Source/WebCore: Floats should not overhang from flex items

https://bugs.webkit.org/show_bug.cgi?id=115925

Patch by Bem Jones-Bey <bjonesbe@adobe.com> on 2013-05-13
Reviewed by David Hyatt.

Allowing floats to overhang from flex items is not only against the
spec, it causes bad bugs. Fix this by having flex items properly avoid
floats.

Test: fast/block/float/float-not-removed-crash2.html

* rendering/RenderBox.cpp:
(WebCore::RenderBox::avoidsFloats): Add flex items to avoid floats.
* rendering/RenderBox.h:
(WebCore::RenderBox::isFlexItemIncludingDeprecated): Determine if the current box is a
    flex item or deprecated flex item.

LayoutTests: Fix the float logic to not return an anonymous block ancestor
https://bugs.webkit.org/show_bug.cgi?id=115925

Patch by Bem Jones-Bey <bjonesbe@adobe.com> on 2013-05-13
Reviewed by David Hyatt.

Cleaned up fuzzer test. Note that this will only crash when run under
a memory checker like ASAN.

* fast/block/float/float-not-removed-crash2-expected.txt: Added.
* fast/block/float/float-not-removed-crash2.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@150029 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent a3aedf12
2013-05-13 Bem Jones-Bey <bjonesbe@adobe.com>
Fix the float logic to not return an anonymous block ancestor
https://bugs.webkit.org/show_bug.cgi?id=115925
Reviewed by David Hyatt.
Cleaned up fuzzer test. Note that this will only crash when run under
a memory checker like ASAN.
* fast/block/float/float-not-removed-crash2-expected.txt: Added.
* fast/block/float/float-not-removed-crash2.html: Added.
2013-05-13 Zoltan Horvath <zoltan@webkit.org>
[CSS Regions][CSS Exclusions] Shape-inside on regions should respect region borders and paddings
......
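Review bot: The title of this LayoutTests ChangeLog entry, "Fix the float logic to not return an anonymous block ancestor", does not match the Source/WebCore entry for the same bug 115925, "Floats should not overhang from flex items". Use the same title in both entries so they can be matched when reading the logs.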
<html>
<body style="display: -webkit-flex;">
<i>
<div> </div><row>
<source id=test style="float: right; padding-top: 238px;">A</source>
</i>
<div style="height: 188;"></div>
<style>
.class1 {
width: 51667px;
}
</style>
<script>
if (window.testRunner)
testRunner.dumpAsText();
document.body.offsetTop;
test.setAttribute("class", "class1");
document.body.offsetTop;
test.parentNode.removeChild(test);
document.body.offsetTop;
document.body.innerHTML = "PASS. WebKit didn't crash.";
</script>
</body>
</html>
\ No newline at end of file
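Review bot: The new test file ends without a trailing newline ("\ No newline at end of file"), and `height: 188;` on the second div has no unit, so it only takes effect under quirks-mode parsing. Add the newline, and either write `188px` or state that the unitless value is needed to reproduce. A one-line comment naming bug 115925 and noting that the failure only shows under a memory checker would also help anyone reading this fuzzer-derived markup later.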
2013-05-13 Bem Jones-Bey <bjonesbe@adobe.com>
Floats should not overhang from flex items
https://bugs.webkit.org/show_bug.cgi?id=115925
Reviewed by David Hyatt.
Allowing floats to overhand from flex items is not only against the
spec, it causes bad bugs. Fix this by having flex items properly avoid
floats.
Test: fast/block/float/float-not-removed-crash2.html
* rendering/RenderBox.cpp:
(WebCore::RenderBox::avoidsFloats): Add flex items to avoid floats.
* rendering/RenderBox.h:
(WebCore::RenderBox::isFlexItemIncludingDeprecated): Determine if the current box is a
flex item or deprecated flex item.
2013-05-13 Zoltan Horvath <zoltan@webkit.org>
[CSS Regions][CSS Exclusions] Shape-inside on regions should respect region borders and paddings
......
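Review bot: Typo in the description line "Allowing floats to overhand from flex items": "overhand" should be "overhang", as in the entry title. The description also says overhanging floats cause "bad bugs" without naming one; mention the crash that fast/block/float/float-not-removed-crash2.html covers so the entry explains why the change was needed.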
......@@ -4084,7 +4084,7 @@ bool RenderBox::shrinkToAvoidFloats() const
bool RenderBox::avoidsFloats() const
{
return isReplaced() || hasOverflowClip() || isHR() || isLegend() || isWritingModeRoot() || isDeprecatedFlexItem();
return isReplaced() || hasOverflowClip() || isHR() || isLegend() || isWritingModeRoot() || isFlexItemIncludingDeprecated();
}
void RenderBox::addVisualEffectOverflow()
......
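Review bot: avoidsFloats() now returns true for every flex item, which changes layout, yet the only test added is a crash test that, by the ChangeLog's own note, fails only under a memory checker like ASAN. Add a layout or reference test that puts a float inside a flex item and checks that it no longer overhangs, so a regression in this condition is caught in ordinary test runs as well.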
......@@ -505,6 +505,7 @@ public:
bool isWritingModeRoot() const { return !parent() || parent()->style()->writingMode() != style()->writingMode(); }
bool isDeprecatedFlexItem() const { return !isInline() && !isFloatingOrOutOfFlowPositioned() && parent() && parent()->isDeprecatedFlexibleBox(); }
bool isFlexItemIncludingDeprecated() const { return !isInline() && !isFloatingOrOutOfFlowPositioned() && parent() && parent()->isFlexibleBoxIncludingDeprecated(); }
virtual LayoutUnit lineHeight(bool firstLine, LineDirectionMode, LinePositionMode = PositionOnContainingLine) const;
virtual int baselinePosition(FontBaseline, bool firstLine, LineDirectionMode, LinePositionMode = PositionOnContainingLine) const OVERRIDE;
......
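Review bot: isFlexItemIncludingDeprecated() repeats the whole predicate of isDeprecatedFlexItem() on the line above and differs only in the final call on parent(). Consider factoring the shared `!isInline() && !isFloatingOrOutOfFlowPositioned() && parent()` part into one helper so the two checks cannot drift apart, and if avoidsFloats() was the only caller of isDeprecatedFlexItem(), remove the older function.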