Use PostLayoutChildren in AddVisualOverflowFromFloats

This patch changes |LayoutBlockFlow:: AddVisualOverflowFromFloats| to use |PostLayoutChildren| to avoid reading stale fragments. DCHECKs were added in r781383 <crrev.com/c/2261092> and these DCHECKs do hit, but we may still read objects that were destroyed or moved out to different location in the tree. Also adds a few more checks to avoid crashes in dirty tree. Bug: 1101449 Change-Id: I3a00052b0a3c86e83789eb542872299d86dbe453 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2275167Reviewed-by: Xianzhu Wang <wangxianzhu@chromium.org> Commit-Queue: Koji Ishii <kojii@chromium.org> Cr-Commit-Position: refs/heads/master@{#784528}

Use PostLayoutChildren in AddVisualOverflowFromFloats
This patch changes |LayoutBlockFlow:: AddVisualOverflowFromFloats| to use |PostLayoutChildren| to avoid reading stale fragments. DCHECKs were added in r781383 <crrev.com/c/2261092> and these DCHECKs do hit, but we may still read objects that were destroyed or moved out to different location in the tree. Also adds a few more checks to avoid crashes in dirty tree. Bug: 1101449 Change-Id: I3a00052b0a3c86e83789eb542872299d86dbe453 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2275167Reviewed-by: Xianzhu Wang <wangxianzhu@chromium.org> Commit-Queue: Koji Ishii <kojii@chromium.org> Cr-Commit-Position: refs/heads/master@{#784528}
8aef6a6a · Koji Ishii · Commit Bot · db3ba916 · 8aef6a6a · 8aef6a6a
Commit 8aef6a6a authored Jul 01, 2020 by Koji Ishii Committed by Commit Bot Jul 01, 2020
3 changed files
--- a/third_party/blink/renderer/core/layout/layout_block_flow.cc
+++ b/third_party/blink/renderer/core/layout/layout_block_flow.cc
@@ -2407,7 +2407,7 @@ void LayoutBlockFlow::AddVisualOverflowFromFloats(
  DCHECK(!PrePaintBlockedByDisplayLock(DisplayLockLifecycleTarget::kChildren));
  DCHECK(fragment.HasFloatingDescendantsForPaint());

-  for (const NGLink& child : fragment.Children()) {
+  for (const NGLink& child : fragment.PostLayoutChildren()) {
    if (child->HasSelfPaintingLayer())
      continue;


--- a/third_party/blink/renderer/core/paint/ng/ng_box_fragment_painter.cc
+++ b/third_party/blink/renderer/core/paint/ng/ng_box_fragment_painter.cc
@@ -2208,6 +2208,8 @@ bool NGBoxFragmentPainter::HitTestBlockChildren(
  auto children = box_fragment_.Children();
  for (const NGLink& child : base::Reversed(children)) {
    const auto& block_child = To<NGPhysicalBoxFragment>(*child);
+    if (UNLIKELY(block_child.IsLayoutObjectDestroyedOrMoved()))
+      continue;
    if (block_child.HasSelfPaintingLayer() || block_child.IsFloating())
      continue;

@@ -2362,6 +2364,8 @@ bool NGBoxFragmentPainter::HitTestFloatingChildren(
  auto children = container.Children();
  for (const NGLink& child : base::Reversed(children)) {
    const NGPhysicalFragment& child_fragment = *child.fragment;
+    if (UNLIKELY(child_fragment.IsLayoutObjectDestroyedOrMoved()))
+      continue;
    if (child_fragment.HasSelfPaintingLayer())
      continue;


--- a/third_party/blink/renderer/core/paint/pre_paint_tree_walk.cc
+++ b/third_party/blink/renderer/core/paint/pre_paint_tree_walk.cc
@@ -547,6 +547,10 @@ void PrePaintTreeWalk::WalkNGChildren(const LayoutObject* parent,
        continue;
      }
    } else if (!object) {
+      const NGPhysicalBoxFragment* box_fragment = (*iterator)->BoxFragment();
+      if (UNLIKELY(box_fragment->IsLayoutObjectDestroyedOrMoved()))
+        continue;
+
      // A fragmentainer doesn't paint anything itself. Just include its offset
      // and descend into children.
      DCHECK((*iterator)->BoxFragment()->IsFragmentainerBox());