Nested isolates can cause an infinite loop when laying out bidi runs
author: mmaxfield@apple.com <mmaxfield@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 16 Sep 2015 00:30:38 +0000 (00:30 +0000)
committer: mmaxfield@apple.com <mmaxfield@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 16 Sep 2015 00:30:38 +0000 (00:30 +0000)
commit: 9df99d89a18cb2cf4fa60aac8c9cba3388d78541
tree: 10142ab94c9061458eec45507d2eabbd1547aab8
parent: 66c31947d2c464a51b8bc8509d916354f9af9938
Nested isolates can cause an infinite loop when laying out bidi runs
https://bugs.webkit.org/show_bug.cgi?id=149153

Reviewed by David Hyatt.

Source/WebCore:

When traversing bidi runs, we might encounter a run which is supposed to be isolated. In this
situation, we will append a placeholder run in the run list, and remember a pointer to these
isolated runs inside BidiResolver. Then, once we're done traversing the bidi runs, we return
to the isolated runs and handle them separately (and replace the placeholder with the result).

However, due to the fact that our BidiRuns start at leaf nodes, we have to keep track of which
local root of the render tree we were inspecting (to ensure that we visit the same node
multiple times if there are nested isolate spans). We were not correctly keeping track of this
local root, which was leading us to consider the same root multiple times, thereby leading to
an infinite loop.

The solution is simply to keep root information alongside the isolated run information inside
BidiResolver. However, BidiResolver is inside platform/, which means that this new type should
be a template argument, just like how BidiRun itself is a template argument.

This new type, BidiIsolatedRun, holds all the information that our isolate-revisiting logic
needs inside constructBidiRunsForSegment(). It also holds a reference to the placeholder run
which we will replace.

Test: fast/text/international/unicode-bidi-isolate-nested-crash.html

* platform/graphics/GraphicsContext.cpp:
(WebCore::GraphicsContext::drawBidiText): BidiIsolatedRun template argument is unused, so pass
in Void.
* platform/text/BidiResolver.h: Add template argument.
(WebCore::BidiResolver::isolatedRuns):
(WebCore::IsolatedRun>::~BidiResolver):
(WebCore::IsolatedRun>::appendRun):
(WebCore::IsolatedRun>::embed):
(WebCore::IsolatedRun>::checkDirectionInLowerRaiseEmbeddingLevel):
(WebCore::IsolatedRun>::lowerExplicitEmbeddingLevel):
(WebCore::IsolatedRun>::raiseExplicitEmbeddingLevel):
(WebCore::IsolatedRun>::commitExplicitEmbedding):
(WebCore::IsolatedRun>::updateStatusLastFromCurrentDirection):
(WebCore::IsolatedRun>::reorderRunsFromLevels):
(WebCore::IsolatedRun>::createBidiRunsForLine):
(WebCore::IsolatedRun>::setMidpointForIsolatedRun): Use references instead of pointers.
(WebCore::IsolatedRun>::midpointForIsolatedRun): Ditto.
(WebCore::Run>::~BidiResolver): Deleted.
(WebCore::Run>::appendRun): Deleted.
(WebCore::Run>::embed): Deleted.
(WebCore::Run>::checkDirectionInLowerRaiseEmbeddingLevel): Deleted.
(WebCore::Run>::lowerExplicitEmbeddingLevel): Deleted.
(WebCore::Run>::raiseExplicitEmbeddingLevel): Deleted.
(WebCore::Run>::commitExplicitEmbedding): Deleted.
(WebCore::Run>::updateStatusLastFromCurrentDirection): Deleted.
(WebCore::Run>::reorderRunsFromLevels): Deleted.
(WebCore::Run>::createBidiRunsForLine): Deleted.
(WebCore::Run>::setMidpointForIsolatedRun): Deleted.
(WebCore::Run>::midpointForIsolatedRun): Deleted.
* rendering/InlineIterator.h:
(WebCore::BidiIsolatedRun::BidiIsolatedRun): New type.
(WebCore::addPlaceholderRunForIsolatedInline): Create new type, and include local root
information.
(WebCore::IsolateTracker::addFakeRunIfNecessary): Include local root information.
(WebCore::InlineBidiResolver::appendRun): Ditto.
* rendering/RenderBlockLineLayout.cpp: Update for new BidiIsolatedRun type.
(WebCore::setUpResolverToResumeInIsolate):
(WebCore::constructBidiRunsForSegment):
* rendering/line/TrailingObjects.h:

LayoutTests:

* fast/text/international/unicode-bidi-isolate-nested-crash-expected.html: Added.
* fast/text/international/unicode-bidi-isolate-nested-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@189832 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/text/international/unicode-bidi-isolate-nested-crash-expected.html [new file with mode: 0644]
LayoutTests/fast/text/international/unicode-bidi-isolate-nested-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/platform/text/BidiResolver.h
Source/WebCore/rendering/InlineIterator.h
Source/WebCore/rendering/RenderBlockLineLayout.cpp
Source/WebCore/rendering/line/TrailingObjects.h
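The placeholder-and-root bookkeeping the commit message describes, as an added C++ model that is not WebKit's code: `Node`, `IsolatedRun`, `appendRuns`, `layOut` and `sampleLayout` are constructed here, and an isolate's resolved runs are collapsed into one bracketed string so placeholder indices stay valid, which simplifies what constructBidiRunsForSegment() does. The point it shows is that recording the local root next to each placeholder lets nested isolates be revisited exactly once, with a bounded counter standing in for the infinite loop the bug produced.

```cpp
#include <cassert>
#include <cstddef>
#include <string>
#include <vector>

// Constructed model, not WebKit code: an inline tree whose leaves carry text
// and whose inner nodes may be bidi isolates (unicode-bidi: isolate).
struct Node { std::string text; bool isolate = false; std::vector<Node*> children; };
// Analogue of the BidiIsolatedRun the commit adds: the placeholder's slot in
// the run list together with the local root to resume layout from.
struct IsolatedRun { std::size_t placeholder; Node* root; };
static std::size_t g_isolateVisits = 0; // how many isolates were re-entered

static void appendRuns(Node* root, std::vector<std::string>& runs, std::vector<IsolatedRun>& isolated)
{
    for (Node* child : root->children) {
        if (child->isolate) { // do not descend now: placeholder plus remembered root
            runs.push_back("?");
            isolated.push_back({ runs.size() - 1, child });
        } else if (child->children.empty())
            runs.push_back(child->text);
        else
            appendRuns(child, runs, isolated);
    }
}
// Lay out `root`, then revisit each isolate from its recorded root and replace
// its placeholder with the bracketed result. Each isolate is entered exactly
// once, so nesting terminates; `budget` turns a regression into an assert.
std::vector<std::string> layOut(Node* root, std::size_t budget = 32)
{
    std::vector<std::string> runs; std::vector<IsolatedRun> isolated;
    appendRuns(root, runs, isolated);
    for (const IsolatedRun& run : isolated) {
        ++g_isolateVisits;
        assert(g_isolateVisits <= budget && "isolate revisited: root information lost");
        std::string joined = "[";
        for (const std::string& s : layOut(run.root, budget))
            joined += (joined.size() > 1 ? " " : "") + s;
        runs[run.placeholder] = joined + "]";
    }
    return runs;
}

// Constructed sample: a <isolate>b <isolate>c</isolate> d</isolate> e
std::vector<std::string> sampleLayout()
{
    static Node a { "a" }, b { "b" }, c { "c" }, d { "d" }, e { "e" };
    static Node y { "", true, { &c } }, x { "", true, { &b, &y, &d } };
    static Node root { "", false, { &a, &x, &e } };
    g_isolateVisits = 0;
    return layOut(&root);
}
```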