Modified: branches/safari-537.76-branch/LayoutTests/ChangeLog (168095 => 168096)
--- branches/safari-537.76-branch/LayoutTests/ChangeLog 2014-05-01 13:31:46 UTC (rev 168095)
+++ branches/safari-537.76-branch/LayoutTests/ChangeLog 2014-05-01 15:27:54 UTC (rev 168096)
@@ -1,3 +1,29 @@
+2014-05-01 Matthew Hanson <matthew_han...@apple.com>
+
+ Merge r166650.
+
+ 2014-04-02 David Kilzer <ddkil...@apple.com>
+
+ Use outermost containing isolate when constructing bidi runs
+ <http://webkit.org/b/131107>
+ <rdar://problem/15690021>
+
+ Reviewed by Darin Adler.
+
+ Merged from Blink (patch by j...@chromium.org):
+ https://src.chromium.org/viewvc/blink?revision=157268&view=revision
+ http://crbug.com/279277
+
+ Update containingIsolate to go back all the way to top
+ isolate from current root, rather than stopping at the first
+ isolate it finds. This works because the current root is
+ always updated with each isolate run.
+
+ * fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt: Updated.
+ * fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent-expected.txt: Added.
+ * fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html: Added.
+ * fast/text/international/unicode-bidi-isolate-nested-with-removes.html: Updated.
+
2014-04-30 Matthew Hanson <matthew_han...@apple.com>
Merge r166645.
Modified: branches/safari-537.76-branch/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt (168095 => 168096)
--- branches/safari-537.76-branch/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt 2014-05-01 13:31:46 UTC (rev 168095)
+++ branches/safari-537.76-branch/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt 2014-05-01 15:27:54 UTC (rev 168096)
@@ -1,4 +1 @@
- bar
-
-
PASS did not crash
Copied: branches/safari-537.76-branch/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent-expected.txt (from rev 166650, trunk/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent-expected.txt) (0 => 168096)
--- branches/safari-537.76-branch/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent-expected.txt (rev 0)
+++ branches/safari-537.76-branch/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent-expected.txt 2014-05-01 15:27:54 UTC (rev 168096)
@@ -0,0 +1 @@
+PASS did not crash
Copied: branches/safari-537.76-branch/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html (from rev 166650, trunk/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html) (0 => 168096)
--- branches/safari-537.76-branch/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html (rev 0)
+++ branches/safari-537.76-branch/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html 2014-05-01 15:27:54 UTC (rev 168096)
@@ -0,0 +1,35 @@
+<!doctype html>
+<!-- This tests for regression of https://crbug.com/279277 where non-adjacent, nested isolates caused a use-after-free if the elements were later removed. -->
+<script>
+window._onload_ = function() {
+ document.body.offsetTop;
+ b.lastChild.parentNode.removeChild(b.lastChild);
+ document.body.offsetTop;
+ a.nextSibling.parentNode.removeChild(a.nextSibling);
+ document.body.offsetTop;
+
+ document.write("PASS did not crash");
+}
+</script>
+
+<body>
+ <div id="a">foo</div><div>baz</div><div></div>
+ <div>
+ <output>
+ <span>
+ <output>bar</output>
+ <span id="b">
+ <span>
+ <div style="display:inline-block"></div>
+ <br><br>
+ </span>
+ </span>
+ </span>
+ </output>
+ </div>
+</body>
+
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
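Review bot: The header comment names the bug but not why the pass marker is emitted with `document.write` after load; at that point the call reopens and replaces the document, which is what leaves the expectation file at a single PASS line (the sibling expectation file in this same commit drops its ` bar` lines for the same reason), and a later reader may be tempted to switch back to appendChild. A second comment line after the bug reference, e.g. `<!-- document.write after load replaces the document, so the expectation is only the PASS line. -->`, would make that deliberate. The same note applies to the modified unicode-bidi-isolate-nested-with-removes.html, whose appendChild call is replaced by document.write in this commit.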
Modified: branches/safari-537.76-branch/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes.html (168095 => 168096)
--- branches/safari-537.76-branch/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes.html 2014-05-01 13:31:46 UTC (rev 168095)
+++ branches/safari-537.76-branch/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes.html 2014-05-01 15:27:54 UTC (rev 168096)
@@ -1,19 +1,15 @@
+<!doctype html>
<!-- This tests for regression of https://crbug.com/265838 where adjacent, nested isolates caused a use-after-free if the elements were later removed. -->
<script>
-function remove(node)
-{
- node.parentNode.removeChild(node);
-}
-
window._onload_ = function()
{
document.body.offsetTop;
- remove(b.lastChild);
+ b.lastChild.parentNode.removeChild(b.lastChild);
document.body.offsetTop;
- remove(a.firstChild);
+ a.firstChild.parentNode.removeChild(a.firstChild);
document.body.offsetTop;
- document.body.appendChild(document.createTextNode("PASS did not crash"));
+ document.write("PASS did not crash");
}
</script>
Modified: branches/safari-537.76-branch/Source/WebCore/ChangeLog (168095 => 168096)
--- branches/safari-537.76-branch/Source/WebCore/ChangeLog 2014-05-01 13:31:46 UTC (rev 168095)
+++ branches/safari-537.76-branch/Source/WebCore/ChangeLog 2014-05-01 15:27:54 UTC (rev 168096)
@@ -1,3 +1,32 @@
+2014-05-01 Matthew Hanson <matthew_han...@apple.com>
+
+ Merge r166650.
+
+ 2014-04-02 David Kilzer <ddkil...@apple.com>
+
+ Use outermost containing isolate when constructing bidi runs
+ <http://webkit.org/b/131107>
+ <rdar://problem/15690021>
+
+ Reviewed by Darin Adler.
+
+ Merged from Blink (patch by j...@chromium.org):
+ https://src.chromium.org/viewvc/blink?revision=157268&view=revision
+ http://crbug.com/279277
+
+ Update containingIsolate to go back all the way to top
+ isolate from current root, rather than stopping at the first
+ isolate it finds. This works because the current root is
+ always updated with each isolate run.
+
+ Tests: fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html
+ fast/text/international/unicode-bidi-isolate-nested-with-removes.html
+
+ * rendering/InlineIterator.h:
+ (WebCore::highestContainingIsolateWithinRoot):
+ * rendering/RenderBlockLineLayout.cpp:
+ (WebCore::constructBidiRunsForSegment):
+
2014-04-30 Lucas Forschler <lforsch...@apple.com>
Merge r167211
Modified: branches/safari-537.76-branch/Source/WebCore/rendering/InlineIterator.h (168095 => 168096)
--- branches/safari-537.76-branch/Source/WebCore/rendering/InlineIterator.h 2014-05-01 13:31:46 UTC (rev 168095)
+++ branches/safari-537.76-branch/Source/WebCore/rendering/InlineIterator.h 2014-05-01 15:27:54 UTC (rev 168096)
@@ -413,14 +413,11 @@
return object->isRenderInline() && isIsolated(object->style()->unicodeBidi());
}
-static inline RenderObject* containingIsolate(RenderObject* object, RenderObject* root)
+static inline RenderObject* highestContainingIsolateWithinRoot(RenderObject* object, RenderObject* root)
{
ASSERT(object);
RenderObject* containingIsolateObject = 0;
while (object && object != root) {
- if (containingIsolateObject && !isIsolatedInline(object))
- break;
-
if (isIsolatedInline(object))
containingIsolateObject = object;
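Review bot: The new name promises the highest isolate within root, but nothing in the header states that root itself is excluded or that 0 is returned when the ancestor chain holds no isolate; both follow from the `RenderObject* containingIsolateObject = 0;` initialisation and the `object != root` loop condition, and the caller in RenderBlockLineLayout.cpp now dereferences the result. A comment above the signature would pin the contract and the reason the early `break` was dropped, e.g. `// Walks up from object to (but excluding) root and returns the outermost isolated inline found, or 0 if there is none. Do not stop at the first isolate: the resolver's root is advanced with each isolate run, so an inner isolate may already have been handled (webkit.org/b/131107).` The parent walk and the return statement lie below the hunk, so the loop's remaining body could not be checked here.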
Modified: branches/safari-537.76-branch/Source/WebCore/rendering/RenderBlockLineLayout.cpp (168095 => 168096)
--- branches/safari-537.76-branch/Source/WebCore/rendering/RenderBlockLineLayout.cpp 2014-05-01 13:31:46 UTC (rev 168095)
+++ branches/safari-537.76-branch/Source/WebCore/rendering/RenderBlockLineLayout.cpp 2014-05-01 15:27:54 UTC (rev 168096)
@@ -1312,7 +1312,9 @@
// tree to see which parent inline is the isolate. We could change enterIsolate
// to take a RenderObject and do this logic there, but that would be a layering
// violation for BidiResolver (which knows nothing about RenderObject).
- RenderInline* isolatedInline = toRenderInline(containingIsolate(startObj, currentRoot));
+ RenderInline* isolatedInline = toRenderInline(highestContainingIsolateWithinRoot(startObj, currentRoot));
+ ASSERT(isolatedInline);
+
InlineBidiResolver isolatedResolver;
EUnicodeBidi unicodeBidi = isolatedInline->style()->unicodeBidi();
TextDirection direction;
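Review bot: The added `ASSERT(isolatedInline);` only guards debug builds; in release the `isolatedInline->style()->unicodeBidi()` dereference two lines later runs unchecked, and highestContainingIsolateWithinRoot returns 0 when no isolated inline lies between startObj and currentRoot. If that case is provably impossible here (startObj presumably having been reached through an isolate run), say so beside the assert, e.g. `// startObj lies inside an isolate run, so an isolated inline must exist below currentRoot.`; if it is not provable, a release-build null check that skips the segment would be the safer choice. constructBidiRunsForSegment begins and ends outside this hunk, so the invariant cannot be confirmed from the visible lines.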