Be more defensive at renderer type checking when initializing flow segments.
author zalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 13 Jun 2015 03:25:00 +0000 (03:25 +0000)
committer zalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 13 Jun 2015 03:25:00 +0000 (03:25 +0000)
https://bugs.webkit.org/show_bug.cgi?id=145942

Reviewed by Simon Fraser.

FlowContents::initializeSegments should ignore unsupported renderers so that when we miss
a simple line layout path invalidation, we don't downcast the unsupported renderer to RenderText.

I have not reproduced this issue (but related to rdar://problem/21312452)

* rendering/SimpleLineLayoutFlowContents.cpp:
(WebCore::SimpleLineLayout::initializeSegments):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@185531 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/rendering/SimpleLineLayoutFlowContents.cpp

index fdd6b1a..9674c34 100644 (file)
@@ -1,3 +1,18 @@
+2015-06-12  Zalan Bujtas  <zalan@apple.com>
+
+        Be more defensive at renderer type checking when initializing flow segments.
+        https://bugs.webkit.org/show_bug.cgi?id=145942
+
+        Reviewed by Simon Fraser.
+
+        FlowContents::initializeSegments should ignore unsupported renderers so that when we miss
+        a simple line layout path invalidation, we don't downcast the unsupported renderer to RenderText.
+
+        I have not reproduced this issue (but related to rdar://problem/21312452)
+
+        * rendering/SimpleLineLayoutFlowContents.cpp:
+        (WebCore::SimpleLineLayout::initializeSegments):
+
 2015-06-12  Anders Carlsson  <andersca@apple.com>
 
         deleteEmptyDirectory should delete .DS_Store files on OS X
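Review bot: The new ChangeLog entry says the issue was not reproduced and lists no test, so the skip path for unsupported renderers lands unexercised. Say explicitly in the entry that no test is included and why, so a later reader knows the behaviour for a non-RenderText, non-RenderLineBreak child was reasoned about and not observed.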
index db0a89b..d8a2d6f 100644 (file)
@@ -36,7 +36,6 @@ namespace SimpleLineLayout {
 
 static Vector<FlowContents::Segment> initializeSegments(const RenderBlockFlow& flow)
 {
-
     unsigned numberOfChildren = 0;
     auto children = childrenOfType<RenderObject>(flow);
     for (auto it = children.begin(), end = children.end(); it != end; ++it)
@@ -45,15 +44,18 @@ static Vector<FlowContents::Segment> initializeSegments(const RenderBlockFlow& f
     segments.reserveCapacity(numberOfChildren);
     unsigned startPosition = 0;
     for (const auto& child : childrenOfType<RenderObject>(flow)) {
+        if (is<RenderText>(child)) {
+            const auto& textChild = downcast<RenderText>(child);
+            unsigned textLength = textChild.text()->length();
+            segments.append(FlowContents::Segment { startPosition, startPosition + textLength, textChild.text(), textChild });
+            startPosition += textLength;
+            continue;
+        }
         if (is<RenderLineBreak>(child)) {
             segments.append(FlowContents::Segment { startPosition, startPosition, String(), child });
             continue;
         }
-        ASSERT(is<RenderText>(child));
-        const auto& textChild = downcast<RenderText>(child);
-        unsigned textLength = textChild.text()->length();
-        segments.append(FlowContents::Segment { startPosition, startPosition + textLength, textChild.text(), textChild });
-        startPosition += textLength;
+        ASSERT_NOT_REACHED();
     }
     return segments;
 }
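Review bot: At the new ASSERT_NOT_REACHED() at the end of the loop body, a build with assertions compiled out falls through and silently skips the child, which is the intended "ignore" behaviour but is not stated in the code. Add a comment there saying the fallthrough is deliberate when a simple line layout invalidation was missed, since the line otherwise reads as "cannot happen". Moving the downcast<RenderText>(child) under is<RenderText>(child) is the right fix for the old ASSERT(is<RenderText>(child)) followed by an unconditional downcast. Two follow-ups are worth checking. First, segments.reserveCapacity(numberOfChildren) can now reserve more entries than are appended. Second, confirm that users of the returned segments do not assume one segment per child of the flow, because a skipped child leaves a gap between the render tree and the segment list.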