Prevent break opportunity offset to surpass the item's range_end

When exploring breaking opportunities we were early return, and shaping to the end, when we detected that current candidate overflow and next breaking opportunity surpass the item's range end. However, since we landed in r807457 the new TextBreakIterator's behavior of breaking always after the space run, we can get some opportunities that surpass the item's range_end even if the candidate doesn't overflow. An example of this could be when trailing spaces are located in different items. This patch ensures that even when the candidate doesn't overflow, we never consider breaking opportunity offsets that surpass the item's range end; since we are not overflowing, we'll proceed with the shaping logic considering range_end as maximum of the breaking opportunity offset. Bug: 1128571 Change-Id: I704eb8091cdca00713fed15e22749bb633bacc71 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2414196 Commit-Queue: Javier Fernandez <jfernandez@igalia.com> Reviewed-by: Koji Ishii <kojii@chromium.org> Cr-Commit-Position: refs/heads/master@{#808007}

Prevent break opportunity offset to surpass the item's range_end
When exploring breaking opportunities we were early return, and shaping to the end, when we detected that current candidate overflow and next breaking opportunity surpass the item's range end. However, since we landed in r807457 the new TextBreakIterator's behavior of breaking always after the space run, we can get some opportunities that surpass the item's range_end even if the candidate doesn't overflow. An example of this could be when trailing spaces are located in different items. This patch ensures that even when the candidate doesn't overflow, we never consider breaking opportunity offsets that surpass the item's range end; since we are not overflowing, we'll proceed with the shaping logic considering range_end as maximum of the breaking opportunity offset. Bug: 1128571 Change-Id: I704eb8091cdca00713fed15e22749bb633bacc71 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2414196 Commit-Queue: Javier Fernandez <jfernandez@igalia.com> Reviewed-by: Koji Ishii <kojii@chromium.org> Cr-Commit-Position: refs/heads/master@{#808007}
f0e301a3 · Javier Fernández García-Boente · Commit Bot · 36e4acea · f0e301a3 · f0e301a3
Commit f0e301a3 authored Sep 17, 2020 by Javier Fernández García-Boente Committed by Commit Bot Sep 17, 2020
3 changed files
--- a/third_party/blink/renderer/platform/fonts/shaping/shaping_line_breaker.cc
+++ b/third_party/blink/renderer/platform/fonts/shaping/shaping_line_breaker.cc
@@ -308,7 +308,7 @@ scoped_refptr<const ShapeResultView> ShapingLineBreaker::ShapeLine(
  // We don't care whether this result contains only spaces if we
  // are breaking after any space. We shouldn't early return either
  // in that case.
-  if (!is_break_after_any_space &&
+  if (!is_break_after_any_space && break_opportunity.non_hangable_run_end &&
      break_opportunity.non_hangable_run_end <= start) {
    // TODO (jfenandez): There may be cases where candidate_break is
    // not a breakable space but we also want to early return for
@@ -332,6 +332,7 @@ scoped_refptr<const ShapeResultView> ShapingLineBreaker::ShapeLine(
    result_out->non_hangable_run_end = break_opportunity.non_hangable_run_end;
    if (result_out->is_overflow)
      return ShapeToEnd(start, first_safe, range_start, range_end);
+    break_opportunity.offset = range_end;
  }
  CheckBreakOffset(break_opportunity.offset, start, range_end);
@@ -369,9 +370,9 @@ scoped_refptr<const ShapeResultView> ShapingLineBreaker::ShapeLine(
  // early return if offset >= range_end ?
  if (break_opportunity.offset == range_end)
    reshape_line_end = false;
-  if (!is_break_after_any_space) {
+  if (!is_break_after_any_space && break_opportunity.non_hangable_run_end) {
    break_opportunity.offset =
-        std::max(start + 1, break_opportunity.non_hangable_run_end);
+        std::max(start + 1, *break_opportunity.non_hangable_run_end);
  }
  unsigned last_safe = break_opportunity.offset;
  if (reshape_line_end) {
@@ -381,9 +382,9 @@ scoped_refptr<const ShapeResultView> ShapingLineBreaker::ShapeLine(
    // preceding boundary is tried until the available space is sufficient.
    while (true) {
      DCHECK_LE(start, break_opportunity.offset);
-      if (!is_break_after_any_space) {
+      if (!is_break_after_any_space && break_opportunity.non_hangable_run_end) {
        break_opportunity.offset =
-            std::max(start + 1, break_opportunity.non_hangable_run_end);
+            std::max(start + 1, *break_opportunity.non_hangable_run_end);
      }
      last_safe =
          result_->CachedPreviousSafeToBreakOffset(break_opportunity.offset);

--- a/third_party/blink/renderer/platform/fonts/shaping/shaping_line_breaker.h
+++ b/third_party/blink/renderer/platform/fonts/shaping/shaping_line_breaker.h
@@ -115,7 +115,6 @@ class PLATFORM_EXPORT ShapingLineBreaker final {
   public:
    BreakOpportunity(unsigned new_offset, bool hyphenated)
        : offset(new_offset),
-          non_hangable_run_end(new_offset),
          is_hyphenated(hyphenated) {}
    BreakOpportunity(unsigned new_offset, unsigned run_end, bool hyphenated)
        : offset(new_offset),
@@ -123,7 +122,7 @@ class PLATFORM_EXPORT ShapingLineBreaker final {
          is_hyphenated(hyphenated) {}
    unsigned offset;
-    unsigned non_hangable_run_end;
+    base::Optional<unsigned> non_hangable_run_end;
    bool is_hyphenated;
  };
  BreakOpportunity PreviousBreakOpportunity(unsigned offset,

--- a/third_party/blink/web_tests/external/wpt/css/css-text/altering-dom-crash.html
+++ b/third_party/blink/web_tests/external/wpt/css/css-text/altering-dom-crash.html
+<!DOCTYPE html>
+<title>CSS Text Test: Altering the DOM generates empty text elements that cause line-breaking to crash</title>
+<link rel="help" href="https://crbug.com/972992">
+<style>
+    body {
+        width: 5pt;
+        hyphens: none;
+    }
+</style>
+<body onload=jsfuzzer()>
+    <table id="table1">x</table>
+    <content contenteditable="plaintext-only">
+</body>
+<script>
+    function jsfuzzer() {
+        document.all[0].appendChild(table1);
+    }
+</script>