-02-05 20:04:59 UTC (rev 163465)
@@ -1,3 +1,28 @@
+2014-02-04 Myles C. Maxfield <mmaxfi...@apple.com>
+
+ Move characterAt index checks from InlineIterator to RenderText
+ https://bugs.webkit.org/show_bug.cgi?id=128224
+
+ Reviewed by Simon Fraser.
+
+ Move characterAt index checks from InlineIterator to RenderText
+ so that all RenderText calls are covered. Few safe instances are
+ now covered with uncheckedCharacterAt.
+
+ Merged from Blink:
+ http://src.chromium.org/viewvc/blink?view=revision&revision=150830
+
+ Test: fast/text/character-at-crash.html
+
+ * rendering/InlineIterator.h:
+ (WebCore::InlineIterator::characterAt):
+ * rendering/RenderText.cpp:
+ (WebCore::RenderText::computePreferredLogicalWidths):
+ * rendering/RenderText.h:
+ (WebCore::RenderText::operator[]):
+ (WebCore::RenderText::uncheckedCharacterAt):
+ (WebCore::RenderText::characterAt):
+
2014-02-05 Andreas Kling <akl...@apple.com>
Remove leftover seamless iframe logic from containerForRepaint().
Modified: trunk/Source/WebCore/rendering/InlineIterator.h (163464 => 163465)
--- trunk/Source/WebCore/rendering/InlineIterator.h 2014-02-05 20:04:40 UTC (rev 163464)
+++ trunk/Source/WebCore/rendering/InlineIterator.h 2014-02-05 20:04:59 UTC (rev 163465)
@@ -375,11 +375,7 @@
if (!m_renderer || !m_renderer->isText())
return 0;
- RenderText* text = toRenderText(m_renderer);
- if (index >= text->textLength())
- return 0;
-
- return text->characterAt(index);
+ return toRenderText(m_renderer)->characterAt(index);
}
inline UChar InlineIterator::current() const
Modified: trunk/Source/WebCore/rendering/RenderText.cpp (163464 => 163465)
--- trunk/Source/WebCore/rendering/RenderText.cpp 2014-02-05 20:04:40 UTC (rev 163464)
+++ trunk/Source/WebCore/rendering/RenderText.cpp 2014-02-05 20:04:59 UTC (rev 163465)
@@ -722,7 +722,7 @@
bool breakAll = (style.wordBreak() == BreakAllWordBreak || style.wordBreak() == BreakWordBreak) && style.autoWrap();
for (int i = 0; i < len; i++) {
- UChar c = characterAt(i);
+ UChar c = uncheckedCharacterAt(i);
bool previousCharacterIsSpace = isSpace;
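Review bot: the change to uncheckedCharacterAt(i) inside the for loop is safe only if len never exceeds textLength(), and len is defined outside the lines shown here. Because uncheckedCharacterAt guards the index with an assertion only, state that invariant next to the loop, for example with an assertion before the loop that len matches textLength(), so the reason this call site counts as one of the "safe instances" is visible in the code.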
@@ -774,7 +774,7 @@
j++;
if (j == len)
break;
- c = characterAt(j);
+ c = uncheckedCharacterAt(j);
if (isBreakable(breakIterator, j, nextBreakable, breakNBSP) && characterAt(j - 1) != softHyphen)
break;
if (breakAll) {
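Review bot: the isBreakable line now mixes the two accessors in one loop body: c = uncheckedCharacterAt(j) is followed by characterAt(j - 1) != softHyphen, which still goes through the bounds check. If j - 1 is known to be in range because of the j++ and the j == len break above, use uncheckedCharacterAt there too; if the checked call is kept on purpose, a short comment saying why would avoid the question.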
Modified: trunk/Source/WebCore/rendering/RenderText.h (163464 => 163465)
--- trunk/Source/WebCore/rendering/RenderText.h 2014-02-05 20:04:40 UTC (rev 163464)
+++ trunk/Source/WebCore/rendering/RenderText.h 2014-02-05 20:04:59 UTC (rev 163465)
@@ -78,8 +78,9 @@
const LChar* characters8() const { return m_text.impl()->characters8(); }
const UChar* characters16() const { return m_text.impl()->characters16(); }
const UChar* deprecatedCharacters() const { return m_text.impl()->deprecatedCharacters(); }
- UChar characterAt(unsigned i) const { return is8Bit() ? characters8()[i] : characters16()[i]; }
- UChar operator[](unsigned i) const { return characterAt(i); }
+ UChar characterAt(unsigned) const;
+ UChar uncheckedCharacterAt(unsigned) const;
+ UChar operator[](unsigned i) const { return uncheckedCharacterAt(i); }
unsigned textLength() const { return m_text.impl()->length(); } // non virtual implementation of length()
void positionLineBox(InlineTextBox&);
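Review bot: operator[] now forwards to uncheckedCharacterAt(i), so callers that index a RenderText with [] get only the assertion and not the i >= textLength() check. That is no worse than the old inline characterAt, but it sits oddly with the log message's "so that all RenderText calls are covered". Either forward operator[] to characterAt(i), or note in the ChangeLog that the operator[] callers were reviewed and are in range.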
@@ -217,6 +218,20 @@
RenderTextLineBoxes m_lineBoxes;
};
+inline UChar RenderText::uncheckedCharacterAt(unsigned i) const
+{
+ ASSERT_WITH_SECURITY_IMPLICATION(i < textLength());
+ return is8Bit() ? characters8()[i] : characters16()[i];
+}
+
+inline UChar RenderText::characterAt(unsigned i) const
+{
+ if (i >= textLength())
+ return 0;
+
+ return uncheckedCharacterAt(i);
+}
+
template <> inline bool isRendererOfType<const RenderText>(const RenderObject& renderer) { return renderer.isText(); }
RENDER_OBJECT_TYPE_CASTS(RenderText, isText())
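Review bot: characterAt returns 0 when i >= textLength(), which a caller cannot distinguish from a U+0000 character in the text, and nothing on the declarations documents the difference between the two accessors. Add a brief comment on characterAt (returns 0 past the end) and on uncheckedCharacterAt (caller must guarantee i < textLength(), enforced by assertion only) so the choice between them at each call site is deliberate.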