Title: [166650] trunk
Revision
166650
Author
[email protected]
Date
2014-04-02 10:21:09 -0700 (Wed, 02 Apr 2014)

Log Message

Use outermost containing isolate when constructing bidi runs
<http://webkit.org/b/131107>
<rdar://problem/15690021>

Reviewed by Darin Adler.

Merged from Blink (patch by [email protected]):
https://src.chromium.org/viewvc/blink?revision=157268&view=revision
http://crbug.com/279277

    Update containingIsolate to go back all the way to top
    isolate from current root, rather than stopping at the first
    isolate it finds. This works because the current root is
    always updated with each isolate run.

Source/WebCore:

Tests: fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html
       fast/text/international/unicode-bidi-isolate-nested-with-removes.html

* rendering/InlineIterator.h:
(WebCore::highestContainingIsolateWithinRoot):
* rendering/RenderBlockLineLayout.cpp:
(WebCore::constructBidiRunsForSegment):

LayoutTests:

* fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt: Updated.
* fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent-expected.txt: Added.
* fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html: Added.
* fast/text/international/unicode-bidi-isolate-nested-with-removes.html: Updated.

Diff

Modified: trunk/LayoutTests/ChangeLog (166649 => 166650)


--- trunk/LayoutTests/ChangeLog	2014-04-02 16:31:15 UTC (rev 166649)
+++ trunk/LayoutTests/ChangeLog	2014-04-02 17:21:09 UTC (rev 166650)
@@ -1,3 +1,25 @@
+2014-04-02  David Kilzer  <[email protected]>
+
+        Use outermost containing isolate when constructing bidi runs
+        <http://webkit.org/b/131107>
+        <rdar://problem/15690021>
+
+        Reviewed by Darin Adler.
+
+        Merged from Blink (patch by [email protected]):
+        https://src.chromium.org/viewvc/blink?revision=157268&view=revision
+        http://crbug.com/279277
+
+            Update containingIsolate to go back all the way to top
+            isolate from current root, rather than stopping at the first
+            isolate it finds. This works because the current root is
+            always updated with each isolate run.
+
+        * fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt: Updated.
+        * fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent-expected.txt: Added.
+        * fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html: Added.
+        * fast/text/international/unicode-bidi-isolate-nested-with-removes.html: Updated.
+
 2014-04-02  Chris Fleizach  <[email protected]>
 
         AX: Improve ARIA live region reliability by sending notifications when live regions are created/shown and hidden/destroyed

Modified: trunk/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt (166649 => 166650)


--- trunk/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt	2014-04-02 16:31:15 UTC (rev 166649)
+++ trunk/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt	2014-04-02 17:21:09 UTC (rev 166650)
@@ -1,4 +1 @@
- bar                      
-
-
 PASS did not crash
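Review bot: the dropped ` bar` line and the two blank lines below it are a side effect of the test's switch from `appendChild` to `document.write` after load (see the change to unicode-bidi-isolate-nested-with-removes.html in this revision): `document.write` on a document that has finished loading replaces the whole document, so the text dump ends up containing only the PASS line. Worth confirming this is intended, since the expectation no longer records that the isolate content rendered before the removals, only that the test reached the end.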

Added: trunk/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent-expected.txt (0 => 166650)


--- trunk/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent-expected.txt	2014-04-02 17:21:09 UTC (rev 166650)
@@ -0,0 +1 @@
+PASS did not crash

Added: trunk/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html (0 => 166650)


--- trunk/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html	                        (rev 0)
+++ trunk/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html	2014-04-02 17:21:09 UTC (rev 166650)
@@ -0,0 +1,35 @@
+<!doctype html>
+<!-- This tests for regression of https://crbug.com/279277 where non-adjacent, nested isolates caused a use-after-free if the elements were later removed. -->
+<script>
+window._onload_ = function() {
+  document.body.offsetTop;
+  b.lastChild.parentNode.removeChild(b.lastChild);
+  document.body.offsetTop;
+  a.nextSibling.parentNode.removeChild(a.nextSibling);
+  document.body.offsetTop;
+
+  document.write("PASS did not crash");
+}
+</script>
+
+<body>
+  <div id="a">foo</div><div>baz</div><div></div>
+  <div>
+    <output>
+      <span>
+        <output>bar</output>
+        <span id="b">
+          <span>
+            <div style="display:inline-block"></div>
+            <br><br>
+          </span>
+        </span>
+      </span>
+    </output>
+  </div>
+</body>
+
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
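Review bot: the only assertion in this test is that the page did not crash, so for the use-after-free the comment on the second line describes, a release or uninstrumented build may read freed memory and still print `PASS did not crash`; the regression is only reliably caught when the test is run under an instrumented allocator (ASan, Guard Malloc). A second point: the handler is attached to `window._onload_` as shown, which is not an event the browser dispatches. If that is an archive rewrite of `window.onload`, fine; if not, the callback never runs, `document.write("PASS did not crash")` never executes and the expected output would not match. The test also relies on `a` and `b` resolving via named window access to the elements with those ids, which works in WebKit but is fragile if the ids ever move.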

Modified: trunk/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes.html (166649 => 166650)


--- trunk/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes.html	2014-04-02 16:31:15 UTC (rev 166649)
+++ trunk/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes.html	2014-04-02 17:21:09 UTC (rev 166650)
@@ -1,19 +1,15 @@
+<!doctype html>
 <!-- This tests for regression of https://crbug.com/265838 where adjacent, nested isolates caused a use-after-free if the elements were later removed. -->
 <script>
-function remove(node)
-{
-    node.parentNode.removeChild(node);
-}
-
 window._onload_ = function()
 {
     document.body.offsetTop;
-    remove(b.lastChild);
+    b.lastChild.parentNode.removeChild(b.lastChild);
     document.body.offsetTop;
-    remove(a.firstChild);
+    a.firstChild.parentNode.removeChild(a.firstChild);
     document.body.offsetTop;
 
-    document.body.appendChild(document.createTextNode("PASS did not crash"));
+    document.write("PASS did not crash");
 }
 </script>
 
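Review bot: the behavioural change in this hunk is replacing `document.body.appendChild(document.createTextNode("PASS did not crash"))` with `document.write("PASS did not crash")`. Called from the load handler, `document.write` implicitly opens and replaces the document, which is why the `-expected.txt` loses its ` bar` line in this revision; that dependency between the two files should be spelled out in the ChangeLog entry, which currently just says "Updated". Inlining the `remove()` helper and adding `<!doctype html>` (standards mode) are harmless and bring this test in line with the new not-adjacent variant.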

Modified: trunk/Source/WebCore/ChangeLog (166649 => 166650)


--- trunk/Source/WebCore/ChangeLog	2014-04-02 16:31:15 UTC (rev 166649)
+++ trunk/Source/WebCore/ChangeLog	2014-04-02 17:21:09 UTC (rev 166650)
@@ -1,3 +1,28 @@
+2014-04-02  David Kilzer  <[email protected]>
+
+        Use outermost containing isolate when constructing bidi runs
+        <http://webkit.org/b/131107>
+        <rdar://problem/15690021>
+
+        Reviewed by Darin Adler.
+
+        Merged from Blink (patch by [email protected]):
+        https://src.chromium.org/viewvc/blink?revision=157268&view=revision
+        http://crbug.com/279277
+
+            Update containingIsolate to go back all the way to top
+            isolate from current root, rather than stopping at the first
+            isolate it finds. This works because the current root is
+            always updated with each isolate run.
+
+        Tests: fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html
+               fast/text/international/unicode-bidi-isolate-nested-with-removes.html
+
+        * rendering/InlineIterator.h:
+        (WebCore::highestContainingIsolateWithinRoot):
+        * rendering/RenderBlockLineLayout.cpp:
+        (WebCore::constructBidiRunsForSegment):
+
 2014-04-02  Chris Fleizach  <[email protected]>
 
         AX: Improve ARIA live region reliability by sending notifications when live regions are created/shown and hidden/destroyed

Modified: trunk/Source/WebCore/rendering/InlineIterator.h (166649 => 166650)


--- trunk/Source/WebCore/rendering/InlineIterator.h	2014-04-02 16:31:15 UTC (rev 166649)
+++ trunk/Source/WebCore/rendering/InlineIterator.h	2014-04-02 17:21:09 UTC (rev 166650)
@@ -448,14 +448,11 @@
     return object->isRenderInline() && isIsolated(object->style().unicodeBidi());
 }
 
-static inline RenderObject* containingIsolate(RenderObject* object, RenderObject* root)
+static inline RenderObject* highestContainingIsolateWithinRoot(RenderObject* object, RenderObject* root)
 {
     ASSERT(object);
     RenderObject* containingIsolateObject = 0;
     while (object && object != root) {
-        if (containingIsolateObject && !isIsolatedInline(object))
-            break;
-
         if (isIsolatedInline(object))
             containingIsolateObject = object;
 
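Review bot: removing the `if (containingIsolateObject && !isIsolatedInline(object)) break;` early exit means the loop keeps walking up through non-isolate ancestors until it reaches `root`, so the last assignment wins and the function returns the outermost isolate under the current root rather than the innermost one; the rename to `highestContainingIsolateWithinRoot` makes that explicit. The correctness argument rests on the invariant stated in the commit message (the current root is updated with each isolate run), and that invariant deserves a comment above the function, because a caller passing a stale or wider root would once again get an inner isolate back and reintroduce the dangling-pointer case the tests cover.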

Modified: trunk/Source/WebCore/rendering/RenderBlockLineLayout.cpp (166649 => 166650)


--- trunk/Source/WebCore/rendering/RenderBlockLineLayout.cpp	2014-04-02 16:31:15 UTC (rev 166649)
+++ trunk/Source/WebCore/rendering/RenderBlockLineLayout.cpp	2014-04-02 17:21:09 UTC (rev 166650)
@@ -876,7 +876,9 @@
         // tree to see which parent inline is the isolate. We could change enterIsolate
         // to take a RenderObject and do this logic there, but that would be a layering
         // violation for BidiResolver (which knows nothing about RenderObject).
-        RenderInline* isolatedInline = toRenderInline(containingIsolate(&startObj, currentRoot));
+        RenderInline* isolatedInline = toRenderInline(highestContainingIsolateWithinRoot(&startObj, currentRoot));
+        ASSERT(isolatedInline);
+
         InlineBidiResolver isolatedResolver;
         EUnicodeBidi unicodeBidi = isolatedInline->style().unicodeBidi();
         TextDirection direction;
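Review bot: `ASSERT(isolatedInline)` is compiled out in release builds, and the statement two lines later, `isolatedInline->style().unicodeBidi()`, dereferences the pointer unconditionally, so if `highestContainingIsolateWithinRoot(&startObj, currentRoot)` ever returns null (no isolate between `startObj` and `currentRoot`) a release build dereferences null here. If the invariant really holds for every isolate run, the ASSERT is useful documentation; if there is any doubt, a release-checked assertion or an early exit from this iteration would be the safer choice.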
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
