Title: [214588] trunk
- Revision
- 214588
- Author
- za...@apple.com
- Date
- 2017-03-29 18:25:00 -0700 (Wed, 29 Mar 2017)
Log Message
RenderBlockFlow::addFloatsToNewParent should check if float is already added to the object list.
https://bugs.webkit.org/show_bug.cgi?id=170259
<rdar://problem/31300584>
Reviewed by Simon Fraser.
Source/WebCore:
r210145 assumed that m_floatingObjects would simply ignore the floating box if it was already in the list.
Test: fast/block/float/placing-multiple-floats-crash.html
* rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::addFloatsToNewParent):
LayoutTests:
* fast/block/float/placing-multiple-floats-crash-expected.txt: Added.
* fast/block/float/placing-multiple-floats-crash.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (214587 => 214588)
--- trunk/LayoutTests/ChangeLog 2017-03-30 01:06:31 UTC (rev 214587)
+++ trunk/LayoutTests/ChangeLog 2017-03-30 01:25:00 UTC (rev 214588)
@@ -1,3 +1,14 @@
+2017-03-29 Zalan Bujtas <za...@apple.com>
+
+ RenderBlockFlow::addFloatsToNewParent should check if float is already added to the object list.
+ https://bugs.webkit.org/show_bug.cgi?id=170259
+ <rdar://problem/31300584>
+
+ Reviewed by Simon Fraser.
+
+ * fast/block/float/placing-multiple-floats-crash-expected.txt: Added.
+ * fast/block/float/placing-multiple-floats-crash.html: Added.
+
2017-03-29 Tim Horton <timothy_hor...@apple.com>
Swipe gesture tests don't work on macOS Sierra
Added: trunk/LayoutTests/fast/block/float/placing-multiple-floats-crash-expected.txt (0 => 214588)
--- trunk/LayoutTests/fast/block/float/placing-multiple-floats-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/block/float/placing-multiple-floats-crash-expected.txt 2017-03-30 01:25:00 UTC (rev 214588)
@@ -0,0 +1 @@
+
Added: trunk/LayoutTests/fast/block/float/placing-multiple-floats-crash.html (0 => 214588)
--- trunk/LayoutTests/fast/block/float/placing-multiple-floats-crash.html (rev 0)
+++ trunk/LayoutTests/fast/block/float/placing-multiple-floats-crash.html 2017-03-30 01:25:00 UTC (rev 214588)
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>This tests placing multiple floats does not make the browser crash.</title>
+<style>
+div {
+ float: left;
+ width: 100px;
+ height: 100px;
+}
+</style>
+</head>
+<body>
+Pass if no crash or assert.
+<div><p style="width: 100px; height: 100px"></p></div>
+<iframe width="800" height="600"></iframe>
+<div></div>
+<span id=span></span><fieldset/><center id=center></center>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+setInterval(function() {
+ var range = document.createRange();
+ range.selectNodeContents(span);
+ range.surroundContents(center);
+}, 0);
+
+setTimeout(function() {
+ document.documentElement.style.visibility = "collapse";
+ if (window.testRunner)
+ testRunner.notifyDone();
+}, 100);
+</script>
+</body>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (214587 => 214588)
--- trunk/Source/WebCore/ChangeLog 2017-03-30 01:06:31 UTC (rev 214587)
+++ trunk/Source/WebCore/ChangeLog 2017-03-30 01:25:00 UTC (rev 214588)
@@ -1,3 +1,18 @@
+2017-03-29 Zalan Bujtas <za...@apple.com>
+
+ RenderBlockFlow::addFloatsToNewParent should check if float is already added to the object list.
+ https://bugs.webkit.org/show_bug.cgi?id=170259
+ <rdar://problem/31300584>
+
+ Reviewed by Simon Fraser.
+
+ r210145 assumed that m_floatingObjects would simply ignore the floating box if it was already in the list.
+
+ Test: fast/block/float/placing-multiple-floats-crash.html
+
+ * rendering/RenderBlockFlow.cpp:
+ (WebCore::RenderBlockFlow::addFloatsToNewParent):
+
2017-03-29 Myles C. Maxfield <mmaxfi...@apple.com>
Try to normalize variation ranges
Modified: trunk/Source/WebCore/rendering/RenderBlockFlow.cpp (214587 => 214588)
--- trunk/Source/WebCore/rendering/RenderBlockFlow.cpp 2017-03-30 01:06:31 UTC (rev 214587)
+++ trunk/Source/WebCore/rendering/RenderBlockFlow.cpp 2017-03-30 01:25:00 UTC (rev 214588)
@@ -2153,8 +2153,11 @@
if (!toBlockFlow.m_floatingObjects)
toBlockFlow.createFloatingObjects();
- for (auto& floatingObject : m_floatingObjects->set())
+ for (auto& floatingObject : m_floatingObjects->set()) {
+ if (toBlockFlow.containsFloat(floatingObject->renderer()))
+ continue;
toBlockFlow.m_floatingObjects->add(floatingObject->cloneForNewParent());
+ }
}
void RenderBlockFlow::moveAllChildrenIncludingFloatsTo(RenderBlock& toBlock, bool fullRemoveInsert)
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
