[webkit-changes] [WebKit/WebKit] a2043f: [Grid] Crash in gridAreaPositionForOutOfFlowGridIt...

Sammy Gill noreply at github.com
Tue Feb 18 12:25:53 PST 2025 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: a2043fd47c108e0a5a7ef9a96de6d963356f4224
      https://github.com/WebKit/WebKit/commit/a2043fd47c108e0a5a7ef9a96de6d963356f4224
  Author: Sammy Gill <sammy.gill at apple.com>
  Date:   2025-02-18 (Tue, 18 Feb 2025)

  Changed paths:
    A LayoutTests/fast/css-grid-layout/simplified-layout-consecutive-with-oof-children-crash-expected.txt
    A LayoutTests/fast/css-grid-layout/simplified-layout-consecutive-with-oof-children-crash.html
    M Source/WebCore/rendering/RenderGrid.cpp

  Log Message:
  -----------
  [Grid] Crash in gridAreaPositionForOutOfFlowGridItem during consecutive occurrences of simplified layout
https://bugs.webkit.org/show_bug.cgi?id=287832
rdar://144491217

Reviewed by Alan Baradlay.

In 289863 at main, we fixed a bug where we hit a RELEASE_ASSERT when going from performing
grid layout to subsequently performing simplified layout due to some content mutation.
This was because we have a HashMap that uses a WeakRef<const RenderBox> and were not
properly cleaning it up at the end of layout.

This patch fixes another variation of that same bug, but this time the content mutation
ends up causing us to perform simplified layout consecutively. Since we do not clear the
map at the end of simplified layout, we end up running into the exact same bug. To fix this
(and hopefully any other variations of this bug), we can create a "postLayoutTasks,"
ScopeExit at the beginning of RenderGrid::layoutBlock to handle any sort of cleanup that
we need to do at the end of grid layout. As of now, clearing these maps is the only thing
it is responsible for.

* LayoutTests/fast/css-grid-layout/simplified-layout-consecutive-with-oof-children-crash-expected.txt: Added.
* LayoutTests/fast/css-grid-layout/simplified-layout-consecutive-with-oof-children-crash.html: Added.
* Source/WebCore/rendering/RenderGrid.cpp:
(WebCore::RenderGrid::layoutBlock):
(WebCore::RenderGrid::layoutGrid):
(WebCore::RenderGrid::layoutMasonry):

Canonical link: https://commits.webkit.org/290546@main



To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications

More information about the webkit-changes mailing list