[LayoutNG] Fix shape exclusion tracking.

The DerivedGeometry class gets moved from exclusion-space to exclusion-space as a fast way of determining layout opportunities (where lines, etc get placed). For speed we only allocate "NGShapeExclusions" if we've seen any shapes within the formatting context. This crash was due to an inconsistent state of the: NGExclusionSpaceInternal::track_shape_exclusions_ flag. "other" NGExclusionSpaceInternal - derived_geometry_ = (non-null) - track_shape_exclusions_ = false - num_exclusions_ = 1u "this" NGExclusionSpaceInternal - derived_geometry_ = null - track_shape_exclusions_ = true - num_exclusions_ = 2u (2nd exclusion has shape data). Within the NGExclusionSpaceInternal::MoveAndUpdateDerivedGeometry method we moved the derived geometry over to the "this" exclusion space. However we didn't also move the track_shape_exclusions_ flag as a result we'd try to add the 2nd shape exclusion, and a NPE was hit. Bug: 962135, 962272, 962052 Change-Id: Id095bd2924f83ba6b2dbe90446d1f4613de09933 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1610021 Commit-Queue: Ian Kilpatrick <ikilpatrick@chromium.org> Reviewed-by: Morten Stenshorne <mstensho@chromium.org> Reviewed-by: Christian Biesinger <cbiesinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#659678}

[LayoutNG] Fix shape exclusion tracking.
The DerivedGeometry class gets moved from exclusion-space to exclusion-space as a fast way of determining layout opportunities (where lines, etc get placed). For speed we only allocate "NGShapeExclusions" if we've seen any shapes within the formatting context. This crash was due to an inconsistent state of the: NGExclusionSpaceInternal::track_shape_exclusions_ flag. "other" NGExclusionSpaceInternal - derived_geometry_ = (non-null) - track_shape_exclusions_ = false - num_exclusions_ = 1u "this" NGExclusionSpaceInternal - derived_geometry_ = null - track_shape_exclusions_ = true - num_exclusions_ = 2u (2nd exclusion has shape data). Within the NGExclusionSpaceInternal::MoveAndUpdateDerivedGeometry method we moved the derived geometry over to the "this" exclusion space. However we didn't also move the track_shape_exclusions_ flag as a result we'd try to add the 2nd shape exclusion, and a NPE was hit. Bug: 962135, 962272, 962052 Change-Id: Id095bd2924f83ba6b2dbe90446d1f4613de09933 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1610021 Commit-Queue: Ian Kilpatrick <ikilpatrick@chromium.org> Reviewed-by: Morten Stenshorne <mstensho@chromium.org> Reviewed-by: Christian Biesinger <cbiesinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#659678}
983ae99f · Ian Kilpatrick · Commit Bot · 088fb77a · 983ae99f · 983ae99f
Commit 983ae99f authored May 14, 2019 by Ian Kilpatrick Committed by Commit Bot May 14, 2019
2 changed files
--- a/third_party/blink/renderer/core/layout/ng/exclusions/ng_exclusion_space.h
+++ b/third_party/blink/renderer/core/layout/ng/exclusions/ng_exclusion_space.h
@@ -107,6 +107,7 @@ class CORE_EXPORT NGExclusionSpaceInternal {
    if (!other.derived_geometry_)
      return;

+    track_shape_exclusions_ = other.track_shape_exclusions_;
    derived_geometry_ = std::move(other.derived_geometry_);
    other.derived_geometry_ = nullptr;


--- a/third_party/blink/web_tests/external/wpt/css/css-shapes/shape-outside/supported-shapes/inset/shape-outside-inset-crash.html
+++ b/third_party/blink/web_tests/external/wpt/css/css-shapes/shape-outside/supported-shapes/inset/shape-outside-inset-crash.html
+<!DOCTYPE html>
+<link rel="match" href="../../../../reference/ref-filled-green-100px-square-only.html">
+<link rel="help" href="https://crbug.com/962135" />
+<meta name="assert" content="This test passes if the renderer does not crash."/>
+<p>Test passes if there is a filled green square.</p>
+<div style="width: 100px; height: 100px; display: flow-root; background: green;">
+  <div style="width: 20px; height: 20px; float: right;"></div>
+  <div style="width: 20px; height: 10px; display: inline-block;"></div>
+  <div style="width: 40px; height: 20px; overflow: hidden;"></div>
+  <div style="width: 20px; height: 10px; display: inline-block;"></div>
+  <div style="width: 50px; height: 50px; float: left; shape-outside: inset(20px 0 0 0);"></div>
+  <div id="target" style="height: 50px; margin: 10px 0;"></div>
+  <div style="width: 20px; height: 10px; display: inline-block;"></div>
+</div>
+<script>
+document.body.offsetTop;
+document.getElementById('target').style.height = '10px';
+document.body.offsetTop;
+</script>