    Avoid re-using lines with floats adjacent to dirty lines. · 53eab5a4
    Morten Stenshorne authored
    If a line (RootInlineBox) is marked dirty, also treat adjacent following
    lines with floats on them as dirty. We cannot safely skip laying them
    out, because of bugs in the legacy line layout engine.
    
    We ended up in a scenario where just one line got marked dirty, because
    we removed some text there. A float that was associated with the second
    line got associated with the first (dirty) line during re-layout. We'd
    skip layout of the next line because it wasn't dirty, and we found it
    safe to stop laying out after the first line and re-use the remaining
    lines from the previous layout pass. Suddenly the float was associated
    with two lines.
    
    In addition to definitely fixing the fuzzer crash in bug 724830, it is
    also a speculative fix for bug 969325 (which I've been unable to
    reproduce, but both the test and the crash seem very similar).
    
    Bug: 724830, 969325
    Change-Id: I0bbceeac1e19588c58206ed075c21ea19347109f
    Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1664910
    Reviewed-by: Morten Stenshorne <mstensho@chromium.org>
    Reviewed-by: Emil A Eklund <eae@chromium.org>
    Commit-Queue: Emil A Eklund <eae@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#670216}
remove-text-near-float-and-line-boundary-crash.html 965 Bytes