[LayoutNG] Break infinite loop within SweepLegacyDescendants.

I've been trying to produce a simplified repro with this but to no avail so far. Basically legacy can get into a state where a layout_layout's LayoutBlock::PositionedObjects map contains a positioned-object, however that postiioned-object's containing-block is a node further up the tree. Somewhere (during a style change, inline-splitting, etc) we are missing a call to RemovePositionedObject(s). I've added a NOTREACHED() on the branch so that clusterfuzz can pick up the issue with a simpler test-case. Bug: 977930 Change-Id: I60d5c25f4565d92bff24c10ef46211c23babee28 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1678841Reviewed-by: Aleks Totic <atotic@chromium.org> Commit-Queue: Ian Kilpatrick <ikilpatrick@chromium.org> Cr-Commit-Position: refs/heads/master@{#672733}

[LayoutNG] Break infinite loop within SweepLegacyDescendants.
I've been trying to produce a simplified repro with this but to no avail so far. Basically legacy can get into a state where a layout_layout's LayoutBlock::PositionedObjects map contains a positioned-object, however that postiioned-object's containing-block is a node further up the tree. Somewhere (during a style change, inline-splitting, etc) we are missing a call to RemovePositionedObject(s). I've added a NOTREACHED() on the branch so that clusterfuzz can pick up the issue with a simpler test-case. Bug: 977930 Change-Id: I60d5c25f4565d92bff24c10ef46211c23babee28 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1678841Reviewed-by: Aleks Totic <atotic@chromium.org> Commit-Queue: Ian Kilpatrick <ikilpatrick@chromium.org> Cr-Commit-Position: refs/heads/master@{#672733}
6b0fb62b · Ian Kilpatrick · Commit Bot · b4b121fa · 6b0fb62b
Commit 6b0fb62b authored Jun 27, 2019 by Ian Kilpatrick Committed by Commit Bot Jun 27, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 0 deletions

third_party/blink/renderer/core/layout/ng/ng_out_of_flow_layout_part.cc ...ink/renderer/core/layout/ng/ng_out_of_flow_layout_part.cc +14 -0

No files found.
--- a/third_party/blink/renderer/core/layout/ng/ng_out_of_flow_layout_part.cc
+++ b/third_party/blink/renderer/core/layout/ng/ng_out_of_flow_layout_part.cc
@@ -169,6 +169,7 @@ void NGOutOfFlowLayoutPart::Run(const LayoutBox* only_layout) {
  if (container_space_.HasBlockFragmentation())
    return;
+  wtf_size_t prev_placed_objects_size = placed_objects.size();
  while (SweepLegacyDescendants(&placed_objects)) {
    container_builder_->GetAndClearOutOfFlowDescendantCandidates(
        &descendant_candidates, current_container);
@@ -179,6 +180,19 @@ void NGOutOfFlowLayoutPart::Run(const LayoutBox* only_layout) {
    LayoutDescendantCandidates(&descendant_candidates, only_layout,
                               &placed_objects);
+    // Legacy currently has a bug where an OOF-positioned node is present
+    // within the current node's |LayoutBlock::PositionedObjects|, however it
+    // is not the containing-block for this node.
+    //
+    // This results in |LayoutDescendantCandidates| never performing layout on
+    // any additional objects.
+    wtf_size_t placed_objects_size = placed_objects.size();
+    if (prev_placed_objects_size == placed_objects_size) {
+      NOTREACHED();
+      break;
+    }
+    prev_placed_objects_size = placed_objects_size;
  }
 }