Fixing several incorrect assumptions with handling isolated inlines.
author mmaxfield@apple.com <mmaxfield@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 28 Jan 2014 21:53:22 +0000 (21:53 +0000)
committer mmaxfield@apple.com <mmaxfield@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 28 Jan 2014 21:53:22 +0000 (21:53 +0000)
https://bugs.webkit.org/show_bug.cgi?id=127608

Reviewed by Dave Hyatt.

Source/WebCore:

First, when an isolated inline spans multiple lines, we aren't guaranteed
to exit BidiResolver with a nested inline count of zero. Removing the
assert that says otherwise.

Previously in constructBidiRunsForSegment, we called bidiFirst in
an attempt to properly set up the isolatedResolver for any dom/style
that applied, but this only worked on the first line the isolated
inline appeared in. Adding a function that approaches this properly
by recursing through the parents of the starting object for the line
and post-fixing direction attributes to the resolver.

Finally, addressing an issue where the line following a removed isolated
inline (with a continuation) failed to be marked dirty.

Blink: https://chromium.googlesource.com/chromium/blink/+/72698f203b1c50900e535b80945563b92b7eef23
Tests: fast/text/nested-bidi-assert.html
       fast/text/nested-bidi-with-continuation-crash.html

* platform/text/BidiResolver.h:
(WebCore::Run>::~BidiResolver):
* rendering/RenderBlockLineLayout.cpp:
(WebCore::setupResolverToResumeInIsolate):
(WebCore::constructBidiRunsForSegment):
* rendering/RenderLineBoxList.cpp:
(WebCore::RenderLineBoxList::dirtyLinesFromChangedChild):

LayoutTests:

See file-specific info.

Blink: https://chromium.googlesource.com/chromium/blink/+/72698f203b1c50900e535b80945563b92b7eef23
* fast/text/nested-bidi-assert-expected.txt: Added.
* fast/text/nested-bidi-assert.html: Added. Tests that no crash occurs
when an isolated inline spans several lines
* fast/text/nested-bidi-with-continuation-crash-expected.txt: Added.
* fast/text/nested-bidi-with-continuation-crash.html: Added. Tests that
no crash occurs when additional isolates need to be set up for a
continuation

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@162956 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/text/nested-bidi-assert-expected.txt [new file with mode: 0644]
LayoutTests/fast/text/nested-bidi-assert.html [new file with mode: 0644]
LayoutTests/fast/text/nested-bidi-with-continuation-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/text/nested-bidi-with-continuation-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/platform/text/BidiResolver.h
Source/WebCore/rendering/RenderBlockLineLayout.cpp
Source/WebCore/rendering/RenderLineBoxList.cpp

index 0bcb85ab7f4a23eef5cacebd3487b602b2dbc67c..2c1188b0c4a2505125effd9382a80134cd924b36 100644 (file)
@@ -1,3 +1,22 @@
+2014-01-28  Myles C. Maxfield  <mmaxfield@apple.com>
+
+        Fixing several incorrect assumptions with handling isolated inlines.
+        https://bugs.webkit.org/show_bug.cgi?id=127608
+
+        Reviewed by Dave Hyatt.
+
+        See file-specific info.
+
+        Merged from Blink: https://chromium.googlesource.com/chromium/blink/+/72698f203b1c50900e535b80945563b92b7eef23
+
+        * fast/text/nested-bidi-assert-expected.txt: Added.
+        * fast/text/nested-bidi-assert.html: Added. Tests that no crash occurs
+        when an isolated inline spans several lines
+        * fast/text/nested-bidi-with-continuation-crash-expected.txt: Added.
+        * fast/text/nested-bidi-with-continuation-crash.html: Added. Tests that
+        no crash occurs when additional isolates need to be set up for a
+        continuation
+
 2014-01-28  Antti Koivisto  <antti@apple.com>
 
         Rebase fast/repaint/background-shorthand-with-gradient-and-height-changes.html after https://trac.webkit.org/r162947
diff --git a/LayoutTests/fast/text/nested-bidi-assert-expected.txt b/LayoutTests/fast/text/nested-bidi-assert-expected.txt
new file mode 100644 (file)
index 0000000..2217249
--- /dev/null
@@ -0,0 +1 @@
+Test passes if there are no asserts in debug builds.
diff --git a/LayoutTests/fast/text/nested-bidi-assert.html b/LayoutTests/fast/text/nested-bidi-assert.html
new file mode 100644 (file)
index 0000000..45f9fd9
--- /dev/null
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<div id="test"><output><br><output>foo<br>bar<output>baz</output></output></output><br></div>
+<div>Test passes if there are no asserts in debug builds.</div>
+<script>
+if (window.testRunner)
+       testRunner.dumpAsText();
+var div = document.getElementById("test");
+div.offsetTop;
+div.parentNode.removeChild(div);
+</script>
\ No newline at end of file
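Review bot: the file ends without a trailing newline after the closing </script>, and the markup itself carries no hint of what it exercises. Please add the final newline and a short HTML comment (or extend the visible text) saying that the nested <output> elements with <br> make an isolated inline span several lines, so a later reader can tell which structure has to be preserved if the test is edited.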
diff --git a/LayoutTests/fast/text/nested-bidi-with-continuation-crash-expected.txt b/LayoutTests/fast/text/nested-bidi-with-continuation-crash-expected.txt
new file mode 100644 (file)
index 0000000..40a3f69
--- /dev/null
@@ -0,0 +1 @@
+Test passes if no crashes with asan.
diff --git a/LayoutTests/fast/text/nested-bidi-with-continuation-crash.html b/LayoutTests/fast/text/nested-bidi-with-continuation-crash.html
new file mode 100644 (file)
index 0000000..2c0c2db
--- /dev/null
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<body onload="runTest();">
+<script>
+function reference(domNode)
+{
+    this.domNode = domNode;
+}
+function walk(a, currentPrefix, index, domNode)
+{
+    if (domNode == null)
+        return;
+    newPrefix = currentPrefix + "_" + index;
+    walk(a, currentPrefix, index + 1, domNode.nextSibling);
+    walk(a, newPrefix, 0, domNode.firstChild);
+    a[newPrefix] = new reference(domNode);
+}
+function clearAllNodes()
+{
+    var a = new Array();
+    walk(a, "", 0, document.body);
+    for (key in a)
+    {
+        document.body.offsetTop;
+        a[key].domNode.parentNode.removeChild(a[key].domNode);
+    }
+}
+function runTest() {
+    if (window.testRunner)
+        testRunner.dumpAsText();
+    clearAllNodes();
+    document.write("Test passes if no crashes with asan.")
+}
+</script>
+<output> <div> <pre> <div> </div></div>f<div> </div>
+<output>o</output>
+<a><u><textarea></textarea>
+<br></br>
+</u>
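Review bot: in walk(), newPrefix is assigned without var, so it is a single global shared by every recursion level; when `a[newPrefix] = new reference(domNode);` runs after the two recursive calls, the value may already have been overwritten by a deeper call, so nodes can be stored under another node's key and replace earlier entries. The loop variable in `for (key in a)` is an implicit global as well. If this behaviour is needed to keep the crash reproduction intact, please say so in a comment; otherwise declare both with var so that the test removes every node it walks.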
index 0be2ae547d3520f33bb2ec83b413e66926f26615..76b1c95c1da6e39c8077792886894efc75f85c52 100644 (file)
@@ -1,3 +1,37 @@
+2014-01-28  Myles C. Maxfield  <mmaxfield@apple.com>
+
+        Fixing several incorrect assumptions with handling isolated inlines.
+        https://bugs.webkit.org/show_bug.cgi?id=127608
+
+        Reviewed by Dave Hyatt.
+
+        First, when an isolated inline spans multiple lines, we aren't guaranteed
+        to exit BidiResolver with a nested inline count of zero. Removing the
+        assert that says otherwise.
+        
+        Previously in constructBidiRunsForSegment, we called bidiFirst in
+        an attempt to properly setup the isolatedResolver for any dom/style
+        that applied, but this only worked on the first line the isolated
+        inline appeared in. Adding a function that approaches this properly
+        by recursing through the parents of the starting object for the line
+        and post-fixing direction attributes to the resolver.
+        
+        Finally, addressing an issue where the line following a removed isolated
+        inline (with a continuation) failed to be marked dirty.
+
+        Merged from Blink: https://chromium.googlesource.com/chromium/blink/+/72698f203b1c50900e535b80945563b92b7eef23
+
+        Tests: fast/text/nested-bidi-assert.html
+               fast/text/nested-bidi-with-continuation-crash.html
+
+        * platform/text/BidiResolver.h:
+        (WebCore::Run>::~BidiResolver):
+        * rendering/RenderBlockLineLayout.cpp:
+        (WebCore::setupResolverToResumeInIsolate):
+        (WebCore::constructBidiRunsForSegment):
+        * rendering/RenderLineBoxList.cpp:
+        (WebCore::RenderLineBoxList::dirtyLinesFromChangedChild):
+
 2014-01-28  Antti Koivisto  <antti@apple.com>
 
         REGRESSION(r162837): 5% regression on html5-full-render and 3% regression in DoYouEvenBench
index c8841a67758da7bfd3f708024fc8a7000c92a16f..9b13941c7fd5ea92705fc0a722b397032c010111 100644 (file)
@@ -307,10 +307,8 @@ private:
 template <class Iterator, class Run>
 BidiResolver<Iterator, Run>::~BidiResolver()
 {
-    // The owner of this resolver should have handled the isolated runs
-    // or should never have called enterIsolate().
+    // The owner of this resolver should have handled the isolated runs.
     ASSERT(m_isolatedRuns.isEmpty());
-    ASSERT(!m_nestedIsolateCount);
 }
 #endif
 
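Review bot: the destructor drops `ASSERT(!m_nestedIsolateCount);` but the remaining comment no longer explains why a non-zero nested count is acceptable at destruction. Please extend the comment above `ASSERT(m_isolatedRuns.isEmpty());` to state that an isolate spanning multiple lines can leave the resolver with a non-zero nested isolate count, so the assert is not reintroduced later by someone reading only this file.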
index e469408f14325ffc9c7e280d1a416250e49634c1..684a990961cfd096ed66060db16efbb7cdb960ff 100644 (file)
@@ -872,6 +872,15 @@ void RenderBlockFlow::appendFloatingObjectToLastLine(FloatingObject* floatingObj
     lastRootBox()->appendFloat(floatingObject->renderer());
 }
 
+static inline void setupResolverToResumeInIsolate(InlineBidiResolver& resolver, RenderObject* root, RenderObject* startObject)
+{
+    if (root != startObject) {
+        RenderObject* parent = startObject->parent();
+        setupResolverToResumeInIsolate(resolver, root, parent);
+        notifyObserverEnteredObject(&resolver, startObject);
+    }
+}
+
 // FIXME: BidiResolver should have this logic.
 static inline void constructBidiRunsForSegment(InlineBidiResolver& topResolver, BidiRunList<BidiRun>& bidiRuns, const InlineIterator& endOfRuns, VisualDirectionOverride override, bool previousLineBrokeCleanly)
 {
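Review bot: setupResolverToResumeInIsolate() dereferences `startObject->parent()` on every level and only stops when it reaches root, so if root is not an ancestor of startObject the recursion walks off the top of the tree and calls parent() on a null pointer. Please add `ASSERT(startObject);` at the top of the function, or bail out on null, and add a one-line comment stating the precondition that startObject lies inside root. A comment on why notifyObserverEnteredObject() is called after the recursive call (outermost ancestor first) would also help.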
@@ -906,10 +915,7 @@ static inline void constructBidiRunsForSegment(InlineBidiResolver& topResolver,
         }
         isolatedResolver.setStatus(BidiStatus(direction, isOverride(unicodeBidi)));
 
-        // FIXME: The fact that we have to construct an Iterator here
-        // currently prevents this code from moving into BidiResolver.
-        if (!bidiFirstSkippingEmptyInlines(*isolatedInline, &isolatedResolver))
-            continue;
+        setupResolverToResumeInIsolate(isolatedResolver, isolatedInline, &startObj);
 
         // The starting position is the beginning of the first run within the isolate that was identified
         // during the earlier call to createBidiRunsForLine. This can be but is not necessarily the
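Review bot: the removed code skipped the iteration with `continue` when bidiFirstSkippingEmptyInlines() found nothing, and the replacement call `setupResolverToResumeInIsolate(isolatedResolver, isolatedInline, &startObj);` has no equivalent guard. startObj is defined outside the visible lines, so it is not clear from this hunk that it is always non-null and always a descendant of isolatedInline; please assert that relationship here or explain in a comment why the empty-isolate case can no longer occur. The deleted FIXME about moving this code into BidiResolver should also be either kept or resolved explicitly.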
index 8600bbb65b68dabd68076cb79f3e2fa508892df5..9c4ceb0a9ecd837110a575b5f2c954129b3bb7d8 100644 (file)
@@ -396,7 +396,8 @@ void RenderLineBoxList::dirtyLinesFromChangedChild(RenderBoxModelObject* contain
         // space, the search for |child|'s linebox will go past the leading space to the previous linebox and select that
         // one as |box|. If we hit that situation here, dirty the |box| actually containing the child too. 
         bool insertedAfterLeadingSpace = box->lineBreakObj() == child->previousSibling();
-        if (adjacentBox && (adjacentBox->lineBreakObj() == child || child->isBR() || (curr && curr->isBR()) || insertedAfterLeadingSpace))
+        if (adjacentBox && (adjacentBox->lineBreakObj() == child || child->isBR() || (curr && curr->isBR())
+            || insertedAfterLeadingSpace || isIsolated(container->style().unicodeBidi())))
             adjacentBox->markDirty();
     }
 }
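Review bot: the new term `isIsolated(container->style().unicodeBidi())` does not depend on child, curr or box, so for any isolated container every changed child now dirties adjacentBox, which is wider than the "removed isolated inline with a continuation" case named in the ChangeLog. The comment above the condition still only describes the leading-space situation; please document the isolate case there and, if possible, narrow the check to the continuation case so unrelated edits inside isolated inlines do not force an extra line to be laid out again.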