Title: [168278] releases/WebKitGTK/webkit-2.4
Revision
168278
Author
carlo...@webkit.org
Date
2014-05-05 04:23:51 -0700 (Mon, 05 May 2014)

Log Message

Merge r166650 - Use outermost containing isolate when constructing bidi runs
<http://webkit.org/b/131107>
<rdar://problem/15690021>

Reviewed by Darin Adler.

Merged from Blink (patch by j...@chromium.org):
https://src.chromium.org/viewvc/blink?revision=157268&view=revision
http://crbug.com/279277

    Update containingIsolate to go back all the way to top
    isolate from current root, rather than stopping at the first
    isolate it finds. This works because the current root is
    always updated with each isolate run.

Source/WebCore:

Tests: fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html
       fast/text/international/unicode-bidi-isolate-nested-with-removes.html

* rendering/InlineIterator.h:
(WebCore::highestContainingIsolateWithinRoot):
* rendering/RenderBlockLineLayout.cpp:
(WebCore::constructBidiRunsForSegment):

LayoutTests:

* fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt: Updated.
* fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent-expected.txt: Added.
* fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html: Added.
* fast/text/international/unicode-bidi-isolate-nested-with-removes.html: Updated.

Diff

Modified: releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog (168277 => 168278)


--- releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog	2014-05-05 11:20:54 UTC (rev 168277)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog	2014-05-05 11:23:51 UTC (rev 168278)
@@ -1,5 +1,27 @@
 2014-04-02  David Kilzer  <ddkil...@apple.com>
 
+        Use outermost containing isolate when constructing bidi runs
+        <http://webkit.org/b/131107>
+        <rdar://problem/15690021>
+
+        Reviewed by Darin Adler.
+
+        Merged from Blink (patch by j...@chromium.org):
+        https://src.chromium.org/viewvc/blink?revision=157268&view=revision
+        http://crbug.com/279277
+
+            Update containingIsolate to go back all the way to top
+            isolate from current root, rather than stopping at the first
+            isolate it finds. This works because the current root is
+            always updated with each isolate run.
+
+        * fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt: Updated.
+        * fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent-expected.txt: Added.
+        * fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html: Added.
+        * fast/text/international/unicode-bidi-isolate-nested-with-removes.html: Updated.
+
+2014-04-02  David Kilzer  <ddkil...@apple.com>
+
         Add LayoutTest for crash with bidi isolates
 
         Merged from Blink (patch by j...@chromium.org):

Modified: releases/WebKitGTK/webkit-2.4/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt (168277 => 168278)


--- releases/WebKitGTK/webkit-2.4/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt	2014-05-05 11:20:54 UTC (rev 168277)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt	2014-05-05 11:23:51 UTC (rev 168278)
@@ -1,4 +1 @@
- bar                      
-
-
 PASS did not crash
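Review bot: the leading ` bar` line and the two blank lines leave the expectation because the test now reports via `document.write()` from the load handler rather than appending a text node; a `document.write()` after parsing has finished implicitly opens and replaces the document, so only the written string survives in the text dump. The new expectation is consistent with the updated .html in this commit, but the old one would fail against it, so the two files must land together (they do here).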

Added: releases/WebKitGTK/webkit-2.4/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent-expected.txt (0 => 168278)


--- releases/WebKitGTK/webkit-2.4/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent-expected.txt	2014-05-05 11:23:51 UTC (rev 168278)
@@ -0,0 +1 @@
+PASS did not crash

Added: releases/WebKitGTK/webkit-2.4/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html (0 => 168278)


--- releases/WebKitGTK/webkit-2.4/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html	2014-05-05 11:23:51 UTC (rev 168278)
@@ -0,0 +1,35 @@
+<!doctype html>
+<!-- This tests for regression of https://crbug.com/279277 where non-adjacent, nested isolates caused a use-after-free if the elements were later removed. -->
+<script>
+window._onload_ = function() {
+  document.body.offsetTop;
+  b.lastChild.parentNode.removeChild(b.lastChild);
+  document.body.offsetTop;
+  a.nextSibling.parentNode.removeChild(a.nextSibling);
+  document.body.offsetTop;
+
+  document.write("PASS did not crash");
+}
+</script>
+
+<body>
+  <div id="a">foo</div><div>baz</div><div></div>
+  <div>
+    <output>
+      <span>
+        <output>bar</output>
+        <span id="b">
+          <span>
+            <div style="display:inline-block"></div>
+            <br><br>
+          </span>
+        </span>
+      </span>
+    </output>
+  </div>
+</body>
+
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
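Review bot: the load handler appears here as `window._onload_`; if that is the literal checked-in source rather than an archive rendering of `window.onload`, the handler never fires, nothing is written, and the dump cannot match the expected `PASS did not crash`, so verify the file reads `window.onload`. Two smaller points: `a` and `b` are resolved through named access on `window`, and `document.getElementById('a')` / `document.getElementById('b')` would make the dependency on those ids explicit; and the structure that reproduces the bug is the two `<output>` elements (isolates by default via the UA stylesheet) separated by a `<span>`, so the inner isolate's containing isolate is not its direct parent. A sentence about that in the HTML comment would stop someone "simplifying" the markup later and silently losing the regression coverage.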

Modified: releases/WebKitGTK/webkit-2.4/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes.html (168277 => 168278)


--- releases/WebKitGTK/webkit-2.4/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes.html	2014-05-05 11:20:54 UTC (rev 168277)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes.html	2014-05-05 11:23:51 UTC (rev 168278)
@@ -1,19 +1,15 @@
+<!doctype html>
 <!-- This tests for regression of https://crbug.com/265838 where adjacent, nested isolates caused a use-after-free if the elements were later removed. -->
 <script>
-function remove(node)
-{
-    node.parentNode.removeChild(node);
-}
-
 window._onload_ = function()
 {
     document.body.offsetTop;
-    remove(b.lastChild);
+    b.lastChild.parentNode.removeChild(b.lastChild);
     document.body.offsetTop;
-    remove(a.firstChild);
+    a.firstChild.parentNode.removeChild(a.firstChild);
     document.body.offsetTop;
 
-    document.body.appendChild(document.createTextNode("PASS did not crash"));
+    document.write("PASS did not crash");
 }
 </script>
 

Modified: releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog (168277 => 168278)


--- releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog	2014-05-05 11:20:54 UTC (rev 168277)
+++ releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog	2014-05-05 11:23:51 UTC (rev 168278)
@@ -1,3 +1,28 @@
+2014-04-02  David Kilzer  <ddkil...@apple.com>
+
+        Use outermost containing isolate when constructing bidi runs
+        <http://webkit.org/b/131107>
+        <rdar://problem/15690021>
+
+        Reviewed by Darin Adler.
+
+        Merged from Blink (patch by j...@chromium.org):
+        https://src.chromium.org/viewvc/blink?revision=157268&view=revision
+        http://crbug.com/279277
+
+            Update containingIsolate to go back all the way to top
+            isolate from current root, rather than stopping at the first
+            isolate it finds. This works because the current root is
+            always updated with each isolate run.
+
+        Tests: fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html
+               fast/text/international/unicode-bidi-isolate-nested-with-removes.html
+
+        * rendering/InlineIterator.h:
+        (WebCore::highestContainingIsolateWithinRoot):
+        * rendering/RenderBlockLineLayout.cpp:
+        (WebCore::constructBidiRunsForSegment):
+
 2014-04-01  Daniel Bates  <daba...@apple.com>
 
         RenderQuote must destroy remaining text renderer before first letter renderer

Modified: releases/WebKitGTK/webkit-2.4/Source/WebCore/rendering/InlineIterator.h (168277 => 168278)


--- releases/WebKitGTK/webkit-2.4/Source/WebCore/rendering/InlineIterator.h	2014-05-05 11:20:54 UTC (rev 168277)
+++ releases/WebKitGTK/webkit-2.4/Source/WebCore/rendering/InlineIterator.h	2014-05-05 11:23:51 UTC (rev 168278)
@@ -414,14 +414,11 @@
     return object->isRenderInline() && isIsolated(object->style().unicodeBidi());
 }
 
-static inline RenderObject* containingIsolate(RenderObject* object, RenderObject* root)
+static inline RenderObject* highestContainingIsolateWithinRoot(RenderObject* object, RenderObject* root)
 {
     ASSERT(object);
     RenderObject* containingIsolateObject = 0;
     while (object && object != root) {
-        if (containingIsolateObject && !isIsolatedInline(object))
-            break;
-
         if (isIsolatedInline(object))
             containingIsolateObject = object;
 
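Review bot: removing `if (containingIsolateObject && !isIsolatedInline(object)) break;` changes the walk from "stop at the first non-isolate after an isolate was found" to "continue up to `root`, keeping the last isolate seen", i.e. the outermost isolate under `root`; the rename to `highestContainingIsolateWithinRoot` is the right signal for that semantic change. A comment on the function stating the invariant the commit message relies on (the current root is updated with each isolate run, so the outermost isolate under `currentRoot` is exactly the one being entered, not an over-approximation) would make the correctness argument visible at the definition rather than only in the ChangeLog. The loop's advance statement is outside the shown context, so the only remaining exit is `object == root` or `object` becoming null; if no isolate is found before then the function still returns the initial `0`, which the caller must handle.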

Modified: releases/WebKitGTK/webkit-2.4/Source/WebCore/rendering/RenderBlockLineLayout.cpp (168277 => 168278)


--- releases/WebKitGTK/webkit-2.4/Source/WebCore/rendering/RenderBlockLineLayout.cpp	2014-05-05 11:20:54 UTC (rev 168277)
+++ releases/WebKitGTK/webkit-2.4/Source/WebCore/rendering/RenderBlockLineLayout.cpp	2014-05-05 11:23:51 UTC (rev 168278)
@@ -903,7 +903,9 @@
         // tree to see which parent inline is the isolate. We could change enterIsolate
         // to take a RenderObject and do this logic there, but that would be a layering
         // violation for BidiResolver (which knows nothing about RenderObject).
-        RenderInline* isolatedInline = toRenderInline(containingIsolate(&startObj, currentRoot));
+        RenderInline* isolatedInline = toRenderInline(highestContainingIsolateWithinRoot(&startObj, currentRoot));
+        ASSERT(isolatedInline);
+
         InlineBidiResolver isolatedResolver;
         EUnicodeBidi unicodeBidi = isolatedInline->style().unicodeBidi();
         TextDirection direction;
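Review bot: `ASSERT(isolatedInline)` documents the invariant only in debug builds; in release, a null from `highestContainingIsolateWithinRoot` (it initialises `containingIsolateObject = 0` and returns that when no isolate lies between `startObj` and `currentRoot`) is still dereferenced on the next line, `isolatedInline->style().unicodeBidi()`. If this branch is only reachable while inside an isolate run, the comment above should say so, since that is the reason the assert is sufficient; otherwise an early bail-out or a fallback resolver would be needed instead of an assert.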
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
