Nested isolates can cause an infinite loop when laying out bidi runs
https://bugs.webkit.org/show_bug.cgi?id=149153
Reviewed by David Hyatt.
Source/WebCore:
When traversing bidi runs, we might encounter a run which is supposed to be isolated. In this
situation, we will append a placeholder run in the run list, and remember a pointer to these
isolated runs inside BidiResolver. Then, once we're done traversing the bidi runs, we return
to the isolated runs and handle them separately (and replace the placeholder with the result).
However, due to the fact that our BidiRuns start at leaf nodes, we have to keep track of which
local root of the render tree we were inspecting (to ensure that we visit the same node
multiple times if there are nested isolate spans). We were not correctly keeping track of this
local root, which was leading us to consider the same root multiple times, thereby leading to
an infinite loop.
The solution is simply to keep root information alongside the isolated run information inside
BidiResolver. However, BidiResolver is inside platform/, which means that this new type should
be a template argument, just like how BidiRun itself is a template argument.
This new type, BidiIsolatedRun, holds all the information that our isolate-revisiting logic
needs inside constructBidiRunsForSegment(). It also holds a reference to the placeholder run
which we will replace.
Test: fast/text/international/unicode-bidi-isolate-nested-crash.html
* platform/graphics/GraphicsContext.cpp:
(WebCore::GraphicsContext::drawBidiText): BidiIsolatedRun template argument is unused, so pass
in Void.
* platform/text/BidiResolver.h: Add template argument.
(WebCore::BidiResolver::isolatedRuns):
(WebCore::IsolatedRun>::~BidiResolver):
(WebCore::IsolatedRun>::appendRun):
(WebCore::IsolatedRun>::embed):
(WebCore::IsolatedRun>::checkDirectionInLowerRaiseEmbeddingLevel):
(WebCore::IsolatedRun>::lowerExplicitEmbeddingLevel):
(WebCore::IsolatedRun>::raiseExplicitEmbeddingLevel):
(WebCore::IsolatedRun>::commitExplicitEmbedding):
(WebCore::IsolatedRun>::updateStatusLastFromCurrentDirection):
(WebCore::IsolatedRun>::reorderRunsFromLevels):
(WebCore::IsolatedRun>::createBidiRunsForLine):
(WebCore::IsolatedRun>::setMidpointForIsolatedRun): Use references instead of pointers.
(WebCore::IsolatedRun>::midpointForIsolatedRun): Ditto.
(WebCore::Run>::~BidiResolver): Deleted.
(WebCore::Run>::appendRun): Deleted.
(WebCore::Run>::embed): Deleted.
(WebCore::Run>::checkDirectionInLowerRaiseEmbeddingLevel): Deleted.
(WebCore::Run>::lowerExplicitEmbeddingLevel): Deleted.
(WebCore::Run>::raiseExplicitEmbeddingLevel): Deleted.
(WebCore::Run>::commitExplicitEmbedding): Deleted.
(WebCore::Run>::updateStatusLastFromCurrentDirection): Deleted.
(WebCore::Run>::reorderRunsFromLevels): Deleted.
(WebCore::Run>::createBidiRunsForLine): Deleted.
(WebCore::Run>::setMidpointForIsolatedRun): Deleted.
(WebCore::Run>::midpointForIsolatedRun): Deleted.
* rendering/InlineIterator.h:
(WebCore::BidiIsolatedRun::BidiIsolatedRun): New type.
(WebCore::addPlaceholderRunForIsolatedInline): Create new type, and include local root
information.
(WebCore::IsolateTracker::addFakeRunIfNecessary): Include local root information.
(WebCore::InlineBidiResolver::appendRun): Ditto.
* rendering/RenderBlockLineLayout.cpp: Update for new BidiIsolatedRun type.
(WebCore::setUpResolverToResumeInIsolate):
(WebCore::constructBidiRunsForSegment):
* rendering/line/TrailingObjects.h:
LayoutTests:
* fast/text/international/unicode-bidi-isolate-nested-crash-expected.html: Added.
* fast/text/international/unicode-bidi-isolate-nested-crash.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@189832 268f45cc-cd09-0410-ab3c-d52691b4dbfc
8 files changed
