Commit d15ee17c authored by Aleks Totic, committed by Commit Bot

[LayoutNG] More limited inline split fix

This testcase hit a DCHECK while rebalancing split inlines

LayoutInline::SplitInlines
  LayoutBoxModelObject::MoveChildTo

Layout tree looks like it should work. I think that our previous
fix of not splitting any anonymous inlines was incorrect.
This reverts my older fix at
https://chromium-review.googlesource.com/c/chromium/src/+/1610522/1

to a more conservative skip:

if (o->IsLayoutNGInsideListMarker())

instead of

if (o->IsAnonymous())

clusterfuzz layout tree looks like this:

    LayoutNGBlockFlow 0x71c8ea202a0  	FORM id="el0"
        LayoutNGBlockFlow (anonymous) 0x71c8ea20530
          LayoutInline (anonymous) 0x71c8ea303d0
*           LayoutInline 0x71c8ea30250 continuation=0x71c8ea203e8	Q id="el2"
              LayoutInline 0x71c8ea30310	<pseudo:before>
                LayoutQuote (anonymous) 0x71c8ea3c2f8
                  LayoutTextFragment (anonymous) 0x71c8ea40370 """
            LayoutInline 0x71c8ea30190 	Q id="el5"
              LayoutInline 0x71c8ea300d0	<pseudo:before>
                LayoutQuote (anonymous) 0x71c8ea3c108
                  LayoutTextFragment (anonymous) 0x71c8ea40130 "'"
              LayoutInline 0x71c8ea30490	<pseudo:after>
                LayoutQuote (anonymous) 0x71c8ea3c010
                  LayoutTextFragment (anonymous) 0x71c8ea4001

Bug: 962841
Change-Id: I5165089499c2ff7856f999d2926e07d4a992960d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1611866
Reviewed-by: Morten Stenshorne <mstensho@chromium.org>
Reviewed-by: Emil A Eklund <eae@chromium.org>
Commit-Queue: Aleks Totic <atotic@chromium.org>
Cr-Commit-Position: refs/heads/master@{#659700}
parent 8268630b
...@@ -612,7 +612,7 @@ void LayoutInline::SplitInlines(LayoutBlockFlow* from_block, ...@@ -612,7 +612,7 @@ void LayoutInline::SplitInlines(LayoutBlockFlow* from_block,
Vector<LayoutInline*> inlines_to_clone; Vector<LayoutInline*> inlines_to_clone;
LayoutInline* top_most_inline = this; LayoutInline* top_most_inline = this;
for (LayoutObject* o = this; o != from_block; o = o->Parent()) { for (LayoutObject* o = this; o != from_block; o = o->Parent()) {
if (o->IsAnonymous()) if (o->IsLayoutNGInsideListMarker())
continue; continue;
top_most_inline = ToLayoutInline(o); top_most_inline = ToLayoutInline(o);
if (inlines_to_clone.size() < kCMaxSplitDepth) if (inlines_to_clone.size() < kCMaxSplitDepth)
......
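Review bot: The new skip condition `if (o->IsLayoutNGInsideListMarker())` in the ancestor loop of LayoutInline::SplitInlines carries no comment saying why inside list markers are the one kind of object that must not be split, so the next reader has to find bug 962841 to learn it. Narrowing the skip from `o->IsAnonymous()` also means every anonymous ancestor below `from_block` now reaches `top_most_inline = ToLayoutInline(o);`, so the loop relies on each of those ancestors being a LayoutInline. Consider a one-line comment on the skip and a `DCHECK(o->IsLayoutInline())` ahead of the cast so that a layout tree violating the assumption fails at this point rather than later in the split.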