I've been on a quest to fix all NG crashers.
Fixing this one needs a deeper understanding of float layout than
I have. Here is my brain dump, and a simplified test case.

fast/block/float-avoids-padding-inline-ancestors.html crashes.

Crash cause:
#FLOAT gets painted twice after DOM mutation.
- It gets painted once by Legacy as a float inside #CONTAINER.
  #CONTAINER is getting painted by Legacy because it has no paint
  fragment, because it does not have inline children.
- It gets painted again by NG inside LayoutNGBlockFlow (anonymous).

What should happen:
#CONTAINER Legacy paint should not paint #FLOAT because it is
not #FLOAT's containing block.

Why does #CONTAINER paint the float?
Before mutation, #CONTAINER was #FLOAT's containing block. After
mutation, LayoutNGBlockFlow (anonymous) became #FLOAT's containing block.
#FLOAT was never removed from #CONTAINER.

I attempted to fix this by removing floats from Legacy inside NGBlockNode::Layout
before LayoutWithAlgorithm.
WIP: https://chromium-review.googlesource.com/c/chromium/src/+/1125319
This caused two more tests to fail:
fast/block/float/relative-painted-twice.html
fast/dom/nodesFromRect/nodesFromRect-child-frame-content.html
My guess is that removing floats that were cached causes them never to be
reinserted again. Turning caching off makes these failing tests pass.
I tried tracing the root cause of these failures, and this is where
my knowledge of floats/block layout ran out. Elements in question get
relaid out multiple times, IsBlockLayoutComplete returns false, and
I get completely lost about what is happening.

Deleted: float_crash.html (750 bytes)

Comment 1 by dtapu...@chromium.org, Sep 17
Status: Untriaged (was: Available)