Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 60c138fa85eaebab3407056462971fccf66f1d7c
      
https://github.com/WebKit/WebKit/commit/60c138fa85eaebab3407056462971fccf66f1d7c
  Author: Ruthvik Konda <[email protected]>
  Date:   2025-12-03 (Wed, 03 Dec 2025)

  Changed paths:
    M LayoutTests/TestExpectations
    A LayoutTests/fullscreen/fullscreen-grid-item-container-type-crash-expected.txt
    A LayoutTests/fullscreen/fullscreen-grid-item-container-type-crash.html
    M LayoutTests/platform/glib/TestExpectations
    M Source/WebCore/rendering/RenderBox.cpp

  Log Message:
  -----------
  Downcast crash when grid item requests fullscreen with container-type parent
https://bugs.webkit.org/show_bug.cgi?id=303417
rdar://163028025

Reviewed by Sammy Gill.

When a frameset enters fullscreen while being a grid item of a parent with container-type: size, container query interleaving (StyleTreeResolver.cpp:1382-1403) defers descendant style resolution, preventing StyleAdjuster from setting position:absolute on the top layer element. This creates a broken invariant where isGridItem() returns true but containingBlock() returns RenderView (per top layer rules), causing an invalid downcast from RenderView to RenderGrid in computeInlineDirectionMargins. The fix changes the downcast to dynamicDowncast, returning nullptr when the containing block is RenderView and safely avoiding the crash. This is a defensive workaround; the deeper architectural issue of container query interleaving blocking StyleAdjuster on top layer elements is tracked separately in https://bugs.webkit.org/show_bug.cgi?id=303414#.

This specific test/crash requires several specific conditions. display: grid on the parent makes the frameset a grid item. container-type: size triggers both the container query interleaving and the shouldApplySizeContainment() check that causes a second track sizing pass in RenderGrid. content: test on the frameset makes it a RenderBlockFlow instead of a RenderFrameSet, allowing it to participate in grid layout. And the fullscreen request triggers the layout that exposes the type confusion.

Test: fullscreen/fullscreen-grid-item-container-type-crash.html

* LayoutTests/TestExpectations:
* LayoutTests/fullscreen/fullscreen-grid-item-container-type-crash-expected.txt: Added.
* LayoutTests/fullscreen/fullscreen-grid-item-container-type-crash.html: Added.
* LayoutTests/platform/glib/TestExpectations:
* Source/WebCore/rendering/RenderBox.cpp:
(WebCore::RenderBox::computeInlineDirectionMargins const):

Canonical link: https://commits.webkit.org/303857@main
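The pattern the commit describes, an unchecked downcast replaced by a checked one that yields nullptr when the containing block is not the type the caller assumed, as an added illustration that is not WebKit code. The classes Box, View and Grid, the fields gridItem and containingBlock, and the function names are hypothetical stand-ins for RenderBox, RenderView, RenderGrid, isGridItem() and containingBlock(); the margin value 7 is constructed.

```cpp
#include <cassert>
#include <cstdio>

// Toy stand-in for the RenderBox hierarchy (not WebCore's real classes).
struct Box {
    virtual ~Box() = default;
    virtual bool isRenderView() const { return false; }
    virtual bool isRenderGrid() const { return false; }
    Box* containingBlock = nullptr; // hypothetical: result of containingBlock()
    bool gridItem = false;          // hypothetical: result of isGridItem()
};
struct View : Box { bool isRenderView() const override { return true; } };
struct Grid : Box {
    bool isRenderGrid() const override { return true; }
    int alignmentMargin = 7; // constructed: what grid-specific margin logic would yield
};

// Minimal model of a WTF-style checked cast: the dynamic type is verified through
// the class's own isXxx() predicate, and a mismatch yields nullptr instead of a
// pointer to memory of the wrong type.
template<typename T> struct TypeCasts;
template<> struct TypeCasts<Grid> { static bool isType(const Box& b) { return b.isRenderGrid(); } };
template<> struct TypeCasts<View> { static bool isType(const Box& b) { return b.isRenderView(); } };

template<typename T> T* dynamicDowncast(Box* b)
{
    if (!b || !TypeCasts<T>::isType(*b))
        return nullptr;
    return static_cast<T*>(b);
}

// The invariant the commit says is broken for a top layer element: a grid item
// whose containing block is the view rather than its grid. A debug assertion on
// this condition is what surfaces the mismatch before any cast happens.
bool violatesGridItemInvariant(const Box& item)
{
    return item.gridItem && item.containingBlock && item.containingBlock->isRenderView();
}

struct MarginResult {
    int margin;             // inline-direction margin applied
    bool usedGridPath;      // grid-specific alignment logic ran
    bool invariantViolated; // grid item without a RenderGrid containing block
};

// Post-fix shape of the margin computation: the unchecked `downcast<Grid>` that
// would have treated a View as a Grid is replaced by the checked cast above, and
// the caller falls back to the non-grid path when it returns nullptr.
MarginResult computeInlineMargins(Box& item)
{
    if (item.gridItem) {
        if (auto* grid = dynamicDowncast<Grid>(item.containingBlock))
            return { grid->alignmentMargin, true, false };
        return { 0, false, true };
    }
    return { 0, false, false };
}

int main()
{
    Grid grid;
    Box item;
    item.gridItem = true;
    item.containingBlock = &grid;

    View view;
    Box topLayer; // hypothetical: the fullscreen element after deferred style resolution
    topLayer.gridItem = true;
    topLayer.containingBlock = &view;

    MarginResult a = computeInlineMargins(item);
    MarginResult b = computeInlineMargins(topLayer);
    std::printf("normal grid item: margin=%d gridPath=%d\n", a.margin, a.usedGridPath);
    std::printf("top layer grid item: margin=%d invariantViolated=%d\n", b.margin, b.invariantViolated);
    return 0;
}
```

The checked cast only hides the symptom; the invariant check is the piece a reviewer would want kept as a debug assertion so the underlying style-resolution ordering problem the commit message defers stays visible in test runs.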


