Skip to site navigation (Press enter)

[webkit-changes] [238888] trunk

jfernandez Wed, 05 Dec 2018 00:18:50 -0800

Title: [238888] trunk

Revision: 238888
Author: [email protected]
Date: 2018-12-05 00:17:10 -0800 (Wed, 05 Dec 2018)

Log Message

[css-grid] Crash on debug changing the style of a positioned element
https://bugs.webkit.org/show_bug.cgi?id=191473


Reviewed by Dean Jackson and Zalan Bujtas.

Source/WebCore:

When an box becomes {out-of,in}-flow, it may be re-parented and it may become a grid
item. In that case, we must mark the RenderGrid as dirty, so that the grid items
placement logic is executed again.

Test: fast/css-grid-layout/grid-crash-out-of-flow-positioned-element.html

* rendering/updating/RenderTreeBuilder.cpp:
(WebCore::childFlowStateChangesAndAffectsParentBlock): Consider the case of a box's new parent being a grid container.

LayoutTests:

Regression test to ensure that the grid placement logic is executed
when a positioned item becomes a grid item.

* fast/css-grid-layout/grid-crash-out-of-flow-positioned-element-expected.txt:
* fast/css-grid-layout/grid-crash-out-of-flow-positioned-element.html:
* TestExpectations: Remove a Skip entry, since the test doesn't crash anymore.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/LayoutTests/TestExpectations
trunk/LayoutTests/fast/css-grid-layout/grid-crash-out-of-flow-positioned-element-expected.txt
trunk/LayoutTests/fast/css-grid-layout/grid-crash-out-of-flow-positioned-element.html
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp

Diff

Modified: trunk/LayoutTests/ChangeLog (238887 => 238888)


--- trunk/LayoutTests/ChangeLog	2018-12-05 06:52:17 UTC (rev 238887)
+++ trunk/LayoutTests/ChangeLog	2018-12-05 08:17:10 UTC (rev 238888)
@@ -1,3 +1,17 @@
+2018-12-05  Javier Fernandez  <[email protected]>
+
+        [css-grid] Crash on debug changing the style of a positioned element
+        https://bugs.webkit.org/show_bug.cgi?id=191473
+
+        Reviewed by Dean Jackson and Zalan Bujtas.
+
+        Regression test to ensure that the grid placement logic is executed
+        when a positioned item becomes a grid item.
+
+        * fast/css-grid-layout/grid-crash-out-of-flow-positioned-element-expected.txt:
+        * fast/css-grid-layout/grid-crash-out-of-flow-positioned-element.html:
+        * TestExpectations: Remove a Skip entry, since the test doesn't crash anymore.
+
 2018-12-04  Simon Fraser  <[email protected]>
 
         Attempt to de-flake this test by scrolling a bit more.

Modified: trunk/LayoutTests/TestExpectations (238887 => 238888)


--- trunk/LayoutTests/TestExpectations	2018-12-05 06:52:17 UTC (rev 238887)
+++ trunk/LayoutTests/TestExpectations	2018-12-05 08:17:10 UTC (rev 238888)
@@ -617,7 +617,6 @@
 webkit.org/b/191462 imported/w3c/web-platform-tests/css/css-grid/grid-items/percentage-size-replaced-subitems-001.html [ ImageOnlyFailure ]
 webkit.org/b/191463 imported/w3c/web-platform-tests/css/css-grid/grid-items/explicitly-sized-grid-item-as-table.html
 webkit.org/b/191627 imported/w3c/web-platform-tests/css/css-grid/alignment/grid-self-baseline-not-applied-if-sizing-cyclic-dependency-001.html [ Failure ]
-webkit.org/b/191473 fast/css-grid-layout/grid-crash-out-of-flow-positioned-element.html [ Skip ]
 webkit.org/b/149890 fast/css-grid-layout/grid-shorthands-style-format.html [ Failure ]
 webkit.org/b/191506 fast/css-grid-layout/grid-item-scroll-position.html [ Failure ]
 webkit.org/b/191507 fast/css-grid-layout/positioned-grid-container-percentage-tracks.html [ Failure ]

