<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[168278] releases/WebKitGTK/webkit-2.4</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/168278">168278</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2014-05-05 04:23:51 -0700 (Mon, 05 May 2014)</dd>
</dl>
<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/166650">r166650</a> - Use outermost containing isolate when constructing bidi runs
<http://webkit.org/b/131107>
<rdar://problem/15690021>
Reviewed by Darin Adler.
Merged from Blink (patch by jww@chromium.org):
https://src.chromium.org/viewvc/blink?revision=157268&view=revision
http://crbug.com/279277
Update containingIsolate to go back all the way to top
isolate from current root, rather than stopping at the first
isolate it finds. This works because the current root is
always updated with each isolate run.
Source/WebCore:
Tests: fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html
fast/text/international/unicode-bidi-isolate-nested-with-removes.html
* rendering/InlineIterator.h:
(WebCore::highestContainingIsolateWithinRoot):
* rendering/RenderBlockLineLayout.cpp:
(WebCore::constructBidiRunsForSegment):
LayoutTests:
* fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt: Updated.
* fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent-expected.txt: Added.
* fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html: Added.
* fast/text/international/unicode-bidi-isolate-nested-with-removes.html: Updated.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit24LayoutTestsChangeLog">releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit24LayoutTestsfasttextinternationalunicodebidiisolatenestedwithremovesexpectedtxt">releases/WebKitGTK/webkit-2.4/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit24LayoutTestsfasttextinternationalunicodebidiisolatenestedwithremoveshtml">releases/WebKitGTK/webkit-2.4/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes.html</a></li>
<li><a href="#releasesWebKitGTKwebkit24SourceWebCoreChangeLog">releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit24SourceWebCorerenderingInlineIteratorh">releases/WebKitGTK/webkit-2.4/Source/WebCore/rendering/InlineIterator.h</a></li>
<li><a href="#releasesWebKitGTKwebkit24SourceWebCorerenderingRenderBlockLineLayoutcpp">releases/WebKitGTK/webkit-2.4/Source/WebCore/rendering/RenderBlockLineLayout.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit24LayoutTestsfasttextinternationalunicodebidiisolatenestedwithremovesnotadjacentexpectedtxt">releases/WebKitGTK/webkit-2.4/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit24LayoutTestsfasttextinternationalunicodebidiisolatenestedwithremovesnotadjacenthtml">releases/WebKitGTK/webkit-2.4/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit24LayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog (168277 => 168278)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog 2014-05-05 11:20:54 UTC (rev 168277)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog 2014-05-05 11:23:51 UTC (rev 168278)
</span><span class="lines">@@ -1,5 +1,27 @@
</span><span class="cx"> 2014-04-02 David Kilzer <ddkilzer@apple.com>
</span><span class="cx">
</span><ins>+ Use outermost containing isolate when constructing bidi runs
+ <http://webkit.org/b/131107>
+ <rdar://problem/15690021>
+
+ Reviewed by Darin Adler.
+
+ Merged from Blink (patch by jww@chromium.org):
+ https://src.chromium.org/viewvc/blink?revision=157268&view=revision
+ http://crbug.com/279277
+
+ Update containingIsolate to go back all the way to top
+ isolate from current root, rather than stopping at the first
+ isolate it finds. This works because the current root is
+ always updated with each isolate run.
+
+ * fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt: Updated.
+ * fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent-expected.txt: Added.
+ * fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html: Added.
+ * fast/text/international/unicode-bidi-isolate-nested-with-removes.html: Updated.
+
+2014-04-02 David Kilzer <ddkilzer@apple.com>
+
</ins><span class="cx"> Add LayoutTest for crash with bidi isolates
</span><span class="cx">
</span><span class="cx"> Merged from Blink (patch by jww@chromium.org):
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit24LayoutTestsfasttextinternationalunicodebidiisolatenestedwithremovesexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.4/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt (168277 => 168278)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.4/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt 2014-05-05 11:20:54 UTC (rev 168277)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-expected.txt 2014-05-05 11:23:51 UTC (rev 168278)
</span><span class="lines">@@ -1,4 +1 @@
</span><del>- bar
-
-
</del><span class="cx"> PASS did not crash
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit24LayoutTestsfasttextinternationalunicodebidiisolatenestedwithremovesnotadjacentexpectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.4/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent-expected.txt (0 => 168278)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.4/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent-expected.txt 2014-05-05 11:23:51 UTC (rev 168278)
</span><span class="lines">@@ -0,0 +1 @@
</span><ins>+PASS did not crash
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit24LayoutTestsfasttextinternationalunicodebidiisolatenestedwithremovesnotadjacenthtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.4/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html (0 => 168278)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.4/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html (rev 0)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html 2014-05-05 11:23:51 UTC (rev 168278)
</span><span class="lines">@@ -0,0 +1,35 @@
</span><ins>+<!doctype html>
+<!-- This tests for regression of https://crbug.com/279277 where non-adjacent, nested isolates caused a use-after-free if the elements were later removed. -->
+<script>
+window.onload = function() {
+ document.body.offsetTop;
