Description
Don't delete nodes in the float interval tree while traversing it.
When traversing the floated objects' interval tree in searchForOverlapsFrom() we will crash if
we delete ourselves from the tree - this can happen if computedShape() is called,
the shape needs to be computed, and we end up removing ourselves from ancestors' floating
object lists in markShapeDependentObjectsForLayout() via RenderBox::imageChanged().
What this boils down to is ensuring that we don't mark a shape as dirty while we are in
the middle of computing it. When we compute a shape RenderBox::imageChanged() will get
called. This function needs to dirty the shape when we are here because
of an asynchronous image; if we're here because we are computing the shape deltas for the float
there is no need to dirty ourselves again.
I explored a few options for determining if we are computing the shape deltas for the
float. Unfortunately we can't just use isShapeDirty() because if a float is added
to the render tree markShapeOutsideDependentsForLayout() will not mark any ancestors
for layout until the first layout has happened. This means we could arrive in
RenderBox::imageChanged() with the shape marked as dirty but still needing to re-layout its ancestors.
This is a regression from https://codereview.chromium.org/131133004.
Note that I've moved a couple of the shape-outside tests to the http/ folder. They use
url() for the image loads, which doesn't work when running on file:// urls. The image
loads always fail with 'Image from origin 'file://' has been blocked from loading
by Cross-Origin Resource Sharing policy: Received an invalid response. Origin 'null'
is therefore not allowed access.'
BUG=409508
Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=183485
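The reentrancy described above, reduced to a self-contained C++ model (an added example, not Blink's code and not the patch under review). The function names mirror the description, but the classes, the `guardEnabled` switch and the `computingShape` flag are hypothetical, and a removal requested during a walk is counted rather than performed so that the unguarded case runs safely.

```cpp
#include <algorithm>
#include <vector>
// Hypothetical stand-ins for the objects named in the description; not Blink code.
struct Float;
struct FloatList {
    std::vector<Float*> items;
    bool traversing = false;
    int unsafeRemovals = 0;  // removals requested while a walk is in progress
    void remove(Float* f) {
        if (traversing) { ++unsafeRemovals; return; }  // would invalidate the walk
        items.erase(std::remove(items.begin(), items.end(), f), items.end());
    }
    void searchForOverlaps();
};
struct Float {
    FloatList* owner;
    bool guardEnabled;
    bool shapeDirty = true;
    bool computingShape = false;
    Float(FloatList* o, bool g) : owner(o), guardEnabled(g) {}
    // Reached for an asynchronous image load and also while computing the shape.
    void imageChanged() {
        if (guardEnabled && computingShape) return;  // mid-computation: do not re-dirty
        shapeDirty = true;
        owner->remove(this);  // models removal from ancestors' floating object lists
    }
    void computedShape() {
        if (!shapeDirty) return;
        computingShape = true;
        imageChanged();  // computing the shape notifies image clients
        computingShape = false;
        shapeDirty = false;
    }
};
void FloatList::searchForOverlaps() {
    traversing = true;
    for (Float* f : items) f->computedShape();
    traversing = false;
}
struct Result { int unsafeRemovals; int floatsLeft; };
// One walk over three floats (constructed input), then an async image change on one.
Result walkThenAsyncChange(bool guardEnabled) {
    FloatList list;
    Float a(&list, guardEnabled), b(&list, guardEnabled), c(&list, guardEnabled);
    list.items = {&a, &b, &c};
    list.searchForOverlaps();
    a.imageChanged();  // outside any walk: still dirties and removes
    return {list.unsafeRemovals, static_cast<int>(list.items.size())};
}
```

Without the guard every float asks to be removed during the walk; with it none does, while the image change arriving outside shape computation still takes effect.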
Patch Set 1
Patch Set 2 : Added square.png and another test
Total comments: 3
Patch Set 3 : Updated
Patch Set 4 : Add correct png!
Messages
Total messages: 16 (6 generated)