Title: [175345] trunk
- Revision: 175345
- Author: [email protected]
- Date: 2014-10-29 14:13:12 -0700 (Wed, 29 Oct 2014)
Log Message
Remove invalid float from RootInlineBox.
https://bugs.webkit.org/show_bug.cgi?id=137707
Reviewed by Antti Koivisto.
In certain cases, floating boxes get attached to the last (root) inline box.
When this particular floating box gets destroyed, it also needs to be detached
from the last inline box.
Source/WebCore:
1. Introduce RootInlineBox::removeFloat() (vs. RootInlineBox::appendFloat())
2. Ensure that it is called when the floating box is being destroyed.
Test: fast/inline/crash-when-inline-box-has-invalid-float.html
* rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::removeFloatingObject):
(WebCore::RenderBlockFlow::markAllDescendantsWithFloatsForLayout): During style recalc, while
tearing down the render tree, we can get to a state where a block element has both inline and block children.
It happens when the style change on an element makes sibling anonymous block wrappers detached.
In that case the markAllDescendantsWithFloatsForLayout() call does not get propagated down on the
block child elements as we return early at the childrenInline() check.
* rendering/RootInlineBox.h:
(WebCore::RootInlineBox::removeFloat):
LayoutTests:
* fast/inline/crash-when-inline-box-has-invalid-float-expected.txt: Added.
* fast/inline/crash-when-inline-box-has-invalid-float.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (175344 => 175345)
--- trunk/LayoutTests/ChangeLog 2014-10-29 21:04:28 UTC (rev 175344)
+++ trunk/LayoutTests/ChangeLog 2014-10-29 21:13:12 UTC (rev 175345)
@@ -1,3 +1,17 @@
+2014-10-29 Zalan Bujtas <[email protected]>
+
+ Remove invalid float from RootInlineBox.
+ https://bugs.webkit.org/show_bug.cgi?id=137707
+
+ Reviewed by Antti Koivisto.
+
+ In certain cases, floating boxes get attached to the last (root) inline box.
+ When this particular floating box gets destroyed, it also needs to be detached
+ from the last inline box.
+
+ * fast/inline/crash-when-inline-box-has-invalid-float-expected.txt: Added.
+ * fast/inline/crash-when-inline-box-has-invalid-float.html: Added.
+
2014-10-29 Alexey Proskuryakov <[email protected]>
Update Mavericks results after https://bugs.webkit.org/show_bug.cgi?id=137275
Added: trunk/LayoutTests/fast/inline/crash-when-inline-box-has-invalid-float-expected.txt (0 => 175345)
--- trunk/LayoutTests/fast/inline/crash-when-inline-box-has-invalid-float-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/inline/crash-when-inline-box-has-invalid-float-expected.txt 2014-10-29 21:13:12 UTC (rev 175345)
@@ -0,0 +1,6 @@
+PASS, if no crash or ASSERT in debug.
+
+
+
+
+BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAA
Added: trunk/LayoutTests/fast/inline/crash-when-inline-box-has-invalid-float.html (0 => 175345)
--- trunk/LayoutTests/fast/inline/crash-when-inline-box-has-invalid-float.html (rev 0)
+++ trunk/LayoutTests/fast/inline/crash-when-inline-box-has-invalid-float.html 2014-10-29 21:13:12 UTC (rev 175345)
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>This tests that floating elments are cleaned up properly.</title>
+<style>
+ :last-child {float:left;}
+</style>
+</head>
+
+<body>
+PASS, if no crash or ASSERT in debug.
+<br>
+<br>
+<br>
+<article>
+<pre></pre>
+<br>
+<content>
+<br>
+<select></select>
+<script>
+document.body.contentEditable = "true";
+document.execCommand("SelectAll");
+document.execCommand("StrikeThrough");
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAA
+</body>
+</html>
\ No newline at end of file
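Review bot: the `<title>` in this new test misspells "elements" as "elments", and the file ends without a trailing newline (see the "\ No newline at end of file" marker); both should be fixed before landing. The test passes only by not crashing, so a short comment stating which part of the markup is expected to trigger the float teardown would help anyone who later has to reduce or adapt it.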
Modified: trunk/Source/WebCore/ChangeLog (175344 => 175345)
--- trunk/Source/WebCore/ChangeLog 2014-10-29 21:04:28 UTC (rev 175344)
+++ trunk/Source/WebCore/ChangeLog 2014-10-29 21:13:12 UTC (rev 175345)
@@ -1,3 +1,28 @@
+2014-10-29 Zalan Bujtas <[email protected]>
+
+ Remove invalid float from RootInlineBox.
+ https://bugs.webkit.org/show_bug.cgi?id=137707
+
+ Reviewed by Antti Koivisto.
+
+ In certain cases, floating boxes get attached to the last (root) inline box.
+ When this particular floating box gets destroyed, it also needs to be detached
+ from the last inline box.
+ 1. Introduce RootInlineBox::removeFloat() (vs. RootInlineBox::appendFloat())
+ 2. Ensure that it is called when the floating box is being destroyed.
+
+ Test: fast/inline/crash-when-inline-box-has-invalid-float.html
+
+ * rendering/RenderBlockFlow.cpp:
+ (WebCore::RenderBlockFlow::removeFloatingObject):
+ (WebCore::RenderBlockFlow::markAllDescendantsWithFloatsForLayout): During style recalc, while
+ tearing down the render tree, we can get to a state where a block element has both inline and block children.
+ It happens when the style change on an element makes sibling anonymous block wrappers detached.
+ In that case the markAllDescendantsWithFloatsForLayout() call does not get propagated down on the
+ block child elements as we return early at the childrenInline() check.
+ * rendering/RootInlineBox.h:
+ (WebCore::RootInlineBox::removeFloat):
+
2014-10-29 Antti Koivisto <[email protected]>
Unreviewed, rolling out r175342.
Modified: trunk/Source/WebCore/rendering/RenderBlockFlow.cpp (175344 => 175345)
--- trunk/Source/WebCore/rendering/RenderBlockFlow.cpp 2014-10-29 21:04:28 UTC (rev 175344)
+++ trunk/Source/WebCore/rendering/RenderBlockFlow.cpp 2014-10-29 21:13:12 UTC (rev 175345)
@@ -2225,6 +2225,7 @@
logicalBottom = std::max(logicalBottom, logicalTop + 1);
}
if (floatingObject->originatingLine()) {
+ floatingObject->originatingLine()->removeFloat(floatBox);
if (!selfNeedsLayout()) {
ASSERT(&floatingObject->originatingLine()->renderer() == this);
floatingObject->originatingLine()->markDirty();
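Review bot: the added `removeFloat(floatBox)` call runs whenever `originatingLine()` is non-null, so it depends on that line's float list actually containing `floatBox`, and `RootInlineBox::removeFloat()` checks that only with ASSERTs. Either make the callee tolerate a missing entry or state the invariant in a comment at this call site. As a style point, `floatingObject->originatingLine()` is now evaluated four times in this block; binding it to a local once would read better and keep the calls consistent.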
@@ -2682,10 +2683,7 @@
if (floatToRemove)
removeFloatingObject(*floatToRemove);
- if (childrenInline())
- return;
-
- // Iterate over our children and mark them as needed.
+ // Iterate over our block children and mark them as needed.
for (auto& block : childrenOfType<RenderBlock>(*this)) {
if (!floatToRemove && block.isFloatingOrOutOfFlowPositioned())
continue;
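Review bot: with the `childrenInline()` early return removed, the loop over `childrenOfType<RenderBlock>(*this)` now runs for every caller, but the reason is recorded only in the ChangeLog. The new comment "Iterate over our block children and mark them as needed." should say why blocks with inline children are no longer skipped (block children can still be present while the render tree is being torn down during style recalc); otherwise the guard looks like a harmless optimization that someone could restore later.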
Modified: trunk/Source/WebCore/rendering/RootInlineBox.h (175344 => 175345)
--- trunk/Source/WebCore/rendering/RootInlineBox.h 2014-10-29 21:04:28 UTC (rev 175344)
+++ trunk/Source/WebCore/rendering/RootInlineBox.h 2014-10-29 21:13:12 UTC (rev 175345)
@@ -145,6 +145,13 @@
m_floats = std::make_unique<Vector<RenderBox*>>(1, &floatingBox);
}
+ void removeFloat(RenderBox& floatingBox)
+ {
+ ASSERT(m_floats);
+ ASSERT(m_floats->contains(&floatingBox));
+ m_floats->remove(m_floats->find(&floatingBox));
+ }
+
Vector<RenderBox*>* floatsPtr() { ASSERT(!isDirty()); return m_floats.get(); }
virtual void extractLineBoxFromRenderObject() override final;
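Review bot: both preconditions in `removeFloat()` are checked only with `ASSERT`, so in a build where assertions are compiled out a null `m_floats`, or a `floatingBox` that is not in the list, reaches `m_floats->remove(m_floats->find(&floatingBox))` unchecked. Since this function exists to stop the line from holding a pointer to a destroyed box, it should fail safe: return early when `m_floats` is null, and call `remove()` only when `find()` actually located the entry. The `find()` result would also be better held in a local so the lookup and the check share one value.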