[Webkit-unassigned] [Bug 56301] chrome.dll!WebCore::RenderBlock::removeFloatingObjectsBelow ReadAV at NULL (928f227631041a7b4b71dd15efeae337)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Mar 15 22:59:28 PDT 2011 

https://bugs.webkit.org/show_bug.cgi?id=56301


Yuqiang Xian <yuqiang.xian at intel.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |yuqiang.xian at intel.com




--- Comment #1 from Yuqiang Xian <yuqiang.xian at intel.com>  2011-03-15 22:59:28 PST ---
For this case, when removeFloatingObjectsBelow is invoked the floatingObjectSet is not empty and it contains one element. It becomes empty after one iteration of the loop which removes the last (and the only) element from the set.

The reason why "lastFloat" parameter is 0 while the floatingObjectSet is not empty is caused by the code below in RenderBlockLineLayout.cpp -

void RenderBlock::layoutInlineChildren(bool relayoutChildren, int& repaintLogicalTop, int& repaintLogicalBottom) {
...
            // around line 691, at this point the set is empty so lastFloat is 0
            FloatingObject* lastFloatFromPreviousLine = (m_floatingObjects && !m_floatingObjects->set().isEmpty()) ? m_floatingObjects->set().last() : 0;
            // one element is inserted into the floating object set
            end = findNextLineBreak(resolver, firstLine, isLineEmpty, lineBreakIteratorInfo, previousLineBrokeCleanly, hyphenated, &clear, lastFloatFromPreviousLine);
...
            // around line 828, the "removeXXX" is invoked with lastFloat as 0  
            removeFloatingObjectsBelow(lastFloatFromPreviousLine, oldLogicalHeight);
...
}

So there seems to be two issues,
1) in the loop of removeFloatingObjectsBelow there's no check for null lastFloat, which should be added. In this special case we may directly clean-up the floatingObjectSet instead of removing the objects one by one?
2) no "isEmpty()" check for floatingObjectSet before the invocations to "first()", "last()" and "removeLast()" as these ListHashSet operations require the set to be non-empty.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list