Changeset 205031 in webkit

Timestamp:

Aug 26, 2016 11:12:56 AM (8 years ago)

Author:

Brent Fulgham

Message:

Crash when getting font bounding rect
​https://bugs.webkit.org/show_bug.cgi?id=161202
<rdar://problem/27986981>

Reviewed by Myles C. Maxfield.

We should never store GlyphData objects for later use, because they contain raw pointers to Font elements
contained in caches, and those font caches get periodically purged.

Instead, we should hold onto the ‘key’ representing the GlyphData, and simply ask the system for the
GlyphData the next time it is needed.

Tested by existing MathML tests under ASAN and GuardMalloc.

• rendering/mathml/RenderMathMLToken.cpp:

(WebCore::RenderMathMLToken::RenderMathMLToken): Clean up constructors.
(WebCore::RenderMathMLToken::computePreferredLogicalWidths): Use keys to get correct GlyphData when needed.
(WebCore::RenderMathMLToken::updateMathVariantGlyph): Ditto.
(WebCore::RenderMathMLToken::firstLineBaseline): Ditto.
(WebCore::RenderMathMLToken::layoutBlock): Ditto.
(WebCore::RenderMathMLToken::paint): Ditto.
(WebCore::RenderMathMLToken::paintChildren): Ditto.

• rendering/mathml/RenderMathMLToken.h:

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• rendering/mathml/RenderMathMLToken.cpp (modified) (11 diffs)
• rendering/mathml/RenderMathMLToken.h (modified) (2 diffs)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-08-25  Brent Fulgham  <bfulgham@apple.com>
+
+        Crash when getting font bounding rect
+        https://bugs.webkit.org/show_bug.cgi?id=161202
+        <rdar://problem/27986981>
+
+        Reviewed by Myles C. Maxfield.
+
+        We should never store GlyphData objects for later use, because they contain raw pointers to Font elements
+        contained in caches, and those font caches get periodically purged.
+
+        Instead, we should hold onto the ‘key’ representing the GlyphData, and simply ask the system for the
+        GlyphData the next time it is needed.
+
+        Tested by existing MathML tests under ASAN and GuardMalloc.
+
+        * rendering/mathml/RenderMathMLToken.cpp:
+        (WebCore::RenderMathMLToken::RenderMathMLToken): Clean up constructors.
+        (WebCore::RenderMathMLToken::computePreferredLogicalWidths): Use keys to get correct GlyphData when needed.
+        (WebCore::RenderMathMLToken::updateMathVariantGlyph): Ditto.
+        (WebCore::RenderMathMLToken::firstLineBaseline): Ditto.
+        (WebCore::RenderMathMLToken::layoutBlock): Ditto.
+        (WebCore::RenderMathMLToken::paint): Ditto.
+        (WebCore::RenderMathMLToken::paintChildren): Ditto.
+        * rendering/mathml/RenderMathMLToken.h:
+
 2016-08-26  Chris Dumez  <cdumez@apple.com>
 

trunk/Source/WebCore/rendering/mathml/RenderMathMLToken.cpp

@@ -2 +2 @@
  * Copyright (C) 2014 Frédéric Wang (fred.wang@free.fr). All rights reserved.
  * Copyright (C) 2016 Igalia S.L.
+ * Copyright (C) 2016 Apple Inc.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -43 +44 @@
 RenderMathMLToken::RenderMathMLToken(Element& element, RenderStyle&& style)
     : RenderMathMLBlock(element, WTFMove(style))
-    , m_mathVariantGlyph()
-    , m_mathVariantGlyphDirty(false)
 {
 }
@@ -50 +49 @@
 RenderMathMLToken::RenderMathMLToken(Document& document, RenderStyle&& style)
     : RenderMathMLBlock(document, WTFMove(style))
-    , m_mathVariantGlyph()
-    , m_mathVariantGlyphDirty(false)
 {
 }
@@ -504 +501 @@
         updateMathVariantGlyph();
 
-    if (m_mathVariantGlyph.font) {
-        m_maxPreferredLogicalWidth = m_minPreferredLogicalWidth = m_mathVariantGlyph.font->widthForGlyph(m_mathVariantGlyph.glyph);
-        setPreferredLogicalWidthsDirty(false);
-        return;
+    if (m_mathVariantCodePoint) {
+        auto mathVariantGlyph = style().fontCascade().glyphDataForCharacter(m_mathVariantCodePoint.value(), m_mathVariantIsMirrored);
+        if (mathVariantGlyph.font) {
+            m_maxPreferredLogicalWidth = m_minPreferredLogicalWidth = mathVariantGlyph.font->widthForGlyph(mathVariantGlyph.glyph);
+            setPreferredLogicalWidthsDirty(false);
+            return;
+        }
     }
 
@@ -517 +517 @@
     ASSERT(m_mathVariantGlyphDirty);
 
-    m_mathVariantGlyph = GlyphData();
+    m_mathVariantCodePoint = Nullopt;
     m_mathVariantGlyphDirty = false;
 
