Title: [166412] trunk/Source/WebCore
- Revision
- 166412
- Author
- [email protected]
- Date
- 2014-03-28 10:32:01 -0700 (Fri, 28 Mar 2014)
Log Message
A TrailingObject's endpoint might get decremented twice
https://bugs.webkit.org/show_bug.cgi?id=130874
Reviewed by Darin Adler.
There are two places where we might shave off a trailing space from the end
of a line. We don't want to hit both codepaths for a single line.
Fixes fast/block/update-midpoints-for-trailing-boxes-crash.html after r166245.
* rendering/line/BreakingContextInlineHeaders.h:
(WebCore::checkMidpoints):
(WebCore::BreakingContext::handleEndOfLine):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (166411 => 166412)
--- trunk/Source/WebCore/ChangeLog 2014-03-28 17:02:40 UTC (rev 166411)
+++ trunk/Source/WebCore/ChangeLog 2014-03-28 17:32:01 UTC (rev 166412)
@@ -1,3 +1,19 @@
+2014-03-28 Myles C. Maxfield <[email protected]>
+
+ A TrailingObject's endpoint might get decremented twice
+ https://bugs.webkit.org/show_bug.cgi?id=130874
+
+ Reviewed by Darin Adler.
+
+ There are two places where we might shave off a trailing space from the end
+ of a line. We don't want to hit both codepaths for a single line.
+
+ Fixes fast/block/update-midpoints-for-trailing-boxes-crash.html after r166245.
+
+ * rendering/line/BreakingContextInlineHeaders.h:
+ (WebCore::checkMidpoints):
+ (WebCore::BreakingContext::handleEndOfLine):
+
2014-03-28 Andreas Kling <[email protected]>
Inline JSDOMWrapper subclasses' finishCreation().
Modified: trunk/Source/WebCore/rendering/line/BreakingContextInlineHeaders.h (166411 => 166412)
--- trunk/Source/WebCore/rendering/line/BreakingContextInlineHeaders.h 2014-03-28 17:02:40 UTC (rev 166411)
+++ trunk/Source/WebCore/rendering/line/BreakingContextInlineHeaders.h 2014-03-28 17:32:01 UTC (rev 166412)
@@ -1001,7 +1001,7 @@
}
}
-inline void checkMidpoints(LineMidpointState& lineMidpointState, InlineIterator& lBreak)
+inline TrailingObjects::CollapseFirstSpaceOrNot checkMidpoints(LineMidpointState& lineMidpointState, InlineIterator& lBreak)
{
// Check to see if our last midpoint is a start point beyond the line break. If so,
// shave it off the list, and shave off a trailing space if the previous end point doesn't
@@ -1016,10 +1016,13 @@
if (currpoint == lBreak) {
// We hit the line break before the start point. Shave off the start point.
lineMidpointState.decreaseNumMidpoints();
- if (endpoint.renderer()->style().collapseWhiteSpace() && endpoint.renderer()->isText())
+ if (endpoint.renderer()->style().collapseWhiteSpace() && endpoint.renderer()->isText()) {
endpoint.fastDecrement();
+ return TrailingObjects::DoNotCollapseFirstSpace;
+ }
}
}
+ return TrailingObjects::CollapseFirstSpace;
}
inline InlineIterator BreakingContext::handleEndOfLine()
@@ -1048,9 +1051,9 @@
}
// Sanity check our midpoints.
- checkMidpoints(m_lineMidpointState, m_lineBreak);
+ TrailingObjects::CollapseFirstSpaceOrNot collapsed = checkMidpoints(m_lineMidpointState, m_lineBreak);
- m_trailingObjects.updateMidpointsForTrailingBoxes(m_lineMidpointState, m_lineBreak, TrailingObjects::CollapseFirstSpace);
+ m_trailingObjects.updateMidpointsForTrailingBoxes(m_lineMidpointState, m_lineBreak, collapsed);
// We might have made lineBreak an iterator that points past the end
// of the object. Do this adjustment to make it point to the start
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
