New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 624028 link

Starred by 2 users
Status: Duplicate
Merged: issue 644803
Owner:
robhogan@chromium.org
Use other robhogan account instead.
Closed: Sep 2016
Cc:
robhogan@chromium.org
e...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug



Sign in to add a comment

Float objects can get into a weird state

Project Member Reported by chrishtr@chromium.org, Jun 28 2016 
In the testcase in https://codereview.chromium.org/2099523002,
at the time of detaching the subtree (including the floating element),
the floating element attempts to remove itself from the floating element
set of its container, but (a) it appears to be in multiple floating
elements sets, and (b) there is at least one that it's in that it doesn't
get removed from.

A subsequent call to unsafeClone when moving anonymous children
ends up passing around an already-deleted LayoutObject pointer.

The root cause seems to be incorrect code for floats.

Comment 1 by e...@chromium.org, Jun 28 2016

Owner: robhogan@chromium.org
Status: Assigned (was: Untriaged)
Would you mind looking into this when you get a chance Rob?

Comment 3 by schenney@chromium.org, Sep 8 2016

Mergedinto: 644803
Status: Duplicate (was: Assigned)

Comment 4 by schenney@chromium.org, Sep 8 2016 

Note that the patch for this was reverted due to https://bugs.chromium.org/p/chromium/issues/detail?id=644605 and the revesion appears to have triggered https://bugs.chromium.org/p/chromium/issues/detail?id=644803.
Project Member

Comment 5 by bugdroid1@chromium.org, Sep 10 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f6e18a33072f5811932ecafe3b6c314591b3fdc8

commit f6e18a33072f5811932ecafe3b6c314591b3fdc8
Author: wfh <wfh@chromium.org>
Date: Sat Sep 10 09:03:23 2016

Revert of Copy float list of ruby base when merging it with a sibling (patchset #1 id:1 of https://codereview.chromium.org/2283413003/ )

Reason for revert:
see crbug.com/644605

Original issue's description:
> Copy float list of ruby base when merging it with a sibling
>
> When merging two ruby bases ensure that the new base has a complete float list.
>
> BUG= 619380 , 624028 
>
> Committed: https://crrev.com/6f208d569f6bd2488f2f2f6f9004e54417f78782
> Cr-Commit-Position: refs/heads/master@{#415337}

TBR=eae@chromium.org,robhogan@gmail.com
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG= 619380 , 624028 ,644605

Review-Url: https://codereview.chromium.org/2322703002
Cr-Commit-Position: refs/heads/master@{#417825}

[modify] https://crrev.com/f6e18a33072f5811932ecafe3b6c314591b3fdc8/third_party/WebKit/LayoutTests/fast/block/float/float-reparent-during-detach-crash.html
[modify] https://crrev.com/f6e18a33072f5811932ecafe3b6c314591b3fdc8/third_party/WebKit/Source/core/layout/FloatingObjects.cpp
[modify] https://crrev.com/f6e18a33072f5811932ecafe3b6c314591b3fdc8/third_party/WebKit/Source/core/layout/FloatingObjects.h
[modify] https://crrev.com/f6e18a33072f5811932ecafe3b6c314591b3fdc8/third_party/WebKit/Source/core/layout/LayoutRubyBase.cpp

Sign in to add a comment