REGRESSION (r191336): RenderFlexibleBox::adjustChildSizeForMinAndMax crashes in std...
author zalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 3 Sep 2018 03:41:11 +0000 (03:41 +0000)
committer zalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 3 Sep 2018 03:41:11 +0000 (03:41 +0000)
https://bugs.webkit.org/show_bug.cgi?id=189232
<rdar://problem/43886373>

Reviewed by Brent Fulgham.

Source/WebCore:

It's not guaranteed that RenderFlexibleBox::computeMainAxisExtentForChild() always returns with a valid value.

Test: fast/flexbox/crash-when-min-max-content-is-not-computed.html

* rendering/RenderFlexibleBox.cpp:
(WebCore::RenderFlexibleBox::adjustChildSizeForMinAndMax):

LayoutTests:

* fast/flexbox/crash-when-min-max-content-is-not-computed-expected.txt: Added.
* fast/flexbox/crash-when-min-max-content-is-not-computed.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235590 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/flexbox/crash-when-min-max-content-is-not-computed-expected.txt [new file with mode: 0644]
LayoutTests/fast/flexbox/crash-when-min-max-content-is-not-computed.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderFlexibleBox.cpp

index 2c2f481..22914b3 100644 (file)
@@ -1,3 +1,14 @@
+2018-09-02  Zalan Bujtas  <zalan@apple.com>
+
+        REGRESSION (r191336): RenderFlexibleBox::adjustChildSizeForMinAndMax crashes in std::optional<>::value()
+        https://bugs.webkit.org/show_bug.cgi?id=189232
+        <rdar://problem/43886373>
+
+        Reviewed by Brent Fulgham.
+
+        * fast/flexbox/crash-when-min-max-content-is-not-computed-expected.txt: Added.
+        * fast/flexbox/crash-when-min-max-content-is-not-computed.html: Added.
+
 2018-09-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
 
         Implement Object.fromEntries
 2018-09-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
 
         Implement Object.fromEntries
diff --git a/LayoutTests/fast/flexbox/crash-when-min-max-content-is-not-computed-expected.txt b/LayoutTests/fast/flexbox/crash-when-min-max-content-is-not-computed-expected.txt
new file mode 100644 (file)
index 0000000..73409ae
--- /dev/null
@@ -0,0 +1,2 @@
+PASS if no crash.
+
diff --git a/LayoutTests/fast/flexbox/crash-when-min-max-content-is-not-computed.html b/LayoutTests/fast/flexbox/crash-when-min-max-content-is-not-computed.html
new file mode 100644 (file)
index 0000000..82212ef
--- /dev/null
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+.outer {
+    display: flex;
+    flex-direction: column;
+}
+
+.inner{
+    display: grid;
+    height: 100px;
+}
+</style>
+</head>
+PASS if no crash.
+<div class=outer><div class=inner></div></div>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+</html>
\ No newline at end of file
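Review bot: The test covers a single configuration (a `display: grid` child with `height: 100px` inside a `flex-direction: column` container), while the patch changes two `.value()` call sites in adjustChildSizeForMinAndMax, and nothing in the test says which of them it reaches. Consider adding a second case for the other call site, or a comment naming the one this test exercises, so a later refactor of either line stays covered. The file also ends without a trailing newline.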
index fff3719..618188f 100644 (file)
@@ -1,3 +1,18 @@
+2018-09-02  Zalan Bujtas  <zalan@apple.com>
+
+        REGRESSION (r191336): RenderFlexibleBox::adjustChildSizeForMinAndMax crashes in std::optional<>::value()
+        https://bugs.webkit.org/show_bug.cgi?id=189232
+        <rdar://problem/43886373>
+
+        Reviewed by Brent Fulgham.
+
+        It's not guaranteed that RenderFlexibleBox::computeMainAxisExtentForChild() always returns with a valid value.
+
+        Test: fast/flexbox/crash-when-min-max-content-is-not-computed.html
+
+        * rendering/RenderFlexibleBox.cpp:
+        (WebCore::RenderFlexibleBox::adjustChildSizeForMinAndMax):
+
 2018-09-01  Simon Fraser  <simon.fraser@apple.com>
 
         Rename FilterEffectRenderer to CSSFilter
 2018-09-01  Simon Fraser  <simon.fraser@apple.com>
 
         Rename FilterEffectRenderer to CSSFilter
index 6692eac..2128583 100644 (file)
@@ -1087,7 +1087,9 @@ LayoutUnit RenderFlexibleBox::adjustChildSizeForMinAndMax(const RenderBox& child
         // https://drafts.csswg.org/css-flexbox/#intrinsic-sizes before that
         // produces reasonable results. Tracking bug: https://crbug.com/581553
         // css-flexbox section 4.5
         // https://drafts.csswg.org/css-flexbox/#intrinsic-sizes before that
         // produces reasonable results. Tracking bug: https://crbug.com/581553
         // css-flexbox section 4.5
-        LayoutUnit contentSize = computeMainAxisExtentForChild(child, MinSize, Length(MinContent)).value();
+        // FIXME: If the min value is expected to be valid here, we need to come up with a non optional version of computeMainAxisExtentForChild and
+        // ensure it's valid through the virtual calls of computeIntrinsicLogicalContentHeightUsing.
+        LayoutUnit contentSize = computeMainAxisExtentForChild(child, MinSize, Length(MinContent)).value_or(0);
         ASSERT(contentSize >= 0);
         if (child.hasAspectRatio() && child.intrinsicSize().height() > 0)
             contentSize = adjustChildSizeForAspectRatioCrossAxisMinAndMax(child, contentSize);
         ASSERT(contentSize >= 0);
         if (child.hasAspectRatio() && child.intrinsicSize().height() > 0)
             contentSize = adjustChildSizeForAspectRatioCrossAxisMinAndMax(child, contentSize);
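Review bot: In the `contentSize` assignment, `value_or(0)` turns "the min-content size could not be computed" into "the min-content size is 0", and the `ASSERT(contentSize >= 0)` right after it can no longer tell the two apart. That 0 then feeds the aspect-ratio adjustment and the `std::min(specifiedSize, contentSize)` clamp further down, so the fallback changes layout results, not just crash behaviour. Consider testing the optional explicitly and handling the empty case as its own branch, so the choice of fallback is visible in the code, and add the bug URL to the FIXME so the follow-up can be tracked.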
@@ -1095,7 +1097,7 @@ LayoutUnit RenderFlexibleBox::adjustChildSizeForMinAndMax(const RenderBox& child
         
         Length mainSize = isHorizontalFlow() ? child.style().width() : child.style().height();
         if (mainAxisLengthIsDefinite(child, mainSize)) {
         
         Length mainSize = isHorizontalFlow() ? child.style().width() : child.style().height();
         if (mainAxisLengthIsDefinite(child, mainSize)) {
-            LayoutUnit resolvedMainSize = computeMainAxisExtentForChild(child, MainOrPreferredSize, mainSize).value();
+            LayoutUnit resolvedMainSize = computeMainAxisExtentForChild(child, MainOrPreferredSize, mainSize).value_or(0);
             ASSERT(resolvedMainSize >= 0);
             LayoutUnit specifiedSize = std::min(resolvedMainSize, maxExtent.value_or(resolvedMainSize));
             return std::max(childSize, std::min(specifiedSize, contentSize));
             ASSERT(resolvedMainSize >= 0);
             LayoutUnit specifiedSize = std::min(resolvedMainSize, maxExtent.value_or(resolvedMainSize));
             return std::max(childSize, std::min(specifiedSize, contentSize));
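Review bot: The `resolvedMainSize` call sits inside `if (mainAxisLengthIsDefinite(child, mainSize))`, so an empty result here would mean the definiteness check and computeMainAxisExtentForChild disagree, and `value_or(0)` hides that silently. With a 0 fallback, `specifiedSize` is at most 0 and the return value collapses to `std::max(childSize, 0)` for a non-negative `contentSize`, which drops the specified size from the clamp. Unlike the first call site, this one has no FIXME; either extend the comment to cover it or add a debug assertion that the optional has a value before falling back.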