Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: d9617b11409e1d4bea5d54832f4d69b9cd9d743a
      
https://github.com/WebKit/WebKit/commit/d9617b11409e1d4bea5d54832f4d69b9cd9d743a
  Author: Alan Baradlay <[email protected]>
  Date:   2025-04-02 (Wed, 02 Apr 2025)

  Changed paths:
    A LayoutTests/fast/block/float-remove-after-block-collapse-crash-expected.txt
    A LayoutTests/fast/block/float-remove-after-block-collapse-crash.html
    M Source/WebCore/rendering/RenderBlockFlow.cpp

  Log Message:
  -----------
  Block reusing may remove floating object too early
https://bugs.webkit.org/show_bug.cgi?id=290862
<rdar://147215658>

Reviewed by Antti Koivisto.

"Reusing block" type mutations (see RenderTreeBuilder::Inline::splitFlow) 
followed by float removal may lead to an unexpected state where we have a float 
to remove, but we have already destroyed m_floatingObjects, causing us to 
incorrectly assume that the float no longer belongs here 
(markSiblingsWithFloatsForLayout) and, therefore, does not need to be removed 
from sibling blocks (in case it is intrusive).

What happens here is:
1. tree mutation makes an anon block reused (pre block)
2. a float is removed from said anon block's subtree

At #1 we call removeFloatingObjects() which simply clears and destroys 
m_floatingObjects on the anon block.
Now at #2, when we try to remove this float from sibling block containers by 
calling RenderBlockFlow::markSiblingsWithFloatsForLayout, we consult 
m_floatingObjects to see if there's any float associated with the block and 
early return, as we had already cleared this set at #1.

This patch ensures that when markSiblingsWithFloatsForLayout is called with a 
valid float, we always try to clean up sibling content.

* LayoutTests/fast/block/float-remove-after-block-collapse-crash-expected.txt: Added.
* LayoutTests/fast/block/float-remove-after-block-collapse-crash.html: Added.
* Source/WebCore/rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::markSiblingsWithFloatsForLayout):
Change
for (siblings)
  for (set items)

to
for (set items)
  for (siblings)

so that the 'for (siblings)' logic can be moved to a lambda and used when 
there's a valid incoming float.

Canonical link: https://commits.webkit.org/293094@main
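A constructed C++ model of the state sequence the message describes, added here for illustration; it is not WebKit's code, and `Block`, `Float`, `eraseIntrusive` and the two `markSiblingsWithFloatsForLayout*` variants are simplified stand-ins for the real rendering classes. Step 1 destroys the float set; the buggy variant then early-returns and leaves a sibling holding a stale reference to the removed float, while the fixed variant walks the siblings whenever a valid float is passed in.

```cpp
#include <algorithm>
#include <cassert>
#include <memory>
#include <set>
#include <vector>

struct Float { int id; };

// Hypothetical stand-in for a block container. floatingObjects models m_floatingObjects;
// intrusiveFloats models floats owned by a sibling that overlap into this block.
struct Block {
    std::unique_ptr<std::set<Float*>> floatingObjects;
    std::vector<Float*> intrusiveFloats;
    bool needsLayout = false;
    std::vector<Block*> siblings;
};

// Step 1 of the message: the reused anon block clears and destroys its float set.
void removeFloatingObjects(Block& b) { b.floatingObjects.reset(); }

static void eraseIntrusive(Block& sibling, Float* f) {
    auto& list = sibling.intrusiveFloats;
    auto it = std::find(list.begin(), list.end(), f);
    if (it == list.end()) return;
    list.erase(it);
    sibling.needsLayout = true; // sibling must re-layout without the float
}

// Pre-fix shape: for (siblings) for (set items), gated on the set still existing.
void markSiblingsWithFloatsForLayoutBuggy(Block& b, Float* floatToRemove) {
    if (!b.floatingObjects)
        return; // set already destroyed at step 1: wrongly assumes no sibling references the float
    for (Block* s : b.siblings)
        for (Float* f : *b.floatingObjects)
            if (!floatToRemove || f == floatToRemove) eraseIntrusive(*s, f);
}

// Post-fix shape: the sibling walk is a lambda that runs for a valid incoming float
// regardless of whether the set still exists; the set is only consulted otherwise.
void markSiblingsWithFloatsForLayoutFixed(Block& b, Float* floatToRemove) {
    auto removeFromSiblings = [&](Float* f) { for (Block* s : b.siblings) eraseIntrusive(*s, f); };
    if (floatToRemove) { removeFromSiblings(floatToRemove); return; }
    if (!b.floatingObjects) return;
    for (Float* f : *b.floatingObjects) removeFromSiblings(f);
}

// Replays steps 1 and 2; returns true if the sibling still references the removed float.
bool siblingStillReferencesFloat(bool useFix) {
    Float f{1};
    Block anon, sibling;
    anon.floatingObjects = std::make_unique<std::set<Float*>>();
    anon.floatingObjects->insert(&f);
    sibling.intrusiveFloats.push_back(&f);
    anon.siblings.push_back(&sibling);
    removeFloatingObjects(anon); // step 1: anon block reused
    if (useFix) markSiblingsWithFloatsForLayoutFixed(anon, &f); // step 2: float removed
    else markSiblingsWithFloatsForLayoutBuggy(anon, &f);
    return std::find(sibling.intrusiveFloats.begin(), sibling.intrusiveFloats.end(), &f)
        != sibling.intrusiveFloats.end();
}
```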

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes