Title: [186628] branches/safari-600.8-branch/Source/WebCore
- Revision
- 186628
- Author
- matthew_han...@apple.com
- Date
- 2015-07-09 14:03:23 -0700 (Thu, 09 Jul 2015)
Log Message
Merge r186567. rdar://problem/21716428
Modified Paths
Diff
Modified: branches/safari-600.8-branch/Source/WebCore/ChangeLog (186627 => 186628)
--- branches/safari-600.8-branch/Source/WebCore/ChangeLog 2015-07-09 21:03:20 UTC (rev 186627)
+++ branches/safari-600.8-branch/Source/WebCore/ChangeLog 2015-07-09 21:03:23 UTC (rev 186628)
@@ -1,5 +1,42 @@
2015-07-09 Matthew Hanson <matthew_han...@apple.com>
+ Merge r186567. rdar://problem/21716428
+
+ 2015-07-08 Lucas Forschler <lforsch...@apple.com>
+
+ Merge r184965 rdar://problem/21716564
+
+ 2015-05-28 Myles C. Maxfield <mmaxfi...@apple.com>
+
+ Crash under ICU with ASAN during editing/selection/move-by-word-visually-crash-test-5.html
+ https://bugs.webkit.org/show_bug.cgi?id=145429
+ <rdar://problem/20992218>
+
+ Reviewed by Alexey Proskuryakov.
+
+ WebKit uses some strings which contain the lower 8-bits of UTF-16 (thereby saving space). However,
+ ICU doesn't understand this encoding. When we want to use ICU functions with strings in this encoding,
+ we create a UTextProvider which converts our encoded strings to UTF-16 for ICU, one chunk at a time.
+ This object contains a vtable which we populate to perform the conversion.
+
+ The WebKit function which actually returns the UTF-16 chunks has two relevant arguments: an index into
+ the encoded string which ICU is requesting, and a direction from that index which ICU is interested
+ in. This function populates a "chunk" which is characterized by a pointer to a buffer, the length of
+ the populated data in the buffer, and an offset into the chunk which represents the index that the
+ requested character was put into.
+
+ When ICU requests data going backward, we fill in the chunk accordingly, with the requested character
+ all the way at the end. We then set the offset equal to the length of the buffer. However, this length
+ value is stale from the previous time the function ran. Therefore, ICU was reading the wrong index in
+ the chunk when expecting the requested character.
+
+ Covered by editing/selection/move-by-word-visually-crash-test-5.html.
+
+ * platform/text/icu/UTextProviderLatin1.cpp:
+ (WebCore::uTextLatin1Access):
+
+2015-07-09 Matthew Hanson <matthew_han...@apple.com>
+
Merge r186560. rdar://problem/21716387
2015-07-08 Matthew Hanson <matthew_han...@apple.com>
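Review bot: the nested merge line "Merge r184965 rdar://problem/21716564" is missing the period after the revision that the enclosing entry uses ("Merge r186567. rdar://problem/21716428"); make the two consistent so the ChangeLog merge entries stay grep-friendly. The description itself is good: it states the root cause (chunkOffset set from a chunkLength value left over from the previous call) and names the covering test, which is what a reader of the branch history needs.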
Modified: branches/safari-600.8-branch/Source/WebCore/platform/text/icu/UTextProviderLatin1.cpp (186627 => 186628)
--- branches/safari-600.8-branch/Source/WebCore/platform/text/icu/UTextProviderLatin1.cpp 2015-07-09 21:03:20 UTC (rev 186627)
+++ branches/safari-600.8-branch/Source/WebCore/platform/text/icu/UTextProviderLatin1.cpp 2015-07-09 21:03:23 UTC (rev 186628)
@@ -104,7 +104,7 @@
}
if (index >= length && uText->chunkNativeLimit == length) {
// Off the end of the buffer, but we can't get it.
- uText->chunkOffset = uText->chunkLength;
+ uText->chunkOffset = static_cast<int32_t>(index - uText->chunkNativeStart);
return FALSE;
}
} else {
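Review bot: in this branch the guard is `index >= length`, so `index` may be strictly greater than `length` while `chunkNativeLimit == length`; the new `chunkOffset = static_cast<int32_t>(index - uText->chunkNativeStart)` would then point past the end of the current chunk rather than at its end as the old `chunkLength` assignment did. Either clamp the value (for example to `length - uText->chunkNativeStart`) or add a comment stating that callers never pass an index beyond `length`, so the out-of-chunk offset cannot occur; the comment "Off the end of the buffer, but we can't get it." should also say what offset ICU is expected to see in this case.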
@@ -136,7 +136,7 @@
if (uText->chunkNativeStart < 0)
uText->chunkNativeStart = 0;
- uText->chunkOffset = uText->chunkLength;
+ uText->chunkOffset = static_cast<int32_t>(index - uText->chunkNativeStart);
}
uText->chunkLength = static_cast<int32_t>(uText->chunkNativeLimit - uText->chunkNativeStart);
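Review bot: the backward path now sets `chunkOffset` from `index - uText->chunkNativeStart` one line before `chunkLength` is refreshed from `chunkNativeLimit - chunkNativeStart`, which is correct precisely because the new expression no longer reads the stale `chunkLength`; a one-line comment above the assignment saying that `chunkLength` is not yet valid at this point would keep a future edit from reintroducing the bug. The same `static_cast<int32_t>(index - uText->chunkNativeStart)` expression now appears in both hunks; consider a small helper or a local so the two sites cannot drift apart.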
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes