WebKit Bugzilla: Attachment 356485 Details for Bug 191473: [css-grid] Crash on debug changing the style of a positioned element
bug-191473-20181204140456.patch (text/plain), 4.65 KB, created by Javier Fernandez on 2018-12-04 05:04:57 PST
>Subversion Revision: 238541 >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index a9534fe43892b952bed4a69dfdde6181268250e9..82ba352d43e3fcbcecd9f8e6cb7b541d6b17bc2b 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog >@@ -1,3 +1,19 @@ >+2018-11-09 Javier Fernandez <jfernandez@igalia.com> >+ >+ [css-grid] Crash on debug changing the style of a positioned element >+ https://bugs.webkit.org/show_bug.cgi?id=191473 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ When an box becomes non-inline, it may be attached to a RenderGrid element. In that case, we must >+ mark the RenderGrid as dirty, since it become a grid item and the grid placement logic has to be >+ executed again. >+ >+ Test: fast/css-grid-layout/grid-crash-out-of-flow-positioned-element.html >+ >+ * rendering/updating/RenderTreeBuilderBlock.cpp: >+ (WebCore::moveAllChildrenToInternal): >+ > 2018-11-26 Ryan Haddad <ryanhaddad@apple.com> > > Unreviewed, rolling out r238357. >diff --git a/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp b/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp >index 1f9faa67f23d3a902b0830ae99d7e592c983b3fe..7ad74186673823847d9b4cbafd6c740bd6e55a86 100644 >--- a/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp >+++ b/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp 
>@@ -651,8 +651,15 @@ void RenderTreeBuilder::childFlowStateChangesAndAffectsParentBlock(RenderElement > if (!child.isInline()) { > if (is<RenderBlock>(parent)) > blockBuilder().childBecameNonInline(downcast<RenderBlock>(*parent), child); >- else if (is<RenderInline>(*parent)) >+ else if (is<RenderInline>(*parent)) { > inlineBuilder().childBecameNonInline(downcast<RenderInline>(*parent), child); >+ // childBecameNonInline might have re-parented us. >+ if (auto* parent = child.parent()) { >+ // Check if RenderGrid had gained a new grid item. >+ if (is<RenderGrid>(*parent)) >+ downcast<RenderGrid>(*parent).dirtyGrid(); >+ } >+ } > } else { > // An anonymous block must be made to wrap this inline. > auto newBlock = downcast<RenderBlock>(*parent).createAnonymousBlock(); >diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog >index 4c6164e8f8c0c7ab7a43ffd7e44b504d38b13581..1e98c9cb1d6714afd60fa8d16c5eccd307148c4a 100644 >--- a/LayoutTests/ChangeLog >+++ b/LayoutTests/ChangeLog >@@ -1,3 +1,16 @@ >+2018-11-09 Javier Fernandez <jfernandez@igalia.com> >+ >+ [css-grid] Crash on debug changing the style of a positioned element >+ https://bugs.webkit.org/show_bug.cgi?id=191473 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Regression test to ensure that the grid placement logic is executed >+ when a positioned item becomes a grid item. >+ >+ * fast/css-grid-layout/grid-crash-out-of-flow-positioned-element-expected.txt: Added. >+ * fast/css-grid-layout/grid-crash-out-of-flow-positioned-element.html: Added. >+ > 2018-11-26 Ryan Haddad <ryanhaddad@apple.com> > > Unreviewed, rolling out r238357. >diff --git a/LayoutTests/fast/css-grid-layout/grid-crash-out-of-flow-positioned-element-expected.txt b/LayoutTests/fast/css-grid-layout/grid-crash-out-of-flow-positioned-element-expected.txt >index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..b5ad2e118a4de9c07db0eb2444740c4382dd1de9 100644 >--- a/LayoutTests/fast/css-grid-layout/grid-crash-out-of-flow-positioned-element-expected.txt 
>+++ b/LayoutTests/fast/css-grid-layout/grid-crash-out-of-flow-positioned-element-expected.txt >@@ -0,0 +1,2 @@ >+This test has passed if it didn't crash. >+ >diff --git a/LayoutTests/fast/css-grid-layout/grid-crash-out-of-flow-positioned-element.html b/LayoutTests/fast/css-grid-layout/grid-crash-out-of-flow-positioned-element.html >index 01357691944fa44298457091925785115fe154eb..e72824ca9be7d17f59c8d9bfb68f202f50766e8b 100644 >--- a/LayoutTests/fast/css-grid-layout/grid-crash-out-of-flow-positioned-element.html >+++ b/LayoutTests/fast/css-grid-layout/grid-crash-out-of-flow-positioned-element.html >@@ -3,15 +3,14 @@ > <style> > .absolutelyPositioned { position: absolute; } > </style> >-crbug.com/280451 - Heap-use-after-free in WebCore::LayoutGrid::computePreferredTrackWidth</br> > This test has passed if it didn't crash. > <script> > if (window.testRunner) > testRunner.dumpAsText(); > > var cell = document.createElement("cell"); >-cell.setAttribute("class", "absolutelyPositioned"); >+cell.classList.add("absolutelyPositioned"); > document.body.appendChild(cell); >-window.scrollBy(98, 28); >-cell.setAttribute("class", "nonExistent"); >+document.body.offsetLeft; >+cell.classList.remove("absolutelyPositioned"); > </script>
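Review bot: In Source/WebCore/ChangeLog the file list names rendering/updating/RenderTreeBuilderBlock.cpp and (WebCore::moveAllChildrenToInternal), but the only source change in this patch is to rendering/updating/RenderTreeBuilder.cpp, inside RenderTreeBuilder::childFlowStateChangesAndAffectsParentBlock. Update the entry so it lists the file and function actually touched. The description also has two grammar slips worth fixing before landing: "When an box" and "since it become a grid item".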
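Review bot: In the RenderTreeBuilder.cpp hunk, the new `if (auto* parent = child.parent())` declares a local that shadows the outer `parent` already used by the surrounding is<RenderBlock>(parent) and is<RenderInline>(*parent) checks, which makes it easy to misread which parent is being tested. Rename the inner variable (for example newParent) so the re-parenting is explicit. The dirtyGrid() call is also added only to the RenderInline branch, while the ChangeLog describes the case generally as a box becoming non-inline; either handle the is<RenderBlock>(parent) branch as well or extend the comment to say why a child cannot end up under a RenderGrid on that path. No hunk adds an include for the RenderGrid header, so confirm this file already pulls it in.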
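Review bot: The LayoutTests/ChangeLog entry marks both grid-crash-out-of-flow-positioned-element files as "Added", but neither diff creates a file: both use a `--- a/...` source rather than /dev/null, and the .html change is a `@@ -3,15 +3,14 @@` hunk that edits and removes existing lines. Either describe these as modifications in the ChangeLog, or regenerate the patch so the files appear as new if that was the intent.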
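Review bot: In grid-crash-out-of-flow-positioned-element.html, removing the crbug.com/280451 line leaves the test with no reference to the bug it guards against, and the removed line is the only place that recorded the original failure as a heap-use-after-free. Add a short line or comment pointing at https://bugs.webkit.org/show_bug.cgi?id=191473 so a future crash in this test can be triaged with the right context. The new `document.body.offsetLeft;` statement would also benefit from a one-line comment saying it is there to force a layout between adding and removing the absolutelyPositioned class, since otherwise it reads as a no-op that someone may later delete.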