From: mitz@apple.com Date: Wed, 21 Sep 2011 18:45:56 +0000 (+0000) Subject: REGRESSION: Crash in RenderBlock::removeFloatingObjectsBelow() X-Git-Url: https://git.webkit.org/?p=WebKit-https.git;a=commitdiff_plain;h=370c9a83b118b7ecbcf077dce2ffdf17bdccf759;hp=52d3e8c5c35b12f667c77450c524eea560f4165d REGRESSION: Crash in RenderBlock::removeFloatingObjectsBelow() https://bugs.webkit.org/show_bug.cgi?id=68550 Reviewed by Darin Adler. Source/WebCore: Test: fast/multicol/null-lastFloat-in-removeFloatingObjectsBelow.html * rendering/RenderBlock.cpp: (WebCore::RenderBlock::removeFloatingObjectsBelow): Break out of the while() loop when the floating object set is empty, which can happen if there were no floats on previous lines (in which case, lastFloat is 0). LayoutTests: * fast/multicol/null-lastFloat-in-removeFloatingObjectsBelow-expected.txt: Added. * fast/multicol/null-lastFloat-in-removeFloatingObjectsBelow.html: Added. git-svn-id: https://svn.webkit.org/repository/webkit/trunk@95654 268f45cc-cd09-0410-ab3c-d52691b4dbfc --- diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog index b63454ae7228..d8cb5e221429 100644 --- a/LayoutTests/ChangeLog +++ b/LayoutTests/ChangeLog @@ -1,3 +1,13 @@ +2011-09-21 Dan Bernstein + + REGRESSION: Crash in RenderBlock::removeFloatingObjectsBelow() + https://bugs.webkit.org/show_bug.cgi?id=68550 + + Reviewed by Darin Adler. + + * fast/multicol/null-lastFloat-in-removeFloatingObjectsBelow-expected.txt: Added. + * fast/multicol/null-lastFloat-in-removeFloatingObjectsBelow.html: Added. + 2011-09-21 Dmitry Lomov Fixed bug number in test expectations. diff --git a/LayoutTests/fast/multicol/null-lastFloat-in-removeFloatingObjectsBelow-expected.txt b/LayoutTests/fast/multicol/null-lastFloat-in-removeFloatingObjectsBelow-expected.txt new file mode 100644 index 000000000000..cd5b344d40b9 --- /dev/null +++ b/LayoutTests/fast/multicol/null-lastFloat-in-removeFloatingObjectsBelow-expected.txt 
@@ -0,0 +1,6 @@ +Test for https://bugs.webkit.org/show_bug.cgi?id=68550 REGRESSION: Crash in RenderBlock::removeFloatingObjectsBelow(). + +The test passes if it does not cause a crash or assertion failure. + +Text +E diff --git a/LayoutTests/fast/multicol/null-lastFloat-in-removeFloatingObjectsBelow.html b/LayoutTests/fast/multicol/null-lastFloat-in-removeFloatingObjectsBelow.html new file mode 100644 index 000000000000..03f50ca54f9d --- /dev/null +++ b/LayoutTests/fast/multicol/null-lastFloat-in-removeFloatingObjectsBelow.html @@ -0,0 +1,20 @@ + +

+ Test for https://bugs.webkit.org/show_bug.cgi?id=68550 + REGRESSION: Crash in RenderBlock::removeFloatingObjectsBelow(). +

+

+ The test passes if it does not cause a crash or assertion failure. +

+ +
+
+
+ Text
E +
+
+
+
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog index 6971c95a5d14..1ae95aef0506 100644 --- a/Source/WebCore/ChangeLog +++ b/Source/WebCore/ChangeLog @@ -1,3 +1,17 @@ +2011-09-21 Dan Bernstein + + REGRESSION: Crash in RenderBlock::removeFloatingObjectsBelow() + https://bugs.webkit.org/show_bug.cgi?id=68550 + + Reviewed by Darin Adler. + + Test: fast/multicol/null-lastFloat-in-removeFloatingObjectsBelow.html + + * rendering/RenderBlock.cpp: + (WebCore::RenderBlock::removeFloatingObjectsBelow): Break out of the while() loop when the + floating object set is empty, which can happen if there were no floats on previous lines + (in which case, lastFloat is 0). + 2011-09-21 ChangSeok Oh [GTK] Fix build break when enabling webgl on r95593 diff --git a/Source/WebCore/rendering/RenderBlock.cpp b/Source/WebCore/rendering/RenderBlock.cpp index e6e2287d6ba9..60e687432d26 100644 --- a/Source/WebCore/rendering/RenderBlock.cpp +++ b/Source/WebCore/rendering/RenderBlock.cpp @@ -3290,6 +3290,8 @@ void RenderBlock::removeFloatingObjectsBelow(FloatingObject* lastFloat, int logi m_floatingObjects->remove(curr); ASSERT(!curr->m_originatingLine); delete curr; + if (floatingObjectSet.isEmpty()) + break; curr = floatingObjectSet.last(); } }
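Review bot: In the Source/WebCore/rendering/RenderBlock.cpp hunk, the added `if (floatingObjectSet.isEmpty()) break;` has no comment saying why the set can be empty at that point. The explanation (no floats on previous lines, so lastFloat is 0) lives only in the ChangeLog. Please add a one-line comment above the check so the condition is not later removed as dead code. The check covers only the `curr = floatingObjectSet.last();` at the bottom of the loop body. The assignment of `curr` before the loop and the loop condition are outside the visible context, so it is worth confirming that the first `last()` call cannot also run on an empty set. If the loop condition can express this case, folding the emptiness test into it would read more clearly than a break in the middle of the body.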