Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: ad4a1079d2dc5b083ba7bd52094449d435ce2dae
      
https://github.com/WebKit/WebKit/commit/ad4a1079d2dc5b083ba7bd52094449d435ce2dae
  Author: Alan Baradlay <za...@apple.com>
  Date:   2025-06-21 (Sat, 21 Jun 2025)

  Changed paths:
    A LayoutTests/fast/dynamic/disappearing-content-on-size-change-crash-expected.txt
    A LayoutTests/fast/dynamic/disappearing-content-on-size-change-crash.html
    M Source/WebCore/inspector/InspectorInstrumentation.cpp
    M Source/WebCore/inspector/InspectorInstrumentation.h
    M Source/WebCore/inspector/agents/page/PageTimelineAgent.cpp
    M Source/WebCore/inspector/agents/page/PageTimelineAgent.h
    M Source/WebCore/page/LocalFrameViewLayoutContext.cpp

  Log Message:
  -----------
  ASAN_TRAP | WebCore::LocalFrameViewLayoutContext::performLayout; WebCore::LocalFrameViewLayoutContext::layout; WebCore::Document::updateLayout
https://bugs.webkit.org/show_bug.cgi?id=293511
rdar://147938727

Reviewed by Devin Rousso.

This is caused by a nested layout where the initial layout's entry point gets 
destroyed during the nested one.

1. Subtree layout is initiated, meaning that the entry point of the layout is a 
renderer in the RenderView's subtree and not the RenderView itself.
2. Initial layout is complete, and now we are in the 'post' layout phase, 
calling protectedView()->didLayout()
3. protectedView()->didLayout finds out that the content is overflowing, and 
now we have to show scrollbars

In case of space-taking scrollbars (as opposed to floating), we have to shrink 
the available space for our content and run layout again with this new 
constraint.

4. We are still in performLayout() and now calling it again, recursively.
5. Style resolve runs, and renderers may get destroyed (container query, etc.), 
and in this case, our initial layout root gets deleted.

And now coming back from the nested layout, we fail when dereferencing the 
(already gone) weak renderer.

Let's fix it by holding on to the layout area, as that's really what 
InspectorInstrumentation is interested in.

* LayoutTests/fast/dynamic/disappearing-content-on-size-change-crash-expected.txt: Added.
* LayoutTests/fast/dynamic/disappearing-content-on-size-change-crash.html: 
Added.
* Source/WebCore/inspector/InspectorInstrumentation.cpp:
(WebCore::InspectorInstrumentation::didLayoutImpl):
* Source/WebCore/inspector/InspectorInstrumentation.h:
(WebCore::InspectorInstrumentation::didLayout):
* Source/WebCore/inspector/agents/page/PageTimelineAgent.cpp:
(WebCore::PageTimelineAgent::didLayout):
* Source/WebCore/inspector/agents/page/PageTimelineAgent.h:
* Source/WebCore/page/LocalFrameViewLayoutContext.cpp:
(WebCore::LocalFrameViewLayoutContext::performLayout):

Canonical link: https://commits.webkit.org/296484@main
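An added illustration, not WebKit code, of the pattern the log message describes: a weak renderer pointer held across a re-entrant layout is dead once the nested layout destroys the layout root, while a snapshot of the layout area taken beforehand stays valid. LayoutContext, Renderer, didLayout and the performLayout* helpers are simplified stand-ins, and std::weak_ptr plays the role of WebKit's WeakPtr.

```cpp
#include <memory>
#include <optional>

struct Rect {
    int x, y, w, h;
    bool operator==(const Rect& o) const { return x == o.x && y == o.y && w == o.w && h == o.h; }
};

// Stand-in for a renderer. The context owns it; observers hold weak references
// (std::weak_ptr here plays the role of WebKit's WeakPtr).
struct Renderer { Rect frame; };

struct LayoutContext {
    std::shared_ptr<Renderer> layoutRoot = std::make_shared<Renderer>(Renderer{{0, 0, 800, 600}});
    bool overflowPending = true;  // the first post-layout pass discovers overflow

    // Post-layout phase: overflow means space-taking scrollbars, so the content
    // area shrinks and layout re-enters. Style resolve in the nested layout tears
    // down the original layout root and builds a fresh one (modelled by reassigning).
    template <typename NestedLayout>
    void didLayout(NestedLayout nested) {
        if (!overflowPending) return;
        overflowPending = false;
        layoutRoot = std::make_shared<Renderer>(Renderer{{0, 0, 785, 600}});
        nested();
    }

    // Before the fix: the instrumentation hook keeps the weak renderer and
    // dereferences it after the nested layout. nullopt stands for the ASan trap.
    std::optional<Rect> performLayoutUnsafe() {
        std::weak_ptr<Renderer> weakRoot = layoutRoot;
        didLayout([this] { performLayoutUnsafe(); });
        auto root = weakRoot.lock();
        if (!root) return std::nullopt;  // original root is gone: the crash
        return root->frame;
    }

    // After the fix: snapshot the layout area, which is all the instrumentation
    // needs, before anything re-entrant can run.
    std::optional<Rect> performLayoutSafe() {
        Rect area = layoutRoot->frame;
        didLayout([this] { performLayoutSafe(); });
        return area;  // valid whether or not layoutRoot survived
    }
};

// Helpers exercising both paths on a fresh context.
bool unsafePathLosesRenderer() { return !LayoutContext{}.performLayoutUnsafe().has_value(); }
Rect safePathArea() { return *LayoutContext{}.performLayoutSafe(); }
```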
