- Revision
- 134683
- Author
- t...@chromium.org
- Date
- 2012-11-14 15:36:04 -0800 (Wed, 14 Nov 2012)
Log Message
Crash in flexbox when removing absolutely positioned children
https://bugs.webkit.org/show_bug.cgi?id=100465
Reviewed by Ojan Vafai.
Source/WebCore:
We use m_numberOfChildrenOnFirstLine when computing baseline alignment.
This value gets set during flexbox layout. When we remove an absolutely
positioned child, we don't relayout and this value would get stale.
Change m_numberOfChildrenOnFirstLine to m_numberOfInFlowChildrenOnFirstLine
so the value doesn't get stale when we remove absolutely positioned children.
Also change the loop in firstLineBoxBaseline to bail if we run off the end of
the iterator.
Test: css3/flexbox/crash-removing-out-of-flow-child.html
* rendering/RenderFlexibleBox.cpp:
(WebCore::RenderFlexibleBox::RenderFlexibleBox):
(WebCore::RenderFlexibleBox::firstLineBoxBaseline):
(WebCore::RenderFlexibleBox::layoutBlock):
(WebCore::RenderFlexibleBox::repositionLogicalHeightDependentFlexItems):
(WebCore::RenderFlexibleBox::layoutAndPlaceChildren):
* rendering/RenderFlexibleBox.h:
LayoutTests:
Test case for the crash.
* css3/flexbox/crash-removing-out-of-flow-child-expected.txt: Added.
* css3/flexbox/crash-removing-out-of-flow-child.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (134682 => 134683)
--- trunk/LayoutTests/ChangeLog 2012-11-14 23:34:19 UTC (rev 134682)
+++ trunk/LayoutTests/ChangeLog 2012-11-14 23:36:04 UTC (rev 134683)
@@ -1,3 +1,15 @@
+2012-11-14 Tony Chang <t...@chromium.org>
+
+ Crash in flexbox when removing absolutely positioned children
+ https://bugs.webkit.org/show_bug.cgi?id=100465
+
+ Reviewed by Ojan Vafai.
+
+ Test case for the crash.
+
+ * css3/flexbox/crash-removing-out-of-flow-child-expected.txt: Added.
+ * css3/flexbox/crash-removing-out-of-flow-child.html: Added.
+
2012-11-14 Dirk Schulze <k...@webkit.org>
[CSS Exclusions] Basic shapes on 'shape-inside' should be animatable
Added: trunk/LayoutTests/css3/flexbox/crash-removing-out-of-flow-child-expected.txt (0 => 134683)
--- trunk/LayoutTests/css3/flexbox/crash-removing-out-of-flow-child-expected.txt (rev 0)
+++ trunk/LayoutTests/css3/flexbox/crash-removing-out-of-flow-child-expected.txt 2012-11-14 23:36:04 UTC (rev 134683)
@@ -0,0 +1,3 @@
+This test passes if it doesn't crash.
+
+This test passes if it doesn't crash.
Added: trunk/LayoutTests/css3/flexbox/crash-removing-out-of-flow-child.html (0 => 134683)
--- trunk/LayoutTests/css3/flexbox/crash-removing-out-of-flow-child.html (rev 0)
+++ trunk/LayoutTests/css3/flexbox/crash-removing-out-of-flow-child.html 2012-11-14 23:36:04 UTC (rev 134683)
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+<head>
+<link href="" rel="stylesheet">
+</head>
+<body>
+
+<p>This test passes if it doesn't crash.</p>
+
+<div id="outer" class="inline-flexbox"><div class="inline-flexbox"><div id="inner" style="position: absolute">absolute</div></div></div>
+
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+var outer = document.getElementById("outer");
+var inner = document.getElementById("inner");
+
+// Force layout.
+outer.offsetHeight;
+
+outer.firstChild.removeChild(inner);
+</script>
+
+<div>This test passes if it doesn't crash.</div>
+</body>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (134682 => 134683)
--- trunk/Source/WebCore/ChangeLog 2012-11-14 23:34:19 UTC (rev 134682)
+++ trunk/Source/WebCore/ChangeLog 2012-11-14 23:36:04 UTC (rev 134683)
@@ -1,3 +1,29 @@
+2012-11-14 Tony Chang <t...@chromium.org>
+
+ Crash in flexbox when removing absolutely positioned children
+ https://bugs.webkit.org/show_bug.cgi?id=100465
+
+ Reviewed by Ojan Vafai.
+
+ We use m_numberOfChildrenOnFirstLine when computing baseline alignment.
+ This value gets set during flexbox layout. When we remove an absolutely
+ positioned child, we don't relayout and this value would get stale.
