<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[245361] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/245361">245361</a></dd>
<dt>Author</dt> <dd>zalan@apple.com</dd>
<dt>Date</dt> <dd>2019-05-15 15:34:09 -0700 (Wed, 15 May 2019)</dd>
</dl>

<h3>Log Message</h3>
<pre>Do not create a shape object outside of the layout context
https://bugs.webkit.org/show_bug.cgi?id=197926
<rdar://problem/50627858>

Reviewed by Simon Fraser.

Source/WebCore:

ShapeOutside objects are used to compute line constraints during layout (in a strict sense, they are part of the layout context and should only be mutated during layout).
If we don't create one during layout, we probably don't need to know its geometry during paint (or any other non-layout activity) either.

Test: fast/block/float/float-with-shape-outside-crash.html

* rendering/FloatingObjects.cpp:
(WebCore::ComputeFloatOffsetForLineLayoutAdapter<FloatingObject::FloatLeft>::updateOffsetIfNeeded):
(WebCore::ComputeFloatOffsetForLineLayoutAdapter<FloatingObject::FloatRight>::updateOffsetIfNeeded):
* rendering/shapes/ShapeOutsideInfo.cpp:
(WebCore::ShapeOutsideInfo::computeDeltasForContainingBlockLine):

LayoutTests:

* fast/block/float/float-with-shape-outside-crash-expected.txt: Added.
* fast/block/float/float-with-shape-outside-crash.html: Added.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorerenderingFloatingObjectscpp">trunk/Source/WebCore/rendering/FloatingObjects.cpp</a></li>
<li><a href="#trunkSourceWebCorerenderingshapesShapeOutsideInfocpp">trunk/Source/WebCore/rendering/shapes/ShapeOutsideInfo.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsfastblockfloatfloatwithshapeoutsidecrashexpectedtxt">trunk/LayoutTests/fast/block/float/float-with-shape-outside-crash-expected.txt</a></li>
<li><a href="#trunkLayoutTestsfastblockfloatfloatwithshapeoutsidecrashhtml">trunk/LayoutTests/fast/block/float/float-with-shape-outside-crash.html</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (245360 => 245361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog      2019-05-15 22:27:09 UTC (rev 245360)
+++ trunk/LayoutTests/ChangeLog 2019-05-15 22:34:09 UTC (rev 245361)
</span><span class="lines">@@ -1,3 +1,14 @@
</span><ins>+2019-05-15  Zalan Bujtas  <zalan@apple.com>
+
+        Do not create a shape object outside of the layout context
+        https://bugs.webkit.org/show_bug.cgi?id=197926
+        <rdar://problem/50627858>
+
+        Reviewed by Simon Fraser.
+
+        * fast/block/float/float-with-shape-outside-crash-expected.txt: Added.
+        * fast/block/float/float-with-shape-outside-crash.html: Added.
+
</ins><span class="cx"> 2019-05-15  Shawn Roberts  <sroberts@apple.com>
</span><span class="cx"> 
</span><span class="cx">         Layout tests http/wpt/webauthn/public-key-credential-create-success-hid.https.html
</span></span></pre></div>
<a id="trunkLayoutTestsfastblockfloatfloatwithshapeoutsidecrashexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/block/float/float-with-shape-outside-crash-expected.txt (0 => 245361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/block/float/float-with-shape-outside-crash-expected.txt                           (rev 0)
+++ trunk/LayoutTests/fast/block/float/float-with-shape-outside-crash-expected.txt      2019-05-15 22:34:09 UTC (rev 245361)
</span><span class="lines">@@ -0,0 +1 @@
</span><ins>+PASS if no crash or ASSERT 
</ins></span></pre></div>
<a id="trunkLayoutTestsfastblockfloatfloatwithshapeoutsidecrashhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/block/float/float-with-shape-outside-crash.html (0 => 245361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/block/float/float-with-shape-outside-crash.html                           (rev 0)
+++ trunk/LayoutTests/fast/block/float/float-with-shape-outside-crash.html      2019-05-15 22:34:09 UTC (rev 245361)
</span><span class="lines">@@ -0,0 +1,17 @@
</span><ins>+<style>
+q { 
+    float: left;
+}
+
+div { 
+    float: left;
+    width: 1400px;
+    height: 100px;
+    -webkit-shape-outside: filter(url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZpZXdCb3g9IjAgMCA4MCAxMjUiIHN0cm9rZT0iI2QzNiI+CiAgPHBhdGggZD0iTTQwLDczdjUwIiBzdHJva2Utd2lkdGg9IjExIi8+CiAgPHBhdGggZD0iTTE3LDk4bDQ3LDAiIHN0cm9rZS13aWR0aD0iOCIvPgogIDxjaXJjbGUgcj0iMzMiIGN4PSI0MCIgY3k9IjQwIiBmaWxsPSJub25lIiBzdHJva2Utd2lkdGg9IjEyIi8+Cjwvc3ZnPgo=), hue-rotate()); 
+}
+</style><span>PASS if no crash or ASSERT</span><q>
+<div></div></q><script>
+document.getSelection().selectAllChildren(document.body);
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
</ins></span></pre></div>
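<p>Review bot: The new test has no comment saying which step reaches the shape code outside of layout. The script only calls document.getSelection().selectAllChildren(document.body) and testRunner.dumpAsText(), so a reader cannot tell whether the selection or the filter() image in -webkit-shape-outside is what matters. Add a one-line comment above the selectAllChildren call naming the non-layout path it exercises, and reference bug 197926 in the file so the regression can be traced from the test itself.</p>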
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (245360 => 245361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog   2019-05-15 22:27:09 UTC (rev 245360)
+++ trunk/Source/WebCore/ChangeLog      2019-05-15 22:34:09 UTC (rev 245361)
</span><span class="lines">@@ -1,3 +1,22 @@
</span><ins>+2019-05-15  Zalan Bujtas  <zalan@apple.com>
+
+        Do not create a shape object outside of the layout context
+        https://bugs.webkit.org/show_bug.cgi?id=197926
+        <rdar://problem/50627858>
+
+        Reviewed by Simon Fraser.
+
+        ShapeOutside objects are used to compute line constrains during layout (in a strict sense, they are part of the layout context and should only be mutated during layout).
+        If we don't create one during layout, we probably don't need to know its geometry during paint (or any other non-layout activity) either.
+
+        Test: fast/block/float/float-with-shape-outside-crash.html
+
+        * rendering/FloatingObjects.cpp:
+        (WebCore::ComputeFloatOffsetForLineLayoutAdapter<FloatingObject::FloatLeft>::updateOffsetIfNeeded):
+        (WebCore::ComputeFloatOffsetForLineLayoutAdapter<FloatingObject::FloatRight>::updateOffsetIfNeeded):
+        * rendering/shapes/ShapeOutsideInfo.cpp:
+        (WebCore::ShapeOutsideInfo::computeDeltasForContainingBlockLine):
+
</ins><span class="cx"> 2019-05-15  Youenn Fablet  <youenn@apple.com>
</span><span class="cx"> 
</span><span class="cx">         Mark beacon and ping loads as low priority
</span></span></pre></div>
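<p>Review bot: Wording in the explanation paragraph of this entry: "line constrains" should read "line constraints". The second sentence also justifies the change with "probably"; since the new code returns empty deltas whenever no shape exists outside of layout, the entry would be stronger if it named the non-layout callers that were checked (the test uses selection) rather than leaving the assumption hedged.</p>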
<a id="trunkSourceWebCorerenderingFloatingObjectscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/rendering/FloatingObjects.cpp (245360 => 245361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/rendering/FloatingObjects.cpp       2019-05-15 22:27:09 UTC (rev 245360)
+++ trunk/Source/WebCore/rendering/FloatingObjects.cpp  2019-05-15 22:34:09 UTC (rev 245361)
</span><span class="lines">@@ -479,7 +479,7 @@
</span><span class="cx">     LayoutUnit logicalRight = m_renderer->logicalRightForFloat(floatingObject);
</span><span class="cx">     if (ShapeOutsideInfo* shapeOutside = floatingObject.renderer().shapeOutsideInfo()) {
</span><span class="cx">         ShapeOutsideDeltas shapeDeltas = shapeOutside->computeDeltasForContainingBlockLine(*m_renderer, floatingObject, m_lineTop, m_lineBottom - m_lineTop);
</span><del>-        if (!shapeDeltas.lineOverlapsShape())
</del><ins>+        if (!shapeDeltas.isValid() || !shapeDeltas.lineOverlapsShape())
</ins><span class="cx">             return false;
</span><span class="cx"> 
</span><span class="cx">         logicalRight += shapeDeltas.rightMarginBoxDelta();
</span><span class="lines">@@ -498,7 +498,7 @@
</span><span class="cx">     LayoutUnit logicalLeft = m_renderer->logicalLeftForFloat(floatingObject);
</span><span class="cx">     if (ShapeOutsideInfo* shapeOutside = floatingObject.renderer().shapeOutsideInfo()) {
</span><span class="cx">         ShapeOutsideDeltas shapeDeltas = shapeOutside->computeDeltasForContainingBlockLine(*m_renderer, floatingObject, m_lineTop, m_lineBottom - m_lineTop);
</span><del>-        if (!shapeDeltas.lineOverlapsShape())
</del><ins>+        if (!shapeDeltas.isValid() || !shapeDeltas.lineOverlapsShape())
</ins><span class="cx">             return false;
</span><span class="cx"> 
</span><span class="cx">         logicalLeft += shapeDeltas.leftMarginBoxDelta();
</span></span></pre></div>
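<p>Review bot: The condition changed on the if before logicalLeft += shapeDeltas.leftMarginBoxDelta() is a verbatim copy of the one added in the hunk at line 479, and neither site explains when the deltas can be invalid. Returning false here skips the margin-box adjustment entirely, so the float is treated as not affecting this line; a short comment that invalid deltas mean "no shape was built during layout and we are not in layout now" would make that intent visible. Consider folding isValid() and lineOverlapsShape() into a single helper on ShapeOutsideDeltas so the two adapters cannot drift apart.</p>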
<a id="trunkSourceWebCorerenderingshapesShapeOutsideInfocpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/rendering/shapes/ShapeOutsideInfo.cpp (245360 => 245361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/rendering/shapes/ShapeOutsideInfo.cpp       2019-05-15 22:27:09 UTC (rev 245360)
+++ trunk/Source/WebCore/rendering/shapes/ShapeOutsideInfo.cpp  2019-05-15 22:34:09 UTC (rev 245361)
</span><span class="lines">@@ -38,6 +38,7 @@
</span><span class="cx"> #include "RenderBox.h"
</span><span class="cx"> #include "RenderFragmentContainer.h"
</span><span class="cx"> #include "RenderImage.h"
</span><ins>+#include "RenderView.h"
</ins><span class="cx"> 
</span><span class="cx"> namespace WebCore {
</span><span class="cx"> 
</span><span class="lines">@@ -320,6 +321,10 @@
</span><span class="cx"> 
</span><span class="cx"> ShapeOutsideDeltas ShapeOutsideInfo::computeDeltasForContainingBlockLine(const RenderBlockFlow& containingBlock, const FloatingObject& floatingObject, LayoutUnit lineTop, LayoutUnit lineHeight)
</span><span class="cx"> {
</span><ins>+    // If we never constructed this shape during layout, we propably don't need to know about it outside of layout in the context of "containing block line".
+    if (!m_shape && !containingBlock.view().frameView().layoutContext().isInLayout())
+        return { };
+
</ins><span class="cx">     ASSERT(lineHeight >= 0);
</span><span class="cx">     LayoutUnit borderBoxTop = containingBlock.logicalTopForFloat(floatingObject) + containingBlock.marginBeforeForChild(m_renderer);
</span><span class="cx">     LayoutUnit borderBoxLineTop = lineTop - borderBoxTop;
</span></span></pre>
</div>
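<p>Review bot: The comment on the new early return in computeDeltasForContainingBlockLine misspells "probably" as "propably", and it does not state the contract that return { }; creates. Callers now receive default-constructed ShapeOutsideDeltas and have to test isValid() before reading any delta; the two updateOffsetIfNeeded sites in FloatingObjects.cpp do so in this change, but nothing in this function tells a future caller about it. Say so in the comment, or assert validity inside the delta accessors. The guard also sits above ASSERT(lineHeight >= 0), so the non-layout path no longer checks that argument; moving the assertion to the top of the function keeps it effective on both paths.</p>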
</div>

</body>
</html>