hasOverhangingFloats can produce true when we don't have any floats at all. This happens because we have a check like

    bool hasOverhangingFloats() { return parent() && !hasColumns() && lowestFloatLogicalBottom() > logicalHeight(); }

lowestFloatLogicalBottom will return 0 when we don't have any floating objects. However, our logicalHeight can be less than zero when we have large bottom padding, so this check will return true incorrectly. Patch upcoming.
I have repro, so we might not need this hack anymore.

    void RenderBlock::repaintOverhangingFloats(bool paintAllDescendants)
    {
        // Repaint any overhanging floats (if we know we're the one to paint them).
        if (hasOverhangingFloats()) {
            // We think that we must be in a bad state if m_floatingObjects is nil at this point, so
            // we assert on Debug builds and nil-check Release builds.
            ASSERT(m_floatingObjects);
            if (!m_floatingObjects)
                return;
stack:

    #0  0x0000000001b40af1 in WebCore::RenderBlock::markSiblingsWithFloatsForLayout() ()
    #1  0x0000000001b474ca in WebCore::RenderBlock::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) ()
    #2  0x0000000001bc8461 in WebCore::RenderObject::setStyle(WTF::PassRefPtr<WebCore::RenderStyle>) ()
    #3  0x0000000001bc69af in WebCore::RenderObject::setAnimatableStyle(WTF::PassRefPtr<WebCore::RenderStyle>) ()
    #4  0x000000000186ec86 in WebCore::Node::setRenderStyle(WTF::PassRefPtr<WebCore::RenderStyle>) ()
    #5  0x000000000185b232 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) ()
    #6  0x000000000185b320 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) ()
    #7  0x000000000149ad69 in WebCore::HTMLFormControlElement::recalcStyle(WebCore::Node::StyleChange) ()
    #8  0x000000000185b320 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) ()
    #9  0x000000000185b320 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) ()
    #10 0x000000000185b320 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) ()
    #11 0x000000000185b320 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) ()
Created attachment 92954: Patch
The crash was happening because m_floatingObjects was nil in markSiblingsWithFloatsForLayout and we returned true in hasOverhangingFloats. Started after my http://trac.webkit.org/changeset/85876.

    if (diff == StyleDifferenceLayout && s_canPropagateFloatIntoSibling && !canPropagateFloatIntoSibling && hasOverhangingFloats()) {
        markAllDescendantsWithFloatsForLayout();
        markSiblingsWithFloatsForLayout();
Dan, can you please review.
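The false positive described in this report, reproduced in a small stand-alone model (an added example, not WebKit code and not the attached patch). ModelBlock, makeBlock and the guarded variant are hypothetical names, and the guard shown is one assumed way to make the predicate imply that a float list exists.

```cpp
#include <algorithm>
#include <memory>
#include <vector>

// Hypothetical stand-ins for the WebKit types named in the report.
struct FloatingObject { int logicalBottom; };

struct ModelBlock {
    bool hasParent = true;
    bool hasColumns = false;
    int logicalHeight = 0;
    // Stays null until a float is added, like m_floatingObjects in the report.
    std::unique_ptr<std::vector<FloatingObject>> floatingObjects;

    int lowestFloatLogicalBottom() const {
        if (!floatingObjects)
            return 0; // no floating objects: the report says this yields 0
        int lowest = 0;
        for (const auto& f : *floatingObjects)
            lowest = std::max(lowest, f.logicalBottom);
        return lowest;
    }

    // Same shape as the check quoted in the report: 0 > negative height is true.
    bool hasOverhangingFloatsAsReported() const {
        return hasParent && !hasColumns && lowestFloatLogicalBottom() > logicalHeight;
    }

    // Assumed hardening: "true" must imply the float list can be dereferenced.
    bool hasOverhangingFloatsGuarded() const {
        return floatingObjects && !floatingObjects->empty()
            && hasOverhangingFloatsAsReported();
    }
};

// Builds a block from constructed sample values (not taken from a real page).
ModelBlock makeBlock(int logicalHeight, std::vector<int> floatBottoms) {
    ModelBlock b;
    b.logicalHeight = logicalHeight;
    if (!floatBottoms.empty()) {
        b.floatingObjects = std::make_unique<std::vector<FloatingObject>>();
        for (int bottom : floatBottoms)
            b.floatingObjects->push_back({bottom});
    }
    return b;
}
```

With a negative logicalHeight and no floats, the reported predicate is true while the float list is null, which is the state callers such as markSiblingsWithFloatsForLayout then dereference.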
<rdar://problem/9413395>
Committed r86160: <http://trac.webkit.org/changeset/86160>
http://trac.webkit.org/changeset/86160 might have broken SnowLeopard Intel Release (WebKit2 Tests)
The following tests are not passing:
fast/frames/flattening/frameset-flattening-subframesets.html