169739 – [css-grid] Crash on debug removing a positioned child

Bug 169739 - [css-grid] Crash on debug removing a positioned child

Summary: [css-grid] Crash on debug removing a positioned child

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Layout and Rendering (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Manuel Rego Casasnovas

URL:
Keywords:	BlinkMergeCandidate

Duplicates (1):	169749 (view as bug list)
Depends on:
Blocks:	60731
	Show dependency tree / graph

Reported:	2017-03-16 02:05 PDT by Manuel Rego Casasnovas
Modified:	2017-03-16 08:20 PDT (History)
CC List:	7 users (show)

See Also:	https://bugs.chromium.org/p/chromium/issues/detail?id=700383

Attachments
Example to reproduce the issue (683 bytes, text/html) 2017-03-16 02:05 PDT, Manuel Rego Casasnovas	no flags	Details
Patch (5.03 KB, patch) 2017-03-16 02:31 PDT, Manuel Rego Casasnovas	no flags	Details \| Formatted Diff \| Diff
Patch for landing (5.02 KB, patch) 2017-03-16 05:30 PDT, Manuel Rego Casasnovas	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Manuel Rego Casasnovas 2017-03-16 02:05:16 PDT

Created attachment 304619 [details]
Example to reproduce the issue

The problem is that when we remove a positioned child, the grid is not relayout but we're marking it as dirty. So when it's repainted we got a crash. The crash is:

ASSERTION FAILED: !m_grid.needsItemsPlacement()
/home/rego/checkout/WebKit/Source/WebCore/rendering/RenderGrid.cpp(1643) : virtual void WebCore::RenderGrid::paintChildren(WebCore::PaintInfo&, const WebCore::LayoutPoint&, WebCore::PaintInfo&, bool)

This has been already fixed in Blink: https://codereview.chromium.org/2748983003/

Comment 1 Manuel Rego Casasnovas 2017-03-16 02:31:39 PDT

Created attachment 304623 [details]
Patch

Comment 2 Sergio Villar Senin 2017-03-16 05:26:36 PDT

Comment on attachment 304623 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=304623&action=review

Nice!

> LayoutTests/fast/css-grid-layout/grid-crash-remove-positioned-item.html:11
> +       after removing the positioned item. -->

Nit: don't need to split this comment in 3 lines

Comment 3 Manuel Rego Casasnovas 2017-03-16 05:30:27 PDT

Created attachment 304635 [details]
Patch for landing

Comment 4 WebKit Commit Bot 2017-03-16 06:13:05 PDT

Comment on attachment 304635 [details]
Patch for landing

Clearing flags on attachment: 304635

Committed r214039: <http://trac.webkit.org/changeset/214039>

Comment 5 WebKit Commit Bot 2017-03-16 06:13:12 PDT

All reviewed patches have been landed.  Closing bug.

Comment 6 Manuel Rego Casasnovas 2017-03-16 08:20:41 PDT

*** Bug 169749 has been marked as a duplicate of this bug. ***