+ b.lastChild.parentNode.removeChild(b.lastChild);
+ document.body.offsetTop;
+ a.nextSibling.parentNode.removeChild(a.nextSibling);
+ document.body.offsetTop;
+
+ document.write("PASS did not crash");
+}
+</script>
+
+<body>
+ <div id="a">foo</div><div>baz</div><div></div>
+ <div>
+ <output>
+ <span>
+ <output>bar</output>
+ <span id="b">
+ <span>
+ <div style="display:inline-block"></div>
+ <br><br>
+ </span>
+ </span>
+ </span>
+ </output>
+ </div>
+</body>
+
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit24LayoutTestsfasttextinternationalunicodebidiisolatenestedwithremoveshtml"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.4/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes.html (168277 => 168278)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.4/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes.html 2014-05-05 11:20:54 UTC (rev 168277)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/fast/text/international/unicode-bidi-isolate-nested-with-removes.html 2014-05-05 11:23:51 UTC (rev 168278)
</span><span class="lines">@@ -1,19 +1,15 @@
</span><ins>+<!doctype html>
</ins><span class="cx"> <!-- This tests for regression of https://crbug.com/265838 where adjacent, nested isolates caused a use-after-free if the elements were later removed. -->
</span><span class="cx"> <script>
</span><del>-function remove(node)
-{
- node.parentNode.removeChild(node);
-}
-
</del><span class="cx"> window.onload = function()
</span><span class="cx"> {
</span><span class="cx"> document.body.offsetTop;
</span><del>- remove(b.lastChild);
</del><ins>+ b.lastChild.parentNode.removeChild(b.lastChild);
</ins><span class="cx"> document.body.offsetTop;
</span><del>- remove(a.firstChild);
</del><ins>+ a.firstChild.parentNode.removeChild(a.firstChild);
</ins><span class="cx"> document.body.offsetTop;
</span><span class="cx">
</span><del>- document.body.appendChild(document.createTextNode("PASS did not crash"));
</del><ins>+ document.write("PASS did not crash");
</ins><span class="cx"> }
</span><span class="cx"> </script>
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit24SourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog (168277 => 168278)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog 2014-05-05 11:20:54 UTC (rev 168277)
+++ releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog 2014-05-05 11:23:51 UTC (rev 168278)
</span><span class="lines">@@ -1,3 +1,28 @@
</span><ins>+2014-04-02 David Kilzer <ddkilzer@apple.com>
+
+ Use outermost containing isolate when constructing bidi runs
+ <http://webkit.org/b/131107>
+ <rdar://problem/15690021>
+
+ Reviewed by Darin Adler.
+
+ Merged from Blink (patch by jww@chromium.org):
+ https://src.chromium.org/viewvc/blink?revision=157268&view=revision
+ http://crbug.com/279277
+
+ Update containingIsolate to go back all the way to top
+ isolate from current root, rather than stopping at the first
+ isolate it finds. This works because the current root is
+ always updated with each isolate run.
+
+ Tests: fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html
+ fast/text/international/unicode-bidi-isolate-nested-with-removes.html
+
+ * rendering/InlineIterator.h:
+ (WebCore::highestContainingIsolateWithinRoot):
+ * rendering/RenderBlockLineLayout.cpp:
+ (WebCore::constructBidiRunsForSegment):
+
</ins><span class="cx"> 2014-04-01 Daniel Bates <dabates@apple.com>
</span><span class="cx">
</span><span class="cx"> RenderQuote must destroy remaining text renderer before first letter renderer
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit24SourceWebCorerenderingInlineIteratorh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.4/Source/WebCore/rendering/InlineIterator.h (168277 => 168278)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.4/Source/WebCore/rendering/InlineIterator.h 2014-05-05 11:20:54 UTC (rev 168277)
+++ releases/WebKitGTK/webkit-2.4/Source/WebCore/rendering/InlineIterator.h 2014-05-05 11:23:51 UTC (rev 168278)
</span><span class="lines">@@ -414,14 +414,11 @@
</span><span class="cx"> return object->isRenderInline() && isIsolated(object->style().unicodeBidi());
</span><span class="cx"> }
</span><span class="cx">
</span><del>-static inline RenderObject* containingIsolate(RenderObject* object, RenderObject* root)
</del><ins>+static inline RenderObject* highestContainingIsolateWithinRoot(RenderObject* object, RenderObject* root)
</ins><span class="cx"> {
</span><span class="cx"> ASSERT(object);
</span><span class="cx"> RenderObject* containingIsolateObject = 0;
</span><span class="cx"> while (object && object != root) {
</span><del>- if (containingIsolateObject && !isIsolatedInline(object))
- break;
-
</del><span class="cx"> if (isIsolatedInline(object))
</span><span class="cx"> containingIsolateObject = object;
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit24SourceWebCorerenderingRenderBlockLineLayoutcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.4/Source/WebCore/rendering/RenderBlockLineLayout.cpp (168277 => 168278)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.4/Source/WebCore/rendering/RenderBlockLineLayout.cpp 2014-05-05 11:20:54 UTC (rev 168277)
+++ releases/WebKitGTK/webkit-2.4/Source/WebCore/rendering/RenderBlockLineLayout.cpp 2014-05-05 11:23:51 UTC (rev 168278)
</span><span class="lines">@@ -903,7 +903,9 @@
</span><span class="cx"> // tree to see which parent inline is the isolate. We could change enterIsolate
</span><span class="cx"> // to take a RenderObject and do this logic there, but that would be a layering
</span><span class="cx"> // violation for BidiResolver (which knows nothing about RenderObject).
</span><del>- RenderInline* isolatedInline = toRenderInline(containingIsolate(&startObj, currentRoot));
</del><ins>+ RenderInline* isolatedInline = toRenderInline(highestContainingIsolateWithinRoot(&startObj, currentRoot));
+ ASSERT(isolatedInline);
+
</ins><span class="cx"> InlineBidiResolver isolatedResolver;
</span><span class="cx"> EUnicodeBidi unicodeBidi = isolatedInline->style().unicodeBidi();
</span><span class="cx"> TextDirection direction;
</span></span></pre>
</div>
</div>
</body>
</html>