2010-01-26 Evan Martin <evan@chromium.org>
author evan@chromium.org <evan@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 27 Jan 2011 00:49:04 +0000 (00:49 +0000)
committer evan@chromium.org <evan@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 27 Jan 2011 00:49:04 +0000 (00:49 +0000)
        Reviewed by Tony Chang.

        [chromium] crash on getBoundingClientRect in complex text
        https://bugs.webkit.org/show_bug.cgi?id=53199

        Add a test that reproduces the crash and verifies the resulting values
        are sane (when it didn't crash, it would get garbage values).

        * platform/chromium-linux/fast/text/international/complex-text-rectangle-expected.txt: Added.
        * platform/chromium-linux/fast/text/international/complex-text-rectangle.html: Added.
2011-01-26  Evan Martin  <evan@chromium.org>

        Reviewed by Tony Chang.

        [chromium] crash on getBoundingClientRect in complex text
        https://bugs.webkit.org/show_bug.cgi?id=53199

        Use the correct array bound; we want the number of characters processed by
        the shaper, not the longest continuous script run length.

        Test: platform/chromium-linux/fast/text/international/complex-text-rectangle.html

        * platform/graphics/chromium/ComplexTextControllerLinux.cpp:
        (WebCore::ComplexTextController::nextScriptRun):
        * platform/graphics/chromium/ComplexTextControllerLinux.h:
        (WebCore::ComplexTextController::numCodePoints):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@76732 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/platform/chromium-linux/fast/text/international/complex-text-rectangle-expected.txt [new file with mode: 0644]
LayoutTests/platform/chromium-linux/fast/text/international/complex-text-rectangle.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/platform/graphics/chromium/ComplexTextControllerLinux.cpp
Source/WebCore/platform/graphics/chromium/ComplexTextControllerLinux.h

index aa16f83..b7ed296 100644 (file)
@@ -1,3 +1,16 @@
+2010-01-26  Evan Martin  <evan@chromium.org>
+
+        Reviewed by Tony Chang.
+
+        [chromium] crash on getBoundingClientRect in complex text
+        https://bugs.webkit.org/show_bug.cgi?id=53199
+
+        Add a test that reproduces the crash and verifies the resulting values
+        are sane (when it didn't crash, it would get garbage values).
+
+        * platform/chromium-linux/fast/text/international/complex-text-rectangle-expected.txt: Added.
+        * platform/chromium-linux/fast/text/international/complex-text-rectangle.html: Added.
+
 2011-01-26  Emil A Eklund  <eae@chromium.org>
 
         Reviewed by Alexey Proskuryakov.
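Review bot: The first line of the added entry is dated 2010-01-26, while the entry directly below it and the Source/WebCore/ChangeLog entry for this same change are dated 2011-01-26. This looks like a year typo; change it to 2011-01-26 so the ChangeLog stays in chronological order.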
diff --git a/LayoutTests/platform/chromium-linux/fast/text/international/complex-text-rectangle-expected.txt b/LayoutTests/platform/chromium-linux/fast/text/international/complex-text-rectangle-expected.txt
new file mode 100644 (file)
index 0000000..dd75bc0
--- /dev/null
@@ -0,0 +1 @@
+A⃕A︠A⃕A⃕A⃕A⃕A⃕⃕A͋ This test passes if it doesn't crash or log a failure message to the console.
diff --git a/LayoutTests/platform/chromium-linux/fast/text/international/complex-text-rectangle.html b/LayoutTests/platform/chromium-linux/fast/text/international/complex-text-rectangle.html
new file mode 100644 (file)
index 0000000..4b2c86c
--- /dev/null
@@ -0,0 +1,25 @@
+<meta charset=utf-8>
+
+<span id="a">A&#x20d5;A&#xFE20;A&#x20d5;A&#x20d5;A&#x20d5;A&#x20d5;A&#x20d5;&#x20d5;A&#x034b;</span>
+
+This test passes if it doesn't crash or log a failure message to the console.
+
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+var textNode = document.getElementById('a').firstChild;
+var length = textNode.textContent.length;
+for (var start = 0; start < length; ++start) {
+    for (var end = 0; end < length; ++end) {
+        var range = document.createRange();
+        range.setStart(textNode, start);
+        range.setEnd(textNode, end);
+        var rect = range.getBoundingClientRect();
+        if (rect.width < 0 || rect.width > 200) {
+            console.log('FAIL: rect.width is ' + rect.width);
+            break;
+        }
+    }
+}
+</script>
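Review bot: In the nested loops, the bound `end < length` means the range end never reaches offset `length`, so the last code unit of the text node is never inside a measured range. For a test guarding an array-bound fix, `end <= length` (and the same for `start`) would cover the final position too. Two smaller points in the same block: `break` only leaves the inner loop, so a failing build can log one FAIL line per `start` value, and the `rect.width > 200` ceiling is unexplained; a one-line comment saying why 200 is the sanity limit for this string would help.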
index b2ce4ff..d8499fa 100644 (file)
@@ -1,3 +1,20 @@
+2011-01-26  Evan Martin  <evan@chromium.org>
+
+        Reviewed by Tony Chang.
+
+        [chromium] crash on getBoundingClientRect in complex text
+        https://bugs.webkit.org/show_bug.cgi?id=53199
+
+        Use the correct array bound; we want the number of characters processed by
+        the shaper, not the longest continuous script run length.
+
+        Test: platform/chromium-linux/fast/text/international/complex-text-rectangle.html
+
+        * platform/graphics/chromium/ComplexTextControllerLinux.cpp:
+        (WebCore::ComplexTextController::nextScriptRun):
+        * platform/graphics/chromium/ComplexTextControllerLinux.h:
+        (WebCore::ComplexTextController::numCodePoints):
+
 2011-01-26  Emil A Eklund  <eae@chromium.org>
 
         Reviewed by Alexey Proskuryakov.
index 31fc4f7..6d15510 100644 (file)
@@ -149,7 +149,7 @@ bool ComplexTextController::nextScriptRun()
     // Ensure we're not pointing at the small caps buffer.
     m_item.string = m_run.characters();
 
-    if (!hb_utf16_script_run_next(&m_numCodePoints, &m_item.item, m_run.characters(), m_run.length(), &m_indexOfNextScriptRun))
+    if (!hb_utf16_script_run_next(0, &m_item.item, m_run.characters(), m_run.length(), &m_indexOfNextScriptRun))
         return false;
 
     // It is actually wrong to consider script runs at all in this code.
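Review bot: On the changed `hb_utf16_script_run_next(0, ...)` call, the bare `0` replaces what was an out-parameter (`&m_numCodePoints`), and nothing at the call site says the count is being discarded on purpose or that the function accepts a null pointer in that position. Add a short comment stating both, so a later reader does not restore the out-parameter and bring back the wrong bound.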
index 590816f..6a93878 100644 (file)
@@ -111,7 +111,7 @@ public:
     const unsigned short* logClusters() const { return m_item.log_clusters; }
 
     // return the number of code points in the current script run
-    const unsigned numCodePoints() const { return m_numCodePoints; }
+    const unsigned numCodePoints() const { return m_item.item.length; }
 
     // Return the current pixel position of the controller.
     const unsigned offsetX() const { return m_offsetX; }
@@ -141,7 +141,6 @@ private:
     ssize_t m_indexOfNextScriptRun; // Indexes the script run in |m_run|.
     unsigned m_offsetX; // Offset in pixels to the start of the next script run.
     unsigned m_pixelWidth; // Width (in px) of the current script run.
-    unsigned m_numCodePoints; // Code points in current script run.
     unsigned m_glyphsArrayCapacity; // Current size of all the Harfbuzz arrays.
 
     OwnPtr<TextRun> m_normalizedRun;