Title: [101406] trunk
- Revision: 101406
- Author: rn...@webkit.org
- Date: 2011-11-29 12:37:24 -0800 (Tue, 29 Nov 2011)
Log Message
Crash in IsolateTracker::addFakeRunIfNecessary(), preceded by assertion failure (m_nestedIsolateCount >= 1)
in IsolateTracker::exitIsolate()
https://bugs.webkit.org/show_bug.cgi?id=69275
Reviewed by Eric Seidel.
Source/WebCore:
The crash was caused by our false assumption that at most one isolated container exists between the start
and the root when appending a new run. Fixed the crash by computing the actual number of isolated containers
between the start and the root.
Test: fast/text/nested-bidi-isolate-crash.html
* rendering/InlineIterator.h:
(WebCore::numberOfIsolateAncestors):
(WebCore::IsolateTracker::IsolateTracker):
(WebCore::InlineBidiResolver::appendRun):
LayoutTests:
Add a regression test.
* fast/text/nested-bidi-isolate-crash-expected.txt: Added.
* fast/text/nested-bidi-isolate-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (101405 => 101406)
--- trunk/LayoutTests/ChangeLog 2011-11-29 20:31:11 UTC (rev 101405)
+++ trunk/LayoutTests/ChangeLog 2011-11-29 20:37:24 UTC (rev 101406)
@@ -1,3 +1,16 @@
+2011-11-28 Ryosuke Niwa <rn...@webkit.org>
+
+ Crash in IsolateTracker::addFakeRunIfNecessary(), preceded by assertion failure (m_nestedIsolateCount >= 1)
+ in IsolateTracker::exitIsolate()
+ https://bugs.webkit.org/show_bug.cgi?id=69275
+
+ Reviewed by Eric Seidel.
+
+ Add a regression test.
+
+ * fast/text/nested-bidi-isolate-crash-expected.txt: Added.
+ * fast/text/nested-bidi-isolate-crash.html: Added.
+
2011-11-29 Xiaomei Ji <x...@chromium.org>
Rebase after r100819.
Added: trunk/LayoutTests/fast/text/nested-bidi-isolate-crash-expected.txt (0 => 101406)
--- trunk/LayoutTests/fast/text/nested-bidi-isolate-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/text/nested-bidi-isolate-crash-expected.txt 2011-11-29 20:37:24 UTC (rev 101406)
@@ -0,0 +1,4 @@
+This tests nesting two spans with -webkit-isolate followed by a br. The test passes if WebKit doesn't crash.
+
+a
+
Added: trunk/LayoutTests/fast/text/nested-bidi-isolate-crash.html (0 => 101406)
--- trunk/LayoutTests/fast/text/nested-bidi-isolate-crash.html (rev 0)
+++ trunk/LayoutTests/fast/text/nested-bidi-isolate-crash.html 2011-11-29 20:37:24 UTC (rev 101406)
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<p>This tests nesting two spans with -webkit-isolate followed by a br. The test passes if WebKit doesn't crash.</p>
+<span style="unicode-bidi:-webkit-isolate;"><span style="unicode-bidi:-webkit-isolate;">a</span></span><br>
+<script>
+
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+</script>
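Review bot: The markup nests exactly two -webkit-isolate spans, which is the smallest case that violates the old "at most one isolated container" assumption, while the fix counts isolates to any depth. A variant with three or more nested spans would catch a later change that reintroduces a fixed cap on the count, which this test alone would not always do.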
Modified: trunk/Source/WebCore/ChangeLog (101405 => 101406)
--- trunk/Source/WebCore/ChangeLog 2011-11-29 20:31:11 UTC (rev 101405)
+++ trunk/Source/WebCore/ChangeLog 2011-11-29 20:37:24 UTC (rev 101406)
@@ -1,3 +1,22 @@
+2011-11-28 Ryosuke Niwa <rn...@webkit.org>
+
+ Crash in IsolateTracker::addFakeRunIfNecessary(), preceded by assertion failure (m_nestedIsolateCount >= 1)
+ in IsolateTracker::exitIsolate()
+ https://bugs.webkit.org/show_bug.cgi?id=69275
+
+ Reviewed by Eric Seidel.
+
+ The crash was caused by our false assumption that at most one isolated container exists between the start
+ and the root when appending a new run. Fixed the crash by computing the actual number of isolated containers
+ between the start and the root.
+
+ Test: fast/text/nested-bidi-isolate-crash.html
+
+ * rendering/InlineIterator.h:
+ (WebCore::numberOfIsolateAncestors):
+ (WebCore::IsolateTracker::IsolateTracker):
+ (WebCore::InlineBidiResolver::appendRun):
+
2011-11-29 Oliver Hunt <oli...@apple.com>
Revert that last change, apparently it destroys everything in the world.
Modified: trunk/Source/WebCore/rendering/InlineIterator.h (101405 => 101406)
--- trunk/Source/WebCore/rendering/InlineIterator.h 2011-11-29 20:31:11 UTC (rev 101405)
+++ trunk/Source/WebCore/rendering/InlineIterator.h 2011-11-29 20:37:24 UTC (rev 101406)
@@ -406,6 +406,18 @@
return 0;
}
+static inline unsigned numberOfIsolateAncestors(RenderObject* object, RenderObject* root)
+{
+ ASSERT(object);
+ unsigned count = 0;
+ while (object && object != root) {
+ if (isIsolatedInline(object))
+ count++;
+ object = object->parent();
+ }
+ return count;
+}
+
// FIXME: This belongs on InlineBidiResolver, except it's a template specialization
// of BidiResolver which knows nothing about RenderObjects.
static inline void addPlaceholderRunForIsolatedInline(InlineBidiResolver& resolver, RenderObject* isolatedInline)
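Review bot: In numberOfIsolateAncestors, the loop condition `object && object != root` also ends the walk when it runs off the top of the tree, which is what happens if root is not an ancestor of object, and the returned count then includes isolated inlines above the intended root. If callers guarantee that root is an ancestor, an ASSERT after the loop that the walk stopped at root would document and check that. The ASSERT(object) at the top only covers the starting pointer and is compiled out of release builds, where the loop's own null check takes over.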
@@ -420,8 +432,8 @@
class IsolateTracker {
public:
- explicit IsolateTracker(bool inIsolate)
- : m_nestedIsolateCount(inIsolate ? 1 : 0)
+ explicit IsolateTracker(unsigned nestedIsolateCount)
+ : m_nestedIsolateCount(nestedIsolateCount)
, m_haveAddedFakeRunForRootIsolate(false)
{
}
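Review bot: The IsolateTracker constructor parameter changes from bool to unsigned, but a bool argument converts implicitly to unsigned, so any other caller that still passes a boolean will compile unchanged and silently limit m_nestedIsolateCount to 0 or 1. Please confirm that every construction site now passes a real count, and consider a short comment on the parameter stating that it is the number of isolated ancestors of the starting object.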
@@ -470,7 +482,7 @@
// Keep track of when we enter/leave "unicode-bidi: isolate" inlines.
// Initialize our state depending on if we're starting in the middle of such an inline.
// FIXME: Could this initialize from this->inIsolate() instead of walking up the render tree?
- IsolateTracker isolateTracker(containingIsolate(m_sor.m_obj, m_sor.root()));
+ IsolateTracker isolateTracker(numberOfIsolateAncestors(m_sor.m_obj, m_sor.root()));
int start = m_sor.m_pos;
RenderObject* obj = m_sor.m_obj;
while (obj && obj != m_eor.m_obj && obj != endOfLine.m_obj) {
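Review bot: The FIXME directly above the changed line still asks whether the tracker could be initialized from this->inIsolate() instead of walking up the render tree, and it should be updated now that the initializer needs a count rather than a yes/no answer. Either note that the alternative would have to supply the nesting depth, or drop the FIXME if it no longer applies.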