WebKit Bugzilla
Attachment 356493 Details for Bug 191473: [css-grid] Crash on debug changing the style of a positioned element
bug-191473-20181204161610.patch (text/plain), 5.66 KB, created by Javier Fernandez on 2018-12-04 07:16:11 PST
>Subversion Revision: 238541 >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index a9534fe43892b952bed4a69dfdde6181268250e9..82ba352d43e3fcbcecd9f8e6cb7b541d6b17bc2b 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog >@@ -1,3 +1,19 @@ >+2018-11-09 Javier Fernandez <jfernandez@igalia.com> >+ >+ [css-grid] Crash on debug changing the style of a positioned element >+ https://bugs.webkit.org/show_bug.cgi?id=191473 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ When an box becomes non-inline, it may be attached to a RenderGrid element. In that case, we must >+ mark the RenderGrid as dirty, since it become a grid item and the grid placement logic has to be >+ executed again. >+ >+ Test: fast/css-grid-layout/grid-crash-out-of-flow-positioned-element.html >+ >+ * rendering/updating/RenderTreeBuilderBlock.cpp: >+ (WebCore::moveAllChildrenToInternal): >+ > 2018-11-26 Ryan Haddad <ryanhaddad@apple.com> > > Unreviewed, rolling out r238357. >diff --git a/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp b/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp >index 1f9faa67f23d3a902b0830ae99d7e592c983b3fe..214f47d698885e664d466e072b2b7290ccafda84 100644 >--- a/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp >+++ b/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp 
>@@ -653,6 +653,13 @@ void RenderTreeBuilder::childFlowStateChangesAndAffectsParentBlock(RenderElement > blockBuilder().childBecameNonInline(downcast<RenderBlock>(*parent), child); > else if (is<RenderInline>(*parent)) > inlineBuilder().childBecameNonInline(downcast<RenderInline>(*parent), child); >+ >+ // childBecameNonInline might have re-parented us. >+ if (auto* newParent = child.parent()) { >+ // We need to re-run the grid items placement if it had gained a new item. >+ if (newParent != parent && is<RenderGrid>(*newParent)) >+ downcast<RenderGrid>(*newParent).dirtyGrid(); >+ } > } else { > // An anonymous block must be made to wrap this inline. > auto newBlock = downcast<RenderBlock>(*parent).createAnonymousBlock(); >diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog >index 4c6164e8f8c0c7ab7a43ffd7e44b504d38b13581..1e98c9cb1d6714afd60fa8d16c5eccd307148c4a 100644 >--- a/LayoutTests/ChangeLog >+++ b/LayoutTests/ChangeLog >@@ -1,3 +1,16 @@ >+2018-11-09 Javier Fernandez <jfernandez@igalia.com> >+ >+ [css-grid] Crash on debug changing the style of a positioned element >+ https://bugs.webkit.org/show_bug.cgi?id=191473 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Regression test to ensure that the grid placement logic is executed >+ when a positioned item becomes a grid item. >+ >+ * fast/css-grid-layout/grid-crash-out-of-flow-positioned-element-expected.txt: Added. >+ * fast/css-grid-layout/grid-crash-out-of-flow-positioned-element.html: Added. >+ > 2018-11-26 Ryan Haddad <ryanhaddad@apple.com> > > Unreviewed, rolling out r238357. >diff --git a/LayoutTests/TestExpectations b/LayoutTests/TestExpectations >index daa868a3055ad881e054aa2b5c94122bb6218686..e2af627a212d9cea6452abfbb22d4f7bcaf954bd 100644 >--- a/LayoutTests/TestExpectations >+++ b/LayoutTests/TestExpectations 
>@@ -590,7 +590,6 @@ webkit.org/b/191461 imported/w3c/web-platform-tests/css/css-grid/grid-items/perc > webkit.org/b/191462 imported/w3c/web-platform-tests/css/css-grid/grid-items/percentage-size-replaced-subitems-001.html [ ImageOnlyFailure ] > webkit.org/b/191463 imported/w3c/web-platform-tests/css/css-grid/grid-items/explicitly-sized-grid-item-as-table.html > webkit.org/b/191627 imported/w3c/web-platform-tests/css/css-grid/alignment/grid-self-baseline-not-applied-if-sizing-cyclic-dependency-001.html [ Failure ] >-webkit.org/b/191473 fast/css-grid-layout/grid-crash-out-of-flow-positioned-element.html [ Crash ] > webkit.org/b/149890 fast/css-grid-layout/grid-shorthands-style-format.html [ Failure ] > webkit.org/b/191506 fast/css-grid-layout/grid-item-scroll-position.html [ Failure ] > webkit.org/b/191507 fast/css-grid-layout/positioned-grid-container-percentage-tracks.html [ Failure ] >diff --git a/LayoutTests/fast/css-grid-layout/grid-crash-out-of-flow-positioned-element-expected.txt b/LayoutTests/fast/css-grid-layout/grid-crash-out-of-flow-positioned-element-expected.txt >index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..b5ad2e118a4de9c07db0eb2444740c4382dd1de9 100644 >--- a/LayoutTests/fast/css-grid-layout/grid-crash-out-of-flow-positioned-element-expected.txt >+++ b/LayoutTests/fast/css-grid-layout/grid-crash-out-of-flow-positioned-element-expected.txt >@@ -0,0 +1,2 @@ >+This test has passed if it didn't crash. >+ >diff --git a/LayoutTests/fast/css-grid-layout/grid-crash-out-of-flow-positioned-element.html b/LayoutTests/fast/css-grid-layout/grid-crash-out-of-flow-positioned-element.html >index 01357691944fa44298457091925785115fe154eb..e72824ca9be7d17f59c8d9bfb68f202f50766e8b 100644 >--- a/LayoutTests/fast/css-grid-layout/grid-crash-out-of-flow-positioned-element.html >+++ b/LayoutTests/fast/css-grid-layout/grid-crash-out-of-flow-positioned-element.html 
>@@ -3,15 +3,14 @@ > <style> > .absolutelyPositioned { position: absolute; } > </style> >-crbug.com/280451 - Heap-use-after-free in WebCore::LayoutGrid::computePreferredTrackWidth</br> > This test has passed if it didn't crash. > <script> > if (window.testRunner) > testRunner.dumpAsText(); > > var cell = document.createElement("cell"); >-cell.setAttribute("class", "absolutelyPositioned"); >+cell.classList.add("absolutelyPositioned"); > document.body.appendChild(cell); >-window.scrollBy(98, 28); >-cell.setAttribute("class", "nonExistent"); >+document.body.offsetLeft; >+cell.classList.remove("absolutelyPositioned"); > </script>
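Review bot: In the Source/WebCore/ChangeLog entry, the touched-file list names `rendering/updating/RenderTreeBuilderBlock.cpp` and `(WebCore::moveAllChildrenToInternal)`, but the only source change in this patch is to `rendering/updating/RenderTreeBuilder.cpp`, inside `RenderTreeBuilder::childFlowStateChangesAndAffectsParentBlock`. Please regenerate the file list so it matches the diff. The entry is also dated 2018-11-09 while it is placed above the 2018-11-26 entry, so the date should be refreshed (the same applies to the LayoutTests/ChangeLog entry). In the description, "When an box" should read "When a box" and "since it become" should read "since it becomes".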
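Review bot: In the RenderTreeBuilder.cpp hunk, the grid is dirtied only when `newParent != parent`, so if `parent` can itself be a RenderGrid and the child stays under it after `childBecameNonInline`, that path does not call `dirtyGrid()` here. Please either drop the `newParent != parent` condition or add a comment saying where the same-parent case is handled. The comment "childBecameNonInline might have re-parented us" would be clearer as "might have re-parented the child", since the code operates on `child` rather than on the builder.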
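Review bot: In grid-crash-out-of-flow-positioned-element.html, the removed `crbug.com/280451` line was the only record in the test of where it came from and what it originally guarded against (a heap-use-after-free in `WebCore::LayoutGrid::computePreferredTrackWidth`); consider keeping that reference, for example in an HTML comment, so the history stays with the test. The bare `document.body.offsetLeft;` statement that replaces `window.scrollBy(98, 28)` reads like dead code and is likely to be deleted by a later cleanup; add a short comment stating that it forces a layout between adding and removing the `absolutelyPositioned` class.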