Avoid Assertion Failure in HarfBuzzRun::characterIndexForXPosition
https://bugs.webkit.org/show_bug.cgi?id=92376
Patch by Dominik Röttsches <dominik.rottsches@intel.com> on 2012-07-30
Reviewed by Tony Chang.
.:
Added manual test to reliably reproduce assertion failure which is solved by this patch.
* ManualTests/harfbuzz-mouse-selection-crash.html: Added.
Source/WebCore:
Previously, the if condition in offsetForPosition gating the call to
characterIndexForXPosition was comparing a different value than what was actually used
as the argument to calling it. In some cases, this can lead to a minuscule difference
when comparing the two floats - enough to trigger the assertion. To resolve this,
the accuracy of the index calculation is improved by changing the types from int
to floats and rephrasing the if condition to be exactly the same as what is checked
for in the assertion.
Manual test ManualTests/harfbuzz-mouse-selection-crash.html added
which reliably reproduces the assertion failure before this change.
* platform/graphics/harfbuzz/ng/HarfBuzzShaper.cpp:
(WebCore::HarfBuzzShaper::HarfBuzzRun::characterIndexForXPosition): Types changed to float.
(WebCore::HarfBuzzShaper::offsetForPosition): Types changed to float, if condition rephrased.
* platform/graphics/harfbuzz/ng/HarfBuzzShaper.h:
(HarfBuzzRun):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@124111 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/ManualTests/harfbuzz-mouse-selection-crash.html b/ManualTests/harfbuzz-mouse-selection-crash.html
new file mode 100644
index 0000000..a7e85a1
--- /dev/null
+++ b/ManualTests/harfbuzz-mouse-selection-crash.html
@@ -0,0 +1,54 @@
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<style type="text/css">
+#telugu {
+font-size: 2cm;
+line-height: 1.5em;
+font-family: "Lohit Telugu";
+}
+</style>
+<script>
+var ITERATIONS = 10000;
+
+if (window.testRunner)
+ testRunner.waitUntilDone();
+
+function mouseSelection() {
+ var body = document.body;
+ body.focus();
+
+ xStart = 0;
+ yStart = 0;
+
+ if (window.eventSender) {
+ eventSender.mouseMoveTo(xStart, yStart);
+ eventSender.mouseDown();
+ for(i=0;i<ITERATIONS;i++) {
+ randomCoord = randomCoordinate();
+ eventSender.mouseMoveTo(randomCoord.x, randomCoord.y);
+ }
+ }
+ if (window.testRunnder)
+ testRunner.notifyDone();
+}
+
+function randomCoordinate(axis) {
+ return { x: Math.floor(Math.random()*window.innerWidth),
+ y: Math.floor(Math.random()* window.innerHeight) }
+}
+
+</script>
+</head>
+<body onload="mouseSelection()"><p>
+ This test fuzzes HarfBuzzShaper::offsetForPosition to trigger an assertion in the downstream function characterIndexForXPosition().
+ See https://bugs.webkit.org/show_bug.cgi?id=92376 - reason of the assertion being hit is a minuscule floating point inaccuracy
+ between an if condition that gates the call to characterIndexForXPosition and the actual argument that's then given to the function.
+ This test works on WebKit EFL, with the Ubuntu Telugu Lohit font installed to the EFL jhbuild font directory, like:</p>
+ <pre>$ cp /usr/share/fonts/truetype/ttf-telugu-fonts/lohit_te.ttf WebKitBuild/Dependencies/Source/webkitgtk-test-fonts-0.0.3</pre>
+ <p>Run with:</p>
+ <pre>$ WebKitBuild/Debug/bin/DumpRenderTree ManualTests/harfbuzz-mouse-selection-crash.html</pre>
+ <p>Before the change, this would crash 10/10 times. Test passes if it does not crash.</p>
+<p id="telugu">చేనేత కార్మికుల సమస్యలను ప్రభుత్వం దృష్టికి తీసుకువెళ్లేందుకు సిరిసిల్లలో వైఎస్ఆర్ సిపి గౌరవాధ్యక్షురాలు విజయమ్మ చేపట్టినదీక్ష విజయవంతమైంది.</p>
+</body>
+</html>
