Clear sibling floats while splitting inline flow
author bjonesbe@adobe.com <bjonesbe@adobe.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 11 Apr 2014 22:46:02 +0000 (22:46 +0000)
committer bjonesbe@adobe.com <bjonesbe@adobe.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 11 Apr 2014 22:46:02 +0000 (22:46 +0000)
commit 2e24300ba2b054db534f95dec1fd29e50f11c747
tree f9ff30b98f818bd9cdd5d35ceb5aebf66f2b714b
parent db0687fd9c5ba1544cff61495b55ac4ae12870a2
Clear sibling floats while splitting inline flow
https://bugs.webkit.org/show_bug.cgi?id=130905

Reviewed by David Hyatt.

Source/WebCore:

This is a port of a Blink patch by kenrb@chromium.org.
(https://src.chromium.org/viewvc/blink?revision=169658&view=revision)

During RenderInline::splitFlow(), floats are cleared on an anonymous
containingBlock() for the inline being split. This is a problem if
siblings of the block contain references to the same floats, since the
float removal code in markSiblingsWithFloatsForLayout() will not later
find them.

This change also affects RenderBlock::splitFlow() and
RenderBoxModelObject::moveChildrenTo, since those are called in
situations similar to RenderInline::splitFlow().

Test: fast/block/float/split-inline-sibling-of-float-crash.html

* rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::removeFloatingObjects): Add call to
    markSiblingsWithFloatsForLayout() before removing floats.

LayoutTests:

This test will only crash if run with Address Sanitizer or some other
address checking tool.

* fast/block/float/split-inline-sibling-of-float-crash-expected.txt: Added.
* fast/block/float/split-inline-sibling-of-float-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@167166 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/block/float/split-inline-sibling-of-float-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/block/float/split-inline-sibling-of-float-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderBlockFlow.cpp
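The ordering problem the commit message describes, as an added simplified C++ model (not WebKit's code): one block destroys its floats while siblings still hold non-owning pointers to them, and the fix marks those siblings first so their references are dropped before the floats go away. Block, FloatingObject, intrudingFloats and staleReferencesAfterRemoval are assumed names for this model, not WebKit identifiers; the scenario it builds is constructed.

```cpp
#include <algorithm>
#include <cstdint>
#include <memory>
#include <vector>
// Simplified model (not WebKit's code) of the ownership pattern behind this fix: one block
// owns its FloatingObjects; sibling blocks keep non-owning pointers to floats that intrude into them.
struct FloatingObject { int id; };
struct Block {
    Block* parent = nullptr;
    std::vector<Block*> children;                             // siblings are reached via the parent
    std::vector<std::unique_ptr<FloatingObject>> ownedFloats; // floats placed by this block
    std::vector<FloatingObject*> intrudingFloats;             // non-owning refs to siblings' floats
    bool needsLayout = false;
};
// Model of markSiblingsWithFloatsForLayout(): every sibling that references one of this
// block's floats drops that reference and is marked for relayout.
void markSiblingsWithFloatsForLayout(Block& block) {
    if (!block.parent) return;
    for (Block* sibling : block.parent->children) {
        if (sibling == &block) continue;
        auto isOurs = [&](FloatingObject* f) {
            for (auto& o : block.ownedFloats) if (o.get() == f) return true;
            return false;
        };
        auto& refs = sibling->intrudingFloats;
        auto before = refs.size();
        refs.erase(std::remove_if(refs.begin(), refs.end(), isOurs), refs.end());
        if (refs.size() != before) sibling->needsLayout = true;
    }
}
// Pre-patch order: floats are destroyed while siblings still point at them.
void removeFloatingObjectsBuggy(Block& block) { block.ownedFloats.clear(); }
// Patched order: siblings are marked (and their references cleared) before the floats go away.
void removeFloatingObjectsFixed(Block& block) { markSiblingsWithFloatsForLayout(block); block.ownedFloats.clear(); }
// Constructed scenario: parent -> {owner, sibling} sharing one float. Returns how many sibling
// references point at a destroyed float afterwards. Addresses are compared as integers, so
// nothing freed is dereferenced (which is why the real test only crashes under ASan).
int staleReferencesAfterRemoval(bool usePatchedOrder) {
    Block parent, owner, sibling; owner.parent = sibling.parent = &parent;
    parent.children = {&owner, &sibling};
    owner.ownedFloats.push_back(std::unique_ptr<FloatingObject>(new FloatingObject{1}));
    sibling.intrudingFloats.push_back(owner.ownedFloats.back().get());
    auto freedAddr = reinterpret_cast<std::uintptr_t>(owner.ownedFloats.back().get());
    if (usePatchedOrder) removeFloatingObjectsFixed(owner); else removeFloatingObjectsBuggy(owner);
    int stale = 0;
    for (FloatingObject* f : sibling.intrudingFloats)
        if (reinterpret_cast<std::uintptr_t>(f) == freedAddr) ++stale;
    return stale;
}
```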