Closed Bug 1954920 Opened 29 days ago Closed 26 days ago

[wpt-sync] Sync PR 51436 - [line-clamp] Fix crash when updating a BFC offset for a clamped box

Categories

(Core :: CSS Parsing and Computation, task, P4)

Product:
Core
Component:
CSS Parsing and Computation
Type:
task

Tracking

()

Status:
RESOLVED FIXED
Milestone:
138 Branch
Tracking Flags:
Tracking Status
firefox138 --- fixed

People

(Reporter: wpt-sync, Unassigned)

References

(
URL
)

Details

(Whiteboard: [wptsync downstream])

Sync web-platform-tests PR 51436 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/51436
Details from upstream follow.

Andreu Botella <abotella@igalia.com> wrote:

[line-clamp] Fix crash when updating a BFC offset for a clamped box

When laying out line-clamp: auto, it is possible for an in-flow box
to abort its layout with the kNeedsLineClampRelayout status, which
would not be possible when clamping by a number of lines. This abort
happens when a clamp point is reached, and it propagates upwards until
the line-clamp container to indicate in which line number the clamp
happened.

This status was handled at the start of
BlockLayoutAlgorithm::FinishInFlow. However, in cases where a box
first resolves its BFC offset (e.g. because it follows a margin and it
contains unresolved floats), kNeedsLineClampRelayout was not being
handled on the subsequent relayout. This caused a DCHECK failure, and
in builds without DCHECK, it ultimately led to dereferencing an
invalid pointer.

This patch fixes this by explicitly checking and handling the
kNeedsLineClampRelayout result in BFC block offset-related relayouts
in FinishInFlow.

Bug: 40336192, 404288146
Change-Id: Iaf72bdc444fcd6508a874f3405cf71a5f225618f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6366914
Reviewed-by: Ian Kilpatrick \<ikilpatrick@chromium.org>
Commit-Queue: Andreu Botella \<abotella@igalia.com>
Cr-Commit-Position: refs/heads/main@{#1434479}

Component: web-platform-tests → CSS Parsing and Computation
Product: Testing → Core

CI Results

Ran 0 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI

Total 1 tests

Status Summary

Firefox

PASS : 1

Chrome

CRASH: 1

Safari

PASS : 1

Links

GitHub PR Head
GitHub PR Base

Pushed by wptsync@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e7d624d2bd84 [wpt PR 51436] - [line-clamp] Fix crash when updating a BFC offset for a clamped box, a=testonly

https://hg.mozilla.org/mozilla-central/rev/e7d624d2bd84

Status: NEW → RESOLVED
Closed: 26 days ago
status-firefox138: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 138 Branch
You need to log in before you can comment on or make changes to this bug.