Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: df20d570f133c81f92690d9744440b4ea29d5cfd
https://github.com/WebKit/WebKit/commit/df20d570f133c81f92690d9744440b4ea29d5cfd
Author: Rob Buis <[email protected]>
Date: 2025-12-12 (Fri, 12 Dec 2025)
Changed paths:
A LayoutTests/fast/misc/event-region-with-prohibited-frame-expected.txt
A LayoutTests/fast/misc/event-region-with-prohibited-frame.html
M Source/WebCore/rendering/RenderLayerCompositor.cpp
Log Message:
-----------
ASAN_ILL | LayoutIntegration::LineLayout::paint;
WebCore::RenderLayer::collectEventRegionForFragments;
WebCore::RenderLayer::paintLayerContents
https://bugs.webkit.org/show_bug.cgi?id=296870
rdar://157023591
Reviewed by Simon Fraser.
The test case contains a subframe that starts self referencing. Such subframes
are being prohibited and are not guaranteed to have a laid out rendering tree.
So in that case prevent event region collecting, since that would lead to
various ASSERTs.
* LayoutTests/fast/misc/event-region-with-prohibited-frame-expected.txt: Added.
* LayoutTests/fast/misc/event-region-with-prohibited-frame.html: Added.
* Source/WebCore/rendering/RenderLayerCompositor.cpp:
(WebCore::RenderLayerCompositor::updateEventRegions):
Originally-landed-as: [email protected] (544f117e7985).
rdar://166339926
Canonical link: https://commits.webkit.org/304397@main
Commit: ae55f8de6bea6fdebe67c3abb52f9b572c59e2a0
https://github.com/WebKit/WebKit/commit/ae55f8de6bea6fdebe67c3abb52f9b572c59e2a0
Author: Rob Buis <[email protected]>
Date: 2025-12-12 (Fri, 12 Dec 2025)
Changed paths:
A LayoutTests/fast/forms/textarea-with-absolute-placeholder-crash-expected.txt
A LayoutTests/fast/forms/textarea-with-absolute-placeholder-crash.html
M Source/WebCore/css/html.css
Log Message:
-----------
ASAN_ILL | WebCore::LocalFrameViewLayoutContext::performLayout;
WebCore::LocalFrameViewLayoutContext::layout; WebCore::Document::updateLayout
https://bugs.webkit.org/show_bug.cgi?id=298078
rdar://157023263
Reviewed by Alan Baradlay.
The placeholder text in the RenderTextControl is treated as excluded content
and uses special layout logic. This special layout logic does not consider that
the placeholder can be absolutely positioned like in the testcase, resulting in
a render tree that ends up being dirty.
To prevent this problem, do not allow position values other than the default
'static', which actually matches the specification [1], since it states a
limited number of properties apply to the ::placeholder pseudo-element, which
does not include the position property.
[1] https://drafts.csswg.org/css-pseudo/#placeholder-pseudo
* LayoutTests/fast/forms/textarea-with-absolute-placeholder-crash-expected.txt: Added.
* LayoutTests/fast/forms/textarea-with-absolute-placeholder-crash.html: Added.
* Source/WebCore/css/html.css:
(::placeholder):
Originally-landed-as: [email protected] (b4e1ccfd7e27).
rdar://166339811
Canonical link: https://commits.webkit.org/304398@main
Commit: 1103435b51050d0ab363cca7a7dcccea834ed4fc
https://github.com/WebKit/WebKit/commit/1103435b51050d0ab363cca7a7dcccea834ed4fc
Author: Rob Buis <[email protected]>
Date: 2025-12-12 (Fri, 12 Dec 2025)
Changed paths:
A LayoutTests/fast/text/text-wrap-no-hyphenation-crash-expected.txt
A LayoutTests/fast/text/text-wrap-no-hyphenation-crash.html
M Source/WebCore/layout/formattingContexts/inline/InlineContentConstrainer.cpp
Log Message:
-----------
ASAN_ILL | Layout::InlineContentConstrainer::prettifyRange;
Layout::InlineContentConstrainer::computeParagraphLevelConstraints;
Layout::InlineFormattingContext::layout
https://bugs.webkit.org/show_bug.cgi?id=296871
rdar://157025106
Reviewed by Alan Baradlay.
