WebKit Bugzilla
Attachment 356526 Details for Bug 191473: [css-grid] Crash on debug changing the style of a positioned element
Patch: bug-191473-20181204224613.patch (text/plain), 5.87 KB, created by Javier Fernandez on 2018-12-04 13:46:14 PST
>Subversion Revision: 238851 >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index d85b8dac7d0fc41a6c106843784721cd6e154864..6da80995a70c25ac71a5908d79308d70364f1329 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog >@@ -1,3 +1,19 @@ >+2018-11-09 Javier Fernandez <jfernandez@igalia.com> >+ >+ [css-grid] Crash on debug changing the style of a positioned element >+ https://bugs.webkit.org/show_bug.cgi?id=191473 >+ >+ Reviewed by Dean Jackson and Zalan Bujtas. >+ >+ When an box becomes {out-of,in}-flow, it may be re-parented and it may become a grid >+ item. In that case, we must mark the RenderGrid as dirty, so that the grid items >+ placement logic is executed again. >+ >+ Test: fast/css-grid-layout/grid-crash-out-of-flow-positioned-element.html >+ >+ * rendering/updating/RenderTreeBuilder.cpp: >+ (WebCore::childFlowStateChangesAndAffectsParentBlock): Consider the case of a box's new parent being a grid container. >+ > 2018-12-04 Carlos Garcia Campos <cgarcia@igalia.com> > > [SOUP] Move URLSoup back to WebCore after r238771 >diff --git a/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp b/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp >index 1f9faa67f23d3a902b0830ae99d7e592c983b3fe..214f47d698885e664d466e072b2b7290ccafda84 100644 >--- a/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp >+++ b/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp 
>@@ -653,6 +653,13 @@ void RenderTreeBuilder::childFlowStateChangesAndAffectsParentBlock(RenderElement > blockBuilder().childBecameNonInline(downcast<RenderBlock>(*parent), child); > else if (is<RenderInline>(*parent)) > inlineBuilder().childBecameNonInline(downcast<RenderInline>(*parent), child); >+ >+ // childBecameNonInline might have re-parented us. >+ if (auto* newParent = child.parent()) { >+ // We need to re-run the grid items placement if it had gained a new item. >+ if (newParent != parent && is<RenderGrid>(*newParent)) >+ downcast<RenderGrid>(*newParent).dirtyGrid(); >+ } > } else { > // An anonymous block must be made to wrap this inline. > auto newBlock = downcast<RenderBlock>(*parent).createAnonymousBlock(); >diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog >index 5d6c9c0b90a41b0d5e59237ba15659e416f2526d..b7b2e51c197e98c667855250ee51d5e6777e7cd1 100644 >--- a/LayoutTests/ChangeLog >+++ b/LayoutTests/ChangeLog >@@ -1,3 +1,17 @@ >+2018-11-09 Javier Fernandez <jfernandez@igalia.com> >+ >+ [css-grid] Crash on debug changing the style of a positioned element >+ https://bugs.webkit.org/show_bug.cgi?id=191473 >+ >+ Reviewed by Dean Jackson and Zalan Bujtas. >+ >+ Regression test to ensure that the grid placement logic is executed >+ when a positioned item becomes a grid item. >+ >+ * fast/css-grid-layout/grid-crash-out-of-flow-positioned-element-expected.txt: >+ * fast/css-grid-layout/grid-crash-out-of-flow-positioned-element.html: >+ * TestExpectations: Remove a Skip entry, since the test doesn't crash anymore. >+ > 2018-12-04 Devin Rousso <drousso@apple.com> > > Web Inspector: Audit: tests should support async operations >diff --git a/LayoutTests/TestExpectations b/LayoutTests/TestExpectations >index e90ed88b86d1cb1238199268e9463bd6daa275e3..7400ae2225464ce66c95bf9c9ecd04daf4835fa0 100644 >--- a/LayoutTests/TestExpectations >+++ b/LayoutTests/TestExpectations 
>@@ -617,7 +617,6 @@ webkit.org/b/191461 imported/w3c/web-platform-tests/css/css-grid/grid-items/perc > webkit.org/b/191462 imported/w3c/web-platform-tests/css/css-grid/grid-items/percentage-size-replaced-subitems-001.html [ ImageOnlyFailure ] > webkit.org/b/191463 imported/w3c/web-platform-tests/css/css-grid/grid-items/explicitly-sized-grid-item-as-table.html > webkit.org/b/191627 imported/w3c/web-platform-tests/css/css-grid/alignment/grid-self-baseline-not-applied-if-sizing-cyclic-dependency-001.html [ Failure ] >-webkit.org/b/191473 fast/css-grid-layout/grid-crash-out-of-flow-positioned-element.html [ Skip ] > webkit.org/b/149890 fast/css-grid-layout/grid-shorthands-style-format.html [ Failure ] > webkit.org/b/191506 fast/css-grid-layout/grid-item-scroll-position.html [ Failure ] > webkit.org/b/191507 fast/css-grid-layout/positioned-grid-container-percentage-tracks.html [ Failure ] >diff --git a/LayoutTests/fast/css-grid-layout/grid-crash-out-of-flow-positioned-element-expected.txt b/LayoutTests/fast/css-grid-layout/grid-crash-out-of-flow-positioned-element-expected.txt >index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..b5ad2e118a4de9c07db0eb2444740c4382dd1de9 100644 >--- a/LayoutTests/fast/css-grid-layout/grid-crash-out-of-flow-positioned-element-expected.txt >+++ b/LayoutTests/fast/css-grid-layout/grid-crash-out-of-flow-positioned-element-expected.txt >@@ -0,0 +1,2 @@ >+This test has passed if it didn't crash. >+ >diff --git a/LayoutTests/fast/css-grid-layout/grid-crash-out-of-flow-positioned-element.html b/LayoutTests/fast/css-grid-layout/grid-crash-out-of-flow-positioned-element.html >index 01357691944fa44298457091925785115fe154eb..e72824ca9be7d17f59c8d9bfb68f202f50766e8b 100644 >--- a/LayoutTests/fast/css-grid-layout/grid-crash-out-of-flow-positioned-element.html >+++ b/LayoutTests/fast/css-grid-layout/grid-crash-out-of-flow-positioned-element.html 
>@@ -3,15 +3,14 @@ > <style> > .absolutelyPositioned { position: absolute; } > </style> >-crbug.com/280451 - Heap-use-after-free in WebCore::LayoutGrid::computePreferredTrackWidth</br> > This test has passed if it didn't crash. > <script> > if (window.testRunner) > testRunner.dumpAsText(); > > var cell = document.createElement("cell"); >-cell.setAttribute("class", "absolutelyPositioned"); >+cell.classList.add("absolutelyPositioned"); > document.body.appendChild(cell); >-window.scrollBy(98, 28); >-cell.setAttribute("class", "nonExistent"); >+document.body.offsetLeft; >+cell.classList.remove("absolutelyPositioned"); > </script>
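Review bot: In the Source/WebCore/ChangeLog hunk, the function line names (WebCore::childFlowStateChangesAndAffectsParentBlock), but the RenderTreeBuilder.cpp hunk header shows the method as RenderTreeBuilder::childFlowStateChangesAndAffectsParentBlock, so the entry should read WebCore::RenderTreeBuilder::childFlowStateChangesAndAffectsParentBlock. The description also has a typo: "When an box becomes" should be "When a box becomes". The entry is dated 2018-11-09 but is inserted above a 2018-12-04 entry; refresh the date when landing so the ChangeLog stays in order.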
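Review bot: In the RenderTreeBuilder.cpp hunk (@@ -653,6 +653,13 @@), the added block calls is<RenderGrid> and downcast<RenderGrid>, yet the patch adds no #include to this file; confirm RenderGrid.h is already included here, otherwise add it rather than relying on a transitive include. The guard "newParent != parent && is<RenderGrid>(*newParent)" only dirties a grid the child was moved into by childBecameNonInline, so the comment should state why the original parent never needs dirtyGrid() in this branch and why the else branch that wraps the child in an anonymous block needs no equivalent check; stale placement data is the failure this patch is about, so the reasoning for the uncovered paths belongs next to the code. Minor wording: "might have re-parented us" would be clearer as "might have re-parented the child", since this code lives in the builder and not in the child renderer.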
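Review bot: In the grid-crash-out-of-flow-positioned-element.html hunk, deleting the "crbug.com/280451 - Heap-use-after-free in WebCore::LayoutGrid::computePreferredTrackWidth" line removes the only record in the test that it guards against a memory-safety bug; keep that provenance, together with webkit.org/b/191473, in an HTML comment so the dumped text still matches the new -expected.txt. The added "document.body.offsetLeft;" statement replaces window.scrollBy(98, 28) and looks like a no-op to a later reader; add a short comment saying it forces a layout between adding and removing the absolutelyPositioned class, so nobody removes it as dead code and silently disables the regression test.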