Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 0768bc0b4089e320b1132cdba41c2240bbe56f37
https://github.com/WebKit/WebKit/commit/0768bc0b4089e320b1132cdba41c2240bbe56f37
Author: Sammy Gill <[email protected]>
Date: 2026-07-02 (Thu, 02 Jul 2026)
Changed paths:
A LayoutTests/imported/w3c/web-platform-tests/css/css-grid/grid-formatting-context-fallback-crash.html
M Source/WebCore/layout/integration/grid/LayoutIntegrationGridLayout.cpp
M Source/WebCore/layout/integration/grid/LayoutIntegrationGridLayout.h
M Source/WebCore/rendering/RenderGrid.cpp
Log Message:
-----------
[GFC] Modern grid layout may incorrectly run when content mutates
https://bugs.webkit.org/show_bug.cgi?id=318358
rdar://problem/181150143

Reviewed by Alan Baradlay.

RenderGrid cached the grid formatting context (GFC) coverage decision in
m_hasGridFormattingContextLayout and only computed it once, when the optional
had no value. A positive decision was therefore never re-evaluated, so a grid
that qualified for the GFC path on its first layout kept using it even after its
content mutated into something the GFC path does not support (for example a grid
item gaining a max-width). That eventually reached unfinished GFC code and
crashed.

Match what RenderFlexibleBox::layoutUsingFlexFormattingContext already does:
only make a negative decision sticky (a perf guard, since unsupported content
stays unsupported) and re-run canUseForGridLayout whenever the grid previously
used, or has not yet evaluated, the GFC path.

Re-checking coverage exposed a second crash. At the end of a GFC layout,
GridLayout::updateFormattingContextRootRenderer marks the legacy grid as placed
without populating it, since the GFC path does not rely on the legacy grid
state. When we then fall back to the legacy layout, placeItemsOnGrid saw the
grid as already placed and returned early, leaving the track lists empty and
crashing in gridAreaBreadthForGridItemIncludingAlignmentOffsets. Add
GridLayout::invalidateFormattingContextRootRenderer to revert that stale state
on fallback so the legacy path re-places the items and rebuilds its tracks.

Canonical link: https://commits.webkit.org/316392@main
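
The two failure modes described in the log message, as a simplified C++ model added here. It is not WebKit code: ToyGrid, Outcome, mutateAndRelayout and the sample track sizes are hypothetical, and a tri-state enum stands in for the optional member.

```cpp
// Simplified model of the two failure modes in the log message. Not WebKit code:
// ToyGrid, Outcome and mutateAndRelayout are hypothetical names for illustration.
#include <cstdio>
#include <vector>

enum class Cached { Unset, Yes, No }; // stands in for the optional<bool> member
enum class Outcome { Modern, Legacy, UnsupportedInModernPath, EmptyLegacyTracks };

struct ToyGrid {
    bool itemHasMaxWidth = false;  // content the modern path does not support
    Cached decision = Cached::Unset;
    bool legacyPlaced = false;     // "already placed" flag on the legacy grid
    std::vector<int> legacyTracks; // only filled by legacy placement

    Outcome layout(bool recheckPositive, bool invalidateOnFallback) {
        // With recheckPositive set, only a negative decision stays sticky.
        if (decision == Cached::Unset || (decision == Cached::Yes && recheckPositive))
            decision = itemHasMaxWidth ? Cached::No : Cached::Yes;
        if (decision == Cached::Yes) {
            if (itemHasMaxWidth)
                return Outcome::UnsupportedInModernPath; // stale positive decision
            legacyPlaced = true; // marked placed, tracks never populated
            return Outcome::Modern;
        }
        if (invalidateOnFallback)
            legacyPlaced = false; // revert the stale flag left by the modern path
        if (!legacyPlaced) {
            legacyTracks = { 100, 100 }; // constructed sample track sizes
            legacyPlaced = true;
        }
        return legacyTracks.empty() ? Outcome::EmptyLegacyTracks : Outcome::Legacy;
    }
};

// First layout on supported content, then mutate the content and lay out again.
Outcome mutateAndRelayout(bool recheckPositive, bool invalidateOnFallback) {
    ToyGrid grid;
    grid.layout(recheckPositive, invalidateOnFallback);
    grid.itemHasMaxWidth = true;
    return grid.layout(recheckPositive, invalidateOnFallback);
}

int main() {
    std::printf("cache once:           %d\n", static_cast<int>(mutateAndRelayout(false, false)));
    std::printf("recheck only:         %d\n", static_cast<int>(mutateAndRelayout(true, false)));
    std::printf("recheck + invalidate: %d\n", static_cast<int>(mutateAndRelayout(true, true)));
    return 0;
}
```

Re-checking alone trades the first failure for the second; only the combination of re-checking and invalidating the stale placed flag reaches a populated legacy layout.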