Reviewed by James Robinson.
Tests that we do not crash when overflowing the height of a root
inline box.
https://bugs.webkit.org/show_bug.cgi?id=53729
* fast/overflow/overflow-height-float-not-removed-crash-expected.txt: Added.
* fast/overflow/overflow-height-float-not-removed-crash.html: Added.
2011-02-03 Abhishek Arya <inferno@chromium.org>
Reviewed by James Robinson.
Enforce more limits on root inline boxes height calculations.
https://bugs.webkit.org/show_bug.cgi?id=53729
Test: fast/overflow/overflow-height-float-not-removed-crash.html
* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::removeFloatingObject): prevent logicalBottom from
becoming negative when logicalTop is INT_MAX.
(WebCore::RenderBlock::markLinesDirtyInBlockRange): when logicalBottom
is INT_MAX, we should dirty everything. So, we bail out to make
afterLowest equal to the lastRootBox() or lowestDirtyLine.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77565 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+2011-02-03 Abhishek Arya <inferno@chromium.org>
+
+ Reviewed by James Robinson.
+
+ Tests that we do not crash when overflowing the height of a root
+ inline box.
+ https://bugs.webkit.org/show_bug.cgi?id=53729
+
+ * fast/overflow/overflow-height-float-not-removed-crash-expected.txt: Added.
+ * fast/overflow/overflow-height-float-not-removed-crash.html: Added.
+
2011-02-03 David Levin <levin@chromium.org>
Reviewed by Adam Barth.
--- /dev/null
+<html>\r
+ <head>\r
+ <script>\r
+ if (window.layoutTestController)\r
+ layoutTestController.dumpAsText();\r
+ \r
+ function finish()\r
+ {\r
+ document.getElementById("result").innerHTML = "PASS";\r
+ } \r
+ </script>\r
+ </head>\r
+ <body onload="finish()">\r
+ <div id="result"></div>\r
+ <textarea rows="100000000"></textarea>\r
+ <textarea style="width: 100%" rows="100000000"></textarea>\r
+ <object data="a" align="right"></object>\r
+ </body>\r
+</html>\r
+\r
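Review bot: the new test file is added with CRLF line endings (every line ends in \r) and carries trailing whitespace on the blank line inside the script and after the closing brace of finish(); please convert it to LF and strip the whitespace. The page also never says what it exercises: finish() writes "PASS" unconditionally from onload, so a short visible line such as "Test passes if it does not crash" with a reference to bug 53729 would tell a reader of the expected output that the crash itself is the failure condition.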
+2011-02-03 Abhishek Arya <inferno@chromium.org>
+
+ Reviewed by James Robinson.
+
+ Enforce more limits on root inline boxes height calculations.
+ https://bugs.webkit.org/show_bug.cgi?id=53729
+
+ Test: fast/overflow/overflow-height-float-not-removed-crash.html
+
+ * rendering/RenderBlock.cpp:
+ (WebCore::RenderBlock::removeFloatingObject): prevent logicalBottom to
+ become negative when logicalTop is INT_MAX.
+ (WebCore::RenderBlock::markLinesDirtyInBlockRange): when logicalBottom
+ is INT_MAX, we should dirty everything. So, we bail out to make
+ afterLowest equal to the lastRootBox() or lowestDirstLine.
+
2011-02-03 David Levin <levin@chromium.org>
Reviewed by Adam Barth and Oliver Hunt.
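Review bot: the markLinesDirtyInBlockRange entry has a typo, "lowestDirstLine" should read lowestDirtyLine. The sentence "we bail out to make afterLowest equal to the lastRootBox() or lowestDirstLine" is also hard to match against the code: with the added condition the loop is skipped when logicalBottom is INT_MAX, so afterLowest simply keeps its initial value of lastRootBox(). Saying that directly would make the entry easier to check against the change.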
// Special-case zero- and less-than-zero-height floats: those don't touch
// the line that they're on, but it still needs to be dirtied. This is
// accomplished by pretending they have a height of 1.
- logicalBottom = max(logicalBottom, logicalTop + 1);
+ logicalBottom = max(logicalBottom, max(logicalTop + 1, logicalTop));
markLinesDirtyInBlockRange(0, logicalBottom);
}
m_floatingObjects->removeRef(it.current());
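Review bot: in the changed line, max(logicalTop + 1, logicalTop) still evaluates logicalTop + 1 when logicalTop is INT_MAX, which is signed integer overflow and undefined behaviour in C++. The guard only works if the addition wraps to a negative value, and a compiler is entitled to assume it does not and fold the inner max back to logicalTop + 1. Test the limit before adding instead, for example logicalTop == numeric_limits<int>::max() ? logicalTop : logicalTop + 1, and extend the comment above to mention the INT_MAX case alongside the zero-height one.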
RootInlineBox* lowestDirtyLine = lastRootBox();
RootInlineBox* afterLowest = lowestDirtyLine;
- while (lowestDirtyLine && lowestDirtyLine->blockLogicalHeight() >= logicalBottom) {
+ while (lowestDirtyLine && lowestDirtyLine->blockLogicalHeight() >= logicalBottom && logicalBottom < numeric_limits<int>::max()) {
afterLowest = lowestDirtyLine;
lowestDirtyLine = lowestDirtyLine->prevRootBox();
}
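Review bot: the added clause logicalBottom < numeric_limits<int>::max() in the while condition is loop-invariant, since logicalBottom is not modified in the body, yet it is re-evaluated on every iteration and sits after the blockLogicalHeight() call. Hoisting it into an if around the loop (or at least putting it first in the condition) would make the intent clearer. There is also no comment saying why INT_MAX is treated as "dirty everything"; the ChangeLog explains it, but a one-line comment here would keep the reason next to the code.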