<http://webkit.org/b/131107>
<rdar://problem/15690021>
Reviewed by Darin Adler.
Merged from Blink (patch by jww@chromium.org):
https://src.chromium.org/viewvc/blink?revision=157268&view=revision
http://crbug.com/279277
Update containingIsolate to go back all the way to top
isolate from current root, rather than stopping at the first
isolate it finds. This works because the current root is
always updated with each isolate run.
Source/WebCore:
Tests: fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html
fast/text/international/unicode-bidi-isolate-nested-with-removes.html
* rendering/InlineIterator.h:
(WebCore::highestContainingIsolateWithinRoot):
* rendering/RenderBlockLineLayout.cpp:
(WebCore::constructBidiRunsForSegment):
LayoutTests:
* fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt: Updated.
* fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent-expected.txt: Added.
* fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html: Added.
* fast/text/international/unicode-bidi-isolate-nested-with-removes.html: Updated.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@166650 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+2014-04-02 David Kilzer <ddkilzer@apple.com>
+
+ Use outermost containing isolate when constructing bidi runs
+ <http://webkit.org/b/131107>
+ <rdar://problem/15690021>
+
+ Reviewed by Darin Adler.
+
+ Merged from Blink (patch by jww@chromium.org):
+ https://src.chromium.org/viewvc/blink?revision=157268&view=revision
+ http://crbug.com/279277
+
+ Update containingIsolate to go back all the way to top
+ isolate from current root, rather than stopping at the first
+ isolate it finds. This works because the current root is
+ always updated with each isolate run.
+
+ * fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt: Updated.
+ * fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent-expected.txt: Added.
+ * fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html: Added.
+ * fast/text/international/unicode-bidi-isolate-nested-with-removes.html: Updated.
+
2014-04-02 Chris Fleizach <cfleizach@apple.com>
AX: Improve ARIA live region reliability by sending notifications when live regions are created/shown and hidden/destroyed
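Review bot: the LayoutTests ChangeLog entry marks unicode-bidi-isolate-nested-with-removes.html and its -expected.txt as "Updated" without saying what changed in them; since the visible hunks show the test switching from appendChild() to document.write() and the expectation shrinking to the single "PASS did not crash" line, a short parenthetical such as "Updated to match the Blink version; output now only the PASS line" would let a reader tell this churn apart from the fix itself.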
- bar
-
-
PASS did not crash
--- /dev/null
+PASS did not crash
--- /dev/null
+<!doctype html>
+<!-- This tests for regression of https://crbug.com/279277 where non-adjacent, nested isolates caused a use-after-free if the elements were later removed. -->
+<script>
+window.onload = function() {
+ document.body.offsetTop;
+ b.lastChild.parentNode.removeChild(b.lastChild);
+ document.body.offsetTop;
+ a.nextSibling.parentNode.removeChild(a.nextSibling);
+ document.body.offsetTop;
+
+ document.write("PASS did not crash");
+}
+</script>
+
+<body>
+ <div id="a">foo</div><div>baz</div><div></div>
+ <div>
+ <output>
+ <span>
+ <output>bar</output>
+ <span id="b">
+ <span>
+ <div style="display:inline-block"></div>
+ <br><br>
+ </span>
+ </span>
+ </span>
+ </output>
+ </div>
+</body>
+
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
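Review bot: the isolates in this test are the two nested `<output>` elements, which carry no explicit `unicode-bidi` style, so the regression coverage depends on the UA stylesheet giving `<output>` isolate bidi behaviour; the comment only says "non-adjacent, nested isolates". Either state that dependency in the comment or add an explicit `style="unicode-bidi: -webkit-isolate"` so the test keeps exercising the nested-isolate path if the default styling of `<output>` ever changes. Minor: `a` and `b` are resolved through named window access; `document.getElementById("a")` would make the intent clearer.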
+<!doctype html>
<!-- This tests for regression of https://crbug.com/265838 where adjacent, nested isolates caused a use-after-free if the elements were later removed. -->
<script>
-function remove(node)
-{
- node.parentNode.removeChild(node);
-}
-
window.onload = function()
{
document.body.offsetTop;
- remove(b.lastChild);
+ b.lastChild.parentNode.removeChild(b.lastChild);
document.body.offsetTop;
- remove(a.firstChild);
+ a.firstChild.parentNode.removeChild(a.firstChild);
document.body.offsetTop;
- document.body.appendChild(document.createTextNode("PASS did not crash"));
+ document.write("PASS did not crash");
}
</script>
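Review bot: replacing `appendChild(createTextNode(...))` with `document.write(...)` after the load event implicitly opens a new document and discards the existing tree, which is why the expected output for this test loses the "bar" line and the two blank lines from `<br><br>`. That is acceptable for a did-not-crash test, but it is a behaviour change unrelated to the bidi fix (as is inlining the `remove()` helper), so it should be called out in the ChangeLog rather than left for the reader to infer from the -expected.txt hunk.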
+2014-04-02 David Kilzer <ddkilzer@apple.com>
+
+ Use outermost containing isolate when constructing bidi runs
+ <http://webkit.org/b/131107>
+ <rdar://problem/15690021>
+
+ Reviewed by Darin Adler.
+
+ Merged from Blink (patch by jww@chromium.org):
+ https://src.chromium.org/viewvc/blink?revision=157268&view=revision
+ http://crbug.com/279277
+
+ Update containingIsolate to go back all the way to top
+ isolate from current root, rather than stopping at the first
+ isolate it finds. This works because the current root is
+ always updated with each isolate run.
+
+ Tests: fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html
+ fast/text/international/unicode-bidi-isolate-nested-with-removes.html
+
+ * rendering/InlineIterator.h:
+ (WebCore::highestContainingIsolateWithinRoot):
+ * rendering/RenderBlockLineLayout.cpp:
+ (WebCore::constructBidiRunsForSegment):
+
2014-04-02 Chris Fleizach <cfleizach@apple.com>
AX: Improve ARIA live region reliability by sending notifications when live regions are created/shown and hidden/destroyed
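Review bot: the Source/WebCore entry lists the two touched functions but not what changed in each; one line per function would help, e.g. "(WebCore::highestContainingIsolateWithinRoot): Renamed from containingIsolate; no longer stops at the first non-isolated ancestor" and "(WebCore::constructBidiRunsForSegment): Use the renamed function and assert the result is non-null", since the rename reflects a change in the function's contract, not just its name.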
return object->isRenderInline() && isIsolated(object->style().unicodeBidi());
}
-static inline RenderObject* containingIsolate(RenderObject* object, RenderObject* root)
+static inline RenderObject* highestContainingIsolateWithinRoot(RenderObject* object, RenderObject* root)
{
ASSERT(object);
RenderObject* containingIsolateObject = 0;
while (object && object != root) {
- if (containingIsolateObject && !isIsolatedInline(object))
- break;
-
if (isIsolatedInline(object))
containingIsolateObject = object;
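Review bot: dropping the early `break` changes the function's contract from "innermost isolate, stop at the first non-isolated ancestor above it" to "outermost isolate below root", and the new name only partly conveys that; the commit message's justification ("the current root is always updated with each isolate run") is an invariant the caller must uphold, so document it in a comment above the function, because a caller passing the block root instead of the current isolate root would get an isolate outside the run being resolved. The loop also now walks to root on every call, which is fine for line layout but worth noting. Style nit: `containingIsolateObject = 0` should be `nullptr`.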
// tree to see which parent inline is the isolate. We could change enterIsolate
// to take a RenderObject and do this logic there, but that would be a layering
// violation for BidiResolver (which knows nothing about RenderObject).
- RenderInline* isolatedInline = toRenderInline(containingIsolate(&startObj, currentRoot));
+ RenderInline* isolatedInline = toRenderInline(highestContainingIsolateWithinRoot(&startObj, currentRoot));
+ ASSERT(isolatedInline);
+
InlineBidiResolver isolatedResolver;
EUnicodeBidi unicodeBidi = isolatedInline->style().unicodeBidi();
TextDirection direction;
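Review bot: `ASSERT(isolatedInline)` is compiled out in release builds, and the very next line dereferences it via `isolatedInline->style()`, so a null return from highestContainingIsolateWithinRoot would still be a null dereference in shipping code. If `startObj` is guaranteed to lie inside an isolate whenever this path runs, say so in a comment next to the assert; otherwise prefer `ASSERT_WITH_SECURITY_IMPLICATION` or an early return that skips the isolated resolver for this segment.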