Title: [117280] releases/WebKitGTK/webkit-1.8
- Revision: 117280
- Author: [email protected]
- Date: 2012-05-16 06:56:29 -0700 (Wed, 16 May 2012)
Log Message
Merge 113825 - Crash due to intruding float not removed from next siblings.
https://bugs.webkit.org/show_bug.cgi?id=83301
Reviewed by Eric Seidel.
Source/WebCore:

Test: fast/block/float/intruding-float-not-removed-from-next-sibling-crash.html

markSiblingsWithFloatsForLayout currently only handled overhanging floats and made
checks for those by checking if logicalBottomForFloat > our logicalHeight. We need
to take care of intruding floats as well, since these can intrude into the neighbouring
blocks too. So, generalized the function to check all our next siblings if they contain
that float (one getting removed) and if yes, mark it and all its descendants for layout.
This fixes the crash.

For performance, we change the looping condition to iterate over the next sibling
blocks first and find which ones can contain floats and then check them against
our floating object list. Currently, it is the other way around and is less
performant due to repeated calls to isRenderBlock(), isFloatingOrPositioned()
and avoidFloats().

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::markSiblingsWithFloatsForLayout):

LayoutTests:

* fast/block/float/intruding-float-not-removed-from-next-sibling-crash-expected.txt: Added.
* fast/block/float/intruding-float-not-removed-from-next-sibling-crash.html: Added.
Diff
Modified: releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog (117279 => 117280)
--- releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog 2012-05-16 13:56:09 UTC (rev 117279)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog 2012-05-16 13:56:29 UTC (rev 117280)
@@ -1,3 +1,13 @@
+2012-04-10 Abhishek Arya <[email protected]>
+
+ Crash due to intruding float not removed from next siblings.
+ https://bugs.webkit.org/show_bug.cgi?id=83301
+
+ Reviewed by Eric Seidel.
+
+ * fast/block/float/intruding-float-not-removed-from-next-sibling-crash-expected.txt: Added.
+ * fast/block/float/intruding-float-not-removed-from-next-sibling-crash.html: Added.
+
2012-04-09 Abhishek Arya <[email protected]>
ASSERTION FAILED: !attached() in Node::attach.
Added: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/block/float/intruding-float-not-removed-from-next-sibling-crash-expected.txt (0 => 117280)
--- releases/WebKitGTK/webkit-1.8/LayoutTests/fast/block/float/intruding-float-not-removed-from-next-sibling-crash-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/fast/block/float/intruding-float-not-removed-from-next-sibling-crash-expected.txt 2012-05-16 13:56:29 UTC (rev 117280)
@@ -0,0 +1 @@
+PASS. WebKit didn't crash.
Added: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/block/float/intruding-float-not-removed-from-next-sibling-crash.html (0 => 117280)
--- releases/WebKitGTK/webkit-1.8/LayoutTests/fast/block/float/intruding-float-not-removed-from-next-sibling-crash.html (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/fast/block/float/intruding-float-not-removed-from-next-sibling-crash.html 2012-05-16 13:56:29 UTC (rev 117280)
@@ -0,0 +1,44 @@
+<html>
+<head>
+<style>
+#float1 {
+ float: left;
+}
+#div1 {
+ display: table;
+ padding-top: 1em;
+ padding-bottom: 1em;
+ margin-bottom: 1em;
+ -webkit-margin-before: -100px;
+}
+</style>
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+_onload_ = function() {
+document.body.appendChild(document.createElement('select'));
+
+float1 = document.createElement('hr');
+float1.setAttribute('id', 'float1');
+document.body.appendChild(float1);
+
+div1 = document.createElement('div');
+div1.setAttribute('id', 'div1');
+document.body.appendChild(div1);
+div1.appendChild(document.createElement('textarea'));
+
+div2 = document.createElement('div');
+document.body.appendChild(div2);
+div2.appendChild(document.createElement('input'));
+
+document.body.offsetTop;
+document.body.removeChild(float1);
+document.body.offsetTop;
+document.body.innerHTML = "PASS. WebKit didn't crash.";
+}
+</script>
+</head>
+<body>
+</body>
+</html>
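Review bot: in the script block the handler is assigned to `_onload_`, which as written creates a plain global and is never invoked on load, so the DOM setup, the `document.body.removeChild(float1)` step and the final PASS write would not execute and the test could not match its expected output; assign the function to `window.onload` instead. It would also help to comment the two `document.body.offsetTop` reads as forced layouts, since the layout before and the layout after the float's removal are what the test relies on, and to declare `float1`, `div1` and `div2` with `var` rather than leaving them as implicit globals.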
Property changes on: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/block/float/intruding-float-not-removed-from-next-sibling-crash.html
___________________________________________________________________
Added: svn:executable
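Review bot: the new test is added with `svn:executable` set, and an HTML layout test has no reason to be executable; drop the property so the file lands with default permissions.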
Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog (117279 => 117280)
--- releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog 2012-05-16 13:56:09 UTC (rev 117279)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog 2012-05-16 13:56:29 UTC (rev 117280)
@@ -1,3 +1,28 @@
+2012-04-10 Abhishek Arya <[email protected]>
+
+ Crash due to intruding float not removed from next siblings.
+ https://bugs.webkit.org/show_bug.cgi?id=83301
+
+ Reviewed by Eric Seidel.
+
+ Test: fast/block/float/intruding-float-not-removed-from-next-sibling-crash.html
+
+ markSiblingsWithFloatsForLayout currently only handled overhanging floats and made
+ checks for those by checking if logicalBottomForFloat > our logicalHeight. We need
+ to take care of intruding floats as well, since these can intrude into the neighbouring
+ blocks too. So, generalized the function to check all our next siblings if they contains
+ that float (one getting removed) and if yes, mark it and all its descendants for layout.
+ This fixes the crash.
+
+ For performance, we change the looping condition to iterate over the next sibling
+ blocks first and finding which ones can contain floats and then check it against
+ our floating object list. Currently, it is the other way around and is less
+ performant due to repeated calls to isRenderBlock(), isFloatingOrPositioned()
+ and avoidFloats().
+
+ * rendering/RenderBlock.cpp:
+ (WebCore::RenderBlock::markSiblingsWithFloatsForLayout):
+
2012-04-09 Abhishek Arya <[email protected]>
ASSERTION FAILED: !attached() in Node::attach.
Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/RenderBlock.cpp (117279 => 117280)
--- releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/RenderBlock.cpp 2012-05-16 13:56:09 UTC (rev 117279)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/RenderBlock.cpp 2012-05-16 13:56:29 UTC (rev 117280)
@@ -4238,26 +4238,21 @@
{
if (!m_floatingObjects)
return;
+
const FloatingObjectSet& floatingObjectSet = m_floatingObjects->set();
FloatingObjectSetIterator end = floatingObjectSet.end();
- for (FloatingObjectSetIterator it = floatingObjectSet.begin(); it != end; ++it) {
- if (logicalBottomForFloat(*it) > logicalHeight()) {
+
+ for (RenderObject* next = nextSibling(); next; next = next->nextSibling()) {
+ if (!next->isRenderBlock() || next->isFloatingOrPositioned() || toRenderBlock(next)->avoidsFloats())
+ continue;
+
+ RenderBlock* nextBlock = toRenderBlock(next);
+ for (FloatingObjectSetIterator it = floatingObjectSet.begin(); it != end; ++it) {
RenderBox* floatingBox = (*it)->renderer();
if (floatToRemove && floatingBox != floatToRemove)
continue;
-
- RenderObject* next = nextSibling();
- while (next) {
- if (next->isRenderBlock() && !next->isFloatingOrPositioned() && !toRenderBlock(next)->avoidsFloats()) {
- RenderBlock* nextBlock = toRenderBlock(next);
- if (nextBlock->containsFloat(floatingBox))
- nextBlock->markAllDescendantsWithFloatsForLayout(floatingBox);
- else
- break;
- }
-
- next = next->nextSibling();
- }
+ if (nextBlock->containsFloat(floatingBox))
+ nextBlock->markAllDescendantsWithFloatsForLayout(floatingBox);
}
}
}
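Review bot: the new outer loop drops both the `logicalBottomForFloat(*it) > logicalHeight()` filter and the old `else break;`, so every call now walks the whole chain of following siblings and, for each eligible block, the whole floating object set, with no early exit. That is what lets intruding floats be found, but it needs a short comment above the loop explaining why stopping at the first sibling that does not contain the float is not safe, so that a later cleanup does not restore the early exit as an optimization and bring back the crash this change fixes. Two smaller points in the same loop: `toRenderBlock(next)` is evaluated once inside the `if` condition and again for `nextBlock`, so split the condition and do the cast once after the `isRenderBlock()` check; and when `floatToRemove` is non-null the inner loop still scans the full set for every sibling just to match a single renderer.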