Merge r166428 - In some situations, partial layouts of floating eleme…

…nts produce incorrect results. https://bugs.webkit.org/show_bug.cgi?id=122668 Reviewed by David Hyatt. Source/WebCore: When performing partial layout of float elements and checking if other float elements are encountered, incorrect results were obtained by not checking the size of the existing floats vector. Test: fast/block/float/floats-in-clean-line-crash.html * rendering/RenderBlockLineLayout.cpp: (WebCore::RenderBlockFlow::checkFloatsInCleanLine): LayoutTests: Added test to ensure an assertion is not reached when performing a partial layout of float elements in certain situations. * fast/block/float/floats-in-clean-line-crash-expected.txt: Added. * fast/block/float/floats-in-clean-line-crash.html: Added.
WebKit · May 5, 2014 · 41d51b9 · 41d51b9
1 parent 1dbfdb3
commit 41d51b9
Show file tree

Hide file tree

Showing 5 changed files with 86 additions and 0 deletions.
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2014-03-28  Radu Stavila  <stavila@adobe.com>
+
+        In some situations, partial layouts of floating elements produce incorrect results.
+        https://bugs.webkit.org/show_bug.cgi?id=122668
+
+        Reviewed by David Hyatt.
+
+        Added test to ensure an assertion is not reached when performing a partial
+        layout of float elements in certain situations.
+
+        * fast/block/float/floats-in-clean-line-crash-expected.txt: Added.
+        * fast/block/float/floats-in-clean-line-crash.html: Added.
+
 2014-03-28  Myles C. Maxfield  <mmaxfield@apple.com>
 
         Clear SVGInlineTextBox fragments when the text changes.

diff --git a/LayoutTests/fast/block/float/floats-in-clean-line-crash-expected.txt b/LayoutTests/fast/block/float/floats-in-clean-line-crash-expected.txt
@@ -0,0 +1,4 @@
+Bug 122668 - The test passes if it doesn't crash
+1
+A2
+
diff --git a/LayoutTests/fast/block/float/floats-in-clean-line-crash.html b/LayoutTests/fast/block/float/floats-in-clean-line-crash.html
@@ -0,0 +1,48 @@
+<html>
+    <style>
+        html {
+         height:100%; 
+        }
+
+        .test { 
+            float:left; 
+        }
+    </style>
+
+    <body>
+        <a href="https://bugs.webkit.org/show_bug.cgi?id=122668">Bug 122668 - The test passes if it doesn't crash</a>
+        <br id="br">
+        <div class="test">1</div>
+        <div>A<div class="test">2</div><span id="span"></span></div>
+    </body>
+
+    <script>
+        if (window.testRunner)
+            testRunner.dumpAsText();
+
+        var br = document.getElementById("br");
+        elem = document.getElementById("span");
+        document.body.parentNode.insertBefore(elem, document.body.nextSibling);
+        try
+        {
+            document.getElementById("br").lookupNamespacePrefix("text", document.getElementById("br"));
+        }
+        catch(e)
+        {
+        }
+
+        var canvas = document.createElement("canvas");
+        canvas.setAttribute("height", "1226");
+        canvas.setAttribute("width", "3391");
+        br.parentNode.insertBefore(canvas, br.nextSibling);
+        var ctx = canvas.getContext("2d");
+        ctx.strokeRect(br.appendChild(document.createElement("olist")).offsetLeft, 65535, 11111111111111111111111111111111, 9223372036);
+        head = document.getElementsByTagName("head")[0];
+        var style = document.createElement("style");
+        style.innerHTML=":first-of-type { \n\
+        position: fixed;\n\
+        } \n\
+        ";
+        head.appendChild(style);
+    </script>
+</html>
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
@@ -1,3 +1,19 @@
+2014-03-28  Radu Stavila  <stavila@adobe.com>
+
+        In some situations, partial layouts of floating elements produce incorrect results.
+        https://bugs.webkit.org/show_bug.cgi?id=122668
+
+        Reviewed by David Hyatt.
+
+        When performing partial layout of float elements and checking if other float
+        elements are encountered, incorrect results were obtained by not checking
+        the size of the existing floats vector.
+
+        Test: fast/block/float/floats-in-clean-line-crash.html
+
+        * rendering/RenderBlockLineLayout.cpp:
+        (WebCore::RenderBlockFlow::checkFloatsInCleanLine):
+
 2014-03-28  Myles C. Maxfield  <mmaxfield@apple.com>
 
         Clear SVGInlineTextBox fragments when the text changes.

diff --git a/Source/WebCore/rendering/RenderBlockLineLayout.cpp b/Source/WebCore/rendering/RenderBlockLineLayout.cpp
@@ -1730,6 +1730,11 @@ void RenderBlockFlow::checkFloatsInCleanLine(RootInlineBox* line, Vector<FloatWi
     Vector<RenderBox*>* cleanLineFloats = line->floatsPtr();
     if (!cleanLineFloats)
         return;
+
+    if (!floats.size()) {
+        encounteredNewFloat = true;
+        return;
+    }
 
     for (auto it = cleanLineFloats->begin(), end = cleanLineFloats->end(); it != end; ++it) {
         RenderBox* floatingBox = *it;