[LayoutNG] Fix clusterfuzz crash

Using empty Optional<MinMax> to indicate that MinMax value should not matter caused trouble with ng_length_utils ResolveInlineLengthInternal, when max-width was fit-content. Use MinMax(0, LayoutUnitMax) to indicate intrinsic size does not matter instead. It accomplishes the same goal, computed size does not get clamped by intrinsic. I've also tested running it with width:max-content out of fear that we might end up with too wide OOF, but that did not happen. Bug: 1010798 Change-Id: Ife11b3d9637be91cc0648b7f8485af51f07108bb Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1837118 Commit-Queue: Aleks Totic <atotic@chromium.org> Auto-Submit: Aleks Totic <atotic@chromium.org> Reviewed-by: Morten Stenshorne <mstensho@chromium.org> Cr-Commit-Position: refs/heads/master@{#702525}

[LayoutNG] Fix clusterfuzz crash
Using empty Optional<MinMax> to indicate that MinMax value should not matter caused trouble with ng_length_utils ResolveInlineLengthInternal, when max-width was fit-content. Use MinMax(0, LayoutUnitMax) to indicate intrinsic size does not matter instead. It accomplishes the same goal, computed size does not get clamped by intrinsic. I've also tested running it with width:max-content out of fear that we might end up with too wide OOF, but that did not happen. Bug: 1010798 Change-Id: Ife11b3d9637be91cc0648b7f8485af51f07108bb Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1837118 Commit-Queue: Aleks Totic <atotic@chromium.org> Auto-Submit: Aleks Totic <atotic@chromium.org> Reviewed-by: Morten Stenshorne <mstensho@chromium.org> Cr-Commit-Position: refs/heads/master@{#702525}
b3ad25f1 · Aleks Totic · Commit Bot · bc3c0990 · b3ad25f1 · b3ad25f1
Commit b3ad25f1 authored Oct 03, 2019 by Aleks Totic Committed by Commit Bot Oct 03, 2019
4 changed files
--- a/third_party/blink/renderer/core/layout/ng/ng_absolute_utils.cc
+++ b/third_party/blink/renderer/core/layout/ng/ng_absolute_utils.cc
@@ -70,19 +70,14 @@ inline LayoutUnit StaticPositionEndInset(bool is_static_position_start,
         (is_static_position_start ? size : LayoutUnit());
 }
-// https://www.w3.org/TR/css-position-3/#abs-replaced-width
-// Handle the special case of an element with aspect ratio, but no intrinsic
-// width or height.
 LayoutUnit ComputeShrinkToFitSize(
    const base::Optional<MinMaxSize>& child_minmax,
    LayoutUnit computed_available_size,
    LayoutUnit margin_start,
    LayoutUnit margin_end) {
-  LayoutUnit size = (computed_available_size - margin_start - margin_end)
+  return child_minmax->ShrinkToFit(
-                        .ClampNegativeToZero();
+      (computed_available_size - margin_start - margin_end)
-  if (child_minmax)
+          .ClampNegativeToZero());
-    return child_minmax->ShrinkToFit(size);
-  return size;
 }
 // Implement the absolute size resolution algorithm.

--- a/third_party/blink/renderer/core/layout/ng/ng_out_of_flow_layout_part.cc
+++ b/third_party/blink/renderer/core/layout/ng/ng_out_of_flow_layout_part.cc
@@ -584,7 +584,7 @@ scoped_refptr<const NGLayoutResult> NGOutOfFlowLayoutPart::Layout(
    // should not be constrained by intrinsic size in this case.
    // https://www.w3.org/TR/CSS22/visudet.html#inline-replaced-width
    if (is_replaced_with_only_aspect_ratio)
-      min_max_size.reset();
+      min_max_size = MinMaxSize{LayoutUnit(), LayoutUnit::NearlyMax()};
  } else if (should_be_considered_as_replaced) {
    replaced_size =
        LogicalSize{min_max_size->ShrinkToFit(

--- a/third_party/blink/web_tests/external/wpt/css/css-position/position-absolute-replaced-minmax.html
+++ b/third_party/blink/web_tests/external/wpt/css/css-position/position-absolute-replaced-minmax.html
@@ -261,7 +261,14 @@
 <!-- Just viewbox. Has aspect_ratio, but no intrinsic size
 inline_width is constrained by left/right, height computed proportionally -->
 <div class="container">
-  <img class="target" style="left:100px;right:100px" src="data:image/svg+xml,%3Csvg viewBox='0 0 100 10' xmlns='http://www.w3.org/2000/svg' %3E%3Crect width='100%' height='100%' style='fill:rgb(0,255,0);'/%3E%3C/svg%3E"
+  <img class="target" style="left:100px;right:100px;" src="data:image/svg+xml,%3Csvg viewBox='0 0 100 10' xmlns='http://www.w3.org/2000/svg' %3E%3Crect width='100%' height='100%' style='fill:rgb(0,255,0);'/%3E%3C/svg%3E"
+  data-expected-width="188" data-expected-height="47" data-offset-y="146" data-offset-x="109"
+  >
+</div>
+<!-- Same as previous test, but with max-width:fit-content. crbug.com/1010798
+  -->
+<div class="container">
+  <img class="target" style="left:100px;right:100px;max-width:fit-content" src="data:image/svg+xml,%3Csvg viewBox='0 0 100 10' xmlns='http://www.w3.org/2000/svg' %3E%3Crect width='100%' height='100%' style='fill:rgb(0,255,0);'/%3E%3C/svg%3E"
  data-expected-width="188" data-expected-height="47" data-offset-y="146" data-offset-x="109"
  >
 </div>

--- a/third_party/blink/web_tests/flag-specific/disable-blink-features=LayoutNG/external/wpt/css/css-position/position-absolute-replaced-minmax-expected.txt
+++ b/third_party/blink/web_tests/flag-specific/disable-blink-features=LayoutNG/external/wpt/css/css-position/position-absolute-replaced-minmax-expected.txt
@@ -35,7 +35,8 @@ PASS minmax replaced IMG svg 33
 PASS minmax replaced IMG 34
 FAIL minmax replaced IMG 35 assert_equals: incorrect offsetWidth expected "388" but got "426"
 FAIL minmax replaced IMG 36 assert_equals: incorrect offsetWidth expected "188" but got "426"
-PASS minmax replaced IMG 37
+FAIL minmax replaced IMG 37 assert_equals: incorrect offsetWidth expected "188" but got "338"
 PASS minmax replaced IMG 38
+PASS minmax replaced IMG 39
 Harness: the test ran to completion.