Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: ca8c809f1e71553a22215a67fe9be1d05114e6d6
https://github.com/WebKit/WebKit/commit/ca8c809f1e71553a22215a67fe9be1d05114e6d6
Author: Roberto Rodriguez <[email protected]>
Date: 2026-06-04 (Thu, 04 Jun 2026)
Changed paths:
A
LayoutTests/fast/css-grid-layout/masonry-span-exceeds-grid-axis-tracks-crash-expected.txt
A
LayoutTests/fast/css-grid-layout/masonry-span-exceeds-grid-axis-tracks-crash.html
A
LayoutTests/fast/css-grid-layout/masonry-subgrid-excluded-legend-crash-expected.txt
A
LayoutTests/fast/css-grid-layout/masonry-subgrid-excluded-legend-crash.html
M Source/WebCore/rendering/GridMasonryLayout.cpp
M Source/WebCore/rendering/RenderGrid.cpp
Log Message:
-----------
Masonry fieldset legend passes isSubgrid() despite being excluded from parent
grid
https://bugs.webkit.org/show_bug.cgi?id=313505
rdar://175165115
Reviewed by Elika Etemad.
RenderGrid::isSubgrid() does not check isExcludedFromNormalLayout(). A fieldset
legend styled with
grid-template-rows: subgrid is excluded from the fieldset's grid item placement
but still passes all
subgrid checks. When the legend's layout queries the parent grid for its span,
the legend is not found
and hits ASSERT(m_gridItemArea.contains(item)) in debug builds and causes an
unsigned underflow in
gridAreaForIndefiniteGridAxisItem in release builds.
Return false from isSubgrid() for excluded elements. Clamp the item span to the
grid-axis track count in
gridAreaForIndefiniteGridAxisItem() per CSS Grid Level 3 ยง4.4, which bounds
placement to existing grid-axis
tracks.
Tests: fast/css-grid-layout/masonry-span-exceeds-grid-axis-tracks-crash.html
fast/css-grid-layout/masonry-subgrid-excluded-legend-crash.html
*
LayoutTests/fast/css-grid-layout/masonry-span-exceeds-grid-axis-tracks-crash-expected.txt:
Added.
*
LayoutTests/fast/css-grid-layout/masonry-span-exceeds-grid-axis-tracks-crash.html:
Added.
*
LayoutTests/fast/css-grid-layout/masonry-subgrid-excluded-legend-crash-expected.txt:
Added.
* LayoutTests/fast/css-grid-layout/masonry-subgrid-excluded-legend-crash.html:
Added.
* Source/WebCore/rendering/GridMasonryLayout.cpp:
(WebCore::GridMasonryLayout::gridAreaForIndefiniteGridAxisItem):
* Source/WebCore/rendering/RenderGrid.cpp:
(WebCore::RenderGrid::isSubgrid const):
Originally-landed-as: 305413.808@safari-7624-branch (b39e5f1bf872).
rdar://175165115
Canonical link: https://commits.webkit.org/314580@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
