REGRESSION (r199054): CrashTracer: [USER] parseWebKit at WebCore: WebCore::RenderBlockFlow::checkFloatsInCleanLine + 107
authorantti@apple.com <antti@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 7 Jul 2016 21:24:45 +0000 (21:24 +0000)
committerantti@apple.com <antti@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 7 Jul 2016 21:24:45 +0000 (21:24 +0000)
https://bugs.webkit.org/show_bug.cgi?id=159519

Reviewed by Zalan Bujtas.

Source/WebCore:

Test: fast/inline/trailing-floats-inline-crash.html

* rendering/RenderBlockLineLayout.cpp:
(WebCore::RenderBlockFlow::checkFloatsInCleanLine):

    Use the existing deletionHasBegun bit in RenderStyle to assert against this reliably.

* rendering/RenderLineBoxList.cpp:
(WebCore::RenderLineBoxList::dirtyLinesFromChangedChild):

    In some cases a special TrailingFloatsRootInlineBox may be added as the last root linebox of a flow.
    If it is combined with br the existing invalidation that invalidates the next and previous line may
    not be sufficient. Test for this case and invalidate the TrailingFloatsRootInlineBox too if it exists.

* rendering/RootInlineBox.h:
(WebCore::RootInlineBox::isTrailingFloatsRootInlineBox):
* rendering/TrailingFloatsRootInlineBox.h:
* rendering/style/RenderStyle.h:
(WebCore::RenderStyle::deletionHasBegun):

    Expose the bit in debug.

LayoutTests:

* fast/inline/trailing-floats-inline-crash-expected.txt: Added.
* fast/inline/trailing-floats-inline-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@202931 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/inline/trailing-floats-inline-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/inline/trailing-floats-inline-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderBlockLineLayout.cpp
Source/WebCore/rendering/RenderLineBoxList.cpp
Source/WebCore/rendering/RootInlineBox.h
Source/WebCore/rendering/TrailingFloatsRootInlineBox.h
Source/WebCore/rendering/style/RenderStyle.h

index 2fffb1b..ebeb4b4 100644 (file)
@@ -1,3 +1,13 @@
+2016-07-07  Antti Koivisto  <antti@apple.com>
+
+        REGRESSION (r199054): CrashTracer: [USER] parseWebKit at WebCore: WebCore::RenderBlockFlow::checkFloatsInCleanLine + 107
+        https://bugs.webkit.org/show_bug.cgi?id=159519
+
+        Reviewed by Zalan Bujtas.
+
+        * fast/inline/trailing-floats-inline-crash-expected.txt: Added.
+        * fast/inline/trailing-floats-inline-crash.html: Added.
+
 2016-07-07  Commit Queue  <commit-queue@webkit.org>
 
         Unreviewed, rolling out r202905 and r202911.
diff --git a/LayoutTests/fast/inline/trailing-floats-inline-crash-expected.txt b/LayoutTests/fast/inline/trailing-floats-inline-crash-expected.txt
new file mode 100644 (file)
index 0000000..6b9a2fd
--- /dev/null
@@ -0,0 +1,5 @@
+This test passes if it doesn't crash.
+
+
+
+BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAC
diff --git a/LayoutTests/fast/inline/trailing-floats-inline-crash.html b/LayoutTests/fast/inline/trailing-floats-inline-crash.html
new file mode 100644 (file)
index 0000000..235184b
--- /dev/null
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+  :last-child {float:left;}
+</style>
+</head>
+
+<body>
+This test passes if it doesn't crash.
+<nav></nav>
+<br>
+<article>
+<pre></pre>
+<br>
+<content>
+<br>
+<select></select>
+<script id="webtest14">
+document.body.contentEditable = "true";
+document.execCommand("SelectAll");
+document.execCommand("StrikeThrough");
+if (window.testRunner)
+       testRunner.dumpAsText();
+</script>
+BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAC
+</body>
+</html>
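Review bot: The pass condition is "doesn't crash", but the defect this test regresses is a use-after-free of a float's RenderBox, which in a release build without ASan can go unnoticed because the freed memory may still be readable; only the new debug-only assertion or an ASan run makes the failure deterministic. That is acceptable for a crash test, but nothing in the file says what it is exercising, so the next person who simplifies the markup cannot tell which parts matter — the `:last-child {float:left;}` rule, the `<br>` sequence and the editing commands all look deliberate. Suggest a leading comment such as `<!-- Looks reduced from a fuzzer case (bug 159519): floating the :last-child plus the <br> sequence leaves a stale TrailingFloatsRootInlineBox; detected in debug by ASSERT_WITH_SECURITY_IMPLICATION in RenderBlockFlow::checkFloatsInCleanLine. -->`. The `<content>` element also appears to be part of the reduction; if that element is ever dropped from the parser the test may silently stop producing the line-box shape the bug needs, so it is worth calling out in the same comment.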
index f284e84..c1b5940 100644 (file)
@@ -1,3 +1,32 @@
+2016-07-07  Antti Koivisto  <antti@apple.com>
+
+        REGRESSION (r199054): CrashTracer: [USER] parseWebKit at WebCore: WebCore::RenderBlockFlow::checkFloatsInCleanLine + 107
+        https://bugs.webkit.org/show_bug.cgi?id=159519
+
+        Reviewed by Zalan Bujtas.
+
+        Test: fast/inline/trailing-floats-inline-crash.html
+
+        * rendering/RenderBlockLineLayout.cpp:
+        (WebCore::RenderBlockFlow::checkFloatsInCleanLine):
+
+            Use the existing deletionHasBegun bit in RenderStyle to assert against this reliably.
+
+        * rendering/RenderLineBoxList.cpp:
+        (WebCore::RenderLineBoxList::dirtyLinesFromChangedChild):
+
+            In some cases a special TrailingFloatsRootInlineBox may be added as the last root linebox of a flow.
+            If it is combined with br the existing invalidation that invalidates the next and previous line may
+            not be sufficient. Test for this case and invalidate the TrailingFloatsRootInlineBox too if it exists.
+
+        * rendering/RootInlineBox.h:
+        (WebCore::RootInlineBox::isTrailingFloatsRootInlineBox):
+        * rendering/TrailingFloatsRootInlineBox.h:
+        * rendering/style/RenderStyle.h:
+        (WebCore::RenderStyle::deletionHasBegun):
+
+            Expose the bit in debug.
+
 2016-07-07  Alex Christensen  <achristensen@webkit.org>
 
         Use SocketProvider to create WebSocketChannels
index 8e6abc2..9f6fbc2 100644 (file)
@@ -1788,6 +1788,7 @@ void RenderBlockFlow::checkFloatsInCleanLine(RootInlineBox* line, Vector<FloatWi
 
     for (auto it = cleanLineFloats->begin(), end = cleanLineFloats->end(); it != end; ++it) {
         RenderBox* floatingBox = *it;
+        ASSERT_WITH_SECURITY_IMPLICATION(!floatingBox->style().deletionHasBegun());
         floatingBox->layoutIfNeeded();
         LayoutSize newSize(floatingBox->width() + floatingBox->horizontalMarginExtent(), floatingBox->height() + floatingBox->verticalMarginExtent());
         ASSERT_WITH_SECURITY_IMPLICATION(floatIndex < floats.size());
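Review bot: The added assertion at the top of the loop is detection only: ASSERT_WITH_SECURITY_IMPLICATION compiles away in builds that disable it, so in release this loop still calls `layoutIfNeeded()` on whatever `cleanLineFloats` holds, and the actual protection is the invalidation change in RenderLineBoxList. A comment would keep the next reader from mistaking it for a guard: `// Debug-only detector for the stale-float case fixed in RenderLineBoxList::dirtyLinesFromChangedChild; a float owned by a "clean" line must not be mid-destruction.` Note also that the check dereferences `floatingBox` to reach `style()`, so it presumably only fires while the renderer's memory is still intact — it complements, rather than replaces, ASan coverage of the new layout test. checkFloatsInCleanLine begins before this hunk and its loop body continues past it.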
index be6a22f..e1ff803 100644 (file)
@@ -382,8 +382,15 @@ void RenderLineBoxList::dirtyLinesFromChangedChild(RenderBoxModelObject& contain
 
         // FIXME: We shouldn't need to always dirty the next line. This is only strictly 
         // necessary some of the time, in situations involving BRs.
-        if (RootInlineBox* nextBox = box->nextRootBox())
+        if (RootInlineBox* nextBox = box->nextRootBox()) {
             nextBox->markDirty();
+
+            // Special root box for floats may be added at the end of the list. If this occurs with BRs we need to invalidate it explicitly.
+            if (auto* nextNextBox = nextBox->nextRootBox()) {
+                if (nextNextBox->isTrailingFloatsRootInlineBox())
+                    nextNextBox->markDirty();
+            }
+        }
     }
 }
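Review bot: The new lookahead examines only the single root box after `nextBox`, so it covers exactly the shape described in the ChangeLog (changed line, BR line, then the trailing-floats root box) and nothing further along; if the flow's last root box can sit more than two boxes past `box`, a stale TrailingFloatsRootInlineBox would again be left clean and its floats would again reach checkFloatsInCleanLine holding a possibly deleted RenderBox. Since the ChangeLog states this box is only ever added as the last root line box of the flow, testing whether the list's last root box `isTrailingFloatsRootInlineBox()` and marking it dirty would be more robust than counting hops — I am not certain which accessor this list exposes for its last root box, so confirm before adopting. A small style point: the existing line above names the type (`RootInlineBox* nextBox`) while the adjacent new line uses `auto* nextNextBox`; pick one for the pair. dirtyLinesFromChangedChild starts before this hunk.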
 
index e860b86..d5eb16f 100644 (file)
@@ -190,6 +190,8 @@ public:
     Node* getLogicalStartBoxWithNode(InlineBox*&) const;
     Node* getLogicalEndBoxWithNode(InlineBox*&) const;
 
+    virtual bool isTrailingFloatsRootInlineBox() const { return false; }
+
 #if ENABLE(TREE_DEBUGGING)
     const char* boxName() const final;
 #endif
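Review bot: The new virtual predicate carries no comment saying which box answers true, and `isTrailingFloatsRootInlineBox` reads like a generic type test rather than the invalidation hook it is used as. Suggest `// True only for the synthetic root box that may be appended as the last root line box of a flow to hold trailing floats (see TrailingFloatsRootInlineBox.h).` above the declaration. The enclosing class starts and ends outside this hunk.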
index ddb7136..b174da6 100644 (file)
@@ -40,6 +40,7 @@ public:
 
 private:
     float virtualLogicalHeight() const override { return 0; }
+    bool isTrailingFloatsRootInlineBox() const final { return true; }
 };
 
 } // namespace WebCore
index 3ea3318..c9912a9 100644 (file)
@@ -498,6 +498,10 @@ public:
     static RenderStyle createAnonymousStyleWithDisplay(const RenderStyle& parentStyle, EDisplay);
     static RenderStyle createStyleInheritingFromPseudoStyle(const RenderStyle& pseudoStyle);
 
+#if !ASSERT_DISABLED
+    bool deletionHasBegun() const { return m_deletionHasBegun; }
+#endif
+
     ContentPosition resolvedJustifyContentPosition(const StyleContentAlignmentData& normalValueBehavior) const;
     ContentDistributionType resolvedJustifyContentDistribution(const StyleContentAlignmentData& normalValueBehavior) const;
     ContentPosition resolvedAlignContentPosition(const StyleContentAlignmentData& normalValueBehavior) const;
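Review bot: The accessor is compiled in only under `#if !ASSERT_DISABLED`, yet its sole caller in this commit is an `ASSERT_WITH_SECURITY_IMPLICATION`; if WTF allows that macro to remain active in a build with ordinary assertions disabled (the `ENABLE(SECURITY_ASSERTIONS)` configuration, if I recall it correctly), such a build would fail to compile at the call site in RenderBlockLineLayout.cpp. Gating the declaration on the same condition that enables the macro — `#if !ASSERT_WITH_SECURITY_IMPLICATION_DISABLED`, or whatever symbol WTF/Assertions.h actually provides — would keep the two in step; please check the header before changing. The getter also deserves a one-line comment, e.g. `// Debug aid only: reports whether destruction of this style has begun (assumes the flag is set in the destructor, which is not visible here).` The enclosing class starts and ends outside this hunk.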