In some situations, partial layouts of floating elements produce incorrect results.
author: stavila@adobe.com <stavila@adobe.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 28 Mar 2014 21:55:46 +0000 (21:55 +0000)
committer: stavila@adobe.com <stavila@adobe.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 28 Mar 2014 21:55:46 +0000 (21:55 +0000)
https://bugs.webkit.org/show_bug.cgi?id=122668

Reviewed by David Hyatt.

Source/WebCore:

When performing partial layout of float elements and checking if other float
elements are encountered, incorrect results were obtained by not checking
the size of the existing floats vector.

Test: fast/block/float/floats-in-clean-line-crash.html

* rendering/RenderBlockLineLayout.cpp:
(WebCore::RenderBlockFlow::checkFloatsInCleanLine):

LayoutTests:

Added test to ensure an assertion is not reached when performing a partial
layout of float elements in certain situations.

* fast/block/float/floats-in-clean-line-crash-expected.txt: Added.
* fast/block/float/floats-in-clean-line-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@166428 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/block/float/floats-in-clean-line-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/block/float/floats-in-clean-line-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderBlockLineLayout.cpp

index f6cd911..41e2f9c 100644 (file)
@@ -1,3 +1,16 @@
+2014-03-28  Radu Stavila  <stavila@adobe.com>
+
+        In some situations, partial layouts of floating elements produce incorrect results.
+        https://bugs.webkit.org/show_bug.cgi?id=122668
+
+        Reviewed by David Hyatt.
+
+        Added test to ensure an assertion is not reached when performing a partial
+        layout of float elements in certain situations.
+
+        * fast/block/float/floats-in-clean-line-crash-expected.txt: Added.
+        * fast/block/float/floats-in-clean-line-crash.html: Added.
+
 2014-03-28  Brent Fulgham  <bfulgham@apple.com>
 
         Unreviewed gardening. Make WebVTT tests less flaky by ensuring captions are set to display
diff --git a/LayoutTests/fast/block/float/floats-in-clean-line-crash-expected.txt b/LayoutTests/fast/block/float/floats-in-clean-line-crash-expected.txt
new file mode 100644 (file)
index 0000000..995b885
--- /dev/null
@@ -0,0 +1,4 @@
+Bug 122668 - The test passes if it doesn't crash
+1
+A2
+
diff --git a/LayoutTests/fast/block/float/floats-in-clean-line-crash.html b/LayoutTests/fast/block/float/floats-in-clean-line-crash.html
new file mode 100644 (file)
index 0000000..fc2929d
--- /dev/null
@@ -0,0 +1,48 @@
+<html>
+    <style>
+        html {
+         height:100%; 
+        }
+
+        .test { 
+            float:left; 
+        }
+    </style>
+
+    <body>
+        <a href="https://bugs.webkit.org/show_bug.cgi?id=122668">Bug 122668 - The test passes if it doesn't crash</a>
+        <br id="br">
+        <div class="test">1</div>
+        <div>A<div class="test">2</div><span id="span"></span></div>
+    </body>
+
+    <script>
+        if (window.testRunner)
+            testRunner.dumpAsText();
+
+        var br = document.getElementById("br");
+        elem = document.getElementById("span");
+        document.body.parentNode.insertBefore(elem, document.body.nextSibling);
+        try
+        {
+            document.getElementById("br").lookupNamespacePrefix("text", document.getElementById("br"));
+        }
+        catch(e)
+        {
+        }
+
+        var canvas = document.createElement("canvas");
+        canvas.setAttribute("height", "1226");
+        canvas.setAttribute("width", "3391");
+        br.parentNode.insertBefore(canvas, br.nextSibling);
+        var ctx = canvas.getContext("2d");
+        ctx.strokeRect(br.appendChild(document.createElement("olist")).offsetLeft, 65535, 11111111111111111111111111111111, 9223372036);
+        head = document.getElementsByTagName("head")[0];
+        var style = document.createElement("style");
+        style.innerHTML=":first-of-type { \n\
+        position: fixed;\n\
+        } \n\
+        ";
+        head.appendChild(style);
+    </script>
+</html>
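Review bot: `elem` and `head` are assigned without `var` (`elem = document.getElementById("span");` and `head = document.getElementsByTagName("head")[0];`), creating implicit globals; declare them the way `br` and `canvas` are. The `try { ... lookupNamespacePrefix(...) } catch(e) { }` block swallows every exception with an empty catch and no comment, so a reader cannot tell whether that call is expected to succeed or to throw as part of the reduced repro; a one-line comment would help. The file also has no DOCTYPE, so it renders in quirks mode; if quirks mode is needed to reproduce the crash, say so in the test, otherwise add `<!DOCTYPE html>`.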
index 2c9e9a1..b571744 100644 (file)
@@ -1,3 +1,19 @@
+2014-03-28  Radu Stavila  <stavila@adobe.com>
+
+        In some situations, partial layouts of floating elements produce incorrect results.
+        https://bugs.webkit.org/show_bug.cgi?id=122668
+
+        Reviewed by David Hyatt.
+
+        When performing partial layout of float elements and checking if other float
+        elements are encountered, incorrect results were obtained by not checking
+        the size of the existing floats vector.
+
+        Test: fast/block/float/floats-in-clean-line-crash.html
+
+        * rendering/RenderBlockLineLayout.cpp:
+        (WebCore::RenderBlockFlow::checkFloatsInCleanLine):
+
 2014-03-28  Beth Dakin  <bdakin@apple.com>
 
         Build fix.
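Review bot: the entry `(WebCore::RenderBlockFlow::checkFloatsInCleanLine):` has no per-function description under it; add a line stating what changed in that function (that it now sets `encounteredNewFloat` and returns early when the incoming `floats` vector is empty), so the ChangeLog describes the actual fix rather than only naming the function.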
index 5c3e0c1..e1af81f 100644 (file)
@@ -1466,6 +1466,11 @@ void RenderBlockFlow::checkFloatsInCleanLine(RootInlineBox* line, Vector<FloatWi
     Vector<RenderBox*>* cleanLineFloats = line->floatsPtr();
     if (!cleanLineFloats)
         return;
+    
+    if (!floats.size()) {
+        encounteredNewFloat = true;
+        return;
+    }
 
     for (auto it = cleanLineFloats->begin(), end = cleanLineFloats->end(); it != end; ++it) {
         RenderBox* floatingBox = *it;
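Review bot: the new early return fires whenever `floats` is empty, including the case where `cleanLineFloats` is non-null but holds no entries, where the existing loop would have run zero times and left `encounteredNewFloat` untouched; if forcing the relayout in that case is intended, a short comment saying so would help, otherwise also require `!cleanLineFloats->isEmpty()` before setting `encounteredNewFloat = true`. Prefer `floats.isEmpty()` over `!floats.size()` for readability, and the added blank line `+    ` carries trailing whitespace that should be stripped.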