+
+ Change m_numberOfChildrenOnFirstLine to m_numberOfInFlowChildrenOnFirstLine
+ so the value doesn't get stale when we remove absolutely positioned children.
+ Also change the loop in firstLineBoxBaseline to bail if we run off the end of
+ the iterator.
+
+ Test: css3/flexbox/crash-removing-out-of-flow-child.html
+
+ * rendering/RenderFlexibleBox.cpp:
+ (WebCore::RenderFlexibleBox::RenderFlexibleBox):
+ (WebCore::RenderFlexibleBox::firstLineBoxBaseline):
+ (WebCore::RenderFlexibleBox::layoutBlock):
+ (WebCore::RenderFlexibleBox::repositionLogicalHeightDependentFlexItems):
+ (WebCore::RenderFlexibleBox::layoutAndPlaceChildren):
+ * rendering/RenderFlexibleBox.h:
+
2012-11-14 Joshua Bell <jsb...@chromium.org>
IndexedDB: Remove magic numbers in record comparator, handle missing case
Modified: trunk/Source/WebCore/rendering/RenderFlexibleBox.cpp (134682 => 134683)
--- trunk/Source/WebCore/rendering/RenderFlexibleBox.cpp 2012-11-14 23:34:19 UTC (rev 134682)
+++ trunk/Source/WebCore/rendering/RenderFlexibleBox.cpp 2012-11-14 23:36:04 UTC (rev 134683)
@@ -132,7 +132,7 @@
RenderFlexibleBox::RenderFlexibleBox(Node* node)
: RenderBlock(node)
- , m_numberOfChildrenOnFirstLine(0)
+ , m_numberOfInFlowChildrenOnFirstLine(-1)
{
setChildrenInline(false); // All of our children must be block-level.
}
@@ -254,11 +254,11 @@
{
ASSERT(m_orderIterator);
- if (isWritingModeRoot() || !m_numberOfChildrenOnFirstLine)
+ if (isWritingModeRoot() || m_numberOfInFlowChildrenOnFirstLine <= 0)
return -1;
RenderBox* baselineChild = 0;
- RenderBox* child = m_orderIterator->first();
- for (size_t childNumber = 0; childNumber < m_numberOfChildrenOnFirstLine; ++childNumber, child = m_orderIterator->next()) {
+ int childNumber = 0;
+ for (RenderBox* child = m_orderIterator->first(); child; child = m_orderIterator->next()) {
if (child->isOutOfFlowPositioned())
continue;
if (alignmentForChild(child) == AlignBaseline && !hasAutoMarginsInCrossAxis(child)) {
@@ -267,6 +267,10 @@
}
if (!baselineChild)
baselineChild = child;
+
+ ++childNumber;
+ if (childNumber == m_numberOfInFlowChildrenOnFirstLine)
+ break;
}
if (!baselineChild)
@@ -320,6 +324,7 @@
setLogicalHeight(0);
updateLogicalWidth();
+ m_numberOfInFlowChildrenOnFirstLine = -1;
m_overflow.clear();
RenderBlock::startDelayUpdateScrollInfo();
@@ -386,8 +391,6 @@
flipForWrapReverse(iterator, lineContexts, crossAxisStartEdge);
}
- m_numberOfChildrenOnFirstLine = lineContexts.isEmpty() ? 0 : lineContexts[0].numberOfChildren;
-
// direction:rtl + flex-direction:column means the cross-axis direction is flipped.
flipForRightToLeftColumn(iterator);
}
@@ -1132,6 +1135,8 @@
layoutColumnReverse(children, crossAxisOffset, availableFreeSpace);
}
+ if (m_numberOfInFlowChildrenOnFirstLine == -1)
+ m_numberOfInFlowChildrenOnFirstLine = seenInFlowPositionedChildren;
lineContexts.append(LineContext(crossAxisOffset, maxChildCrossAxisExtent, children.size(), maxAscent));
crossAxisOffset += maxChildCrossAxisExtent;
}
Modified: trunk/Source/WebCore/rendering/RenderFlexibleBox.h (134682 => 134683)
--- trunk/Source/WebCore/rendering/RenderFlexibleBox.h 2012-11-14 23:34:19 UTC (rev 134682)
+++ trunk/Source/WebCore/rendering/RenderFlexibleBox.h 2012-11-14 23:36:04 UTC (rev 134683)
@@ -146,7 +146,7 @@
void flipForWrapReverse(OrderIterator&, const WTF::Vector<LineContext>&, LayoutUnit crossAxisStartEdge);
OwnPtr<OrderIterator> m_orderIterator;
- size_t m_numberOfChildrenOnFirstLine;
+ int m_numberOfInFlowChildrenOnFirstLine;
};
} // namespace WebCore
