<rdar://problem/9768483> REGRESSION: Crash in RenderBlock::removeFloatingObjectsBelow()
author mitz@apple.com <mitz@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 21 Sep 2011 18:45:56 +0000 (18:45 +0000)
committer mitz@apple.com <mitz@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 21 Sep 2011 18:45:56 +0000 (18:45 +0000)
https://bugs.webkit.org/show_bug.cgi?id=68550

Reviewed by Darin Adler.

Source/WebCore:

Test: fast/multicol/null-lastFloat-in-removeFloatingObjectsBelow.html

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::removeFloatingObjectsBelow): Break out of the while() loop when the
floating object set is empty, which can happen if there were no floats on previous lines
(in which case, lastFloat is 0).

LayoutTests:

* fast/multicol/null-lastFloat-in-removeFloatingObjectsBelow-expected.txt: Added.
* fast/multicol/null-lastFloat-in-removeFloatingObjectsBelow.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@95654 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/multicol/null-lastFloat-in-removeFloatingObjectsBelow-expected.txt [new file with mode: 0644]
LayoutTests/fast/multicol/null-lastFloat-in-removeFloatingObjectsBelow.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderBlock.cpp

index b63454ae72281dbc6408dc6c7cdcd7e28ce98aea..d8cb5e2214290ba08d05b482f95d9c7633b75478 100644 (file)
@@ -1,3 +1,13 @@
+2011-09-21  Dan Bernstein  <mitz@apple.com>
+
+        <rdar://problem/9768483> REGRESSION: Crash in RenderBlock::removeFloatingObjectsBelow()
+        https://bugs.webkit.org/show_bug.cgi?id=68550
+
+        Reviewed by Darin Adler.
+
+        * fast/multicol/null-lastFloat-in-removeFloatingObjectsBelow-expected.txt: Added.
+        * fast/multicol/null-lastFloat-in-removeFloatingObjectsBelow.html: Added.
+
 2011-09-21  Dmitry Lomov  <dslomov@google.com>
 
         Fixed bug number in test expectations. 
 2011-09-21  Dmitry Lomov  <dslomov@google.com>
 
         Fixed bug number in test expectations. 
diff --git a/LayoutTests/fast/multicol/null-lastFloat-in-removeFloatingObjectsBelow-expected.txt b/LayoutTests/fast/multicol/null-lastFloat-in-removeFloatingObjectsBelow-expected.txt
new file mode 100644 (file)
index 0000000..cd5b344
--- /dev/null
@@ -0,0 +1,6 @@
+Test for https://bugs.webkit.org/show_bug.cgi?id=68550 REGRESSION: Crash in RenderBlock::removeFloatingObjectsBelow().
+
+The test passes if it does not cause a crash or assertion failure.
+
+Text
+E
diff --git a/LayoutTests/fast/multicol/null-lastFloat-in-removeFloatingObjectsBelow.html b/LayoutTests/fast/multicol/null-lastFloat-in-removeFloatingObjectsBelow.html
new file mode 100644 (file)
index 0000000..03f50ca
--- /dev/null
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<p>
+     Test for <i><a href="https://bugs.webkit.org/show_bug.cgi?id=68550">https://bugs.webkit.org/show_bug.cgi?id=68550</a>
+     REGRESSION: Crash in RenderBlock::removeFloatingObjectsBelow()</i>.
+</p>
+<p>
+    The test passes if it does not cause a crash or assertion failure.
+</p>
+<script>
+    if (window.layoutTestController)
+        layoutTestController.dumpAsText();
+</script>
+<div style="-webkit-columns: 2; width: 200px; height: 40px; font-family: ahem; -webkit-font-smoothing: none;">
+    <div style="height: 12px;"></div>
+    <div>
+        Text<br>E
+        <div style="width: 6px; height: 6px; float: left; background-color: blue;">
+        </div>
+    </div>
+</div>
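Review bot: The markup under the `-webkit-columns: 2` container does not say which layout conditions reach the crashing path, so a later change to the heights or widths could stop the test exercising the fix without anyone noticing. Add a short comment stating that the first child div has no floats and that the float follows the `Text<br>E` lines, which is the "no floats on previous lines" case the ChangeLog describes. The layout also depends on `font-family: ahem` resolving to the Ahem test font, which is worth stating in the same comment.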
index 6971c95a5d14f25a4b9a58c7a2cce5b66e2d0653..1ae95aef050604c27b87667ad90a885c26da6c1c 100644 (file)
@@ -1,3 +1,17 @@
+2011-09-21  Dan Bernstein  <mitz@apple.com>
+
+        <rdar://problem/9768483> REGRESSION: Crash in RenderBlock::removeFloatingObjectsBelow()
+        https://bugs.webkit.org/show_bug.cgi?id=68550
+
+        Reviewed by Darin Adler.
+
+        Test: fast/multicol/null-lastFloat-in-removeFloatingObjectsBelow.html
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::removeFloatingObjectsBelow): Break out of the while() loop when the
+        floating object set is empty, which can happen if there were no floats on previous lines
+        (in which case, lastFloat is 0).
+
 2011-09-21  ChangSeok Oh  <shivamidow@gmail.com>
 
         [GTK] Fix build break when enabling webgl on r95593
 2011-09-21  ChangSeok Oh  <shivamidow@gmail.com>
 
         [GTK] Fix build break when enabling webgl on r95593
index e6e2287d6ba91a70ace2ff75896bc77631a8fda5..60e687432d26f165551502e48747139b4d71b06b 100644 (file)
@@ -3290,6 +3290,8 @@ void RenderBlock::removeFloatingObjectsBelow(FloatingObject* lastFloat, int logi
         m_floatingObjects->remove(curr);
         ASSERT(!curr->m_originatingLine);
         delete curr;
         m_floatingObjects->remove(curr);
         ASSERT(!curr->m_originatingLine);
         delete curr;
+        if (floatingObjectSet.isEmpty())
+            break;
         curr = floatingObjectSet.last();
     }
 }
         curr = floatingObjectSet.last();
     }
 }
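Review bot: The new `if (floatingObjectSet.isEmpty()) break;` protects only the `curr = floatingObjectSet.last();` at the bottom of the loop body. The first assignment of `curr` and the `while` condition are outside this hunk, so please confirm the set cannot be empty on entry when `lastFloat` is 0, because the same `last()` call on an empty set would be reached there. A one-line comment above the check noting that `lastFloat` can be 0 when earlier lines had no floats would also keep the reason for the early `break` visible in the code and not only in the ChangeLog.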