[webkit-changes] [WebKit/WebKit] baa760: [Grid] Crash in gridAreaPositionForOutOfFlowGridIt...

Sammy Gill noreply at github.com
Wed Feb 5 06:40:44 PST 2025 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: baa760883a1ef5c21028df5b61903dab6b7dd41c
      https://github.com/WebKit/WebKit/commit/baa760883a1ef5c21028df5b61903dab6b7dd41c
  Author: Sammy Gill <sammy.gill at apple.com>
  Date:   2025-02-05 (Wed, 05 Feb 2025)

  Changed paths:
    A LayoutTests/fast/css-grid-layout/simplified-layout-with-oof-children-crash-expected.txt
    A LayoutTests/fast/css-grid-layout/simplified-layout-with-oof-children-crash.html
    M Source/WebCore/rendering/RenderGrid.cpp

  Log Message:
  -----------
  [Grid] Crash in gridAreaPositionForOutOfFlowGridItem when accessing out of flow item map during simplified layout.
https://bugs.webkit.org/show_bug.cgi?id=287031
rdar://143376323

Reviewed by Alan Baradlay.

Currently, grid layout will clear its out of flow positioned maps before
it lays out its positioned content. This can lead to a crash if we
perform simplified layout afterwards as there is no guarantee that the
items in the map are still there (like in the testcase). We should
clear this map after we have performed laid out the positioned content
as there is currently no reason to query it after we are done with
layout. We only seem to use these maps during layout to query and set
the offsets for grid items.

The reason for this is due to the fact that when we subsequently enter
simplified layout we will check to see if a grid item is in the map via
gridAreaPositionForOutOfFlowGridItem. If we end up computing an index in
the map for a renderer that was removed from the tree before we entered
simplified layout, then we will end up hitting a RELEASE_ASSERT in
WeakRef code.

Also apply the same logic for Masonry as there is no reason as far as
I know why this should not follow the same idea.

* LayoutTests/fast/css-grid-layout/simplified-layout-with-oof-children-crash-expected.txt: Added.
* LayoutTests/fast/css-grid-layout/simplified-layout-with-oof-children-crash.html: Added.
* Source/WebCore/rendering/RenderGrid.cpp:
(WebCore::RenderGrid::layoutGrid):
(WebCore::RenderGrid::layoutMasonry):

Canonical link: https://commits.webkit.org/289863@main



To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications

More information about the webkit-changes mailing list