Crash due to floats not cleared before starting SVG <text> layout.
author inferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 9 Apr 2012 18:21:05 +0000 (18:21 +0000)
committer inferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 9 Apr 2012 18:21:05 +0000 (18:21 +0000)
commit a0ebb96d4fe0c916c1e2af2c7df33943764d8101
tree d8ba7f1eb6a1d9403c03b4b4e68499a9a6db9b93
parent 19fa3ac97688f1fe62dc2514e937477c5d0dd8dd
Crash due to floats not cleared before starting SVG <text> layout.
https://bugs.webkit.org/show_bug.cgi?id=83021

Reviewed by Dirk Schulze.

.:

* ManualTests/svg-text-float-not-removed-crash.html: Added.

Source/WebCore:

Manual Test - ManualTests/svg-text-float-not-removed-crash.html.
Can't reproduce the failure in DRT.

forceLayoutInlineChildren is used in SVG <text> layout and overrides
RenderBlock::layoutBlock. However, it missed the 'clearFloats' step,
which will cause a crash when trying to access removed renderers.

* rendering/RenderBlock.h:
(WebCore::RenderBlock::forceLayoutInlineChildren):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@113597 268f45cc-cd09-0410-ab3c-d52691b4dbfc
ChangeLog
ManualTests/svg-text-float-not-removed-crash.html [new file with mode: 0755]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderBlock.h