2011-06-27 Ryosuke Niwa <rniwa@webkit.org>
authorrniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 27 Jun 2011 17:21:39 +0000 (17:21 +0000)
committerrniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 27 Jun 2011 17:21:39 +0000 (17:21 +0000)
        Reviewed by Kent Tamura.

        Crash in TextIterator
        https://bugs.webkit.org/show_bug.cgi?id=63334

        Fix a crash in TextIterator. Keep m_sortedTextBoxes and renderer consistent
        and check !m_offset when handling first letter.

        Also add more assertions to help detect similar bugs.

        Test: editing/text-iterator/first-letter-rtl-crash.html

        * editing/TextIterator.cpp:
        (WebCore::TextIterator::handleTextNode):
        (WebCore::TextIterator::emitText):
2011-06-27  Ryosuke Niwa  <rniwa@webkit.org>

        Reviewed by Kent Tamura.

        Crash in TextIterator
        https://bugs.webkit.org/show_bug.cgi?id=63334

        Added a test to ensure WebKit does not crash when iterating through letters in a RTL block
        with first-letter rule applied where letters are not contiguous.

        * editing/text-iterator/first-letter-rtl-crash-expected.txt: Added.
        * editing/text-iterator/first-letter-rtl-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@89831 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/editing/text-iterator/first-letter-rtl-crash-expected.txt [new file with mode: 0644]
LayoutTests/editing/text-iterator/first-letter-rtl-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/editing/TextIterator.cpp

index f338726..a91a96b 100644 (file)
@@ -1,3 +1,16 @@
+2011-06-27  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Reviewed by Kent Tamura.
+
+        Crash in TextIterator
+        https://bugs.webkit.org/show_bug.cgi?id=63334
+
+        Added a test to ensure WebKit does not crash when iterating through letters in a RTL block
+        with first-letter rule applied where letters are not contiguous.
+
+        * editing/text-iterator/first-letter-rtl-crash-expected.txt: Added.
+        * editing/text-iterator/first-letter-rtl-crash.html: Added.
+
 2011-06-27  Balazs Kelemen  <kbalazs@webkit.org>
 
         Reviewed by Kenneth Rohde Christiansen.
diff --git a/LayoutTests/editing/text-iterator/first-letter-rtl-crash-expected.txt b/LayoutTests/editing/text-iterator/first-letter-rtl-crash-expected.txt
new file mode 100644 (file)
index 0000000..8957002
--- /dev/null
@@ -0,0 +1,3 @@
+
+This test ensures WebKit does not crash when first-letter rule is applied to LTR letters that are not visually contiguous to each other.
+PASS
diff --git a/LayoutTests/editing/text-iterator/first-letter-rtl-crash.html b/LayoutTests/editing/text-iterator/first-letter-rtl-crash.html
new file mode 100644 (file)
index 0000000..8abb966
--- /dev/null
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<style>
+body:first-letter { color: black; }
+</style>
+<script>
+
+function run() {
+    document.execCommand('findString', false, '!ABC');
+    document.body.innerHTML = '<br>This test ensures WebKit does not crash when first-letter rule is applied to LTR letters that ' +
+    ' are not visually contiguous to each other.<br>PASS';
+    if (window.layoutTestController)
+        layoutTestController.dumpAsText();
+}
+
+</script>
+<body style="direction: rtl;" onload="run()">!ABC&#x202E;</body>
index 1cab2bd..67ba54e 100644 (file)
@@ -1,3 +1,21 @@
+2011-06-27  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Reviewed by Kent Tamura.
+
+        Crash in TextIterator
+        https://bugs.webkit.org/show_bug.cgi?id=63334
+
+        Fix a crash in TextIterator. Keep m_sortedTextBoxes and renderer consistent
+        and check !m_offset when handling first letter.
+
+        Also add more assertions to help detecting similar bugs.
+
+        Test: editing/text-iterator/first-letter-rtl-crash.html
+
+        * editing/TextIterator.cpp:
+        (WebCore::TextIterator::handleTextNode):
+        (WebCore::TextIterator::emitText):
+
 2011-06-27  Caio Marcelo de Oliveira Filho  <caio.oliveira@openbossa.org>
 
         Reviewed by Andreas Kling.
index 7697aff..fc17962 100644 (file)
@@ -459,7 +459,7 @@ bool TextIterator::handleTextNode()
             emitCharacter(' ', m_node, 0, runStart, runStart);
             return false;
         }
-        if (!m_handledFirstLetter && renderer->isTextFragment()) {
+        if (!m_handledFirstLetter && renderer->isTextFragment() && !m_offset) {
             handleTextNodeFirstLetter(static_cast<RenderTextFragment*>(renderer));
             if (m_firstLetterText) {
                 String firstLetter = m_firstLetterText->text();
@@ -496,6 +496,14 @@ bool TextIterator::handleTextNode()
         return true;
     }
 
+    
+    m_textBox = renderer->firstTextBox();
+    if (!m_handledFirstLetter && renderer->isTextFragment() && !m_offset)
+        handleTextNodeFirstLetter(static_cast<RenderTextFragment*>(renderer));
+
+    if (m_firstLetterText)
+        renderer = m_firstLetterText;
+
     // Used when text boxes are out of order (Hebrew/Arabic w/ embeded LTR text)
     if (renderer->containsReversedText()) {
         m_sortedTextBoxes.clear();
@@ -504,11 +512,9 @@ bool TextIterator::handleTextNode()
         }
         std::sort(m_sortedTextBoxes.begin(), m_sortedTextBoxes.end(), InlineTextBox::compareByStart); 
         m_sortedTextBoxesPosition = 0;
+        m_textBox = m_sortedTextBoxes.isEmpty() ? 0 : m_sortedTextBoxes[0];
     }
-    
-    m_textBox = renderer->containsReversedText() ? (m_sortedTextBoxes.isEmpty() ? 0 : m_sortedTextBoxes[0]) : renderer->firstTextBox();
-    if (!m_handledFirstLetter && renderer->isTextFragment() && !m_offset)
-        handleTextNodeFirstLetter(static_cast<RenderTextFragment*>(renderer));
+
     handleTextBox();
     return true;
 }
@@ -975,6 +981,9 @@ void TextIterator::emitText(Node* textNode, RenderObject* renderObject, int text
     RenderText* renderer = toRenderText(renderObject);
     m_text = m_emitsTextWithoutTranscoding ? renderer->textWithoutTranscoding() : renderer->text();
     ASSERT(m_text.characters());
+    ASSERT(0 <= textStartOffset && textStartOffset < static_cast<int>(m_text.length()));
+    ASSERT(0 <= textEndOffset && textEndOffset <= static_cast<int>(m_text.length()));
+    ASSERT(textStartOffset <= textEndOffset);
 
     m_positionNode = textNode;
     m_positionOffsetBaseNode = 0;
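Review bot: The three new ASSERTs on textStartOffset/textEndOffset are compiled out in release builds, so the out-of-range offsets that produced this crash would still reach whatever slices m_text further down in emitText (the rest of the function is outside the hunk), and the commit does not say whether callers are now guaranteed to pass valid offsets or whether release builds should fail closed; a comment above the checks such as `// Debug-only: callers are responsible for keeping the offsets within m_text.` would make the intended contract explicit, and if that guarantee is not certain, clamping the offsets to m_text.length() before they are used would avoid an over-read without changing the debug behaviour. There is also an asymmetry between `textStartOffset < static_cast<int>(m_text.length())` and `textEndOffset <= static_cast<int>(m_text.length())`: an empty range at the very end of the text (start == end == length) satisfies the second and third assertions but trips the first, so it is worth confirming that case is unreachable rather than a false positive. Separately, the hunk at +496 adds a whitespace-only line (the `+    ` before `m_textBox = renderer->firstTextBox();`), which WebKit style would normally reject.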