A TrailingObject's endpoint might get decremented twice

https://bugs.webkit.org/show_bug.cgi?id=130874

Reviewed by Darin Adler.

There are two places where we might shave off a trailing space from the end
of a line. We don't want to hit both codepaths for a single line.

Fixes fast/block/update-midpoints-for-trailing-boxes-crash.html after r166245.

* rendering/line/BreakingContextInlineHeaders.h:
(WebCore::checkMidpoints):
(WebCore::BreakingContext::handleEndOfLine):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@166412 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 177663373885fc51904dd39f80a519145242a4cf..c1d2513f3e5e1d878698361a12b5e2e70ec79335 100644 (file)
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,19 @@
+2014-03-28  Myles C. Maxfield  <mmaxfield@apple.com>
+
+        A TrailingObject's endpoint might get decremented twice
+        https://bugs.webkit.org/show_bug.cgi?id=130874
+
+        Reviewed by Darin Adler.
+
+        There are two places where we might shave off a trailing space from the end
+        of a line. We don't want to hit both codepaths for a single line.
+
+        Fixes fast/block/update-midpoints-for-trailing-boxes-crash.html after r166245.
+
+        * rendering/line/BreakingContextInlineHeaders.h:
+        (WebCore::checkMidpoints):
+        (WebCore::BreakingContext::handleEndOfLine):
+
 2014-03-28  Andreas Kling  <akling@apple.com>
 
         Inline JSDOMWrapper subclasses' finishCreation().

diff --git a/Source/WebCore/rendering/line/BreakingContextInlineHeaders.h b/Source/WebCore/rendering/line/BreakingContextInlineHeaders.h
index 25acb28f2b00f2aba2ed3951e210ac9ad75b06cb..83ac7a023022261eda6f4e21747f5c7cb052e6e1 100644 (file)
--- a/Source/WebCore/rendering/line/BreakingContextInlineHeaders.h
+++ b/Source/WebCore/rendering/line/BreakingContextInlineHeaders.h
@@ -1001,7 +1001,7 @@ inline void BreakingContext::commitAndUpdateLineBreakIfNeeded()
     }
 }
 
-inline void checkMidpoints(LineMidpointState& lineMidpointState, InlineIterator& lBreak)
+inline TrailingObjects::CollapseFirstSpaceOrNot checkMidpoints(LineMidpointState& lineMidpointState, InlineIterator& lBreak)
 {
     // Check to see if our last midpoint is a start point beyond the line break. If so,
     // shave it off the list, and shave off a trailing space if the previous end point doesn't
@@ -1016,10 +1016,13 @@ inline void checkMidpoints(LineMidpointState& lineMidpointState, InlineIterator&
         if (currpoint == lBreak) {
             // We hit the line break before the start point. Shave off the start point.
             lineMidpointState.decreaseNumMidpoints();
-            if (endpoint.renderer()->style().collapseWhiteSpace() && endpoint.renderer()->isText())
+            if (endpoint.renderer()->style().collapseWhiteSpace() && endpoint.renderer()->isText()) {
                 endpoint.fastDecrement();
+                return TrailingObjects::DoNotCollapseFirstSpace;
+            }
         }
     }
+    return TrailingObjects::CollapseFirstSpace;
 }
 
 inline InlineIterator BreakingContext::handleEndOfLine()
@@ -1048,9 +1051,9 @@ inline InlineIterator BreakingContext::handleEndOfLine()
     }
 
     // Sanity check our midpoints.
-    checkMidpoints(m_lineMidpointState, m_lineBreak);
+    TrailingObjects::CollapseFirstSpaceOrNot collapsed = checkMidpoints(m_lineMidpointState, m_lineBreak);
 
-    m_trailingObjects.updateMidpointsForTrailingBoxes(m_lineMidpointState, m_lineBreak, TrailingObjects::CollapseFirstSpace);
+    m_trailingObjects.updateMidpointsForTrailingBoxes(m_lineMidpointState, m_lineBreak, collapsed);
 
     // We might have made lineBreak an iterator that points past the end
     // of the object. Do this adjustment to make it point to the start