Remove invalid float from RootInlineBox.
authorzalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 29 Oct 2014 21:13:12 +0000 (21:13 +0000)
committerzalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 29 Oct 2014 21:13:12 +0000 (21:13 +0000)
commitff0af9f01f1913678924927b5aa49a9992beac27
treef73591b57d80ddf72623bc48f95887a9f959afe0
parent15ef55f3e814621cd54affd39f4795ac66e6126f
Remove invalid float from RootInlineBox.
https://bugs.webkit.org/show_bug.cgi?id=137707

Reviewed by Antti Koivisto.

In certain cases, floating boxes get attached to the last (root) inline box.
When this particular floating box gets destroyed, it also needs to be detached
from the last inline box.
Source/WebCore:

1. Introduce RootInlineBox::removeFloat() (vs. RootInlineBox::appendFloat())
2. Ensure that it is called when the floating box is being destroyed.

Test: fast/inline/crash-when-inline-box-has-invalid-float.html

* rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::removeFloatingObject):
(WebCore::RenderBlockFlow::markAllDescendantsWithFloatsForLayout): During style recalc, while
tearing down the render tree, we can get to a state where a block element has both inline and block children.
It happens when the style change on an element makes sibling anonymous block wrappers detached.
In that case the markAllDescendantsWithFloatsForLayout() call does not get propagated down on the
block child elements as we return early at the childrenInline() check.
* rendering/RootInlineBox.h:
(WebCore::RootInlineBox::removeFloat):

LayoutTests:

* fast/inline/crash-when-inline-box-has-invalid-float-expected.txt: Added.
* fast/inline/crash-when-inline-box-has-invalid-float.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@175345 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/inline/crash-when-inline-box-has-invalid-float-expected.txt [new file with mode: 0644]
LayoutTests/fast/inline/crash-when-inline-box-has-invalid-float.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderBlockFlow.cpp
Source/WebCore/rendering/RootInlineBox.h