[IFC][Partial layout] Unbalanced InlineBoxStart/End may cause unexpec…

…ted state in InlineItemsBuilder https://bugs.webkit.org/show_bug.cgi?id=271430 <rdar://125183454> Reviewed by Antti Koivisto. This change ensures graceful recovery when partial layout produces unbalanced InlineBoxStart/End pairs with more InlineBoxEnd items than InlineBoxStart ones. * LayoutTests/TestExpectations: * LayoutTests/fast/text/bidi-text-and-partial-layout-crash-expected.txt: Added. * LayoutTests/fast/text/bidi-text-and-partial-layout-crash.html: Added. * Source/WebCore/layout/formattingContexts/inline/InlineItemsBuilder.cpp: (WebCore::Layout::handleEnterExitBidiContext): (WebCore::Layout::rewindBidiContextStack): Canonical link: https://commits.webkit.org/276535@main
WebKit · Mar 22, 2024 · 9ca509f · 9ca509f
1 parent b7d8be7
commit 9ca509f
Show file tree

Hide file tree

Showing 4 changed files with 56 additions and 0 deletions.
diff --git a/LayoutTests/TestExpectations b/LayoutTests/TestExpectations
@@ -7410,6 +7410,8 @@ http/wpt/opener/parent-access-child-via-windowproxy.html [ Skip ]
 
 webkit.org/b/266477 compositing/layer-creation/scale-rotation-transition-overlap.html [ Failure Timeout ]
 
+webkit.org/b/271428 fast/text/bidi-text-and-partial-layout-crash.html [ Skip ]
+
 # At the time of writing this test consumes all available IOSurfaces. If the next test is image-buffer-backend-variants.html, that will fail.
 fast/canvas/2d.context.many.small.html [ Slow Skip ]
 

diff --git a/LayoutTests/fast/text/bidi-text-and-partial-layout-crash-expected.txt b/LayoutTests/fast/text/bidi-text-and-partial-layout-crash-expected.txt
@@ -0,0 +1,7 @@
+
+
+PASS if no crash.
+
+
+
+
diff --git a/LayoutTests/fast/text/bidi-text-and-partial-layout-crash.html b/LayoutTests/fast/text/bidi-text-and-partial-layout-crash.html
@@ -0,0 +1,36 @@
+<style>
+#container {
+  text-indent: 200px each-line;
+  white-space: pre;
+  widows: 1;
+}
+
+.writing-mode { 
+  height: 102px;
+  writing-mode: tb-rl;
+}
+
+*:nth-last-child(1) { 
+  -webkit-column-span: all;
+}
+
+*:read-only {
+  -webkit-user-modify: read-write;
+  padding: 10px;
+  column-width: 100px;
+}
+</style>
+<span id=container><b class=writing-mode dir="auto">
+<span style="unicode-bidi: isolate">
+PASS if no crash.
+</span>
+</b>
+<span></span>
+<script>
+if (window.testRunner)
+  testRunner.dumpAsText();
+
+document.dir = "rtl";
+window.getSelection().selectAllChildren(container);
+document.execCommand("justifyLeft", false, null);
+</script>
diff --git a/Source/WebCore/layout/formattingContexts/inline/InlineItemsBuilder.cpp b/Source/WebCore/layout/formattingContexts/inline/InlineItemsBuilder.cpp
@@ -338,6 +338,12 @@ enum class EnterExitType : uint8_t {
 };
 static inline void handleEnterExitBidiContext(StringBuilder& paragraphContentBuilder, UnicodeBidi unicodeBidi, bool isLTR, EnterExitType enterExitType, BidiContextStack& bidiContextStack)
 {
+    if (enterExitType == EnterExitType::ExitingInlineBox && bidiContextStack.size() == 1) {
+        // Refuse to pop the initial block entry off of the stack. It indicates unbalanced InlineBoxStart/End pairs.
+        ASSERT_NOT_REACHED();
+        return;
+    }
+
     auto isEnteringBidi = enterExitType == EnterExitType::EnteringBlock || enterExitType == EnterExitType::EnteringInlineBox;
     switch (unicodeBidi) {
     case UnicodeBidi::Normal:
@@ -410,6 +416,11 @@ static inline void unwindBidiContextStack(StringBuilder& paragraphContentBuilder
 
 static inline void rewindBidiContextStack(StringBuilder& paragraphContentBuilder, BidiContextStack& bidiContextStack, const BidiContextStack& copyOfBidiStack, size_t blockLevelBidiContextIndex)
 {
+    if (copyOfBidiStack.isEmpty()) {
+        ASSERT_NOT_REACHED();
+        return;
+    }
+
     for (size_t blockLevelIndex = 0; blockLevelIndex <= blockLevelBidiContextIndex; ++blockLevelIndex) {
         handleEnterExitBidiContext(paragraphContentBuilder
             , copyOfBidiStack[blockLevelIndex].unicodeBidi