In InlineContentConstrainer::prettifyRange, if the hyphenation step does
not yield a new lastValidStateIndex, treat that as hyphenation not creating
a valid solution, since continuing would result in an assertion failure.
* LayoutTests/fast/text/text-wrap-no-hyphenation-crash-expected.txt: Added.
* LayoutTests/fast/text/text-wrap-no-hyphenation-crash.html: Added.
* Source/WebCore/layout/formattingContexts/inline/InlineContentConstrainer.cpp:
(WebCore::Layout::InlineContentConstrainer::prettifyRange):
Originally-landed-as: [email protected] (c18e654b85ca).
rdar://166339734
Canonical link: https://commits.webkit.org/304399@main
Commit: 674e82d6f06194a66bce51a7a2cf2246143de348
https://github.com/WebKit/WebKit/commit/674e82d6f06194a66bce51a7a2cf2246143de348
Author: Rob Buis <[email protected]>
Date: 2025-12-12 (Fri, 12 Dec 2025)
Changed paths:
A LayoutTests/fast/dynamic/stale-floating-state-after-skipped-layouts2-expected.txt
A LayoutTests/fast/dynamic/stale-floating-state-after-skipped-layouts2.html
M Source/WebCore/rendering/RenderBlockFlow.cpp
Log Message:
-----------
ASAN_ILL | WebCore::FloatingObject::renderer;
WebCore::RenderBlockFlow::styleDidChange; WebCore::RenderElement::setStyle
https://bugs.webkit.org/show_bug.cgi?id=298926
rdar://158670568
Reviewed by Alan Baradlay.
In the test case some layout is skipped due to the details open attribute and
later toggled to unskip it. The skipped subtree has some FloatingObjects and
when the img gets recreated by the RenderTreeUpdater some of those
FloatingObjects will have a null renderer (to said img renderer).
Since 295699@main RenderBlockFlow::subtreeContainsFloat uses childrenOfType so
not all descendants are being searched; in the test case the slot element and
its child are not found, leaving those FloatingObjects with destroyed renderers
and crashing when iterating over them in
rebuildFloatingObjectSetFromIntrudingFloats.
To fix this, revert to using descendantsOfType instead of childrenOfType.
* LayoutTests/fast/dynamic/stale-floating-state-after-skipped-layouts2-expected.txt: Added.
* LayoutTests/fast/dynamic/stale-floating-state-after-skipped-layouts2.html: Added.
* Source/WebCore/rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::subtreeContainsFloat const):
Originally-landed-as: [email protected] (59c02d213d27).
rdar://166339757
Canonical link: https://commits.webkit.org/304400@main
Commit: b26db034dbb9667f6ff3fe208bdded1a238bed9a
https://github.com/WebKit/WebKit/commit/b26db034dbb9667f6ff3fe208bdded1a238bed9a
Author: Frédéric Wang <[email protected]>
Date: 2025-12-12 (Fri, 12 Dec 2025)
Changed paths:
A LayoutTests/fast/dynamic/stale-floating-state-after-skipped-layouts3-expected.txt
A LayoutTests/fast/dynamic/stale-floating-state-after-skipped-layouts3.html
Log Message:
-----------
ASAN_ILL | WTF::HashTable::contains;
WebCore::RenderBlockFlow::subtreeContainsFloat;
WebCore::RenderBlockFlow::markAllDescendantsWithFloatsForLayout
https://bugs.webkit.org/show_bug.cgi?id=298924
rdar://158670568
Reviewed by Alan Baradlay.
Add a non-regression test. This was originally fixed in
https://commits.webkit.org/[email protected]
* LayoutTests/fast/dynamic/stale-floating-state-after-skipped-layouts3-expected.txt: Added.
* LayoutTests/fast/dynamic/stale-floating-state-after-skipped-layouts3.html: Added.
Originally-landed-as: [email protected] (8edee3d73524).
rdar://166339455
Canonical link: https://commits.webkit.org/304401@main
Compare: https://github.com/WebKit/WebKit/compare/977fde23d889...b26db034dbb9