ASSERTION FAILED: resolvedInitialPosition <= resolvedFinalPosition in WebCore::GridSp...
author svillar@igalia.com <svillar@igalia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 9 Feb 2015 14:05:49 +0000 (14:05 +0000)
committer svillar@igalia.com <svillar@igalia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 9 Feb 2015 14:05:49 +0000 (14:05 +0000)
https://bugs.webkit.org/show_bug.cgi?id=141328

Reviewed by Darin Adler.

.:

Added as a manual test because it involves a huge grid allocation,
which is very slow on Debug bots, the only ones capable of triggering
the assertion.

* ManualTests/css-grid-layout-item-with-huge-span-crash.html: Added.

Source/WebCore:

Whenever
GridResolvedPosition::resolveGridPositionsFromAutoPlacementPosition()
was trying to place an item with span, it was completely ignoring
the resolvedInitialPosition returned by
GridResolvedPosition::resolveGridPositionAgainstOppositePosition()
and only using the finalResolvedPosition. This works with an
unlimited grid which can indefinitely grow. But if the item spans
over the grid track limits, then it might happen that the final
resolved position is placed before the initial resolved position,
something that is forbidden.

The solution is to directly use the GridSpan returned by
GridResolvedPosition::resolveGridPositionAgainstOppositePosition(). If the item
does not surpass the track limits, then the returned initialResolvedPosition
is identical to the provided one; otherwise it's properly corrected to respect
track boundaries.

* rendering/style/GridResolvedPosition.cpp:
(WebCore::GridResolvedPosition::resolveGridPositionsFromAutoPlacementPosition):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@179826 268f45cc-cd09-0410-ab3c-d52691b4dbfc

ChangeLog
ManualTests/css-grid-layout-item-with-huge-span-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/style/GridResolvedPosition.cpp

index 2d1b80f..c19f185 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,16 @@
+2015-02-09  Sergio Villar Senin  <svillar@igalia.com>
+
+        ASSERTION FAILED: resolvedInitialPosition <= resolvedFinalPosition in WebCore::GridSpan::GridSpan
+        https://bugs.webkit.org/show_bug.cgi?id=141328
+
+        Reviewed by Darin Adler.
+
+        Added as manual test because it involves a huge grid allocation
+        which is very slow on Debug bots, the only ones capable to trigger
+        the assertion.
+
+        * ManualTests/css-grid-layout-item-with-huge-span-crash.html: Added.
+
 2015-02-05  Youenn Fablet  <youenn.fablet@crf.canon.fr> and Xabier Rodriguez Calvar <calvaris@igalia.com>
 
         [Streams API] Implement a barebone ReadableStream interface
diff --git a/ManualTests/css-grid-layout-item-with-huge-span-crash.html b/ManualTests/css-grid-layout-item-with-huge-span-crash.html
new file mode 100644 (file)
index 0000000..e732c06
--- /dev/null
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<p>PASSED if no crash or assertion failure.</p>
+<input/>
+<input/>
+<style>
+* {
+    display:-webkit-inline-grid;
+    -webkit-grid-row: span 400000;
+}
+</style>
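Review bot: the test file carries no indication of what it exercises beyond "PASSED if no crash or assertion failure." A short comment or visible line naming bug 141328 and stating that `-webkit-grid-row: span 400000` is meant to push the item past the grid track limits would help whoever runs it by hand. Since the commit message says only Debug builds can trigger the assertion, the test should also say so: in a Release build it passes trivially, and because it lives in ManualTests nothing runs it automatically, so this fix has no automated regression coverage.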
index 04a5303..79a8e77 100644 (file)
@@ -1,3 +1,30 @@
+2015-02-06  Sergio Villar Senin  <svillar@igalia.com>
+
+        ASSERTION FAILED: resolvedInitialPosition <= resolvedFinalPosition in WebCore::GridSpan::GridSpan
+        https://bugs.webkit.org/show_bug.cgi?id=141328
+
+        Reviewed by Darin Adler.
+
+        Whenever
+        GridResolvedPosition::resolveGridPositionsFromAutoPlacementPosition()
+        was trying to place an item with span, it was completely ignoring
+        the resolvedInitialPosition returned by
+        GridResolvedPosition::resolveGridPositionAgainstOppositePosition()
+        and only using the finalResolvedPosition. This works with an
+        unlimited grid which can indefinitely grow. But if the item spans
+        over the grid track limits, then it might happen that the final
+        resolved position is placed before the initial resolved position,
+        something that is forbidden.
+
+        The solution is to directly use the GridSpan returned by
+        GridResolvedPosition::resolveGridPositionAgainstOppositePosition(), if the item
+        does not surpass the track limits then the returned initialResolvedPosition
+        is identical to the provided one, otherwise it's properly corrected to respect
+        track boundaries.
+
+        * rendering/style/GridResolvedPosition.cpp:
+        (WebCore::GridResolvedPosition::resolveGridPositionsFromAutoPlacementPosition):
+
 2015-01-22  Sergio Villar Senin  <svillar@igalia.com>
 
         [CSS Grid Layout] Tracks' growth limits must be >= base sizes
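Review bot: the entry refers to finalResolvedPosition and initialResolvedPosition, but the code touched in GridResolvedPosition.cpp names these resolvedFinalPosition and resolvedInitialPosition (as does the assertion text in the entry's own title). Using the identifiers as they appear in the source makes the entry searchable. The entry is also dated 2015-02-06 while the top-level ChangeLog entry for the same change is dated 2015-02-09; the two should agree.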
index af535e0..35f9bfe 100644 (file)
@@ -78,9 +78,9 @@ GridSpan GridResolvedPosition::resolveGridPositionsFromAutoPlacementPosition(con
     GridResolvedPosition resolvedFinalPosition = resolvedInitialPosition;
 
     if (initialPosition.isSpan())
-        resolvedFinalPosition = resolveGridPositionAgainstOppositePosition(gridContainerStyle, resolvedInitialPosition, initialPosition, finalPositionSide)->resolvedFinalPosition;
+        return *resolveGridPositionAgainstOppositePosition(gridContainerStyle, resolvedInitialPosition, initialPosition, finalPositionSide);
     else if (finalPosition.isSpan())
-        resolvedFinalPosition = resolveGridPositionAgainstOppositePosition(gridContainerStyle, resolvedInitialPosition, finalPosition, finalPositionSide)->resolvedFinalPosition;
+        return *resolveGridPositionAgainstOppositePosition(gridContainerStyle, resolvedInitialPosition, finalPosition, finalPositionSide);
 
     return GridSpan(resolvedInitialPosition, resolvedFinalPosition);
 }
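Review bot: with both span branches now returning, the local `resolvedFinalPosition` declared in the first context line is never reassigned, so the final `return GridSpan(resolvedInitialPosition, resolvedFinalPosition);` always builds a span from two copies of the same position. The local can be dropped and the fall-through written with resolvedInitialPosition directly. The `else if (finalPosition.isSpan())` also follows a `return`, so a plain `if` reads better. Separately, both new returns dereference the result of resolveGridPositionAgainstOppositePosition() with `*` unconditionally, as the removed lines did with `->`. If that function can ever return null for a span position, this is a null dereference on attacker-influenced style input; an ASSERT on the result, or a comment stating why it cannot be null here, would document the invariant.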