Changeset 134683 in webkit


Timestamp:
Nov 14, 2012 3:36:04 PM (11 years ago)
Author:
tony@chromium.org
Message:

Crash in flexbox when removing absolutely positioned children
https://bugs.webkit.org/show_bug.cgi?id=100465

Reviewed by Ojan Vafai.

Source/WebCore:

We use m_numberOfChildrenOnFirstLine when computing baseline alignment.
This value gets set during flexbox layout. When we remove an absolutely
positioned child, we don't relayout and this value would get stale.

Change m_numberOfChildrenOnFirstLine to m_numberOfInFlowChildrenOnFirstLine
so the value doesn't get stale when we remove absolutely positioned children.
Also change the loop in firstLineBoxBaseline to bail if we run off the end of
the iterator.

Test: css3/flexbox/crash-removing-out-of-flow-child.html

  • rendering/RenderFlexibleBox.cpp:

(WebCore::RenderFlexibleBox::RenderFlexibleBox):
(WebCore::RenderFlexibleBox::firstLineBoxBaseline):
(WebCore::RenderFlexibleBox::layoutBlock):
(WebCore::RenderFlexibleBox::repositionLogicalHeightDependentFlexItems):
(WebCore::RenderFlexibleBox::layoutAndPlaceChildren):

  • rendering/RenderFlexibleBox.h:

LayoutTests:

Test case for the crash.

  • css3/flexbox/crash-removing-out-of-flow-child-expected.txt: Added.
  • css3/flexbox/crash-removing-out-of-flow-child.html: Added.
Location:
trunk
Files:
2 added
4 edited

  • trunk/LayoutTests/ChangeLog

    r134678 r134683  
     12012-11-14  Tony Chang  <tony@chromium.org>
     2
     3        Crash in flexbox when removing absolutely positioned children
     4        https://bugs.webkit.org/show_bug.cgi?id=100465
     5
     6        Reviewed by Ojan Vafai.
     7
     8        Test case for the crash.
     9
     10        * css3/flexbox/crash-removing-out-of-flow-child-expected.txt: Added.
     11        * css3/flexbox/crash-removing-out-of-flow-child.html: Added.
     12
    1132012-11-14  Dirk Schulze  <krit@webkit.org>
    214
  • trunk/Source/WebCore/ChangeLog

    r134680 r134683  
     12012-11-14  Tony Chang  <tony@chromium.org>
     2
     3        Crash in flexbox when removing absolutely positioned children
     4        https://bugs.webkit.org/show_bug.cgi?id=100465
     5
     6        Reviewed by Ojan Vafai.
     7
     8        We use m_numberOfChildrenOnFirstLine when computing baseline alignment.
     9        This value gets set during flexbox layout. When we remove an absolutely
     10        positioned child, we don't relayout and this value would get stale.
     11
     12        Change m_numberOfChildrenOnFirstLine to m_numberOfInFlowChildrenOnFirstLine
     13        so the value doesn't get stale when we remove absolutely positioned children.
     14        Also change the loop in firstLineBoxBaseline to bail if we run off the end of
     15        the iterator.
     16
     17        Test: css3/flexbox/crash-removing-out-of-flow-child.html
     18
     19        * rendering/RenderFlexibleBox.cpp:
     20        (WebCore::RenderFlexibleBox::RenderFlexibleBox):
     21        (WebCore::RenderFlexibleBox::firstLineBoxBaseline):
     22        (WebCore::RenderFlexibleBox::layoutBlock):
     23        (WebCore::RenderFlexibleBox::repositionLogicalHeightDependentFlexItems):
     24        (WebCore::RenderFlexibleBox::layoutAndPlaceChildren):
     25        * rendering/RenderFlexibleBox.h:
     26
    1272012-11-14  Joshua Bell  <jsbell@chromium.org>
    228
  • trunk/Source/WebCore/rendering/RenderFlexibleBox.cpp

    r133906 r134683  
    133133RenderFlexibleBox::RenderFlexibleBox(Node* node)
    134134    : RenderBlock(node)
    135     , m_numberOfChildrenOnFirstLine(0)
     135    , m_numberOfInFlowChildrenOnFirstLine(-1)
    136136{
    137137    setChildrenInline(false); // All of our children must be block-level.
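Review bot: the initial value moves from 0 to -1, which only works together with the `size_t` to `int` change in the header; with the old unsigned type -1 would wrap and the `<= 0` guard in firstLineBoxBaseline would never fire. A comment at the initializer saying that -1 means "not computed since the last layout", as distinct from 0 meaning "first line has no in-flow children", would keep that distinction visible to the next reader.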
     
    255255    ASSERT(m_orderIterator);
    256256
    257     if (isWritingModeRoot() || !m_numberOfChildrenOnFirstLine)
     257    if (isWritingModeRoot() || m_numberOfInFlowChildrenOnFirstLine <= 0)
    258258        return -1;
    259259    RenderBox* baselineChild = 0;
    260     RenderBox* child = m_orderIterator->first();
    261     for (size_t childNumber = 0; childNumber < m_numberOfChildrenOnFirstLine; ++childNumber, child = m_orderIterator->next()) {
     260    int childNumber = 0;
     261    for (RenderBox* child = m_orderIterator->first(); child; child = m_orderIterator->next()) {
    262262        if (child->isOutOfFlowPositioned())
    263263            continue;
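Review bot: the real safety change here is the loop condition, not the guard: `for (RenderBox* child = m_orderIterator->first(); child; child = m_orderIterator->next())` terminates on a null child, so a count that is out of sync with the children actually present can no longer drive the iterator past its end, which is the crash described in the bug. The guard `m_numberOfInFlowChildrenOnFirstLine <= 0` now covers both the -1 sentinel and a first line with zero in-flow children, and returning -1 is right for both; a one-line comment stating that the null check is the deliberate fail-safe rather than idiom would help whoever touches this loop next.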
     
    268268        if (!baselineChild)
    269269            baselineChild = child;
     270
     271        ++childNumber;
     272        if (childNumber == m_numberOfInFlowChildrenOnFirstLine)
     273            break;
    270274    }
    271275
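Review bot: `++childNumber` is placed after the `continue` for out-of-flow children, so the counter only advances for in-flow boxes and is directly comparable with `m_numberOfInFlowChildrenOnFirstLine`; the `break` on equality is the early exit once the first line has been consumed. Worth a comment that, should the stored count ever exceed the number of in-flow children present, the loop now simply exhausts the iterator and `baselineChild` remains the first in-flow child seen, which is the intended degraded behaviour and not an error path.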
     
    321325    updateLogicalWidth();
    322326
     327    m_numberOfInFlowChildrenOnFirstLine = -1;
    323328    m_overflow.clear();
    324329
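Review bot: this reset to -1 at the top of layoutBlock is what makes the `== -1` guard in layoutAndPlaceChildren latch only the first line of each layout pass; without it a second layout would keep the first pass's value. Since the reset and the guard are several hundred lines apart in this file, a short comment at either site naming the other would make the dependency explicit.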
     
    386391        flipForWrapReverse(iterator, lineContexts, crossAxisStartEdge);
    387392    }
    388 
    389     m_numberOfChildrenOnFirstLine = lineContexts.isEmpty() ? 0 : lineContexts[0].numberOfChildren;
    390393
    391394    // direction:rtl + flex-direction:column means the cross-axis direction is flipped.
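Review bot: the removed line was the only place the count was refreshed, and it ran after layoutAndPlaceChildren using `lineContexts[0].numberOfChildren`, which the later hunk shows is built from `children.size()` and so included absolutely positioned children. Moving the computation into layoutAndPlaceChildren and counting in-flow children only is consistent with the new loop in firstLineBoxBaseline, which advances its counter only for in-flow children, so the set of children examined for the baseline is unchanged. Please confirm the empty-`lineContexts` case: previously the member became 0 here, now it stays at the -1 set in layoutBlock, and both values are rejected by the `<= 0` guard, so the outcome is the same.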
     
    11331136    }
    11341137
     1138    if (m_numberOfInFlowChildrenOnFirstLine == -1)
     1139        m_numberOfInFlowChildrenOnFirstLine = seenInFlowPositionedChildren;
    11351140    lineContexts.append(LineContext(crossAxisOffset, maxChildCrossAxisExtent, children.size(), maxAscent));
    11361141    crossAxisOffset += maxChildCrossAxisExtent;
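Review bot: `seenInFlowPositionedChildren` is not declared in the visible context of this hunk, so a reviewer has to take on trust that it is the per-line in-flow count maintained earlier in layoutAndPlaceChildren; a name that matches the member it feeds, such as `numberOfInFlowChildrenOnLine`, would make the intent obvious at the assignment. The `== -1` guard is the only thing restricting this assignment to the first line, and it relies on layoutBlock resetting the member each pass; a comment here saying so would save the next reader from searching for the reset.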
  • trunk/Source/WebCore/rendering/RenderFlexibleBox.h

    r132112 r134683  
    147147
    148148    OwnPtr<OrderIterator> m_orderIterator;
    149     size_t m_numberOfChildrenOnFirstLine;
     149    int m_numberOfInFlowChildrenOnFirstLine;
    150150};
    151151
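Review bot: the member changes from `size_t` to `int` so that -1 can act as a sentinel; document that meaning at the declaration (-1: not computed since the last layout; 0: the first line has no in-flow children; positive: the count), since readers of the header cannot see the guard in firstLineBoxBaseline or the reset in layoutBlock that give the value its semantics.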