Branch: refs/heads/webkitglib/2.48
  Home:   https://github.com/WebKit/WebKit
  Commit: 30221239d4304c36efb12e5dee82c5e878d55383
https://github.com/WebKit/WebKit/commit/30221239d4304c36efb12e5dee82c5e878d55383
  Author: Alan Baradlay <[email protected]>
  Date:   2025-04-06 (Sun, 06 Apr 2025)

  Changed paths:
    A LayoutTests/fast/block/float-remove-after-block-collapse-crash-expected.txt
    A LayoutTests/fast/block/float-remove-after-block-collapse-crash.html
    M Source/WebCore/rendering/RenderBlockFlow.cpp

  Log Message:
  -----------
  Cherry-pick 293094@main (d9617b11409e). https://bugs.webkit.org/show_bug.cgi?id=290862

    Block reusing may remove floating object too early
    https://bugs.webkit.org/show_bug.cgi?id=290862
    <rdar://147215658>

    Reviewed by Antti Koivisto.

    "Reusing block" type mutations (see RenderTreeBuilder::Inline::splitFlow) followed by float removal may lead to an unexpected state where we have a float to remove, but we have already destroyed m_floatingObjects, causing us to incorrectly assume that the float no longer belongs here (markSiblingsWithFloatsForLayout) and, therefore, does not need to be removed from sibling blocks (in case it is intrusive).

    What happens here is:
    1. tree mutation makes an anon block reused (pre block)
    2. a float is removed from said anon block's subtree

    At #1 we call removeFloatingObjects(), which simply clears and destroys m_floatingObjects on the anon block.
    Now at #2, when we try to remove this float from sibling block containers by calling RenderBlockFlow::markSiblingsWithFloatsForLayout, we consult m_floatingObjects to see if there's any float associated with the block and early return, as we had already cleared this set at #1.

    This patch ensures that when markSiblingsWithFloatsForLayout is called with a valid float, we always try to clean up sibling content.

    * LayoutTests/fast/block/float-remove-after-block-collapse-crash-expected.txt: Added.
    * LayoutTests/fast/block/float-remove-after-block-collapse-crash.html: Added.
    * Source/WebCore/rendering/RenderBlockFlow.cpp:
    (WebCore::RenderBlockFlow::markSiblingsWithFloatsForLayout):
    Change
    for (siblings)
      for (set items)

    to
    for (set items)
      for (siblings)

    so that the 'for (siblings)' logic can be moved to a lambda and used when there's a valid incoming float.

    Canonical link: https://commits.webkit.org/293094@main

Canonical link: https://commits.webkit.org/290945.158@webkitglib/2.48
