- Revision
- 273470
- Author
- commit-qu...@webkit.org
- Date
- 2021-02-24 21:59:46 -0800 (Wed, 24 Feb 2021)
Log Message
[css-grid] Do not allow negative heights
https://bugs.webkit.org/show_bug.cgi?id=221439
Patch by Rob Buis <rb...@igalia.com> on 2021-02-24
Reviewed by Darin Adler.
Source/WebCore:
Do not allow negative heights in calculations, instead
use Optional to indicate that the heights are not existing.
Test: fast/css-grid-layout/zero-height-crash.html
* rendering/GridTrackSizingAlgorithm.cpp:
(WebCore::DefiniteSizeStrategy::minLogicalSizeForChild const):
* rendering/RenderBox.cpp:
(WebCore::RenderBox::replacedMinMaxLogicalHeightComputesAsNone const):
* rendering/RenderGrid.cpp:
(WebCore::RenderGrid::layoutBlock):
(WebCore::RenderGrid::gridGap const):
(WebCore::RenderGrid::placeItemsOnGrid const):
(WebCore::RenderGrid::applyStretchAlignmentToChildIfNeeded):
LayoutTests:
Add test for this.
* fast/css-grid-layout/zero-height-crash-expected.txt: Added.
* fast/css-grid-layout/zero-height-crash.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (273469 => 273470)
--- trunk/LayoutTests/ChangeLog 2021-02-25 04:57:48 UTC (rev 273469)
+++ trunk/LayoutTests/ChangeLog 2021-02-25 05:59:46 UTC (rev 273470)
@@ -1,3 +1,15 @@
+2021-02-24 Rob Buis <rb...@igalia.com>
+
+ [css-grid] Do not allow negative heights
+ https://bugs.webkit.org/show_bug.cgi?id=221439
+
+ Reviewed by Darin Adler.
+
+ Add test for this.
+
+ * fast/css-grid-layout/zero-height-crash-expected.txt: Added.
+ * fast/css-grid-layout/zero-height-crash.html: Added.
+
2021-02-24 Imanol Fernandez <ifernan...@igalia.com>
Set xrCompatible in WebGLRenderingContextBase::getContextAttributes
Added: trunk/LayoutTests/fast/css-grid-layout/zero-height-crash-expected.txt (0 => 273470)
--- trunk/LayoutTests/fast/css-grid-layout/zero-height-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/css-grid-layout/zero-height-crash-expected.txt 2021-02-25 05:59:46 UTC (rev 273470)
@@ -0,0 +1 @@
+This test has PASSED if it does not CRASH.
Added: trunk/LayoutTests/fast/css-grid-layout/zero-height-crash.html (0 => 273470)
--- trunk/LayoutTests/fast/css-grid-layout/zero-height-crash.html (rev 0)
+++ trunk/LayoutTests/fast/css-grid-layout/zero-height-crash.html 2021-02-25 05:59:46 UTC (rev 273470)
@@ -0,0 +1,14 @@
+<style>
+ body, p {
+ display: grid;
+ grid-gap: 100%;
+ grid-template-rows: 0 0 0 repeat(auto-fit, 0);
+ margin-top: 100px;
+ min-height: fit-content;
+ }
+</style>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+<p>This test has PASSED if it does not CRASH.</p>
Modified: trunk/Source/WebCore/ChangeLog (273469 => 273470)
--- trunk/Source/WebCore/ChangeLog 2021-02-25 04:57:48 UTC (rev 273469)
+++ trunk/Source/WebCore/ChangeLog 2021-02-25 05:59:46 UTC (rev 273470)
@@ -1,3 +1,25 @@
+2021-02-24 Rob Buis <rb...@igalia.com>
+
+ [css-grid] Do not allow negative heights
+ https://bugs.webkit.org/show_bug.cgi?id=221439
+
+ Reviewed by Darin Adler.
+
+ Do not allow negative heights in calculations, instead
+ use Optional to indicate that the heights are not existing.
