Changeset 166650 in webkit

Timestamp:

Apr 2, 2014 10:21:09 AM (10 years ago)

Author:

ddkilzer@apple.com

Message:

Use outermost containing isolate when constructing bidi runs
<​http://webkit.org/b/131107>
<rdar://problem/15690021>

Reviewed by Darin Adler.

Merged from Blink (patch by ​jww@chromium.org):
​https://src.chromium.org/viewvc/blink?revision=157268&view=revision
​http://crbug.com/279277

Update containingIsolate to go back all the way to top
isolate from current root, rather than stopping at the first
isolate it finds. This works because the current root is
always updated with each isolate run.

Source/WebCore:

Tests: fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html

fast/text/international/unicode-bidi-isolate-nested-with-removes.html

• rendering/InlineIterator.h:

(WebCore::highestContainingIsolateWithinRoot):

• rendering/RenderBlockLineLayout.cpp:

(WebCore::constructBidiRunsForSegment):

LayoutTests:

• fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt: Updated.
• fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent-expected.txt: Added.
• fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html: Added.
• fast/text/international/unicode-bidi-isolate-nested-with-removes.html: Updated.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt (modified) (1 diff)
• LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent-expected.txt (added)
• LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html (added)
• LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes.html (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/rendering/InlineIterator.h (modified) (1 diff)
• Source/WebCore/rendering/RenderBlockLineLayout.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2014-04-02  David Kilzer  <ddkilzer@apple.com>
+
+        Use outermost containing isolate when constructing bidi runs
+        <http://webkit.org/b/131107>
+        <rdar://problem/15690021>
+
+        Reviewed by Darin Adler.
+
+        Merged from Blink (patch by jww@chromium.org):
+        https://src.chromium.org/viewvc/blink?revision=157268&view=revision
+        http://crbug.com/279277
+
+            Update containingIsolate to go back all the way to top
+            isolate from current root, rather than stopping at the first
+            isolate it finds. This works because the current root is
+            always updated with each isolate run.
+
+        * fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt: Updated.
+        * fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent-expected.txt: Added.
+        * fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html: Added.
+        * fast/text/international/unicode-bidi-isolate-nested-with-removes.html: Updated.
+
 2014-04-02  Chris Fleizach  <cfleizach@apple.com>
 

trunk/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt

@@ -1 @@
- bar                      
-
-
 PASS did not crash

trunk/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes.html

@@ +1 @@
+<!doctype html>
 <!-- This tests for regression of https://crbug.com/265838 where adjacent, nested isolates caused a use-after-free if the elements were later removed. -->
 <script>
-function remove(node)
-{
-    node.parentNode.removeChild(node);
-}
-
 window.onload = function()
 {
     document.body.offsetTop;
-    remove(b.lastChild);
+    b.lastChild.parentNode.removeChild(b.lastChild);
     document.body.offsetTop;
-    remove(a.firstChild);
+    a.firstChild.parentNode.removeChild(a.firstChild);
     document.body.offsetTop;
 
-    document.body.appendChild(document.createTextNode("PASS did not crash"));
+    document.write("PASS did not crash");
 }
 </script>

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2014-04-02  David Kilzer  <ddkilzer@apple.com>
+
+        Use outermost containing isolate when constructing bidi runs
+        <http://webkit.org/b/131107>
+        <rdar://problem/15690021>
+
+        Reviewed by Darin Adler.
+
+        Merged from Blink (patch by jww@chromium.org):
+        https://src.chromium.org/viewvc/blink?revision=157268&view=revision
+        http://crbug.com/279277
+
+            Update containingIsolate to go back all the way to top
+            isolate from current root, rather than stopping at the first
+            isolate it finds. This works because the current root is
+            always updated with each isolate run.
+
+        Tests: fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html
+               fast/text/international/unicode-bidi-isolate-nested-with-removes.html
+
+        * rendering/InlineIterator.h:
+        (WebCore::highestContainingIsolateWithinRoot):
+        * rendering/RenderBlockLineLayout.cpp:
+        (WebCore::constructBidiRunsForSegment):
+
 2014-04-02  Chris Fleizach  <cfleizach@apple.com>
 

trunk/Source/WebCore/rendering/InlineIterator.h

@@ -449 +449 @@
 }
 
-static inline RenderObject* containingIsolate(RenderObject* object, RenderObject* root)
+static inline RenderObject* highestContainingIsolateWithinRoot(RenderObject* object, RenderObject* root)
 {
     ASSERT(object);
     RenderObject* containingIsolateObject = 0;
     while (object && object != root) {
-        if (containingIsolateObject && !isIsolatedInline(object))
-            break;
-
         if (isIsolatedInline(object))
             containingIsolateObject = object;

trunk/Source/WebCore/rendering/RenderBlockLineLayout.cpp

@@ -877 +877 @@
         // to take a RenderObject and do this logic there, but that would be a layering
         // violation for BidiResolver (which knows nothing about RenderObject).
-        RenderInline* isolatedInline = toRenderInline(containingIsolate(&startObj, currentRoot));
+        RenderInline* isolatedInline = toRenderInline(highestContainingIsolateWithinRoot(&startObj, currentRoot));
+        ASSERT(isolatedInline);
+
         InlineBidiResolver isolatedResolver;
         EUnicodeBidi unicodeBidi = isolatedInline->style().unicodeBidi();