Use-after-move in RenderCombineText::combineTextIfNeeded()
author: mmaxfield@apple.com <mmaxfield@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 28 Feb 2019 23:42:22 +0000 (23:42 +0000)
committer: mmaxfield@apple.com <mmaxfield@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 28 Feb 2019 23:42:22 +0000 (23:42 +0000)
commit: e5cd80dd65240c5704df3cee2d4c3be1cbb5d382
tree: 850b023c0bad6f17aad348151895f502748ac55b
parent: 8bdda7733caef7198283b7c8f77af20a174b01a7
Use-after-move in RenderCombineText::combineTextIfNeeded()
https://bugs.webkit.org/show_bug.cgi?id=195188

Reviewed by Zalan Bujtas.

Source/WebCore:

r241288 uncovered an existing problem with our text-combine code. r242204 alleviated the
symptom, but this patch fixes the source of the problem (and reverts r242204).

The code in RenderCombineText::combineTextIfNeeded() has a bit that’s like:

FontDescription bestFitDescription;
while (...) {
    FontCascade compressedFont(WTFMove(bestFitDescription), ...);
    ...
}

Clearly this is wrong.

Test: fast/text/text-combine-crash-2.html

* platform/graphics/cocoa/FontDescriptionCocoa.cpp:
(WebCore::FontDescription::platformResolveGenericFamily):
* rendering/RenderCombineText.cpp:
(WebCore::RenderCombineText::combineTextIfNeeded):

LayoutTests:

* fast/text/text-combine-crash-2-expected.html: Added.
* fast/text/text-combine-crash-2.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@242237 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/text/text-combine-crash-2-expected.html [new file with mode: 0644]
LayoutTests/fast/text/text-combine-crash-2.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/platform/graphics/cocoa/FontDescriptionCocoa.cpp
Source/WebCore/rendering/RenderCombineText.cpp
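The loop shape the ChangeLog describes, as an added stand-alone example (not WebKit's code or this commit's diff): the FontDescription and FontCascade types below are constructed stand-ins that make the moved-from state observable, and the copy-per-iteration variant is one assumed way to keep the source alive, not a claim about what the patch actually changed.

```cpp
#include <string>
#include <utility>

// Stand-in for WebCore::FontDescription, constructed for this example (not WebKit's type).
// A real type's moved-from state is "valid but unspecified"; here it is made
// observable with a flag so the defect can be asserted on instead of crashing.
struct FontDescription {
    std::string family;
    bool valid = true;

    explicit FontDescription(std::string f) : family(std::move(f)) {}
    FontDescription(const FontDescription&) = default;
    FontDescription(FontDescription&& other) noexcept
        : family(std::move(other.family)), valid(other.valid) { other.valid = false; }
};

// Stand-in for WebCore::FontCascade: takes its description by value, so the caller
// decides whether that argument is copied or moved.
struct FontCascade {
    FontDescription description;
    explicit FontCascade(FontDescription d) : description(std::move(d)) {}
    bool usable() const { return description.valid; }
};

// Shape of the bug from the ChangeLog: WTFMove(bestFitDescription) inside the loop
// body hands the description away on iteration 0, so every later iteration builds
// its cascade from a moved-from object. Returns how many iterations did so.
int combineWithMove(FontDescription bestFitDescription, int iterations)
{
    int badIterations = 0;
    for (int i = 0; i < iterations; ++i) {
        FontCascade compressedFont(std::move(bestFitDescription)); // use-after-move once i > 0
        if (!compressedFont.usable()) ++badIterations;
    }
    return badIterations;
}

// One way to keep the source alive across iterations (an assumption for this example,
// not the patch's actual diff): copy the description into each cascade instead.
int combineWithCopy(const FontDescription& bestFitDescription, int iterations)
{
    int badIterations = 0;
    for (int i = 0; i < iterations; ++i) {
        FontCascade compressedFont(bestFitDescription); // copy; source stays valid
        if (!compressedFont.usable()) ++badIterations;
    }
    return badIterations;
}
```

With three iterations the moving loop builds two cascades from a moved-from description and the copying loop none; the family name passed in is a constructed sample value.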