Title: [274774] trunk
- Revision
- 274774
- Author
- [email protected]
- Date
- 2021-03-22 12:29:14 -0700 (Mon, 22 Mar 2021)
Log Message
[ macOS debug arm64 ] ASSERTION FAILED: count >= 1 ./rendering/RenderMultiColumnSet.cpp(450) : unsigned int WebCore::RenderMultiColumnSet::columnCount() const
https://bugs.webkit.org/show_bug.cgi?id=223144
<rdar://problem/75381496>
Reviewed by Simon Fraser.
Source/WebCore:
Overflow height computation with infinite constraint should not produce a negative height value.
During the column balancing, we use the "max layout unit" value to indicate infinite available space.
However this max value confuses the height computation in expandToEncompassFragmentedFlowContentsIfNeeded and produces a negative height value.
Let's also ensure that we never trigger undefined behavior as the result of implicitly converting (negative)float to unsigned.
* rendering/RenderFragmentContainerSet.cpp:
(WebCore::RenderFragmentContainerSet::expandToEncompassFragmentedFlowContentsIfNeeded):
* rendering/RenderFragmentedFlow.cpp:
(WebCore::RenderFragmentedFlow::updateFragmentsFragmentedFlowPortionRect):
* rendering/RenderMultiColumnSet.cpp:
(WebCore::RenderMultiColumnSet::columnCount const):
LayoutTests:
* platform/mac/TestExpectations:
Modified Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (274773 => 274774)
--- trunk/LayoutTests/ChangeLog 2021-03-22 19:25:16 UTC (rev 274773)
+++ trunk/LayoutTests/ChangeLog 2021-03-22 19:29:14 UTC (rev 274774)
@@ -1,3 +1,13 @@
+2021-03-22 Zalan Bujtas <[email protected]>
+
+ [ macOS debug arm64 ] ASSERTION FAILED: count >= 1 ./rendering/RenderMultiColumnSet.cpp(450) : unsigned int WebCore::RenderMultiColumnSet::columnCount() const
+ https://bugs.webkit.org/show_bug.cgi?id=223144
+ <rdar://problem/75381496>
+
+ Reviewed by Simon Fraser.
+
+ * platform/mac/TestExpectations:
+
2021-03-22 Wenson Hsieh <[email protected]>
[macOS] Context menu should account for image overlay content
Modified: trunk/LayoutTests/platform/mac/TestExpectations (274773 => 274774)
--- trunk/LayoutTests/platform/mac/TestExpectations 2021-03-22 19:25:16 UTC (rev 274773)
+++ trunk/LayoutTests/platform/mac/TestExpectations 2021-03-22 19:29:14 UTC (rev 274774)
@@ -2313,8 +2313,6 @@
webkit.org/b/223271 [ BigSur Debug ] imported/w3c/web-platform-tests/xhr/event-upload-progress.any.worker.html [ Pass Failure ]
-webkit.org/b/223144 [ Debug arm64 ] fast/multicol/crash-when-spanner-candidate-is-out-of-flow.html [ Crash ]
-
webkit.org/b/221833 fast/text/image-alt-text-bidi-2.html [ ImageOnlyFailure ]
webkit.org/b/223484 [ arm64 ] compositing/style-change/backface-visibility-change.html [ Pass ImageOnlyFailure ]
Modified: trunk/Source/WebCore/ChangeLog (274773 => 274774)
--- trunk/Source/WebCore/ChangeLog 2021-03-22 19:25:16 UTC (rev 274773)
+++ trunk/Source/WebCore/ChangeLog 2021-03-22 19:29:14 UTC (rev 274774)
@@ -1,3 +1,24 @@
+2021-03-22 Zalan Bujtas <[email protected]>
+
+ [ macOS debug arm64 ] ASSERTION FAILED: count >= 1 ./rendering/RenderMultiColumnSet.cpp(450) : unsigned int WebCore::RenderMultiColumnSet::columnCount() const
+ https://bugs.webkit.org/show_bug.cgi?id=223144
+ <rdar://problem/75381496>
+
+ Reviewed by Simon Fraser.
+
+ Overflow height computation with infinite constraint should not produce a negative height value.
+ During the column balancing, we use the "max layout unit" value to indicate infinite available space.
+ However this max value confuses the height computation in expandToEncompassFragmentedFlowContentsIfNeeded and produces a negative height value.
+
+ Let's also ensure that we never trigger undefined behavior as the result of implicitly converting (negative)float to unsigned.
