Title: [275430] trunk
Revision: 275430
Author: [email protected]
Date: 2021-04-02 12:30:12 -0700 (Fri, 02 Apr 2021)

Log Message

[AspectRatio] Out-of-flow box with intrinsic width (e.g. <img>) may trigger infinite recursion
https://bugs.webkit.org/show_bug.cgi?id=224113

Reviewed by Rob Buis.

Source/WebCore:

This covers the case when the out-of-flow box has intrinsic width (replaced box) and
the max-width is also set to "intrinsic" meaning content size dependent. In such cases
the aspect ratio computation ends up recursing around RenderBox::computeReplacedLogicalWidthRespectingMinMaxWidth.
This path checks if the out-of-flow box's horizontal size is also constrained by the intrinsic width.

Test: fast/replaced/infinite-recursion-with-intrinsic-width.html

* rendering/RenderBox.cpp:
(WebCore::shouldComputeLogicalWidthFromAspectRatioAndInsets):

LayoutTests:

* fast/replaced/infinite-recursion-with-intrinsic-width-expected.txt: Added.
* fast/replaced/infinite-recursion-with-intrinsic-width.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (275429 => 275430)


--- trunk/LayoutTests/ChangeLog	2021-04-02 18:52:16 UTC (rev 275429)
+++ trunk/LayoutTests/ChangeLog	2021-04-02 19:30:12 UTC (rev 275430)
@@ -1,3 +1,13 @@
+2021-04-02  Zalan Bujtas  <[email protected]>
+
+        [AspectRatio] Out-of-flow box with intrinsic width (e.g. <img>) may trigger infinite recursion
+        https://bugs.webkit.org/show_bug.cgi?id=224113
+
+        Reviewed by Rob Buis.
+
+        * fast/replaced/infinite-recursion-with-intrinsic-width-expected.txt: Added.
+        * fast/replaced/infinite-recursion-with-intrinsic-width.html: Added.
+
 2021-04-02  Chris Gambrell  <[email protected]>
 
         [LayoutTests] Convert http/tests/referrer-policy convert PHP to Python

Added: trunk/LayoutTests/fast/replaced/infinite-recursion-with-intrinsic-width-expected.txt (0 => 275430)


--- trunk/LayoutTests/fast/replaced/infinite-recursion-with-intrinsic-width-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/replaced/infinite-recursion-with-intrinsic-width-expected.txt	2021-04-02 19:30:12 UTC (rev 275430)
@@ -0,0 +1 @@
+PASS if no crash.

Added: trunk/LayoutTests/fast/replaced/infinite-recursion-with-intrinsic-width.html (0 => 275430)


--- trunk/LayoutTests/fast/replaced/infinite-recursion-with-intrinsic-width.html	                        (rev 0)
+++ trunk/LayoutTests/fast/replaced/infinite-recursion-with-intrinsic-width.html	2021-04-02 19:30:12 UTC (rev 275430)
@@ -0,0 +1,15 @@
+<style>
+  img {
+    top: 0;
+    bottom: 0;
+    aspect-ratio: 1;
+    max-width: fit-content;
+    position: absolute;
+  }
+</style>
+<img src=""
+PASS if no crash.
+<script>
+if (window.testRunner)
+  testRunner.dumpAsText();
+</script>
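Review bot: the `<img src=""` line in this test has no closing `>` as shown, so the "PASS if no crash." text and the `<script>` opening that follow would be tokenized as attributes of the img element, and `testRunner.dumpAsText()` would not run. Close the tag so that the PASS line is rendered as text and the script executes. A short comment naming the combination under test (absolute positioning with top/bottom set, `aspect-ratio`, and `max-width: fit-content`) would also help when this test is revisited, since the only signal it gives is the absence of a crash.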

Modified: trunk/Source/WebCore/ChangeLog (275429 => 275430)


--- trunk/Source/WebCore/ChangeLog	2021-04-02 18:52:16 UTC (rev 275429)
+++ trunk/Source/WebCore/ChangeLog	2021-04-02 19:30:12 UTC (rev 275430)
@@ -1,3 +1,20 @@
+2021-04-02  Zalan Bujtas  <[email protected]>
+
+        [AspectRatio] Out-of-flow box with intrinsic width (e.g. <img>) may trigger infinite recursion
+        https://bugs.webkit.org/show_bug.cgi?id=224113
+
+        Reviewed by Rob Buis.
+
+        This covers the case when the out-of-flow box has intrinsic width (replaced box) and
+        the max-width is also set to "intrinsic" meaning content size dependent. In such cases
+        the aspect ratio computation ends up recursing around RenderBox::computeReplacedLogicalWidthRespectingMinMaxWidth.
+        This path checks if the out-of-flow box's horizontal size is also constrained by the intrinsic width.
+
+        Test: fast/replaced/infinite-recursion-with-intrinsic-width.html
+
+        * rendering/RenderBox.cpp:
+        (WebCore::shouldComputeLogicalWidthFromAspectRatioAndInsets):
+
 2021-04-02  Chris Dumez  <[email protected]>
 
         Delete JS code and trigger garbage collection in worker threads on memory pressure

Modified: trunk/Source/WebCore/rendering/RenderBox.cpp (275429 => 275430)


--- trunk/Source/WebCore/rendering/RenderBox.cpp	2021-04-02 18:52:16 UTC (rev 275429)
+++ trunk/Source/WebCore/rendering/RenderBox.cpp	2021-04-02 19:30:12 UTC (rev 275430)
@@ -5111,7 +5111,7 @@
         return false;
     }
     // When both left and right are set, the out-of-flow positioned box is horizontally constrained and aspect ratio for the logical width is not applicable.
-    auto hasConstrainedWidth = !style.logicalLeft().isAuto() && !style.logicalRight().isAuto();
+    auto hasConstrainedWidth = (!style.logicalLeft().isAuto() && !style.logicalRight().isAuto()) || renderer.intrinsicLogicalWidth();
     if (hasConstrainedWidth)
         return false;
 
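Review bot: the new `|| renderer.intrinsicLogicalWidth()` term on the `hasConstrainedWidth` line is broader than the case the log message describes. It turns off the aspect-ratio width path for every out-of-flow box with a non-zero intrinsic width, without checking that max-width (or min-width) is actually intrinsic. If that is intended, the comment directly above should say so, since it still only mentions left and right being set and the variable name no longer matches what it tests; otherwise the style's min/max-width should be part of the condition. The term is also used directly as a truth value, so a replaced box whose intrinsic width is 0 still takes the aspect-ratio path; an explicit comparison would make that behaviour visible and is worth covering with a second test case.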