Crash due to floats not cleared before starting SVG <text> layout.
[WebKit-https.git] / Source / WebCore / ChangeLog
index 63fe4ac..dced877 100644 (file)
@@ -1,3 +1,20 @@
+2012-04-09  Abhishek Arya  <inferno@chromium.org>
+
+        Crash due to floats not cleared before starting SVG <text> layout.
+        https://bugs.webkit.org/show_bug.cgi?id=83021
+
+        Reviewed by Dirk Schulze.
+
+        Manual Test - ManualTests/svg-text-float-not-removed-crash.html.
+        Can't reproduce the failure in DRT.
+
+        forceLayoutInlineChildren is used in SVG <text> layout and overrides
+        RenderBlock::layoutBlock. However, it missed the 'clearFloats' step,
+        which will cause a crash when trying to access removed renderers.
+
+        * rendering/RenderBlock.h:
+        (WebCore::RenderBlock::forceLayoutInlineChildren):
+
 2012-04-09  Jeffrey Pfau  <jpfau@apple.com>
 
         Filter files from dataTransfer.getData on Mac
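Review bot: The test lines of the new entry ("Manual Test - ManualTests/svg-text-float-not-removed-crash.html." and "Can't reproduce the failure in DRT.") leave this crash fix covered only by a manual test, so a regression in forceLayoutInlineChildren would not be caught by automated runs. Please say briefly why DRT does not reach the failing path, or note a follow-up for an automated test. The description paragraph also records what was missing (the 'clearFloats' step) and the consequence (access to removed renderers), but not what the change to rendering/RenderBlock.h actually does. One sentence stating the change made in forceLayoutInlineChildren would let the entry document the fix as well as the bug.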