Infinite recursion crash in WebCore::RenderBlockFlow::layoutBlock

https://bugs.webkit.org/show_bug.cgi?id=139474
<rdar://problem/27705190>

Reviewed by David Hyatt.

Source/WebCore:

We should just give up trying to avoid widow when the page is too small to break line.

Test: fast/multicol/assert-on-small-page-height-with-widow.html

* rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::clearShouldBreakAtLineToAvoidWidowIfNeeded):
(WebCore::RenderBlockFlow::adjustLinePositionForPagination):
* rendering/RenderBlockFlow.h:

LayoutTests:

* fast/multicol/assert-on-small-page-height-with-widow-expected.txt: Added.
* fast/multicol/assert-on-small-page-height-with-widow.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@204980 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index f0999b1..54b3f67 100644 (file)
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2016-08-25  Zalan Bujtas  <zalan@apple.com>
+
+        Infinite recursion crash in WebCore::RenderBlockFlow::layoutBlock
+        https://bugs.webkit.org/show_bug.cgi?id=139474
+        <rdar://problem/27705190>
+
+        Reviewed by David Hyatt.
+
+        * fast/multicol/assert-on-small-page-height-with-widow-expected.txt: Added.
+        * fast/multicol/assert-on-small-page-height-with-widow.html: Added.
+
 2016-08-25  Johan K. Jensen  <johan_jensen@apple.com>
 
         Update the Resource Timing implementation

diff --git a/LayoutTests/fast/multicol/assert-on-small-page-height-with-widow-expected.txt b/LayoutTests/fast/multicol/assert-on-small-page-height-with-widow-expected.txt
new file mode 100644 (file)
index 0000000..fa66891
--- /dev/null
+++ b/LayoutTests/fast/multicol/assert-on-small-page-height-with-widow-expected.txt
@@ -0,0 +1,3 @@
+PASS if no assert in debug.
+
+

diff --git a/LayoutTests/fast/multicol/assert-on-small-page-height-with-widow.html b/LayoutTests/fast/multicol/assert-on-small-page-height-with-widow.html
new file mode 100644 (file)
index 0000000..263d856
--- /dev/null
+++ b/LayoutTests/fast/multicol/assert-on-small-page-height-with-widow.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>This tests that.</title>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<style>
+html {
+    -webkit-column-count: 3;
+}
+
+body {
+    max-height: 0px;
+    -webkit-column-count: 3;
+    widows: 2;   
+}
+span {
+    margin-right: -1px;
+}
+</style>
+</head>
+<body>
+PASS if no assert in debug.<input><br><br>
+<span></span>
+</body>
+</html>

diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index a665c1b..f16fbba 100644 (file)
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,20 @@
+2016-08-25  Zalan Bujtas  <zalan@apple.com>
+
+        Infinite recursion crash in WebCore::RenderBlockFlow::layoutBlock
+        https://bugs.webkit.org/show_bug.cgi?id=139474
+        <rdar://problem/27705190>
+
+        Reviewed by David Hyatt.
+
+        We should just give up trying to avoid widow when the page is too small to break line.
+
+        Test: fast/multicol/assert-on-small-page-height-with-widow.html
+
+        * rendering/RenderBlockFlow.cpp:
+        (WebCore::RenderBlockFlow::clearShouldBreakAtLineToAvoidWidowIfNeeded):
+        (WebCore::RenderBlockFlow::adjustLinePositionForPagination):
+        * rendering/RenderBlockFlow.h:
+
 2016-08-24  Sam Weinig  <sam@webkit.org>
 
         Add the ability to override the implementation name of IDL enums and dictionaries

diff --git a/Source/WebCore/rendering/RenderBlockFlow.cpp b/Source/WebCore/rendering/RenderBlockFlow.cpp
index 6636150..bc4fe1e 100644 (file)
--- a/Source/WebCore/rendering/RenderBlockFlow.cpp
+++ b/Source/WebCore/rendering/RenderBlockFlow.cpp
@@ -1650,7 +1650,15 @@ static inline bool needsAppleMailPaginationQuirk(RootInlineBox& lineBox)
 
     return false;
 }
-    
+
+static void clearShouldBreakAtLineToAvoidWidowIfNeeded(RenderBlockFlow& blockFlow)
+{
+    if (!blockFlow.shouldBreakAtLineToAvoidWidow())
+        return;
+    blockFlow.clearShouldBreakAtLineToAvoidWidow();
+    blockFlow.setDidBreakAtLineToAvoidWidow();
+}
+
 void RenderBlockFlow::adjustLinePositionForPagination(RootInlineBox* lineBox, LayoutUnit& delta, bool& overflowsRegion, RenderFlowThread* flowThread)
 {
     // FIXME: Ignore anonymous inline blocks. Handle the delta already having been set because of
@@ -1704,8 +1712,11 @@ void RenderBlockFlow::adjustLinePositionForPagination(RootInlineBox* lineBox, La
         logicalBottom = intMinForLayoutUnit;
         lineBox->computeReplacedAndTextLineTopAndBottom(logicalOffset, logicalBottom);
         lineHeight = logicalBottom - logicalOffset;
-        if (logicalOffset == intMaxForLayoutUnit || lineHeight > pageLogicalHeight)
-            return; // Give up. We're genuinely too big even after excluding blank space and overflow.
+        if (logicalOffset == intMaxForLayoutUnit || lineHeight > pageLogicalHeight) {
+            // Give up. We're genuinely too big even after excluding blank space and overflow.
+            clearShouldBreakAtLineToAvoidWidowIfNeeded(*this);
+            return;
+        }
         pageLogicalHeight = pageLogicalHeightForOffset(logicalOffset);
     }
     
@@ -1714,10 +1725,8 @@ void RenderBlockFlow::adjustLinePositionForPagination(RootInlineBox* lineBox, La
 
     int lineIndex = lineCount(lineBox);
     if (remainingLogicalHeight < lineHeight || (shouldBreakAtLineToAvoidWidow() && lineBreakToAvoidWidow() == lineIndex)) {
-        if (shouldBreakAtLineToAvoidWidow() && lineBreakToAvoidWidow() == lineIndex) {
-            clearShouldBreakAtLineToAvoidWidow();
-            setDidBreakAtLineToAvoidWidow();
-        }
+        if (lineBreakToAvoidWidow() == lineIndex)
+            clearShouldBreakAtLineToAvoidWidowIfNeeded(*this);
         // If we have a non-uniform page height, then we have to shift further possibly.
         if (!hasUniformPageLogicalHeight && !pushToNextPageWithMinimumLogicalHeight(remainingLogicalHeight, logicalOffset, lineHeight))
             return;