Branch: refs/heads/webkitglib/2.52
Home: https://github.com/WebKit/WebKit
Commit: 52c38471c664653dbb47969473928fa819f0bf86
https://github.com/WebKit/WebKit/commit/52c38471c664653dbb47969473928fa819f0bf86
Author: Sammy Gill <[email protected]>
Date: 2026-04-13 (Mon, 13 Apr 2026)
Changed paths:
M LayoutTests/imported/w3c/web-platform-tests/css/css-contain/contain-paint-dynamic-001-expected.txt
A LayoutTests/imported/w3c/web-platform-tests/css/css-grid/subgrid/subgrid-paint-containment-change-crash.html
M Source/WebCore/rendering/GridTrackSizingAlgorithm.cpp
M Source/WebCore/style/StyleDifference.cpp
Log Message:
-----------
Cherry-pick 310968@main (2cc90f478c7e).
https://bugs.webkit.org/show_bug.cgi?id=311942
[Grid] Crash under GridTrackSizingAlgorithm::copyUsedTrackSizesForSubgrid
when paint containment changes on subgrid.
https://bugs.webkit.org/show_bug.cgi?id=311942
rdar://172724120
Reviewed by Alan Baradlay.
One effect of applying paint containment to a box is that it forces said
box to establish an independent formatting context.
https://drafts.csswg.org/css-contain/#containment-paint
As a result, applying or removing this on a box has layout implications
so we need to make sure that it requires us to do layout. For example,
when a subgrid ends up establishing an independent formatting context
then that box is no longer a subgrid. Instead of sharing the tracks with
the parent grid and having its children participate in the track sizing
algorithm of the parent it acts as its own grid with its own track
sizing algorithm that runs. The parent grid then no longer sees it as a
subgrid but as any other grid item. Another case is when you may have a
float that intrudes into a container and forcing the container to
establish an independent formatting context would push the float outside
of the bounds of the container, potentially resulting in a much different
layout.
<div style="width: 50px; height: 50px; float: left; background-color: magenta;"></div>
<div style="width: 200px; height: 200px; outline: 1px solid blue;" id="container">
  <div>
    foobar
  </div>
</div>
Mutating the style on container here and adding paint containment should
result in the float getting pushed outside of container.
In terms of the crash, we end up bailing out early in
RenderGrid::styleDidChange
since the style difference is not Style::DifferenceResult::Layout and
end up skipping the remaining invalidation in this function, which
includes checking for independent formatting context changes on
subgrids. That type of invalidation was added in 289038@main, which
catches changes to, for example, layout containment. If you end up
changing contain: paint to contain: layout in the new test case we end up
recovering because of this.
* Source/WebCore/rendering/GridTrackSizingAlgorithm.cpp:
(WebCore::GridTrackSizingAlgorithm::copyUsedTrackSizesForSubgrid):
The RELEASE_ASSERT here was redundant since it was trying to protect
from a bad Vector access, but WTF::Vector already RELEASE_ASSERTS when
this happens.
* Source/WebCore/style/StyleDifference.cpp:
We can fix this by adding a check for paint containment alongside the
other containment changes that require layout.
Canonical link: https://commits.webkit.org/310968@main
Canonical link: https://commits.webkit.org/305877.409@webkitglib/2.52
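A constructed reproducer for the two dynamic style changes the commit message describes, added here as an illustration. It is not the subgrid-paint-containment-change-crash.html test from this commit (that file's contents are not shown), and the element ids, sizes and expected measurements are assumptions of this example, not taken from the change.

```html
<!doctype html>
<!-- Added example, not the commit's test file. Toggles paint containment
     at runtime on (1) a subgrid and (2) a block that a float intrudes into,
     forcing layout between each mutation. On an affected build, case 1 is
     the code path the commit message says reached
     GridTrackSizingAlgorithm::copyUsedTrackSizesForSubgrid without a layout
     having been requested; on a fixed build both cases complete and the
     measurements below change as described in the comments. -->
<style>
  #grid { display: grid; grid-template-columns: 100px 100px; width: 200px; }
  #sub  { display: grid; grid-column: 1 / 3; grid-template-columns: subgrid; }
  #sub > div { height: 20px; background: #8cf; }
  #float { width: 50px; height: 50px; float: left; background-color: magenta; }
  #container { width: 200px; height: 200px; outline: 1px solid blue; }
</style>

<div id="grid">
  <div id="sub"><div>a</div><div>b</div></div>
</div>
<div id="float"></div>
<div id="container"><div>foobar</div></div>
<pre id="log"></pre>

<script>
  const log = (msg) => { document.getElementById('log').textContent += msg + '\n'; };
  // Reading offsetHeight forces a synchronous layout so each style change is
  // applied (and the style difference classified) before the next mutation.
  const forceLayout = (el) => el.offsetHeight;
  const widths = (el) => Array.from(el.children, (c) => c.getBoundingClientRect().width);

  // Case 1: subgrid <-> independent formatting context.
  const sub = document.getElementById('sub');
  forceLayout(sub);
  // As a subgrid, the items sit on the parent's 100px tracks.
  log('subgrid item widths (no containment): ' + widths(sub).join(', '));

  // contain: paint makes #sub an independent formatting context, so it is
  // no longer a subgrid; it must run its own track sizing, which needs a
  // full layout, not just a repaint.
  sub.style.contain = 'paint';
  forceLayout(sub);
  log('subgrid item widths (contain: paint): ' + widths(sub).join(', '));

  // Removing it turns #sub back into a subgrid sharing the parent's tracks.
  sub.style.contain = '';
  forceLayout(sub);
  log('subgrid item widths (containment removed): ' + widths(sub).join(', '));

  // Case 2: a float intruding into a block container.
  const container = document.getElementById('container');
  const floatBox = document.getElementById('float');
  const floatRight = floatBox.getBoundingClientRect().right;
  forceLayout(container);
  // Without containment the container's box starts at the left edge and the
  // float overlaps it; "foobar" merely wraps around the float.
  log('container left before: ' + container.getBoundingClientRect().left +
      ' (float right edge: ' + floatRight + ')');

  // With contain: paint the container establishes an independent formatting
  // context and is placed next to the float instead of under it, so its
  // left edge is expected to move to (or past) the float's right edge.
  container.style.contain = 'paint';
  forceLayout(container);
  log('container left after contain: paint: ' + container.getBoundingClientRect().left);
</script>
```

Load the page once with the subgrid section and once with only the float section if you want to isolate the two cases; the log element at the bottom shows the measured widths and offsets so the change in layout (rather than only a repaint) is visible without a debugger.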