+
+ * rendering/RenderFragmentContainerSet.cpp:
+ (WebCore::RenderFragmentContainerSet::expandToEncompassFragmentedFlowContentsIfNeeded):
+ * rendering/RenderFragmentedFlow.cpp:
+ (WebCore::RenderFragmentedFlow::updateFragmentsFragmentedFlowPortionRect):
+ * rendering/RenderMultiColumnSet.cpp:
+ (WebCore::RenderMultiColumnSet::columnCount const):
+
2021-03-22 Chris Dumez <[email protected]>
Implement AbortSignal.abort()
Modified: trunk/Source/WebCore/rendering/RenderFragmentContainerSet.cpp (274773 => 274774)
--- trunk/Source/WebCore/rendering/RenderFragmentContainerSet.cpp 2021-03-22 19:25:16 UTC (rev 274773)
+++ trunk/Source/WebCore/rendering/RenderFragmentContainerSet.cpp 2021-03-22 19:29:14 UTC (rev 274774)
@@ -50,7 +50,7 @@
// Whenever the last region is a set, it always expands its region rect to consume all
// of the flow thread content. This is because it is always capable of generating an
// infinite number of boxes in order to hold all of the remaining content.
- LayoutRect rect(fragmentedFlowPortionRect());
+ auto rect = fragmentedFlowPortionRect();
// Get the offset within the flow thread in its block progression direction. Then get the
// flow thread's remaining logical height including its overflow and expand our rect
@@ -58,10 +58,10 @@
// additional columns and pages to hold that overflow, since people do write bad
// content like <body style="height:0px"> in multi-column layouts.
bool isHorizontal = fragmentedFlow()->isHorizontalWritingMode();
- LayoutUnit logicalTopOffset = isHorizontal ? rect.y() : rect.x();
- LayoutRect layoutRect = fragmentedFlow()->layoutOverflowRect();
- LayoutUnit logicalHeightWithOverflow = (isHorizontal ? layoutRect.maxY() : layoutRect.maxX()) - logicalTopOffset;
- setFragmentedFlowPortionRect(LayoutRect(rect.x(), rect.y(), isHorizontal ? rect.width() : logicalHeightWithOverflow, isHorizontal ? logicalHeightWithOverflow : rect.height()));
+ auto logicalTopOffset = isHorizontal ? rect.y() : rect.x();
+ auto overflowHeight = isHorizontal ? fragmentedFlow()->layoutOverflowRect().maxY() : fragmentedFlow()->layoutOverflowRect().maxX();
+ auto logicalHeightWithOverflow = logicalTopOffset == RenderFragmentedFlow::maxLogicalHeight() ? overflowHeight : overflowHeight - logicalTopOffset;
+ setFragmentedFlowPortionRect({ rect.x(), rect.y(), isHorizontal ? rect.width() : logicalHeightWithOverflow, isHorizontal ? logicalHeightWithOverflow : rect.height() });
}
}
Modified: trunk/Source/WebCore/rendering/RenderMultiColumnSet.cpp (274773 => 274774)
--- trunk/Source/WebCore/rendering/RenderMultiColumnSet.cpp 2021-03-22 19:25:16 UTC (rev 274773)
+++ trunk/Source/WebCore/rendering/RenderMultiColumnSet.cpp 2021-03-22 19:29:14 UTC (rev 274774)
@@ -438,15 +438,16 @@
{
// We must always return a value of 1 or greater. Column count = 0 is a meaningless situation,
// and will confuse and cause problems in other parts of the code.
- if (!computedColumnHeight())
+ auto computedColumnHeight = this->computedColumnHeight();
+ if (computedColumnHeight <= 0)
return 1;
// Our portion rect determines our column count. We have as many columns as needed to fit all the content.
- LayoutUnit logicalHeightInColumns = fragmentedFlow()->isHorizontalWritingMode() ? fragmentedFlowPortionRect().height() : fragmentedFlowPortionRect().width();
- if (!logicalHeightInColumns)
+ auto logicalHeightInColumns = fragmentedFlow()->isHorizontalWritingMode() ? fragmentedFlowPortionRect().height() : fragmentedFlowPortionRect().width();
+ if (logicalHeightInColumns <= 0)
return 1;
- unsigned count = ceil(static_cast<float>(logicalHeightInColumns) / computedColumnHeight());
+ unsigned count = ceilf(static_cast<float>(logicalHeightInColumns) / computedColumnHeight);
ASSERT(count >= 1);
return count;
}
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
