Diff
Modified: releases/WebKitGTK/webkit-2.18/LayoutTests/ChangeLog (223383 => 223384)
--- releases/WebKitGTK/webkit-2.18/LayoutTests/ChangeLog 2017-10-16 11:02:19 UTC (rev 223383)
+++ releases/WebKitGTK/webkit-2.18/LayoutTests/ChangeLog 2017-10-16 11:06:37 UTC (rev 223384)
@@ -1,3 +1,14 @@
+2017-09-19 Zalan Bujtas <za...@apple.com>
+
+ Do not mutate RenderText content during layout.
+ https://bugs.webkit.org/show_bug.cgi?id=176219
+ <rdar://problem/34205724>
+
+ Reviewed by David Hyatt.
+
+ * fast/text/international/dynamic-text-combine-crash.html: Added.
+ * fast/text/text-combine-crash-expected.txt:
+
2017-09-15 Wenson Hsieh <wenson_hs...@apple.com>
createMarkupInternal should protect its pointer to the Range's common ancestor
Added: releases/WebKitGTK/webkit-2.18/LayoutTests/fast/text/international/dynamic-text-combine-crash-expected.txt (0 => 223384)
--- releases/WebKitGTK/webkit-2.18/LayoutTests/fast/text/international/dynamic-text-combine-crash-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.18/LayoutTests/fast/text/international/dynamic-text-combine-crash-expected.txt 2017-10-16 11:06:37 UTC (rev 223384)
@@ -0,0 +1,6 @@
+Pass if no crash.
+
+
+
+
+
Added: releases/WebKitGTK/webkit-2.18/LayoutTests/fast/text/international/dynamic-text-combine-crash.html (0 => 223384)
--- releases/WebKitGTK/webkit-2.18/LayoutTests/fast/text/international/dynamic-text-combine-crash.html (rev 0)
+++ releases/WebKitGTK/webkit-2.18/LayoutTests/fast/text/international/dynamic-text-combine-crash.html 2017-10-16 11:06:37 UTC (rev 223384)
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+h3 {
+ max-height: 0;
+ -webkit-text-combine: horizontal;
+ -webkit-writing-mode: vertical-rl;
+}
+</style>
+</head>
+<body><listing>Pass if no crash.<dd contenteditable="true"><h3 id="h">foobar</h3></body>
+<script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ window.getSelection().setPosition(h, 1);
+ document.execCommand("delete", false);
+ document.execCommand("delete", false);
+</script>
+</html>
\ No newline at end of file
Modified: releases/WebKitGTK/webkit-2.18/LayoutTests/fast/text/text-combine-crash-expected.txt (223383 => 223384)
--- releases/WebKitGTK/webkit-2.18/LayoutTests/fast/text/text-combine-crash-expected.txt 2017-10-16 11:02:19 UTC (rev 223383)
+++ releases/WebKitGTK/webkit-2.18/LayoutTests/fast/text/text-combine-crash-expected.txt 2017-10-16 11:06:37 UTC (rev 223384)
@@ -4,14 +4,14 @@

-
+
Errlog webtest_fn_1: TypeError: undefined is not an object (evaluating 'document.applets[0].addEventListener')
Errlog webtest_fn_2: TypeError: Argument 1 ('node') to Range.setStartBefore must be an instance of Node
Errlog webtest_fn_3: TypeError: undefined is not an object (evaluating 'document.images[2].contentEditable="true"')
Errlog webtest_fn_8: TypeError: null is not an object (evaluating 'lis.length')
-Errlog webtest_fn_9: TypeError: undefined is not an object (evaluating 'document.anchors[4].setAttribute')
+Errlog webtest_fn_9: TypeError: undefined is not an object (evaluating 'document.anchors[4].setAttribute')
Errlog webtest_fn_10: TypeError: Argument 1 ('node') to Range.setStartAfter must be an instance of Node
-Errlog webtest_fn_15: TypeError: Argument 1 ('node') to Range.setStart must be an instance of Node
+Errlog webtest_fn_15: TypeError: Argument 1 ('node') to Range.setStart must be an instance of Node
Errlog webtest_fn_16: TypeError: undefined is not an object (evaluating 'elem.parentNode')
Errlog webtest_fn_18: TypeError: undefined is not an object (evaluating 'document.applets[0].contentEditable="true"')
Errlog webtest_fn_21: TypeError: undefined is not an object (evaluating 'document.anchors[4].appendChild')
Modified: releases/WebKitGTK/webkit-2.18/Source/WebCore/ChangeLog (223383 => 223384)
--- releases/WebKitGTK/webkit-2.18/Source/WebCore/ChangeLog 2017-10-16 11:02:19 UTC (rev 223383)
+++ releases/WebKitGTK/webkit-2.18/Source/WebCore/ChangeLog 2017-10-16 11:06:37 UTC (rev 223384)
@@ -1,3 +1,30 @@
+2017-09-19 Zalan Bujtas <za...@apple.com>
+
+ Do not mutate RenderText content during layout.
+ https://bugs.webkit.org/show_bug.cgi?id=176219
+ <rdar://problem/34205724>
+
+ Reviewed by David Hyatt.
+
+ Update combined text when the style/content change as opposed to lazily, during layout.
+ -content mutation during layout might make the inline tree go out of sync.
+
+ Test: fast/text/international/dynamic-text-combine-crash.html
+
+ * rendering/RenderBlockFlow.cpp:
+ (WebCore::RenderBlockFlow::computeInlinePreferredLogicalWidths const):
+ * rendering/RenderCombineText.cpp:
+ (WebCore::RenderCombineText::styleDidChange):
+ (WebCore::RenderCombineText::setRenderedText):
+ (WebCore::RenderCombineText::combineTextIfNeeded):
+ (WebCore::RenderCombineText::combineText): Deleted.
+ * rendering/RenderCombineText.h:
+ * rendering/RenderText.h:
+ * rendering/line/BreakingContext.h:
+ (WebCore::BreakingContext::handleText):
+ * rendering/line/LineBreaker.cpp:
+ (WebCore::LineBreaker::skipLeadingWhitespace):
+
2017-09-15 Wenson Hsieh <wenson_hs...@apple.com>
createMarkupInternal should protect its pointer to the Range's common ancestor
Modified: releases/WebKitGTK/webkit-2.18/Source/WebCore/rendering/RenderBlockFlow.cpp (223383 => 223384)
--- releases/WebKitGTK/webkit-2.18/Source/WebCore/rendering/RenderBlockFlow.cpp 2017-10-16 11:02:19 UTC (rev 223383)
+++ releases/WebKitGTK/webkit-2.18/Source/WebCore/rendering/RenderBlockFlow.cpp 2017-10-16 11:06:37 UTC (rev 223384)
@@ -4398,7 +4398,7 @@
RenderText& renderText = downcast<RenderText>(*child);
if (renderText.style().hasTextCombine() && renderText.isCombineText())
- downcast<RenderCombineText>(renderText).combineText();
+ downcast<RenderCombineText>(renderText).combineTextIfNeeded();
// Determine if we have a breakable character. Pass in
// whether or not we should ignore any spaces at the front
Modified: releases/WebKitGTK/webkit-2.18/Source/WebCore/rendering/RenderCombineText.cpp (223383 => 223384)
--- releases/WebKitGTK/webkit-2.18/Source/WebCore/rendering/RenderCombineText.cpp 2017-10-16 11:02:19 UTC (rev 223383)
+++ releases/WebKitGTK/webkit-2.18/Source/WebCore/rendering/RenderCombineText.cpp 2017-10-16 11:06:37 UTC (rev 223384)
@@ -54,6 +54,7 @@
}
m_needsFontUpdate = true;
+ combineTextIfNeeded();
}
void RenderCombineText::setRenderedText(const String& text)
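Review bot: The two added `combineTextIfNeeded();` calls, at the end of styleDidChange here and in setRenderedText in the next hunk, have no comment explaining why combining is now eager, although that is the invariant this change introduces. I would add above each call `// Combine now, on style/content change, so layout never has to mutate the rendered text.` It is also worth confirming how the unseen part of combineTextIfNeeded updates the text. If it goes through the virtual setRenderedText rather than the base-class version, the new call in setRenderedText would re-enter it with m_needsFontUpdate set again. Both function bodies start outside their hunks.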
@@ -61,6 +62,7 @@
RenderText::setRenderedText(text);
m_needsFontUpdate = true;
+ combineTextIfNeeded();
}
float RenderCombineText::width(unsigned from, unsigned length, const FontCascade& font, float xPosition, HashSet<const Font*>* fallbackFonts, GlyphOverflow* glyphOverflow) const
@@ -95,7 +97,7 @@
return { };
}
-void RenderCombineText::combineText()
+void RenderCombineText::combineTextIfNeeded()
{
if (!m_needsFontUpdate)
return;
@@ -192,6 +194,8 @@
m_combinedTextWidth = combinedTextWidth;
m_combinedTextAscent = glyphOverflow.top;
m_combinedTextDescent = glyphOverflow.bottom;
+ m_lineBoxes.dirtyRange(*this, 0, originalText().length(), originalText().length());
+ setNeedsLayout();
}
}
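Review bot: `m_lineBoxes.dirtyRange(...)` and `setNeedsLayout()` now run at the end of combineTextIfNeeded, but the function is still called from layout-time code in this commit (BreakingContext::handleText, LineBreaker::skipLeadingWhitespace, RenderBlockFlow::computeInlinePreferredLogicalWidths). If m_needsFontUpdate can still be set on any of those paths, line boxes are dirtied and layout is re-requested during layout, which is the situation the change description says can leave the inline tree out of sync. A debug assertion on the work path that no layout is in progress would make the invariant checkable; failing that, add a comment stating that the layout-time callers are expected to return at `if (!m_needsFontUpdate)`. The fourth argument to dirtyRange repeats `originalText().length()`, and a short comment on what it represents would help, since its meaning is not visible here. The function body starts outside this hunk.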
Modified: releases/WebKitGTK/webkit-2.18/Source/WebCore/rendering/RenderCombineText.h (223383 => 223384)
--- releases/WebKitGTK/webkit-2.18/Source/WebCore/rendering/RenderCombineText.h 2017-10-16 11:02:19 UTC (rev 223383)
+++ releases/WebKitGTK/webkit-2.18/Source/WebCore/rendering/RenderCombineText.h 2017-10-16 11:06:37 UTC (rev 223384)
@@ -32,7 +32,7 @@
Text& textNode() const { return downcast<Text>(nodeForNonAnonymous()); }
- void combineText();
+ void combineTextIfNeeded();
std::optional<FloatPoint> computeTextOrigin(const FloatRect& boxRect) const;
String combinedStringForRendering() const;
bool isCombined() const { return m_isCombined; }
Modified: releases/WebKitGTK/webkit-2.18/Source/WebCore/rendering/RenderText.cpp (223383 => 223384)
--- releases/WebKitGTK/webkit-2.18/Source/WebCore/rendering/RenderText.cpp 2017-10-16 11:02:19 UTC (rev 223383)
+++ releases/WebKitGTK/webkit-2.18/Source/WebCore/rendering/RenderText.cpp 2017-10-16 11:06:37 UTC (rev 223384)
@@ -69,6 +69,7 @@
namespace WebCore {
struct SameSizeAsRenderText : public RenderObject {
+ void* pointers[2];
uint32_t bitfields : 16;
#if ENABLE(TEXT_AUTOSIZING)
float candidateTextSize;
@@ -75,7 +76,6 @@
#endif
float widths[4];
String text;
- void* pointers[2];
};
COMPILE_ASSERT(sizeof(RenderText) == sizeof(SameSizeAsRenderText), RenderText_should_stay_small);
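Review bot: `COMPILE_ASSERT(sizeof(RenderText) == sizeof(SameSizeAsRenderText), ...)` compares sizes only, so moving `void* pointers[2];` to the top of the mirror struct (previous hunk) keeps the check meaningful only while its padding matches the real member order in RenderText.h. Nothing says which member the placeholder stands for; presumably it tracks m_lineBoxes, which this commit moves ahead of the private members. I would annotate it, e.g. `void* pointers[2]; // stands in for m_lineBoxes; keep in the same position as in RenderText.h`, so the next reorder updates both places.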
Modified: releases/WebKitGTK/webkit-2.18/Source/WebCore/rendering/RenderText.h (223383 => 223384)
--- releases/WebKitGTK/webkit-2.18/Source/WebCore/rendering/RenderText.h 2017-10-16 11:02:19 UTC (rev 223383)
+++ releases/WebKitGTK/webkit-2.18/Source/WebCore/rendering/RenderText.h 2017-10-16 11:06:37 UTC (rev 223384)
@@ -186,6 +186,8 @@
virtual void setRenderedText(const String&);
virtual UChar previousCharacter() const;
+ RenderTextLineBoxes m_lineBoxes;
+
private:
RenderText(Node&, const String&);
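Review bot: `RenderTextLineBoxes m_lineBoxes;` is moved out of the private section, apparently so RenderCombineText can call `m_lineBoxes.dirtyRange(...)`, and that lets every RenderText subclass modify the line-box list directly. A narrow non-private member function on RenderText that dirties the line boxes for a range would give RenderCombineText what it needs while keeping the member private. It would also avoid the member reorder that the SameSizeAsRenderText edit in RenderText.cpp has to mirror. If the member stays exposed, a comment such as `// Not private: RenderCombineText dirties line boxes when it recombines text.` should say why. The access specifier in effect at this point is outside the hunk.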
@@ -243,8 +245,6 @@
float m_endMinWidth;
String m_text;
-
- RenderTextLineBoxes m_lineBoxes;
};
inline UChar RenderText::uncheckedCharacterAt(unsigned i) const
Modified: releases/WebKitGTK/webkit-2.18/Source/WebCore/rendering/line/BreakingContext.h (223383 => 223384)
--- releases/WebKitGTK/webkit-2.18/Source/WebCore/rendering/line/BreakingContext.h 2017-10-16 11:02:19 UTC (rev 223383)
+++ releases/WebKitGTK/webkit-2.18/Source/WebCore/rendering/line/BreakingContext.h 2017-10-16 11:06:37 UTC (rev 223384)
@@ -773,7 +773,7 @@
if (renderText.style().hasTextCombine() && is<RenderCombineText>(*m_current.renderer())) {
auto& combineRenderer = downcast<RenderCombineText>(*m_current.renderer());
- combineRenderer.combineText();
+ combineRenderer.combineTextIfNeeded();
// The length of the renderer's text may have changed. Increment stale iterator positions
if (iteratorIsBeyondEndOfRenderCombineText(m_lineBreakHistory.current(), combineRenderer)) {
ASSERT(iteratorIsBeyondEndOfRenderCombineText(m_resolver.position(), combineRenderer));
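Review bot: The context comment `// The length of the renderer's text may have changed. Increment stale iterator positions`, directly after the renamed call, still describes text being recombined during line breaking. With combining moved to styleDidChange/setRenderedText, there are two possibilities: this call is expected to be a no-op and the stale-iterator fixup below it is dead code, or the text can still change here and the iterators can still go stale mid-layout. The comment should say which, after checking the callers, e.g. `// combineTextIfNeeded() is normally a no-op here; the fixup below covers any remaining late combine.` The enclosing handleText body extends beyond the hunk on both sides.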
Modified: releases/WebKitGTK/webkit-2.18/Source/WebCore/rendering/line/LineBreaker.cpp (223383 => 223384)
--- releases/WebKitGTK/webkit-2.18/Source/WebCore/rendering/line/LineBreaker.cpp 2017-10-16 11:02:19 UTC (rev 223383)
+++ releases/WebKitGTK/webkit-2.18/Source/WebCore/rendering/line/LineBreaker.cpp 2017-10-16 11:06:37 UTC (rev 223384)
@@ -68,7 +68,7 @@
} else if (object.isFloating())
m_block.positionNewFloatOnLine(*m_block.insertFloatingObject(downcast<RenderBox>(object)), lastFloatFromPreviousLine, lineInfo, width);
else if (object.style().hasTextCombine() && is<RenderCombineText>(object)) {
- downcast<RenderCombineText>(object).combineText();
+ downcast<RenderCombineText>(object).combineTextIfNeeded();
if (downcast<RenderCombineText>(object).isCombined())
continue;
}