From 41d51b979dc1433bc8a3b03f9833cbaa6f223de8 Mon Sep 17 00:00:00 2001
From: Radu Stavila <stavila@adobe.com>
Date: Mon, 5 May 2014 10:05:16 +0000
Subject: [PATCH] Merge r166428 - In some situations, partial layouts of
 floating elements produce incorrect results.
 https://bugs.webkit.org/show_bug.cgi?id=122668

Reviewed by David Hyatt.

Source/WebCore:

When performing partial layout of float elements and checking if other float
elements are encountered, incorrect results were obtained by not checking
the size of the existing floats vector.

Test: fast/block/float/floats-in-clean-line-crash.html

* rendering/RenderBlockLineLayout.cpp:
(WebCore::RenderBlockFlow::checkFloatsInCleanLine):

LayoutTests:

Added test to ensure an assertion is not reached when performing a partial
layout of float elements in certain situations.

* fast/block/float/floats-in-clean-line-crash-expected.txt: Added.
* fast/block/float/floats-in-clean-line-crash.html: Added.
---
 LayoutTests/ChangeLog                         | 13 +++++
 .../floats-in-clean-line-crash-expected.txt   |  4 ++
 .../float/floats-in-clean-line-crash.html     | 48 +++++++++++++++++++
 Source/WebCore/ChangeLog                      | 16 +++++++
 .../rendering/RenderBlockLineLayout.cpp       |  5 ++
 5 files changed, 86 insertions(+)
 create mode 100644 LayoutTests/fast/block/float/floats-in-clean-line-crash-expected.txt
 create mode 100644 LayoutTests/fast/block/float/floats-in-clean-line-crash.html

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 7325d02e209d..5f7ccc6b15dc 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2014-03-28  Radu Stavila  <stavila@adobe.com>
+
+        In some situations, partial layouts of floating elements produce incorrect results.
+        https://bugs.webkit.org/show_bug.cgi?id=122668
+
+        Reviewed by David Hyatt.
+
+        Added test to ensure an assertion is not reached when performing a partial
+        layout of float elements in certain situations.
+
+        * fast/block/float/floats-in-clean-line-crash-expected.txt: Added.
+        * fast/block/float/floats-in-clean-line-crash.html: Added.
+
 2014-03-28  Myles C. Maxfield  <mmaxfield@apple.com>
 
         Clear SVGInlineTextBox fragments when the text changes.
diff --git a/LayoutTests/fast/block/float/floats-in-clean-line-crash-expected.txt b/LayoutTests/fast/block/float/floats-in-clean-line-crash-expected.txt
new file mode 100644
index 000000000000..995b885d5bae
--- /dev/null
+++ b/LayoutTests/fast/block/float/floats-in-clean-line-crash-expected.txt
@@ -0,0 +1,4 @@
+Bug 122668 - The test passes if it doesn't crash
+1
+A2
+
diff --git a/LayoutTests/fast/block/float/floats-in-clean-line-crash.html b/LayoutTests/fast/block/float/floats-in-clean-line-crash.html
new file mode 100644
index 000000000000..fc2929d26962
--- /dev/null
+++ b/LayoutTests/fast/block/float/floats-in-clean-line-crash.html
@@ -0,0 +1,48 @@
+<html>
+    <style>
+        html {
+         height:100%; 
+        }
+
+        .test { 
+            float:left; 
+        }
+    </style>
+
+    <body>
+        <a href="https://bugs.webkit.org/show_bug.cgi?id=122668">Bug 122668 - The test passes if it doesn't crash</a>
+        <br id="br">
+        <div class="test">1</div>
+        <div>A<div class="test">2</div><span id="span"></span></div>
+    </body>
+
+    <script>
+        if (window.testRunner)
+            testRunner.dumpAsText();
+
+        var br = document.getElementById("br");
+        elem = document.getElementById("span");
+        document.body.parentNode.insertBefore(elem, document.body.nextSibling);
+        try
+        {
+            document.getElementById("br").lookupNamespacePrefix("text", document.getElementById("br"));
+        }
+        catch(e)
+        {
+        }
+
+        var canvas = document.createElement("canvas");
+        canvas.setAttribute("height", "1226");
+        canvas.setAttribute("width", "3391");
+        br.parentNode.insertBefore(canvas, br.nextSibling);
+        var ctx = canvas.getContext("2d");
+        ctx.strokeRect(br.appendChild(document.createElement("olist")).offsetLeft, 65535, 11111111111111111111111111111111, 9223372036);
+        head = document.getElementsByTagName("head")[0];
+        var style = document.createElement("style");
+        style.innerHTML=":first-of-type { \n\
+        position: fixed;\n\
+        } \n\
+        ";
+        head.appendChild(style);
+    </script>
+</html>
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index e76d51816c41..826242c96ef2 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,19 @@
+2014-03-28  Radu Stavila  <stavila@adobe.com>
+
+        In some situations, partial layouts of floating elements produce incorrect results.
+        https://bugs.webkit.org/show_bug.cgi?id=122668
+
+        Reviewed by David Hyatt.
+
+        When performing partial layout of float elements and checking if other float
+        elements are encountered, incorrect results were obtained by not checking
+        the size of the existing floats vector.
+
+        Test: fast/block/float/floats-in-clean-line-crash.html
+
+        * rendering/RenderBlockLineLayout.cpp:
+        (WebCore::RenderBlockFlow::checkFloatsInCleanLine):
+
 2014-03-28  Myles C. Maxfield  <mmaxfield@apple.com>
 
         Clear SVGInlineTextBox fragments when the text changes.
diff --git a/Source/WebCore/rendering/RenderBlockLineLayout.cpp b/Source/WebCore/rendering/RenderBlockLineLayout.cpp
index a608014b2a2b..3dedad68b7b4 100644
--- a/Source/WebCore/rendering/RenderBlockLineLayout.cpp
+++ b/Source/WebCore/rendering/RenderBlockLineLayout.cpp
@@ -1730,6 +1730,11 @@ void RenderBlockFlow::checkFloatsInCleanLine(RootInlineBox* line, Vector<FloatWi
     Vector<RenderBox*>* cleanLineFloats = line->floatsPtr();
     if (!cleanLineFloats)
         return;
+    
+    if (!floats.size()) {
+        encounteredNewFloat = true;
+        return;
+    }
 
     for (auto it = cleanLineFloats->begin(), end = cleanLineFloats->end(); it != end; ++it) {
         RenderBox* floatingBox = *it;