Skip to content
Permalink
Browse files
Remove floating objects during tree normalization after style changes
https://bugs.webkit.org/show_bug.cgi?id=240797

Reviewed by Darin Adler.

Float boxes define their own block formatting context and thus can't have other intruding
floats. That's why this scenario is not allowed in the code, except in the case when
a regular box with floatting descendants becomes float. In that case the tree might
be temporarily in a semi-correct state until we don't remove the intruding floats.

The current code deals with that by calling rebuildFloatingObjectSetFromIntrudingFloats()
in the subsequent layout. However it's possible that before that a style change kicks in and
mutates the render tree. In that case we could be manipulating stale objects. To prevent
that we can simply directly call removeFloatingObjects() when normalizing the tree after
a style change.

* Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:
(WebCore::RenderTreeBuilder::normalizeTreeAfterStyleChange): Call removeFloatingObjects().

Canonical link: https://commits.webkit.org/250941@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@294779 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  • Loading branch information
svillar committed May 25, 2022
1 parent 664e7ec commit 9c74dc25f27f15e99a8650b801a8b1c0090f5242
Showing 1 changed file with 1 addition and 0 deletions.
@@ -673,6 +673,7 @@ void RenderTreeBuilder::normalizeTreeAfterStyleChange(RenderElement& renderer, R
}
};
clearDescendantFloats();
downcast<RenderBlockFlow>(renderer).removeFloatingObjects();
// Fresh floats need to be reparented if they actually belong to the previous anonymous block.
// It copies the logic of RenderBlock::addChildIgnoringContinuation
if (renderer.previousSibling() && renderer.previousSibling()->isAnonymousBlock())

0 comments on commit 9c74dc2

Please sign in to comment.