WebKit Bugzilla
Attachment 348349 Details for Bug 184390: REGRESSION (r226138): WebCore::subdivide() may return an empty vector; Web process can crash when performing find in Epiphany
Patch and layout test
bug-184390-20180828151216.patch (text/plain), 4.11 KB, created by Daniel Bates on 2018-08-28 15:12:17 PDT
Attachment flags: patch, obsolete
>Subversion Revision: 235381 >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index a0b9a02d491d3c7440ace8a2241c4e5350c5f514..38a17a22f95fb7889becfd88dec05f55791d79ce 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog >@@ -1,3 +1,24 @@ >+2018-08-28 Daniel Bates <dabates@apple.com> >+ >+ REGRESSION (r226138): WebCore::subdivide() may return an empty an empty vector; Web process can crash when performing find in Epiphany >+ https://bugs.webkit.org/show_bug.cgi?id=184390 >+ <rdar://problem/41804994> >+ And >+ <rdar://problem/39771867> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Speculative fix for Epiphany. >+ >+ The inline text box can be empty for combined text (i.e. RenderCombineText::combinedStringForRendering() >+ returns the empty string). When this happens WebCore::subdivide() will return an empty vector (since >+ there is nothing to subdivide). We need to take care to handle this case. >+ >+ Test: fast/text/text-combine-surroundContents-crash.html >+ >+ * rendering/InlineTextBox.cpp: >+ (WebCore::InlineTextBox::subdivideAndResolveStyle): >+ > 2018-08-27 Keith Rollin <krollin@apple.com> > > Build system support for LTO >diff --git a/Source/WebCore/rendering/InlineTextBox.cpp b/Source/WebCore/rendering/InlineTextBox.cpp >index 0a784ccc34af01db106486fbc7735133a504c6d4..59a7565652cfe8c1d65fba60bd469deb2c326c10 100644 >--- a/Source/WebCore/rendering/InlineTextBox.cpp >+++ b/Source/WebCore/rendering/InlineTextBox.cpp >@@ -792,6 +792,8 @@ auto InlineTextBox::subdivideAndResolveStyle(const Vector<MarkedText>& textsToSu > return { }; > > auto markedTexts = subdivide(textsToSubdivide); >+ if (markedTexts.isEmpty()) >+ return { }; > > // Compute frontmost overlapping styled marked texts. > Vector<StyledMarkedText> frontmostMarkedTexts; >diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog >index cd12c8d77fabcb9d392c865c33ce6e3cac11d54c..3280b627d2a9ab2f15a3ad78fcce4fc9c3c459a6 100644 >--- a/LayoutTests/ChangeLog 
>+++ b/LayoutTests/ChangeLog >@@ -1,3 +1,18 @@ >+2018-08-28 Daniel Bates <dabates@apple.com> >+ >+ REGRESSION (r226138): WebCore::subdivide() may return an empty an empty vector; Web process can crash when performing find in Epiphany >+ https://bugs.webkit.org/show_bug.cgi?id=184390 >+ <rdar://problem/41804994> >+ And >+ <rdar://problem/39771867> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Add a test to ensure that we do not crash when painting an empty inline text box. >+ >+ * fast/text/text-combine-surroundContents-crash-expected.txt: Added. >+ * fast/text/text-combine-surroundContents-crash.html: Added. >+ > 2018-08-27 Per Arne Vollan <pvollan@apple.com> > > Layout Test fast/events/dblclick-event-getModifierState.html is failing >diff --git a/LayoutTests/fast/text/text-combine-surroundContents-crash-expected.txt b/LayoutTests/fast/text/text-combine-surroundContents-crash-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..95cc1bc02dee1579ddf9b43868c093525a809604 >--- /dev/null >+++ b/LayoutTests/fast/text/text-combine-surroundContents-crash-expected.txt >@@ -0,0 +1,2 @@ >+ >+PASS, did not crash. >diff --git a/LayoutTests/fast/text/text-combine-surroundContents-crash.html b/LayoutTests/fast/text/text-combine-surroundContents-crash.html >new file mode 100644 >index 0000000000000000000000000000000000000000..bf7056c9c08efa9f9757d2ee312025893aac7f59 >--- /dev/null >+++ b/LayoutTests/fast/text/text-combine-surroundContents-crash.html 
>@@ -0,0 +1,27 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<style> >+#first { >+ writing-mode: vertical-rl; >+ -webkit-text-combine: horizontal; >+} >+</style> >+<script> >+if (window.testRunner) >+ testRunner.dumpAsText(); >+ >+function runTest() >+{ >+ var second = document.getElementById("second"); >+ var range = document.caretRangeFromPoint(); >+ range.surroundContents(second); // Crash >+} >+</script> >+</head> >+<body onload="runTest()"> >+<div id="first"> </div> >+<span id="second"></span> <!-- Must be an inline element. --> >+<div>PASS, did not crash.</div> >+</body> >+</html>
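Review bot: the title line of the Source/WebCore/ChangeLog entry reads "may return an empty an empty vector", repeating "an empty"; the bug title on this page has it once, so drop the duplicate before landing. "Reviewed by NOBODY (OOPS!)" is still the unfilled placeholder and needs the reviewer's name (this attachment carries review+ from simon.fraser). The entry also calls this a "Speculative fix for Epiphany" while naming RenderCombineText::combinedStringForRendering() as the source of the empty string; it would help to say whether the new test reproduces the crash on the port where it was reported or only exercises the same code path.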
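Review bot: the new `if (markedTexts.isEmpty()) return { };` in InlineTextBox::subdivideAndResolveStyle() sits directly under an existing `return { };` in the preceding context, so a later reader may assume that earlier check already covers the empty case; add a one-line comment stating that subdivide() can yield no marked texts when the box's text is empty (the combined-text case described in the ChangeLog) even though textsToSubdivide was accepted. If an empty inline text box for combined text is the only way this happens, consider whether the caller should skip the box before subdividing, or add an ASSERT documenting the expectation, rather than guarding only at this point. Returning `{ }` is consistent with the function's existing empty-result convention.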
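Review bot: the LayoutTests/ChangeLog entry repeats the same "an empty an empty vector" typo and the "Reviewed by NOBODY (OOPS!)" placeholder as the WebCore entry; fix both together. Its one-line description, "do not crash when painting an empty inline text box", does not mention surroundContents or text-combine even though the test file is named text-combine-surroundContents-crash.html, so a few words on how the empty box is produced would make the entry searchable later.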
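Review bot: in text-combine-surroundContents-crash.html, `document.caretRangeFromPoint()` is called with no coordinates, so whether the returned range lands inside #first depends on the missing x and y being treated as 0; if the call returns null the script throws at `range.surroundContents(second)`, the body still contains "PASS, did not crash." and the test passes without exercising the crash path. Pass explicit coordinates, for example from `document.getElementById("first").getBoundingClientRect()`, so the target is clear, and consider failing loudly when the range is null. Also add a comment that `<div id="first"> </div>` deliberately contains a single space, since that whitespace is what surroundContents moves into the combined-text span and a well-meaning cleanup that trims it would hollow out the test; the existing "Must be an inline element." comment on #second is a good model.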
Flags: simon.fraser: review+
Attachments on bug 184390: 348337 | 348349