Modified: trunk/LayoutTests/fast/css-grid-layout/grid-crash-out-of-flow-positioned-element-expected.txt (238887 => 238888)


--- trunk/LayoutTests/fast/css-grid-layout/grid-crash-out-of-flow-positioned-element-expected.txt	2018-12-05 06:52:17 UTC (rev 238887)
+++ trunk/LayoutTests/fast/css-grid-layout/grid-crash-out-of-flow-positioned-element-expected.txt	2018-12-05 08:17:10 UTC (rev 238888)
@@ -0,0 +1,2 @@
+This test has passed if it didn't crash.
+

Modified: trunk/LayoutTests/fast/css-grid-layout/grid-crash-out-of-flow-positioned-element.html (238887 => 238888)


--- trunk/LayoutTests/fast/css-grid-layout/grid-crash-out-of-flow-positioned-element.html	2018-12-05 06:52:17 UTC (rev 238887)
+++ trunk/LayoutTests/fast/css-grid-layout/grid-crash-out-of-flow-positioned-element.html	2018-12-05 08:17:10 UTC (rev 238888)
@@ -3,7 +3,6 @@
 <style>
 .absolutelyPositioned { position: absolute; }
 </style>
-crbug.com/280451 - Heap-use-after-free in WebCore::LayoutGrid::computePreferredTrackWidth</br>
 This test has passed if it didn't crash.
 <script>
 if (window.testRunner)
@@ -10,8 +9,8 @@
     testRunner.dumpAsText();
 
 var cell = document.createElement("cell");
-cell.setAttribute("class", "absolutelyPositioned");
+cell.classList.add("absolutelyPositioned");
 document.body.appendChild(cell);
-window.scrollBy(98, 28);
-cell.setAttribute("class", "nonExistent");
+document.body.offsetLeft;
+cell.classList.remove("absolutelyPositioned");
 </script>

Modified: trunk/Source/WebCore/ChangeLog (238887 => 238888)


--- trunk/Source/WebCore/ChangeLog	2018-12-05 06:52:17 UTC (rev 238887)
+++ trunk/Source/WebCore/ChangeLog	2018-12-05 08:17:10 UTC (rev 238888)
@@ -1,3 +1,19 @@
+2018-12-05  Javier Fernandez  <[email protected]>
+
+        [css-grid] Crash on debug changing the style of a positioned element
+        https://bugs.webkit.org/show_bug.cgi?id=191473
+
+        Reviewed by Dean Jackson and Zalan Bujtas.
+
+        When an box becomes {out-of,in}-flow, it may be re-parented and it may become a grid
+        item. In that case, we must mark the RenderGrid as dirty, so that the grid items
+        placement logic is executed again.
+
+        Test: fast/css-grid-layout/grid-crash-out-of-flow-positioned-element.html
+
+        * rendering/updating/RenderTreeBuilder.cpp:
+        (WebCore::childFlowStateChangesAndAffectsParentBlock): Consider the case of a box's new parent being a grid container.
+
 2018-12-04  Frederic Wang  <[email protected]>
 
         Always pass scrollingGeometry to update*ScrollingNode functions

Modified: trunk/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp (238887 => 238888)


--- trunk/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp	2018-12-05 06:52:17 UTC (rev 238887)
+++ trunk/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp	2018-12-05 08:17:10 UTC (rev 238888)
@@ -653,6 +653,13 @@
             blockBuilder().childBecameNonInline(downcast<RenderBlock>(*parent), child);
         else if (is<RenderInline>(*parent))
             inlineBuilder().childBecameNonInline(downcast<RenderInline>(*parent), child);
+
+        // childBecameNonInline might have re-parented us.
+        if (auto* newParent = child.parent()) {
+            // We need to re-run the grid items placement if it had gained a new item.
+            if (newParent != parent && is<RenderGrid>(*newParent))
+                downcast<RenderGrid>(*newParent).dirtyGrid();
+        }
     } else {
         // An anonymous block must be made to wrap this inline.
         auto newBlock = downcast<RenderBlock>(*parent).createAnonymousBlock();

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes