Title: [99462] trunk
- Revision
- 99462
- Author
- commit-qu...@webkit.org
- Date
- 2011-11-07 12:48:35 -0800 (Mon, 07 Nov 2011)
Log Message
Crash due to mixed direction text runs
https://bugs.webkit.org/show_bug.cgi?id=66015
Patch by Ken Buchanan <ke...@chromium.org> on 2011-11-07
Reviewed by David Hyatt.
Source/WebCore:
Test for bug fix.
* fast/text/international/bidi-neutral-in-mixed-direction-run-crash.html: Added
* fast/text/international/bidi-neutral-in-mixed-direction-run-cras-expected.txt: Added
LayoutTests:
In some cases extra bidi runs were being added because appendRun() was being called
after the last run of the line was already appended.
This converts a previous fix for this bug to an ASSERT, because the check is
unnecessary, though it is a symptom that text runs have somehow gotten messed up.
* rendering/InlineIterator.h:
(WebCore::InlineBidiResolver::appendRun): Abort append if we've already appended the last
run of the line
* rendering/RenderBox.cpp:
(WebCore::RenderBox::positionLineBox): Revert the previous patch, change to an assert
Modified Paths
Added Paths
Property Changed
Diff
Modified: trunk/LayoutTests/ChangeLog (99461 => 99462)
--- trunk/LayoutTests/ChangeLog 2011-11-07 20:42:33 UTC (rev 99461)
+++ trunk/LayoutTests/ChangeLog 2011-11-07 20:48:35 UTC (rev 99462)
@@ -1,3 +1,22 @@
+2011-11-07 Ken Buchanan <ke...@chromium.org>
+
+ Crash due to mixed direction text runs
+ https://bugs.webkit.org/show_bug.cgi?id=66015
+
+ Reviewed by David Hyatt.
+
+ In some cases extra bidi runs were being added because appendRun() was being called
+ after the last run of the line was already appended.
+
+ This converts a previous fix for this bug to an ASSERT, because the check is
+ unnecessary, though it is a symptom that text runs have somehow gotten messed up.
+
+ * rendering/InlineIterator.h:
+ (WebCore::InlineBidiResolver::appendRun): Abort append if we've already appended the last
+ run of the line
+ * rendering/RenderBox.cpp:
+ (WebCore::RenderBox::positionLineBox): Revert the previous patch, change to an assert
+
2011-11-07 Tim Horton <timothy_hor...@apple.com>
getBBox() on a SVGPathElement with curves incorrectly includes control points
Property changes on: trunk/LayoutTests/ChangeLog
___________________________________________________________________
Added: svn:executable
Added: trunk/LayoutTests/fast/text/international/bidi-neutral-in-mixed-direction-run-crash-expected.txt (0 => 99462)
--- trunk/LayoutTests/fast/text/international/bidi-neutral-in-mixed-direction-run-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/text/international/bidi-neutral-in-mixed-direction-run-crash-expected.txt 2011-11-07 20:48:35 UTC (rev 99462)
@@ -0,0 +1 @@
+PASS, if no crash or exceptions thrown
Added: trunk/LayoutTests/fast/text/international/bidi-neutral-in-mixed-direction-run-crash.html (0 => 99462)
--- trunk/LayoutTests/fast/text/international/bidi-neutral-in-mixed-direction-run-crash.html (rev 0)
+++ trunk/LayoutTests/fast/text/international/bidi-neutral-in-mixed-direction-run-crash.html 2011-11-07 20:48:35 UTC (rev 99462)
@@ -0,0 +1,25 @@
+<html>
+<style>
+ body { direction: rtl; padding-left: 100%; }
+</style>
+<script>
+ if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+ }
+
+ function runTest() {
+ document.body.innerHTML = "PASS, if no crash or exceptions thrown";
+
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }
+
+ setTimeout("runTest()", 0);
+</script>
+0<span>
+<image>
+A 0<div></div>
+</span>
+</html>
+
Property changes on: trunk/LayoutTests/fast/text/international/bidi-neutral-in-mixed-direction-run-crash.html
___________________________________________________________________
Added: svn:executable
Modified: trunk/Source/WebCore/ChangeLog (99461 => 99462)
--- trunk/Source/WebCore/ChangeLog 2011-11-07 20:42:33 UTC (rev 99461)
+++ trunk/Source/WebCore/ChangeLog 2011-11-07 20:48:35 UTC (rev 99462)
@@ -1,3 +1,15 @@
+2011-11-07 Ken Buchanan <ke...@chromium.org>
+
+ Crash due to mixed direction text runs
+ https://bugs.webkit.org/show_bug.cgi?id=66015
+
+ Reviewed by David Hyatt.
+
+ Test for bug fix.
+
+ * fast/text/international/bidi-neutral-in-mixed-direction-run-crash.html: Added
+ * fast/text/international/bidi-neutral-in-mixed-direction-run-cras-expected.txt: Added
+
2011-11-07 Tim Horton <timothy_hor...@apple.com>
getBBox() on a SVGPathElement with curves incorrectly includes control points
Property changes on: trunk/Source/WebCore/ChangeLog
___________________________________________________________________
Added: svn:executable
Modified: trunk/Source/WebCore/rendering/InlineIterator.h (99461 => 99462)
--- trunk/Source/WebCore/rendering/InlineIterator.h 2011-11-07 20:42:33 UTC (rev 99461)
+++ trunk/Source/WebCore/rendering/InlineIterator.h 2011-11-07 20:48:35 UTC (rev 99462)
@@ -464,7 +464,7 @@
template <>
inline void InlineBidiResolver::appendRun()
{
- if (!m_emptyRun && !m_eor.atEnd()) {
+ if (!m_emptyRun && !m_eor.atEnd() && !m_reachedEndOfLine) {
// Keep track of when we enter/leave "unicode-bidi: isolate" inlines.
// Initialize our state depending on if we're starting in the middle of such an inline.
// FIXME: Could this initialize from this->inIsolate() instead of walking up the render tree?
Modified: trunk/Source/WebCore/rendering/RenderBox.cpp (99461 => 99462)
--- trunk/Source/WebCore/rendering/RenderBox.cpp 2011-11-07 20:42:33 UTC (rev 99461)
+++ trunk/Source/WebCore/rendering/RenderBox.cpp 2011-11-07 20:48:35 UTC (rev 99462)
@@ -1488,8 +1488,7 @@
box->destroy(renderArena());
} else if (isReplaced()) {
setLocation(roundedLayoutPoint(FloatPoint(box->x(), box->y())));
- if (m_inlineBoxWrapper)
- deleteLineBoxWrapper();
+ ASSERT(!m_inlineBoxWrapper);
m_inlineBoxWrapper = box;
}
}
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
