<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[186337] releases/WebKitGTK/webkit-2.8/Source/WebCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/186337">186337</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2015-07-06 04:01:47 -0700 (Mon, 06 Jul 2015)</dd>
</dl>
<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/184965">r184965</a> - Crash under ICU with ASAN during editing/selection/move-by-word-visually-crash-test-5.html
https://bugs.webkit.org/show_bug.cgi?id=145429
<rdar://problem/20992218>

Reviewed by Alexey Proskuryakov.

WebKit uses some strings which contain the lower 8-bits of UTF-16 (thereby saving space). However,
ICU doesn't understand this encoding. When we want to use ICU functions with strings in this encoding,
we create a UTextProvider which converts our encoded strings to UTF-16 for ICU, one chunk at a time.
This object contains a vtable which we populate to perform the conversion.

The WebKit function which actually returns the UTF-16 chunks has two relevant arguments: an index into
the encoded string which ICU is requesting, and a direction from that index which ICU is interested
in. This function populates a "chunk" which is characterized by a pointer to a buffer, the length of
the populated data in the buffer, and an offset into the chunk which represents the index that the
requested character was put into.

When ICU requests data going backward, we fill in the chunk accordingly, with the requested character
all the way at the end. We then set the offset equal to the length of the buffer. However, this length
value is stale from the previous time the function ran. Therefore, ICU was reading the wrong index in
the chunk when expecting the requested character.

Covered by editing/selection/move-by-word-visually-crash-test-5.html.

* platform/text/icu/UTextProviderLatin1.cpp:
(WebCore::uTextLatin1Access):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit28SourceWebCoreChangeLog">releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceWebCoreplatformtexticuUTextProviderLatin1cpp">releases/WebKitGTK/webkit-2.8/Source/WebCore/platform/text/icu/UTextProviderLatin1.cpp</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit28SourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog (186336 => 186337)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog        2015-07-06 10:05:01 UTC (rev 186336)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog        2015-07-06 11:01:47 UTC (rev 186337)
</span><span class="lines">@@ -1,3 +1,32 @@
</span><ins>+2015-05-28 Myles C. Maxfield <mmaxfield@apple.com>
+
+ Crash under ICU with ASAN during editing/selection/move-by-word-visually-crash-test-5.html
+ https://bugs.webkit.org/show_bug.cgi?id=145429
+ <rdar://problem/20992218>
+
+ Reviewed by Alexey Proskuryakov.
+
+ WebKit uses some strings which contain the lower 8-bits of UTF-16 (thereby saving space). However,
+ ICU doesn't understand this encoding. When we want to use ICU functions with strings in this encoding,
+ we create a UTextProvider which converts our encoded strings to UTF-16 for ICU, one chunk at a time.
+ This object contains a vtable which we populate to perform the conversion.
+
+ The WebKit function which actually returns the UTF-16 chunks has two relevant arguments: an index into
+ the encoded string which ICU is requesting, and a direction from that index which ICU is interested
+ in. This function populates a "chunk" which is characterized by a pointer to a buffer, the length of
+ the populated data in the buffer, and an offset into the chunk which represents the index that the
+ requested character was put into.
+
+ When ICU requests data going backward, we fill in the chunk accordingly, with the requested character
+ all the way at the end. We then set the offset equal to the length of the buffer. However, this length
+ value is stale from the previous time the function ran. Therefore, ICU was reading the wrong index in
+ the chunk when expecting the requested character.
+
+ Covered by editing/selection/move-by-word-visually-crash-test-5.html.
+
+ * platform/text/icu/UTextProviderLatin1.cpp:
+ (WebCore::uTextLatin1Access):
+
</ins><span class="cx"> 2015-05-26 Zalan Bujtas <zalan@apple.com>
</span><span class="cx">
</span><span class="cx"> Overhanging float sets are not cleaned up properly when floating renderer is destroyed.
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit28SourceWebCoreplatformtexticuUTextProviderLatin1cpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/platform/text/icu/UTextProviderLatin1.cpp (186336 => 186337)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/WebCore/platform/text/icu/UTextProviderLatin1.cpp        2015-07-06 10:05:01 UTC (rev 186336)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/platform/text/icu/UTextProviderLatin1.cpp        2015-07-06 11:01:47 UTC (rev 186337)
</span><span class="lines">@@ -104,7 +104,7 @@
</span><span class="cx"> }
</span><span class="cx"> if (index >= length && uText->chunkNativeLimit == length) {
</span><span class="cx"> // Off the end of the buffer, but we can't get it.
</span><del>- uText->chunkOffset = uText->chunkLength;
</del><ins>+ uText->chunkOffset = static_cast<int32_t>(index - uText->chunkNativeStart);
</ins><span class="cx"> return FALSE;
</span><span class="cx"> }
</span><span class="cx"> } else {
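Review bot: in the `index >= length && uText->chunkNativeLimit == length` branch the new `chunkOffset` is derived from `index`, which this condition only bounds from below, so an index strictly past the end of the string yields an offset larger than the chunk (the chunk spans `chunkNativeStart` to `chunkNativeLimit`, and `chunkNativeLimit == length` here). Consider pinning `index` to `length` before the subtraction, or assigning `static_cast<int32_t>(uText->chunkNativeLimit - uText->chunkNativeStart)` directly, so the offset stays within the chunk regardless of how far past the end the caller asked for. Replacing the old `uText->chunkLength` read is correct in itself, since that field still holds the previous fill's value at this point, which is the stale length the log message describes.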
</span><span class="lines">@@ -136,7 +136,7 @@
</span><span class="cx"> if (uText->chunkNativeStart < 0)
</span><span class="cx"> uText->chunkNativeStart = 0;
</span><span class="cx">
</span><del>- uText->chunkOffset = uText->chunkLength;
</del><ins>+ uText->chunkOffset = static_cast<int32_t>(index - uText->chunkNativeStart);
</ins><span class="cx"> }
</span><span class="cx"> uText->chunkLength = static_cast<int32_t>(uText->chunkNativeLimit - uText->chunkNativeStart);
</span><span class="cx">
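Review bot: the new offset in the backward branch is computed before `uText->chunkLength` is recomputed on the following line, and this hunk does not show how `chunkNativeLimit` relates to `index`, so the reader cannot confirm from the context that `chunkOffset` ends up no greater than `chunkLength`. An assertion after the `chunkLength` assignment, e.g. `ASSERT(uText->chunkOffset >= 0 && uText->chunkOffset <= uText->chunkLength);`, would have flagged the stale value this patch replaces and guards both hunks against regressions. A one-line comment at this site stating that `chunkLength` must not be read here because it still belongs to the previous chunk would also stop the original line from being reintroduced.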
</span></span></pre>
</div>
</div>
</body>
</html>