Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: b011d3f4dbd8cda10ed26259f9946617943fe5e4
https://github.com/WebKit/WebKit/commit/b011d3f4dbd8cda10ed26259f9946617943fe5e4
Author: Claudio Saavedra <[email protected]>
Date: 2025-11-12 (Wed, 12 Nov 2025)
Changed paths:
A LayoutTests/fast/html/crash-marquee-fullscreen-expected.txt
A LayoutTests/fast/html/crash-marquee-fullscreen.html
M Source/WebCore/rendering/RenderElement.cpp
Log Message:
-----------
ASAN_ILL | LayoutIntegration::LineLayout::paint; WebCore::RenderBlock::paintObject; WebCore::RenderBlock::paint
https://bugs.webkit.org/show_bug.cgi?id=296869
rdar://157022958
Reviewed by Alan Baradlay.
This crash is caused by how RenderMarquee (which is not an actual render)
handles internally its state. When the marquee is in a seemingly active
state but it has been stopped, RenderMarquee will mark its renderer
as needing layout. However, when the marquee is part of inline content,
this information is not available when the style difference is adjusted --
so it can easily be skipped for layout, creating an inconsistent state
and triggering an assertion after layout has finished and it is detected
that there is still a renderer that is dirty.
Address this by checking in RenderElement::adjustStyleDifference() whether
the renderer is used for a Marquee, in which case we make the difference
include layout as well as any other needed change.
The conditions for this to happen seem to be that the marquee is stopped
early on, nearby elements have to be reparented so as to trigger a rebuild of
the render tree, and the marquee block renderer ends up as part of inline content.
In the test case added, the asynchronous fullscreen call forces a relayout
after the conditions are met, so we end up with a dirty render tree after
layout. It seems to be very time-sensitive, hence the test is not so elegant,
but it's as good as it gets considering it's a reduction from a fuzzing test
case.
* LayoutTests/fast/html/crash-marquee-fullscreen-expected.txt: Added.
* LayoutTests/fast/html/crash-marquee-fullscreen.html: Added.
* Source/WebCore/rendering/RenderElement.cpp:
(WebCore::RenderElement::adjustStyleDifference const):
Originally-landed-as: [email protected] (6a0447375f9d).
rdar://164212697
Canonical link: https://commits.webkit.org/302947@main
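The inconsistent state the commit describes, as an added toy model that is not WebKit source and not the commit's own diff: the names RenderElement, RenderMarquee and adjustStyleDifference mirror the ones in the message, but the three-valued StyleDifference, the single-pass layout loop and the withFix switch are assumptions made for the illustration. A dirty bit set by RenderMarquee is invisible to the style-difference decision, so inline content whose difference is only Repaint is skipped by layout and stays dirty; promoting the difference to Layout for a marquee renderer, as the fix does, lets layout visit it and clear the bit.

```cpp
// Added illustration (not WebKit source): a toy model of the render-tree state
// described in the commit message. RenderElement, RenderMarquee and
// adjustStyleDifference mirror WebKit's names; everything else is assumed.
#include <cstddef>
#include <cstdio>
#include <vector>

enum class StyleDifference { Equal, Repaint, Layout };

struct RenderElement {
    bool isInlineContent = false; // renderer sits inside inline content
    bool usedForMarquee = false;  // renderer is driven by a RenderMarquee
    bool needsLayout = false;     // the "dirty" bit checked after layout

    // Models the fix: a renderer used for a marquee always gets at least
    // Layout, so the layout requested by RenderMarquee cannot be skipped.
    StyleDifference adjustStyleDifference(StyleDifference diff, bool withFix) const {
        if (withFix && usedForMarquee && diff != StyleDifference::Layout)
            return StyleDifference::Layout;
        return diff;
    }
};

// RenderMarquee is not a renderer itself; when stopped while still looking
// active it only marks its renderer as needing layout.
struct RenderMarquee {
    RenderElement& renderer;
    bool active = true;
    void stop() {
        active = false;
        renderer.needsLayout = true;
    }
};

// One style change followed by a layout pass. In this model layout is driven
// purely by the adjusted style difference: a renderer whose difference is only
// Repaint is not laid out, even if something else already marked it dirty.
static void styleChangeAndLayout(std::vector<RenderElement*>& tree, bool withFix) {
    for (RenderElement* r : tree) {
        StyleDifference diff = StyleDifference::Repaint; // assumed repaint-only change
        diff = r->adjustStyleDifference(diff, withFix);
        if (diff == StyleDifference::Layout) {
            r->needsLayout = true;  // scheduled for layout
            r->needsLayout = false; // laid out, bit cleared
        }
    }
}

// Number of renderers still dirty once layout has finished; the assertion the
// commit mentions fires when this is non-zero.
static std::size_t dirtyRenderersAfterLayout(bool withFix) {
    RenderElement block;   // the marquee's block renderer, ending up in inline content
    block.isInlineContent = true;
    block.usedForMarquee = true;
    RenderMarquee marquee{block};
    marquee.stop();        // stopped early: RenderMarquee dirties its renderer

    RenderElement sibling; // ordinary inline sibling, never dirty
    sibling.isInlineContent = true;

    std::vector<RenderElement*> tree{&sibling, &block};
    styleChangeAndLayout(tree, withFix);

    std::size_t dirty = 0;
    for (const RenderElement* r : tree)
        dirty += r->needsLayout ? 1 : 0;
    return dirty;
}

int main() {
    std::printf("dirty after layout without fix: %zu\n", dirtyRenderersAfterLayout(false));
    std::printf("dirty after layout with fix:    %zu\n", dirtyRenderersAfterLayout(true));
    return 0;
}
```

Without the fix the marquee's block renderer is the one renderer left dirty after layout, which is the condition the post-layout assertion detects; with the difference promoted to Layout the pass visits it and the tree ends clean.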