Title: [112935] trunk
Revision
112935
Author
[email protected]
Date
2012-04-02 13:58:10 -0700 (Mon, 02 Apr 2012)

Log Message

Crash due to floating object lists not properly being cleared
https://bugs.webkit.org/show_bug.cgi?id=74056

Patch by Ken Buchanan <[email protected]> on 2012-04-02
Reviewed by David Hyatt.

Source/WebCore:

Add a check to clearFloats() that determines when intruding floats
are being cleared and not re-added. In this condition, also mark
descendants that have floats for layout, because they might need
the same intruding floats cleared from their own floating object
lists.

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::clearFloats):

LayoutTests:

This test creates a condition where an intruding float is changed so
that it no longer intrudes. The child of a sibling was not getting
properly updated during the next layout.

* fast/block/float/intruding-float-not-removed-from-descendant-crash-expected.txt: Added
* fast/block/float/intruding-float-not-removed-from-descendant-crash.html: Added


Modified: trunk/LayoutTests/ChangeLog (112934 => 112935)


--- trunk/LayoutTests/ChangeLog	2012-04-02 20:53:26 UTC (rev 112934)
+++ trunk/LayoutTests/ChangeLog	2012-04-02 20:58:10 UTC (rev 112935)
@@ -1,3 +1,17 @@
+2012-04-02  Ken Buchanan  <[email protected]>
+
+        Crash due to floating object lists not properly being cleared
+        https://bugs.webkit.org/show_bug.cgi?id=74056
+
+        Reviewed by David Hyatt.
+
+        This test creates a condition where an intruding float is changed so
+        that it no longer intrudes. The child of a sibling was not getting
+        properly updated during the next layout.
+
+        * fast/block/float/intruding-float-not-removed-from-descendant-crash-expected.txt: Added
+        * fast/block/float/intruding-float-not-removed-from-descendant-crash.html: Added
+
 2012-04-02  Stephen Chenney  <[email protected]>
 
         [chromium] Layout Test svg/text/text-rescale.html is failing

Added: trunk/LayoutTests/fast/block/float/intruding-float-not-removed-from-descendant-crash-expected.txt (0 => 112935)


--- trunk/LayoutTests/fast/block/float/intruding-float-not-removed-from-descendant-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/block/float/intruding-float-not-removed-from-descendant-crash-expected.txt	2012-04-02 20:58:10 UTC (rev 112935)
@@ -0,0 +1,3 @@
+Test passes if it does not crash.
+PASS
+

Added: trunk/LayoutTests/fast/block/float/intruding-float-not-removed-from-descendant-crash.html (0 => 112935)


--- trunk/LayoutTests/fast/block/float/intruding-float-not-removed-from-descendant-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/block/float/intruding-float-not-removed-from-descendant-crash.html	2012-04-02 20:58:10 UTC (rev 112935)
@@ -0,0 +1,54 @@
+<html>
+Test passes if it does not crash.
+<style>
+.div2 { float: none; width: 100px; }
+.div2:nth-last-child(odd) { float: right; }
+.span1 { float: right; height: 100px; }
+.td1 { height: 100px; }
+</style>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+function runTest() {
+span1 = document.createElement('span');
+span1.setAttribute('class', 'span1');
+document.documentElement.appendChild(span1);
+
+div2 = document.createElement('div');
+div2.setAttribute('class', 'div2');
+document.documentElement.appendChild(div2);
+
+document.documentElement.appendChild(document.createElement('div'));
+
+div3 = document.createElement('div');
+document.documentElement.appendChild(div3);
+
+document.documentElement.appendChild(document.createElement('span'));
+document.documentElement.appendChild(document.createElement('span'));
+document.documentElement.appendChild(document.createElement('span'));
+
+span2 = document.createElement('span');
+document.documentElement.appendChild(span2);
+
+document.documentElement.appendChild(document.createElement('div'));
+
+document.body.offsetTop;
+div1 = document.createElement('div');
+td1 = document.createElement('td');
+td1.appendChild(document.createTextNode('PASS'));
+td1.setAttribute('class', 'td1');
+div1.appendChild(td1);
+div2.appendChild(div1);
+
+document.body.offsetTop;
+document.body.appendChild(div3);
+
+document.body.offsetTop;
+span2.appendChild(span1);
+document.createElement("span").appendChild(span2);
+}
+
+window._onload_ = runTest;
+</script>
+</html>
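Review bot: The mutation sequence in runTest() carries no comments saying which step makes the float stop intruding and which layout pass is expected to reach the stale descendant list, so a reader cannot tell which lines are load-bearing for the reproduction. A one-line comment before each `document.body.offsetTop;` (presumably there to force a synchronous layout between mutations), such as `// Force a layout pass so the float lists reflect the tree before the next mutation.`, would document that. Separately, `window._onload_ = runTest;` on the last script line looks like a mail-archive rendering of `window.onload`; as literally written the handler would never run and the test would pass without exercising anything, so the committed file should be checked against the archived copy.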

Modified: trunk/Source/WebCore/ChangeLog (112934 => 112935)


--- trunk/Source/WebCore/ChangeLog	2012-04-02 20:53:26 UTC (rev 112934)
+++ trunk/Source/WebCore/ChangeLog	2012-04-02 20:58:10 UTC (rev 112935)
@@ -1,3 +1,19 @@
+2012-04-02  Ken Buchanan  <[email protected]>
+
+        Crash due to floating object lists not properly being cleared
+        https://bugs.webkit.org/show_bug.cgi?id=74056
+
+        Reviewed by David Hyatt.
+
+        Add a check to clearFloats() that determines when intruding floats
+        are being cleared and not re-added. In this condition, ensure
+        children with floats are also getting layout because they might
+        need to have the same intruding floats cleared from their floating
+        object lists also.
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::clearFloats):
+
 2012-04-02  Seo Sanghyeon  <[email protected]>
 
         Align IDL to Typed Array Specification

Modified: trunk/Source/WebCore/rendering/RenderBlock.cpp (112934 => 112935)


--- trunk/Source/WebCore/rendering/RenderBlock.cpp	2012-04-02 20:53:26 UTC (rev 112934)
+++ trunk/Source/WebCore/rendering/RenderBlock.cpp	2012-04-02 20:58:10 UTC (rev 112935)
@@ -4153,6 +4153,17 @@
     // Clear our positioned floats boolean.
     m_hasPositionedFloats = false;
 
+    HashSet<RenderBox*> oldIntrudingFloatSet;
+    if (!childrenInline() && m_floatingObjects) {
+        const FloatingObjectSet& floatingObjectSet = m_floatingObjects->set();
+        FloatingObjectSetIterator end = floatingObjectSet.end();
+        for (FloatingObjectSetIterator it = floatingObjectSet.begin(); it != end; ++it) {
+            FloatingObject* floatingObject = *it;
+            if (!floatingObject->isDescendant())
+                oldIntrudingFloatSet.add(floatingObject->m_renderer);
+        }
+    }
+
     // Inline blocks are covered by the isReplaced() check in the avoidFloats method.
     if (avoidsFloats() || isRoot() || isRenderView() || isFloatingOrPositioned() || isTableCell()) {
         if (m_floatingObjects) {
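Review bot: The new `oldIntrudingFloatSet` holds raw `RenderBox*` values that are only ever compared against the rebuilt list later in the function and never dereferenced, and that is exactly what makes it safe to keep them across the rest of clearFloats() even if the renderer has since left the tree; in a stale-pointer bug like the one being fixed, that invariant deserves to be stated on the declaration, e.g. `// Renderers of the non-descendant (intruding) floats present before this pass. Used only as identity keys for comparison below; never dereferenced.` The set is also built only when `!childrenInline()`, presumably because the inline-children path tracks removed floats through `floatMap` instead, and that reason is not recorded anywhere near the declaration. clearFloats() begins before this hunk, so the conditions at entry are not visible here.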
@@ -4161,6 +4172,8 @@
         }
         if (layoutPass == PositionedFloatLayoutPass)
             addPositionedFloats();
+        if (!oldIntrudingFloatSet.isEmpty())
+            markAllDescendantsWithFloatsForLayout();
         return;
     }
 
@@ -4271,6 +4284,15 @@
         deleteAllValues(floatMap);
 
         markLinesDirtyInBlockRange(changeLogicalTop, changeLogicalBottom);
+    } else if (!oldIntrudingFloatSet.isEmpty()) {
+        // If there are previously intruding floats that no longer intrude, then children with floats
+        // should also get layout because they might need their floating object lists cleared.
+        const FloatingObjectSet& floatingObjectSet = m_floatingObjects->set();
+        FloatingObjectSetIterator end = floatingObjectSet.end();
+        for (FloatingObjectSetIterator it = floatingObjectSet.begin(); it != end; ++it)
+            oldIntrudingFloatSet.remove((*it)->m_renderer);
+        if (!oldIntrudingFloatSet.isEmpty())
+            markAllDescendantsWithFloatsForLayout();
     }
 }
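Review bot: `m_floatingObjects->set()` at the top of the new `else if` branch is dereferenced without a null check; it holds only because `oldIntrudingFloatSet` is non-empty solely when `m_floatingObjects` was non-null at the start of clearFloats() and the elided middle of the function presumably never resets it, a non-local invariant worth pinning with `ASSERT(m_floatingObjects);` immediately before the `const FloatingObjectSet& floatingObjectSet = ...` line. The branch then calls `markAllDescendantsWithFloatsForLayout()` with no argument, which by its name marks every descendant that has floats rather than only those that referenced the vanished intruders; if that breadth is the intended trade-off, a comment saying so would keep a later maintainer from narrowing it and reintroducing the stale-list crash. The enclosing function starts before this hunk.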
 