Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: b1f0317c51e1489cc8b1e8f37bbbd18c7875010b
https://github.com/WebKit/WebKit/commit/b1f0317c51e1489cc8b1e8f37bbbd18c7875010b
Author: Rob Buis <[email protected]>
Date: 2025-11-11 (Tue, 11 Nov 2025)
Changed paths:
A LayoutTests/fast/css/content-visibility-container-with-oof-child-crash-expected.txt
A LayoutTests/fast/css/content-visibility-container-with-oof-child-crash.html
M Source/WebCore/rendering/RenderBlock.cpp
Log Message:
-----------
ASAN_SEGV | WebCore::Path::strokeContains; WebCore::LegacyRenderSVGPath::shapeDependentStrokeContains; WebCore::SVGGeometryElement::isPointInStroke
https://bugs.webkit.org/show_bug.cgi?id=295244
rdar://154646149
Reviewed by Alan Baradlay.
Prevent simplified layout on a c-v root with a previously skipped subtree, since that means any out of flow children in the subtree have not been processed yet, and only the normal layout path handles them correctly.
* LayoutTests/fast/css/content-visibility-container-with-oof-child-crash-expected.txt: Added.
* LayoutTests/fast/css/content-visibility-container-with-oof-child-crash.html: Added.
* Source/WebCore/rendering/RenderBlock.cpp:
(WebCore::RenderBlock::canPerformSimplifiedLayout const):
Originally-landed-as: [email protected] (2f7305a50eb3).
rdar://164279372
Canonical link: https://commits.webkit.org/302885@main
Commit: 7d181b38a42c5e4af12be76f3b10775ffa196c21
https://github.com/WebKit/WebKit/commit/7d181b38a42c5e4af12be76f3b10775ffa196c21
Author: Claudio Saavedra <[email protected]>
Date: 2025-11-11 (Tue, 11 Nov 2025)
Changed paths:
A LayoutTests/fast/css/immutable-properties-crash-expected.txt
A LayoutTests/fast/css/immutable-properties-crash.html
M Source/WTF/wtf/text/StringHash.h
M Source/WebCore/css/ImmutableStyleProperties.cpp
Log Message:
-----------
ASAN_ILL | WebCore::ImmutableStyleProperties::createDeduplicating; WebCore::createStyleProperties; WebCore::CSSParser::parseInlineStyleDeclaration
https://bugs.webkit.org/show_bug.cgi?id=295927
rdar://155792201
Reviewed by Simon Fraser.
AlreadyHashed::avoidDeletedValue() always returns the passed hash, as the or-bitwise operator doesn't really do anything. If the expected behavior of this method is to avoid the special 0xFFFFFFFF value, then I strongly suspect that what was intended was to use a xor-bitwise operation; this will indeed flip the topmost bit if the hash is 0xFFFFFFFF but leave it unchanged for any other value (except 0, of course).
ImmutableStyleProperties should use this method when adding elements to its hash map, to make sure that it doesn't accidentally try to insert a value whose hash key is 0xFFFFFFFF. Otherwise it will hit an assertion.
* LayoutTests/fast/css/immutable-properties-crash-expected.txt: Added.
* LayoutTests/fast/css/immutable-properties-crash.html: Added.
* Source/WTF/wtf/text/StringHash.h:
(WTF::AlreadyHashed::avoidDeletedValue):
* Source/WebCore/css/ImmutableStyleProperties.cpp:
(WebCore::ImmutableStyleProperties::createDeduplicating):
Originally-landed-as: [email protected] (c54787bc3732).
rdar://164279182
Canonical link: https://commits.webkit.org/302886@main
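An added example (not WTF's or WebKit's code) reconstructing the two variants the commit message describes: an OR-based helper that cannot move the all-ones hash off the deleted-key sentinel, and the XOR-based form that does, plus the guarded dedup-map insertion the message asks for. The names avoidDeletedValueWithOr, avoidDeletedValueWithXor, neverYieldsDeletedValue, insertDeduplicated and kDeletedValue are assumptions; only the 0xFFFFFFFF sentinel comes from the message.

```cpp
#include <cstdint>
#include <unordered_map>

// Illustrative reconstruction (assumed, not WTF's code) of the helper discussed
// in the commit message. A hash table that reserves 0xFFFFFFFF as its "deleted"
// bucket marker must never be handed that value as a live key.
constexpr uint32_t kDeletedValue = 0xFFFFFFFFu;

// Buggy form: OR-ing the top bit into a value whose bits are all set changes
// nothing, so the sentinel passes straight through.
uint32_t avoidDeletedValueWithOr(uint32_t hash)
{
    uint32_t topBitIfDeleted = (hash == kDeletedValue) ? (1u << 31) : 0u;
    return hash | topBitIfDeleted;
}

// Fixed form: XOR flips the top bit, mapping 0xFFFFFFFF to 0x7FFFFFFF and
// leaving every other (non-zero) input unchanged.
uint32_t avoidDeletedValueWithXor(uint32_t hash)
{
    uint32_t topBitIfDeleted = (hash == kDeletedValue) ? (1u << 31) : 0u;
    return hash ^ topBitIfDeleted;
}

// Property check: does the mapping ever produce the sentinel for edge inputs?
bool neverYieldsDeletedValue(uint32_t (*mapping)(uint32_t))
{
    const uint32_t samples[] = { 1u, 0x7FFFFFFFu, 0x80000000u, 0xFFFFFFFEu, kDeletedValue };
    for (uint32_t h : samples) {
        if (mapping(h) == kDeletedValue)
            return false;
    }
    return true;
}

// Mirrors the dedup-map usage the commit adds: route the raw hash through the
// helper before keying on it. Returns false rather than storing a sentinel key.
bool insertDeduplicated(std::unordered_map<uint32_t, int>& table, uint32_t rawHash, int value)
{
    uint32_t key = avoidDeletedValueWithXor(rawHash);
    if (key == kDeletedValue)
        return false; // would trip the hash table's deleted-value assertion
    table.emplace(key, value);
    return true;
}
```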
Commit: 2cc9274ac081db225b92d52ccd0fedab3b1056b6
https://github.com/WebKit/WebKit/commit/2cc9274ac081db225b92d52ccd0fedab3b1056b6
Author: Rob Buis <[email protected]>
Date: 2025-11-11 (Tue, 11 Nov 2025)
Changed paths:
A LayoutTests/svg/animations/key-times-zero-path-crash-expected.html
A LayoutTests/svg/animations/key-times-zero-path-crash.html
M Source/WebCore/svg/SVGAnimationElement.cpp
Log Message:
-----------
ASAN_ILL | WTF::Markable::operator*; WebCore::LegacyRenderSVGRoot::repaintRectInLocalCoordinates; WebCore::LegacyRenderSVGRoot::localClippedOverflowRect
https://bugs.webkit.org/show_bug.cgi?id=295930
rdar://155792445
Reviewed by Said Abou-Hallawa.
Ending the keyTimes list with 0 should be treated as an invalid animation for animateMotion. While this does not seem specified, it is what Chrome does.
* LayoutTests/svg/animations/key-times-zero-path-crash-expected.html: Added.
* LayoutTests/svg/animations/key-times-zero-path-crash.html:
* Source/WebCore/svg/SVGAnimationElement.cpp:
(WebCore::parseKeyTimes):
Originally-landed-as: [email protected] (278e39816d42).
rdar://164278816
Canonical link: https://commits.webkit.org/302887@main
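An added example (not WebKit's parseKeyTimes) of a keyTimes validator that applies the SMIL ordering rules (first value 0, non-decreasing, within [0, 1]) and additionally rejects a list whose final entry is 0, the case the change above describes. The names parseKeyTimes and keyTimesAttributeIsValid here are assumptions.

```cpp
#include <cstdlib>
#include <string>
#include <vector>

// Illustrative keyTimes parser (assumed, not WebKit's parseKeyTimes). The
// attribute is a semicolon-separated list of numbers in [0, 1]; SMIL requires
// the first to be 0 and the list to be non-decreasing. Returns false for a
// list the animation cannot use, including the all-zero list from the commit.
bool parseKeyTimes(const std::string& attribute, std::vector<float>& keyTimes)
{
    keyTimes.clear();
    size_t start = 0;
    while (start <= attribute.size()) {
        size_t end = attribute.find(';', start);
        if (end == std::string::npos)
            end = attribute.size();
        std::string token = attribute.substr(start, end - start);
        const char* begin = token.c_str();
        char* stop = nullptr;
        float value = std::strtof(begin, &stop); // skips leading whitespace
        if (stop == begin)
            return false; // empty or non-numeric entry
        while (*stop == ' ' || *stop == '\t')
            ++stop;       // tolerate trailing whitespace
        if (*stop != '\0')
            return false; // trailing garbage after the number
        if (value < 0 || value > 1)
            return false; // outside the [0, 1] timeline
        if (!keyTimes.empty() && value < keyTimes.back())
            return false; // key times must not go backwards
        keyTimes.push_back(value);
        start = end + 1;
    }
    if (keyTimes.empty() || keyTimes.front() != 0)
        return false; // SMIL: the first key time is 0
    // A list ending in 0 (and so consisting only of zeros) describes no
    // progression along the motion path; treat it as an invalid animation.
    if (keyTimes.back() == 0)
        return false;
    return true;
}

// Convenience wrapper for checking an attribute value in isolation.
bool keyTimesAttributeIsValid(const char* attribute)
{
    std::vector<float> keyTimes;
    return parseKeyTimes(attribute, keyTimes);
}
```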
Commit: 4808d9db86eb0492a3502b204a9bdd268c389f5d
https://github.com/WebKit/WebKit/commit/4808d9db86eb0492a3502b204a9bdd268c389f5d
Author: Rob Buis <[email protected]>
Date: 2025-11-11 (Tue, 11 Nov 2025)
Changed paths:
A LayoutTests/fast/css/content-visibility-with-multi-column-and-view-transition-crash-expected.txt
A LayoutTests/fast/css/content-visibility-with-multi-column-and-view-transition-crash.html
M Source/WebCore/rendering/RenderBlockFlow.cpp
Log Message:
-----------
Bug 295932 ASAN_SEGV | WebCore::RenderFragmentedFlow::boxIsFragmented; WebCore::rendererIsFragmented; WebCore::forEachRendererInPaintOrder
https://bugs.webkit.org/show_bug.cgi?id=295932
rdar://155792317
Reviewed by Alan Baradlay.
View transition algorithms test whether a renderer is fragmented or not, however when content-visibility: hidden causes a subtree to be hidden the fragmentation information is not always fully computed. To fix this avoid early returns due to content-visibility: hidden when fragmented flows are involved.
* LayoutTests/fast/css/content-visibility-with-multi-column-and-view-transition-crash-expected.txt: Added.
* LayoutTests/fast/css/content-visibility-with-multi-column-and-view-transition-crash.html: Added.
* Source/WebCore/rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::layoutInFlowChildren):
(WebCore::RenderBlockFlow::layoutBlockChildren):
Originally-landed-as: [email protected] (fad8efb954b8).
rdar://164278651
Canonical link: https://commits.webkit.org/302888@main
Commit: 629f07bc714c01131375a94f8ab602042d05e1fb
https://github.com/WebKit/WebKit/commit/629f07bc714c01131375a94f8ab602042d05e1fb
Author: Frédéric Wang <[email protected]>
Date: 2025-11-11 (Tue, 11 Nov 2025)
Changed paths:
A LayoutTests/fast/grid/nested-grid-and-subgrid-crash-expected.txt
A LayoutTests/fast/grid/nested-grid-and-subgrid-crash.html
M Source/WebCore/rendering/GridTrackSizingAlgorithm.cpp
Log Message:
-----------
ASAN_TRAP | WebCore::GridTrackSizingAlgorithm::gridAreaBreadthForGridItem
https://bugs.webkit.org/show_bug.cgi?id=295928
rdar://155792516
Reviewed by Alan Baradlay.
After https://commits.webkit.org/296300@main, it's possible that `GridTrackSizingAlgorithm::gridAreaBreadthForGridItem()` dereferences `spannedRowsSize`, causing a release crash if the value returned by `GridTrackSizingAlgorithm::estimatedGridAreaBreadthForGridItem()` is a `nullopt`, as is the case in the new test added by this patch. Checking carefully, such a nullopt can only be returned for an indefinite grid area with a grid item parallel to the `m_renderGrid`. In https://commits.webkit.org/206127@main, a debug assert was added to guarantee the grid item is actually orthogonal, which is probably why the code is written in a way that assumes the return value is not a nullopt. However, this assert fails for the simple configuration below. Indeed, `minContentContributionForGridItem` is called with m_renderGrid being (the div of) id=grid and arguments (the div of) id=griditem. Because of id=griditem's `writing-mode`, this in turn calls the method `updateOverridingContainingBlockContentSizeForGridItem` with parameters id=griditem and `GridTrackSizingDirection::Rows`. Because of id=subgrid's `grid-template-columns`, the same method is called recursively with arguments id=subgrid and `GridTrackSizingDirection::Rows`. Finally, `gridAreaBreadthForGridItem` is called with parallel m_renderGrid(id=grid) and gridItem(id=subgrid).
```
<div id="grid" style="display: grid">
<div id="subgrid" style="grid-template-columns: subgrid;">
<div id="griditem" style="writing-mode: vertical-lr"></div>
</div>
</div>
ASSERTION FAILED: GridLayoutFunctions::isOrthogonalGridItem(*m_renderGrid,
gridItem)
WebCore::GridTrackSizingAlgorithm::gridAreaBreadthForGridItem(WebCore::RenderBox
const&, WebCore::Style::GridTrackSizingDirection) const
WebCore::GridTrackSizingAlgorithmStrategy::updateOverridingContainingBlockContentSizeForGridItem(WebCore::RenderBox&,
WebCore::Style::GridTrackSizingDirection, std::optional<WebCore::LayoutUnit>)
const
WebCore::GridTrackSizingAlgorithmStrategy::updateOverridingContainingBlockContentSizeForGridItem(WebCore::RenderBox&,
WebCore::Style::GridTrackSizingDirection, std::optional<WebCore::LayoutUnit>)
const
WebCore::GridTrackSizingAlgorithmStrategy::minContentContributionForGridItem(WebCore::RenderBox&,
WebCore::GridLayoutState&) const
```
It's very likely that some wrong assumptions were made when subgrids were introduced; `updateOverridingContainingBlockContentSizeForGridItem` should probably now perform something more clever in order to handle the case when `gridItem` can change its direction in the recursive call. But in order to minimize behavior changes, this patch just makes gridAreaBreadthForGridItem return a nullopt in the case where current code tries to dereference a nullopt rowSpanForGridItem. The obsolete debug ASSERT is removed.
* LayoutTests/fast/grid/nested-grid-and-subgrid-crash-expected.txt: Added.
* LayoutTests/fast/grid/nested-grid-and-subgrid-crash.html: Added.
* Source/WebCore/rendering/GridTrackSizingAlgorithm.cpp:
(WebCore::GridTrackSizingAlgorithm::gridAreaBreadthForGridItem const): Remove obsolete ASSERT and return nullopt if spannedRowsSize is nullopt.
Originally-landed-as: [email protected] (22c1764572c2).
rdar://164278536
Canonical link: https://commits.webkit.org/302889@main
Compare: https://github.com/WebKit/WebKit/compare/a179b3a3ac1b...629f07bc714c