@@ -533 +533 @@
             mathvariant = tokenElement.hasTagName(MathMLNames::miTag) ? MathMLElement::MathVariant::Italic : MathMLElement::MathVariant::Normal;
         UChar32 transformedCodePoint = mathVariant(codePoint.value(), mathvariant);
-        if (transformedCodePoint != codePoint.value())
-            m_mathVariantGlyph = style().fontCascade().glyphDataForCharacter(transformedCodePoint, !style().isLeftToRightDirection());
+        if (transformedCodePoint != codePoint.value()) {
+            m_mathVariantCodePoint = mathVariant(codePoint.value(), mathvariant);
+            m_mathVariantIsMirrored = !style().isLeftToRightDirection();
+        }
     }
 }
@@ -552 +554 @@
 Optional<int> RenderMathMLToken::firstLineBaseline() const
 {
-    if (m_mathVariantGlyph.font)
-        return Optional<int>(static_cast<int>(lroundf(-m_mathVariantGlyph.font->boundsForGlyph(m_mathVariantGlyph.glyph).y())));
+    if (m_mathVariantCodePoint) {
+        auto mathVariantGlyph = style().fontCascade().glyphDataForCharacter(m_mathVariantCodePoint.value(), m_mathVariantIsMirrored);
+        if (mathVariantGlyph.font)
+            return Optional<int>(static_cast<int>(lroundf(-mathVariantGlyph.font->boundsForGlyph(mathVariantGlyph.glyph).y())));
+    }
     return RenderMathMLBlock::firstLineBaseline();
 }
@@ -564 +569 @@
         return;
 
-    if (!m_mathVariantGlyph.font) {
+    GlyphData mathVariantGlyph;
+    if (m_mathVariantCodePoint)
+        mathVariantGlyph = style().fontCascade().glyphDataForCharacter(m_mathVariantCodePoint.value(), m_mathVariantIsMirrored);
+
+    if (!mathVariantGlyph.font) {
         RenderMathMLBlock::layoutBlock(relayoutChildren, pageLogicalHeight);
         return;
@@ -572 +581 @@
         child->layoutIfNeeded();
 
-    setLogicalWidth(m_mathVariantGlyph.font->widthForGlyph(m_mathVariantGlyph.glyph));
-    setLogicalHeight(m_mathVariantGlyph.font->boundsForGlyph(m_mathVariantGlyph.glyph).height());
+    setLogicalWidth(mathVariantGlyph.font->widthForGlyph(mathVariantGlyph.glyph));
+    setLogicalHeight(mathVariantGlyph.font->boundsForGlyph(mathVariantGlyph.glyph).height());
 
     clearNeedsLayout();
@@ -583 +592 @@
 
     // FIXME: Instead of using DrawGlyph, we may consider using the more general TextPainter so that we can apply mathvariant to strings with an arbitrary number of characters and preserve advanced CSS effects (text-shadow, etc).
-    if (info.context().paintingDisabled() || info.phase != PaintPhaseForeground || style().visibility() != VISIBLE || !m_mathVariantGlyph.font)
+    if (info.context().paintingDisabled() || info.phase != PaintPhaseForeground || style().visibility() != VISIBLE || !m_mathVariantCodePoint)
+        return;
+
+    auto mathVariantGlyph = style().fontCascade().glyphDataForCharacter(m_mathVariantCodePoint.value(), m_mathVariantIsMirrored);
+    if (!mathVariantGlyph.font)
         return;
 
@@ -590 +603 @@
 
     GlyphBuffer buffer;
-    buffer.add(m_mathVariantGlyph.glyph, m_mathVariantGlyph.font, m_mathVariantGlyph.font->widthForGlyph(m_mathVariantGlyph.glyph));
-    LayoutUnit glyphAscent = static_cast<int>(lroundf(-m_mathVariantGlyph.font->boundsForGlyph(m_mathVariantGlyph.glyph).y()));
-    info.context().drawGlyphs(style().fontCascade(), *m_mathVariantGlyph.font, buffer, 0, 1, paintOffset + location() + LayoutPoint(0, glyphAscent));
+    buffer.add(mathVariantGlyph.glyph, mathVariantGlyph.font, mathVariantGlyph.font->widthForGlyph(mathVariantGlyph.glyph));
+    LayoutUnit glyphAscent = static_cast<int>(lroundf(-mathVariantGlyph.font->boundsForGlyph(mathVariantGlyph.glyph).y()));
+    info.context().drawGlyphs(style().fontCascade(), *mathVariantGlyph.font, buffer, 0, 1, paintOffset + location() + LayoutPoint(0, glyphAscent));
 }
 
 void RenderMathMLToken::paintChildren(PaintInfo& paintInfo, const LayoutPoint& paintOffset, PaintInfo& paintInfoForChild, bool usePrintRect)
 {
-    if (m_mathVariantGlyph.font)
-        return;
+    if (m_mathVariantCodePoint) {
+        auto mathVariantGlyph = style().fontCascade().glyphDataForCharacter(m_mathVariantCodePoint.value(), m_mathVariantIsMirrored);
+        if (mathVariantGlyph.font)
+            return;
+    }
+
     RenderMathMLBlock::paintChildren(paintInfo, paintOffset, paintInfoForChild, usePrintRect);
 }

trunk/Source/WebCore/rendering/mathml/RenderMathMLToken.h

@@ -2 +2 @@
  * Copyright (C) 2014 Frédéric Wang (fred.wang@free.fr). All rights reserved.
  * Copyright (C) 2016 Igalia S.L.
+ * Copyright (C) 2016 Apple Inc.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -63 +64 @@
         setNeedsLayoutAndPrefWidthsRecalc();
     }
-    GlyphData m_mathVariantGlyph;
-    bool m_mathVariantGlyphDirty;
+    Optional<UChar32> m_mathVariantCodePoint { Nullopt };
+    bool m_mathVariantIsMirrored { false };
+    bool m_mathVariantGlyphDirty { false };
 };