Title: [168271] releases/WebKitGTK/webkit-2.4
- Revision
- 168271
- Author
- carlo...@webkit.org
- Date
- 2014-05-05 03:05:16 -0700 (Mon, 05 May 2014)
Log Message
Merge r166428 - In some situations, partial layouts of floating elements produce incorrect results.
https://bugs.webkit.org/show_bug.cgi?id=122668
Reviewed by David Hyatt.
Source/WebCore:
When performing partial layout of float elements and checking if other float
elements are encountered, incorrect results were obtained by not checking
the size of the existing floats vector.
Test: fast/block/float/floats-in-clean-line-crash.html
* rendering/RenderBlockLineLayout.cpp:
(WebCore::RenderBlockFlow::checkFloatsInCleanLine):
LayoutTests:
Added test to ensure an assertion is not reached when performing a partial
layout of float elements in certain situations.
* fast/block/float/floats-in-clean-line-crash-expected.txt: Added.
* fast/block/float/floats-in-clean-line-crash.html: Added.
Modified Paths
Added Paths
Diff
Modified: releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog (168270 => 168271)
--- releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog 2014-05-05 10:01:18 UTC (rev 168270)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog 2014-05-05 10:05:16 UTC (rev 168271)
@@ -1,3 +1,16 @@
+2014-03-28 Radu Stavila <stav...@adobe.com>
+
+ In some situations, partial layouts of floating elements produce incorrect results.
+ https://bugs.webkit.org/show_bug.cgi?id=122668
+
+ Reviewed by David Hyatt.
+
+ Added test to ensure an assertion is not reached when performing a partial
+ layout of float elements in certain situations.
+
+ * fast/block/float/floats-in-clean-line-crash-expected.txt: Added.
+ * fast/block/float/floats-in-clean-line-crash.html: Added.
+
2014-03-28 Myles C. Maxfield <mmaxfi...@apple.com>
Clear SVGInlineTextBox fragments when the text changes.
Added: releases/WebKitGTK/webkit-2.4/LayoutTests/fast/block/float/floats-in-clean-line-crash-expected.txt (0 => 168271)
--- releases/WebKitGTK/webkit-2.4/LayoutTests/fast/block/float/floats-in-clean-line-crash-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/fast/block/float/floats-in-clean-line-crash-expected.txt 2014-05-05 10:05:16 UTC (rev 168271)
@@ -0,0 +1,4 @@
+Bug 122668 - The test passes if it doesn't crash
+1
+A2
+
Added: releases/WebKitGTK/webkit-2.4/LayoutTests/fast/block/float/floats-in-clean-line-crash.html (0 => 168271)
--- releases/WebKitGTK/webkit-2.4/LayoutTests/fast/block/float/floats-in-clean-line-crash.html (rev 0)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/fast/block/float/floats-in-clean-line-crash.html 2014-05-05 10:05:16 UTC (rev 168271)
@@ -0,0 +1,48 @@
+<html>
+ <style>
+ html {
+ height:100%;
+ }
+
+ .test {
+ float:left;
+ }
+ </style>
+
+ <body>
+ <a href="" 122668 - The test passes if it doesn't crash</a>
+ <br id="br">
+ <div class="test">1</div>
+ <div>A<div class="test">2</div><span id="span"></span></div>
+ </body>
+
+ <script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ var br = document.getElementById("br");
+ elem = document.getElementById("span");
+ document.body.parentNode.insertBefore(elem, document.body.nextSibling);
+ try
+ {
+ document.getElementById("br").lookupNamespacePrefix("text", document.getElementById("br"));
+ }
+ catch(e)
+ {
+ }
+
+ var canvas = document.createElement("canvas");
+ canvas.setAttribute("height", "1226");
+ canvas.setAttribute("width", "3391");
+ br.parentNode.insertBefore(canvas, br.nextSibling);
+ var ctx = canvas.getContext("2d");
+ ctx.strokeRect(br.appendChild(document.createElement("olist")).offsetLeft, 65535, 11111111111111111111111111111111, 9223372036);
+ head = document.getElementsByTagName("head")[0];
+ var style = document.createElement("style");
+ style.innerHTML=":first-of-type { \n\
+ position: fixed;\n\
+ } \n\
+ ";
+ head.appendChild(style);
+ </script>
+</html>
Modified: releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog (168270 => 168271)
--- releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog 2014-05-05 10:01:18 UTC (rev 168270)
+++ releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog 2014-05-05 10:05:16 UTC (rev 168271)
@@ -1,3 +1,19 @@
+2014-03-28 Radu Stavila <stav...@adobe.com>
+
+ In some situations, partial layouts of floating elements produce incorrect results.
+ https://bugs.webkit.org/show_bug.cgi?id=122668
+
+ Reviewed by David Hyatt.
+
+ When performing partial layout of float elements and checking if other float
+ elements are encountered, incorrect results were obtained by not checking
+ the size of the existing floats vector.
+
+ Test: fast/block/float/floats-in-clean-line-crash.html
+
+ * rendering/RenderBlockLineLayout.cpp:
+ (WebCore::RenderBlockFlow::checkFloatsInCleanLine):
+
2014-03-28 Myles C. Maxfield <mmaxfi...@apple.com>
Clear SVGInlineTextBox fragments when the text changes.
Modified: releases/WebKitGTK/webkit-2.4/Source/WebCore/rendering/RenderBlockLineLayout.cpp (168270 => 168271)
--- releases/WebKitGTK/webkit-2.4/Source/WebCore/rendering/RenderBlockLineLayout.cpp 2014-05-05 10:01:18 UTC (rev 168270)
+++ releases/WebKitGTK/webkit-2.4/Source/WebCore/rendering/RenderBlockLineLayout.cpp 2014-05-05 10:05:16 UTC (rev 168271)
@@ -1730,6 +1730,11 @@
Vector<RenderBox*>* cleanLineFloats = line->floatsPtr();
if (!cleanLineFloats)
return;
+
+ if (!floats.size()) {
+ encounteredNewFloat = true;
+ return;
+ }
for (auto it = cleanLineFloats->begin(), end = cleanLineFloats->end(); it != end; ++it) {
RenderBox* floatingBox = *it;
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