+
+ Test: fast/css-grid-layout/zero-height-crash.html
+
+ * rendering/GridTrackSizingAlgorithm.cpp:
+ (WebCore::DefiniteSizeStrategy::minLogicalSizeForChild const):
+ * rendering/RenderBox.cpp:
+ (WebCore::RenderBox::replacedMinMaxLogicalHeightComputesAsNone const):
+ * rendering/RenderGrid.cpp:
+ (WebCore::RenderGrid::layoutBlock):
+ (WebCore::RenderGrid::gridGap const):
+ (WebCore::RenderGrid::placeItemsOnGrid const):
+ (WebCore::RenderGrid::applyStretchAlignmentToChildIfNeeded):
+
2021-02-24 Julian Gonzalez <julian_a_gonza...@apple.com>
Crash in CompositeEditCommand::breakOutOfEmptyMailBlockquotedParagraph()
Modified: trunk/Source/WebCore/rendering/GridTrackSizingAlgorithm.cpp (273469 => 273470)
--- trunk/Source/WebCore/rendering/GridTrackSizingAlgorithm.cpp 2021-02-25 04:57:48 UTC (rev 273469)
+++ trunk/Source/WebCore/rendering/GridTrackSizingAlgorithm.cpp 2021-02-25 05:59:46 UTC (rev 273470)
@@ -1052,10 +1052,13 @@
LayoutUnit DefiniteSizeStrategy::minLogicalSizeForChild(RenderBox& child, const Length& childMinSize, LayoutUnit availableSize) const
{
GridTrackSizingDirection childInlineDirection = GridLayoutFunctions::flowAwareDirectionForChild(*renderGrid(), child, ForColumns);
- LayoutUnit indefiniteSize = direction() == childInlineDirection ? LayoutUnit() : LayoutUnit(-1);
GridTrackSizingDirection flowAwareDirection = GridLayoutFunctions::flowAwareDirectionForChild(*renderGrid(), child, direction());
- if (hasRelativeMarginOrPaddingForChild(child, flowAwareDirection) || (direction() != childInlineDirection && hasRelativeOrIntrinsicSizeForChild(child, flowAwareDirection)))
- setOverridingContainingBlockContentSizeForChild(child, direction(), indefiniteSize);
+ if (hasRelativeMarginOrPaddingForChild(child, flowAwareDirection) || (direction() != childInlineDirection && hasRelativeOrIntrinsicSizeForChild(child, flowAwareDirection))) {
+ Optional<LayoutUnit> overridingSize;
+ if (direction() == childInlineDirection)
+ overridingSize = 0_lu;
+ setOverridingContainingBlockContentSizeForChild(child, direction(), overridingSize);
+ }
return GridTrackSizingAlgorithmStrategy::minLogicalSizeForChild(child, childMinSize, availableSize);
}
Modified: trunk/Source/WebCore/rendering/RenderBox.cpp (273469 => 273470)
--- trunk/Source/WebCore/rendering/RenderBox.cpp 2021-02-25 04:57:48 UTC (rev 273469)
+++ trunk/Source/WebCore/rendering/RenderBox.cpp 2021-02-25 05:59:46 UTC (rev 273470)
@@ -3279,7 +3279,7 @@
return true;
if (logicalHeight.isPercentOrCalculated() && hasOverridingContainingBlockContentLogicalHeight())
- return overridingContainingBlockContentLogicalHeight() == LayoutUnit(-1);
+ return false;
// Make sure % min-height and % max-height resolve to none if the containing block has auto height.
// Note that the "height" case for replaced elements was handled by hasReplacedLogicalHeight, which is why
Modified: trunk/Source/WebCore/rendering/RenderGrid.cpp (273469 => 273470)
--- trunk/Source/WebCore/rendering/RenderGrid.cpp 2021-02-25 04:57:48 UTC (rev 273469)
+++ trunk/Source/WebCore/rendering/RenderGrid.cpp 2021-02-25 05:59:46 UTC (rev 273470)
@@ -250,7 +250,7 @@
if (!hasDefiniteLogicalHeight)
computeTrackSizesForIndefiniteSize(m_trackSizingAlgorithm, ForRows);
else
- computeTrackSizesForDefiniteSize(ForRows, availableLogicalHeight(ExcludeMarginBorderPadding));
+ computeTrackSizesForDefiniteSize(ForRows, std::max<LayoutUnit>(0_lu, availableLogicalHeight(ExcludeMarginBorderPadding)));
LayoutUnit trackBasedLogicalHeight = m_trackSizingAlgorithm.computeTrackBasedSize() + borderAndPaddingLogicalHeight() + scrollbarLogicalHeight();
setLogicalHeight(trackBasedLogicalHeight);
@@ -310,6 +310,7 @@
LayoutUnit RenderGrid::gridGap(GridTrackSizingDirection direction, Optional<LayoutUnit> availableSize) const
{
+ ASSERT(!availableSize || *availableSize >= 0);
const GapLength& gapLength = direction == ForColumns? style().columnGap() : style().rowGap();
if (gapLength.isNormal())
return 0_lu;
@@ -613,7 +614,7 @@
if (!child->hasOverridingContainingBlockContentLogicalWidth())
child->setOverridingContainingBlockContentLogicalWidth(LayoutUnit());
if (!child->hasOverridingContainingBlockContentLogicalHeight())
- child->setOverridingContainingBlockContentLogicalHeight(LayoutUnit(-1));
+ child->setOverridingContainingBlockContentLogicalHeight(WTF::nullopt);
GridArea area = grid.gridItemArea(*child);
if (!area.rows.isIndefinite())
@@ -1136,7 +1137,7 @@
bool allowedToStretchChildBlockSize = blockFlowIsColumnAxis ? allowedToStretchChildAlongColumnAxis(child) : allowedToStretchChildAlongRowAxis(child);
if (allowedToStretchChildBlockSize) {
LayoutUnit stretchedLogicalHeight = availableAlignmentSpaceForChildBeforeStretching(GridLayoutFunctions::overridingContainingBlockContentSizeForChild(child, childBlockDirection).value(), child);
- LayoutUnit desiredLogicalHeight = child.constrainLogicalHeightByMinMax(stretchedLogicalHeight, -1_lu);
+ LayoutUnit desiredLogicalHeight = child.constrainLogicalHeightByMinMax(stretchedLogicalHeight, WTF::nullopt);
child.setOverridingLogicalHeight(desiredLogicalHeight);
// Checking the logical-height of a child isn't enough. Setting an override logical-height
