Crash due to incorrect parsing of isolates
author: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 15 Dec 2011 04:19:24 +0000 (04:19 +0000)
committer: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 15 Dec 2011 04:19:24 +0000 (04:19 +0000)
commit: e1e70103166048e2fb1e42918bb2204e801c7f6f
tree: f31c1013c455b85b8f6ec43145ea13cdbe5b9341
parent: 90c595e17ba5e32ec1505e634da559a46b06eff9
Crash due to incorrect parsing of isolates
https://bugs.webkit.org/show_bug.cgi?id=74311
When <bdi> content is wrapped, all hell breaks loose
https://bugs.webkit.org/show_bug.cgi?id=74396

Patch by Ken Buchanan <kenrb@chromium.org> on 2011-12-14
Reviewed by Eric Seidel.

Source/WebCore:

When an isolate was encountered during run layout, the entire isolate
would be parsed, even if the run started in the middle of the isolate.
This would sometimes cause parts of the isolate to be added multiple
times as runs. This patch marks the starting position within the
isolate so nothing is parsed twice.

This patch changes appendRun() so that when a run is added that is
inside an isolate, it saves the start position of the run rather than
the root. This allows constructBidiRuns() to resume parsing the
isolate from the correct position.

The change to RenderBox partially reverts a previous change I had
done. It makes sense to screen for the condition, as was previously
the case.

This patch does not add the test case from 74396 because a separate
bug is preventing it from rendering correctly.

* rendering/InlineIterator.h:
(WebCore::addPlaceholderRunForIsolatedInline)
(WebCore::IsolateTracker::addFakeRunIfNecessary)
(WebCore::InlineBidiResolver::appendRun)
* rendering/RenderBlockLineLayout.cpp:
(WebCore::RenderBlockLineLayout::constructBidiRuns)
* rendering/RenderBox.cpp:
(WebCore::RenderBox::positionLineBox)

LayoutTests:

Layout test has multiple lines inside an isolate to ensure each run
is created only once.

The test that is in bug 74396 will have to be added once bug 74489 is
fixed.

* LayoutTests/fast/text/international/multiline-and-object-inside-isolate-crash-expected.txt: Added
* LayoutTests/fast/text/international/multiline-and-object-inside-isolate-crash.html: Added

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@102875 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog [changed mode: 0644->0755]
LayoutTests/fast/text/international/embed-bidi-style-in-isolate-crash-expected.txt
LayoutTests/fast/text/international/multiline-and-object-inside-isolate-crash-expected.txt [new file with mode: 0755]
LayoutTests/fast/text/international/multiline-and-object-inside-isolate-crash.html [new file with mode: 0755]
Source/WebCore/ChangeLog [changed mode: 0644->0755]
Source/WebCore/rendering/InlineIterator.h [changed mode: 0644->0755]
Source/WebCore/rendering/RenderBlockLineLayout.cpp [changed mode: 0644->0755]
Source/WebCore/rendering/RenderBox.cpp