Changeset 101406 in webkit

Timestamp:

Nov 29, 2011 12:37:24 PM (12 years ago)

Author:

rniwa@webkit.org

Message:

Crash in IsolateTracker::addFakeRunIfNecessary(), preceded by assertion failure (m_nestedIsolateCount >= 1)
in IsolateTracker::exitIsolate()
​https://bugs.webkit.org/show_bug.cgi?id=69275

Reviewed by Eric Seidel.

Source/WebCore:

The crash was caused by our false assumption that at most one isolated container exists between the start
and the root when appending a new run. Fixed the crash by computing the actual number of isolated containers
between the start and the root.

Test: fast/text/nested-bidi-isolate-crash.html

• rendering/InlineIterator.h:

(WebCore::numberOfIsolateAncestors):
(WebCore::IsolateTracker::IsolateTracker):
(WebCore::InlineBidiResolver::appendRun):

LayoutTests:

Add a regression test.

• fast/text/nested-bidi-isolate-crash-expected.txt: Added.
• fast/text/nested-bidi-isolate-crash.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/text/nested-bidi-isolate-crash-expected.txt (added)
• LayoutTests/fast/text/nested-bidi-isolate-crash.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/rendering/InlineIterator.h (modified) (3 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-11-28  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Crash in IsolateTracker::addFakeRunIfNecessary(), preceded by assertion failure (m_nestedIsolateCount >= 1)
+        in IsolateTracker::exitIsolate()
+        https://bugs.webkit.org/show_bug.cgi?id=69275
+
+        Reviewed by Eric Seidel.
+
+        Add a regression test.
+
+        * fast/text/nested-bidi-isolate-crash-expected.txt: Added.
+        * fast/text/nested-bidi-isolate-crash.html: Added.
+
 2011-11-29  Xiaomei Ji  <xji@chromium.org>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-11-28  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Crash in IsolateTracker::addFakeRunIfNecessary(), preceded by assertion failure (m_nestedIsolateCount >= 1)
+        in IsolateTracker::exitIsolate()
+        https://bugs.webkit.org/show_bug.cgi?id=69275
+
+        Reviewed by Eric Seidel.
+
+        The crash was caused by our false assumption that at most one isolated container exists between the start
+        and the root when appending a new run. Fixed the crash by computing the actual number of isolated containers
+        between the start and the root.
+
+        Test: fast/text/nested-bidi-isolate-crash.html
+
+        * rendering/InlineIterator.h:
+        (WebCore::numberOfIsolateAncestors):
+        (WebCore::IsolateTracker::IsolateTracker):
+        (WebCore::InlineBidiResolver::appendRun):
+
 2011-11-29  Oliver Hunt  <oliver@apple.com>
 

trunk/Source/WebCore/rendering/InlineIterator.h

@@ -407 +407 @@
 }
 
+static inline unsigned numberOfIsolateAncestors(RenderObject* object, RenderObject* root)
+{
+    ASSERT(object);
+    unsigned count = 0;
+    while (object && object != root) {
+        if (isIsolatedInline(object))
+            count++;
+        object = object->parent();
+    }
+    return count;
+}
+
 // FIXME: This belongs on InlineBidiResolver, except it's a template specialization
 // of BidiResolver which knows nothing about RenderObjects.
@@ -421 +433 @@
 class IsolateTracker {
 public:
-    explicit IsolateTracker(bool inIsolate)
-        : m_nestedIsolateCount(inIsolate ? 1 : 0)
+    explicit IsolateTracker(unsigned nestedIsolateCount)
+        : m_nestedIsolateCount(nestedIsolateCount)
         , m_haveAddedFakeRunForRootIsolate(false)
     {
@@ -471 +483 @@
         // Initialize our state depending on if we're starting in the middle of such an inline.
         // FIXME: Could this initialize from this->inIsolate() instead of walking up the render tree?
-        IsolateTracker isolateTracker(containingIsolate(m_sor.m_obj, m_sor.root()));
+        IsolateTracker isolateTracker(numberOfIsolateAncestors(m_sor.m_obj, m_sor.root()));
         int start = m_sor.m_pos;
         RenderObject* obj = m_sor.m_obj;