Title: [101180] trunk
- Revision: 101180
- Author: rn...@webkit.org
- Date: 2011-11-25 12:21:06 -0800 (Fri, 25 Nov 2011)
Log Message
Crash in BidiRunList<Run>::replaceRunWithRuns with an empty bdi element
https://bugs.webkit.org/show_bug.cgi?id=73116
Reviewed by Eric Seidel.
Source/WebCore:
The assertion failure was caused because isolatedResolver is initialized with
null start object due to the isolated run being empty.
Fixed the failure by skipping empty isolated runs.
Test: fast/text/empty-bdi-crash.html
* rendering/RenderBlockLineLayout.cpp:
(WebCore::constructBidiRuns):
LayoutTests:
Added a regression test.
* fast/text/empty-bdi-crash-expected.txt: Added.
* fast/text/empty-bdi-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (101179 => 101180)
--- trunk/LayoutTests/ChangeLog 2011-11-25 19:57:28 UTC (rev 101179)
+++ trunk/LayoutTests/ChangeLog 2011-11-25 20:21:06 UTC (rev 101180)
@@ -1,3 +1,15 @@
+2011-11-25 Ryosuke Niwa <rn...@webkit.org>
+
+ Crash in BidiRunList<Run>::replaceRunWithRuns with an empty bdi element
+ https://bugs.webkit.org/show_bug.cgi?id=73116
+
+ Reviewed by Eric Seidel.
+
+ Added a regression test.
+
+ * fast/text/empty-bdi-crash-expected.txt: Added.
+ * fast/text/empty-bdi-crash.html: Added.
+
2011-11-25 Yury Semikhatsky <yu...@chromium.org>
Unreviewed. Mark inspector/elements/remove-node.html test as crashing sometimes on Linux.
Added: trunk/LayoutTests/fast/text/empty-bdi-crash-expected.txt (0 => 101180)
--- trunk/LayoutTests/fast/text/empty-bdi-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/text/empty-bdi-crash-expected.txt 2011-11-25 20:21:06 UTC (rev 101180)
@@ -0,0 +1 @@
+This test ensures WebKit does not crash when encountering an empty bdi element.
Added: trunk/LayoutTests/fast/text/empty-bdi-crash.html (0 => 101180)
--- trunk/LayoutTests/fast/text/empty-bdi-crash.html (rev 0)
+++ trunk/LayoutTests/fast/text/empty-bdi-crash.html 2011-11-25 20:21:06 UTC (rev 101180)
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<body>
+This test ensures WebKit does not crash when encountering an empty bdi element.
+<bdi></bdi>
+<script>
+
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+</script>
+</body>
+</html>
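Review bot: The test body covers only a literal empty `<bdi></bdi>`, while the fix fires whenever bidiFirstSkippingEmptyInlines returns null for an isolated span. Going by that function's name, an isolate that contains only empty inline children (for example `<bdi><span></span></bdi>`) should reach the same null-start path, so adding that case next to the bare element would pin the behaviour down more fully. The expected-result file would not need to change, since the added elements render no text.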
Modified: trunk/Source/WebCore/ChangeLog (101179 => 101180)
--- trunk/Source/WebCore/ChangeLog 2011-11-25 19:57:28 UTC (rev 101179)
+++ trunk/Source/WebCore/ChangeLog 2011-11-25 20:21:06 UTC (rev 101180)
@@ -1,3 +1,20 @@
+2011-11-25 Ryosuke Niwa <rn...@webkit.org>
+
+ Crash in BidiRunList<Run>::replaceRunWithRuns with an empty bdi element
+ https://bugs.webkit.org/show_bug.cgi?id=73116
+
+ Reviewed by Eric Seidel.
+
+ The assertion failure was caused because isolatedResolver is initialized with
+ null start object due to the isolated run being empty.
+
+ Fixed the failure by skipping empty isolated runs.
+
+ Test: fast/text/empty-bdi-crash.html
+
+ * rendering/RenderBlockLineLayout.cpp:
+ (WebCore::constructBidiRuns):
+
2011-11-25 Antti Koivisto <an...@apple.com>
StyleGeneratedImage should ref CSSImageGeneratorValue
Modified: trunk/Source/WebCore/rendering/RenderBlockLineLayout.cpp (101179 => 101180)
--- trunk/Source/WebCore/rendering/RenderBlockLineLayout.cpp 2011-11-25 19:57:28 UTC (rev 101179)
+++ trunk/Source/WebCore/rendering/RenderBlockLineLayout.cpp 2011-11-25 20:21:06 UTC (rev 101180)
@@ -964,6 +964,8 @@
// FIXME: The fact that we have to construct an Iterator here
// currently prevents this code from moving into BidiResolver.
RenderObject* startObj = bidiFirstSkippingEmptyInlines(isolatedSpan, &isolatedResolver);
+ if (!startObj)
+ continue;
isolatedResolver.setPosition(InlineIterator(isolatedSpan, startObj, 0));
// FIXME: isolatedEnd should probably equal end or the last char in isolatedSpan.
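Review bot: The added `if (!startObj) continue;` right after the bidiFirstSkippingEmptyInlines call has no comment saying when startObj can be null. The ChangeLog gives the reason (the isolated run is empty), and a one-line comment to that effect above the check would keep a later reader from treating it as dead code. It is also worth confirming that skipping the rest of the loop body for this run leaves the run list consistent, because the visible context does not show what happens to the isolated run's entry when it is never passed on to replaceRunWithRuns.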