We fail to clean all the renderers while running the following test: LayoutTests/imported/blink/fast/lists/list-item-without-list-reparented-crash.html
Created attachment 290461 [details] Test reduction This happens when we start mutating the renderer tree while laying it out. <body> <span> <li> 1. floating <li> is being laid out by the body (<span> is the direct parent but the containing block is the body) 2. we insert a new renderer (list marker) and dirty the ancestor chain 3. we never get to lay out the <span>
(In reply to comment #1) > Created attachment 290461 [details] > Test reduction > > This happens when we start mutating the renderer tree while laying it out. > <body> > <span> > <li> > 1. floating <li> is being laid out by the body (<span> is the direct parent > but the containing block is the body) > 2. we insert a new renderer (list marker) and dirty the ancestor chain > 3. we never get to lay out the <span> Scratch the containing block part, it's just a floating renderer and not an out of flow positioned one.
Created attachment 290534 [details] Patch
Alternatively we could make RenderObject::markContainingBlocksForLayout smarter and figure out the floating case, but I am sure we don't have all the information at this point to make that decision.
Comment on attachment 290534 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=290534&action=review > Source/WebCore/rendering/RenderListItem.cpp:290 > + // FIXME: We should stop mutating the renderer tree during layout. I think this comment would be better if it described why you added these lines. Something like "mark the parent dirty so that when the marker dirties ancestors, it stops at the parent."
Created attachment 290558 [details] Patch
Created attachment 290559 [details] Patch
Comment on attachment 290559 [details] Patch Clearing flags on attachment: 290559 Committed r206765: <http://trac.webkit.org/changeset/206765>
All reviewed patches have been landed. Closing bug.