Closed Bug 1794567 Opened 2 years ago Closed 2 years ago

[wpt-sync] Sync PR 36396 - CSS highlight painting: no OffsetInContainerNode for generated text

Categories

(Core :: Layout: Generated Content, Lists, and Counters, task, P4)


RESOLVED FIXED
108 Branch
Tracking Status
firefox108 --- fixed

People

(Reporter: wpt-sync, Unassigned)

Details

(Whiteboard: [wptsync downstream])

Sync web-platform-tests PR 36396 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/36396
Details from upstream follow.

Delan Azabani <dazabani@igalia.com> wrote:

CSS highlight painting: no OffsetInContainerNode for generated text

CL:3793072 fixed a bug where we treated marker-based highlights as if
they applied to soft hyphens (and other fragments with generated text)
in a text node, so we stopped rendering incorrectly or crashing in
these situations.

CL:3804327 added an optimisation for marker-based highlights, which
involved converting a pair of canonical text offsets to DOM offsets.
This is an operation that doesn’t make sense for generated text, but
we did it regardless of whether the fragment was generated text.

Usually that’s harmless (albeit a waste of time), because CL:3793072
ensures that we don’t pass any markers to ComputeEdges in this case,
so the variables will never get read anyway.

But if there’s an atomic inline nearby, such as an <img> or <button>,
then trying to do GetLastPosition(0) and GetFirstPosition(1) for the
soft hyphen might return beforeAnchor and afterAnchor the atomic
inline, both of which violate the assertion in OffsetInContainerNode
that the positions are of the offsetInAnchor kind.

For example, in <https://bucket.daz.cat/work/igalia/0/59.html>...

<img><s>aaaaaaaaaaaaa­a
<script>
document.body.style.width = 0;
document.execCommand("selectall");
</script>

...the text that those operations are run against is effectively...

 [OBJ]aaaaaaaaaaaaa[SHY]a
 U+FFFC            U+00AD

...where [OBJ] represents the atomic inline, rather than the text for
the generated hyphen, yielding beforeAnchor IMG and afterAnchor IMG.

Fixed: 1367860
Change-Id: I0b033a15a58fed661f5ebc9981a726b0850029fa
Reviewed-on: https://chromium-review.googlesource.com/3944075
WPT-Export-Revision: 4c61be76c8c0341fb63816cda5dd7cbbf2dd7125

Component: web-platform-tests → Layout: Generated Content, Lists, and Counters
Product: Testing → Core
Pushed by wptsync@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/2ec287971f94 [wpt PR 36396] - CSS highlight painting: no OffsetInContainerNode for generated text, a=testonly
Test result changes from PR not available.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 108 Branch