During HTML fuzzing I've found the following assert: ASSERTION FAILED: y2 >= y1 /home/reni/repos/webkit2/Source/WebCore/rendering/RenderObject.cpp(1033) : void WebCore::RenderObject::drawLineForBoxSide(WebCore::GraphicsContext*, int, int, int, int, WebCore::BoxSide, WebCore::Color, WebCore::EBorderStyle, int, int, bool) Test case: <html> <body> Test for <a style="outline: solid; outline-offset: -70px;"</a>assertion. </body> </html>
Created attachment 208445 [details] Patch
Comment on attachment 208445 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=208445&action=review > Source/WebCore/rendering/RenderInline.cpp:1479 > + if (pixelSnappedBox.isEmpty()) Is a zero-sized rect the only problematic case? What about a 1x1 rect?
(In reply to comment #2) > (From update of attachment 208445 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=208445&action=review > > > Source/WebCore/rendering/RenderInline.cpp:1479 > > + if (pixelSnappedBox.isEmpty()) > > Is a zero-sized rect the only problematic case? What about a 1x1 rect? I tried 1x1 size, then there is no problem since y() < maxY() (so y1 < y2) and the ASSERT will not be triggered. zero-sized rects but especially negative width/height rects are the problem here (due to the negative outline-offset).
Add hyatt for CC.
Comment on attachment 208445 [details] Patch r=me
Committed r154064: <http://trac.webkit.org/changeset/154064>