[LayoutNG] Deleted LayoutObject reachable from outline traversal fix

This fixes a particular instance of a general problem described in #965639 To avoid traversing stale child fragment, get the latest fragment from stale child's layout object. Bug: 964924,965639 Change-Id: I3783b71805c90d6397092fb2d249b5f50042584b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1621796 Reviewed-by: Emil A Eklund <eae@chromium.org> Commit-Queue: Aleks Totic <atotic@chromium.org> Cr-Commit-Position: refs/heads/master@{#661990}
web-platform-tests · May 22, 2019 · e426a69 · e426a69
1 parent e9b2f87
commit e426a69
Showing 1 changed file with 28 additions and 0 deletions.
diff --git a/css/css-contain/contain-chrome-crash-001.html b/css/css-contain/contain-chrome-crash-001.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<title>CSS Overflow and Transforms: css-overflow-3</title>
+<link rel="author" href="mailto:atotic@google.com">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<link rel="help" href="https://crbug.com/964924">
+<meta name="assert" content="chrome does not crash with css contain edge case">
+<style>
+  * {
+    contain: size layout;
+  }
+  html {
+    outline-style: auto;
+    margin-bottom: 39%;
+  }
+  #target {
+    -webkit-appearance: push-button;
+  }
+</style>
+<output id="target">text</output>
+<script>
+test(() => {
+  document.body.offsetTop;
+  document.querySelector("#target").value = "";
+  document.body.offsetTop;
+  assert_equals(document.querySelector("#target").value, "");
+}, 'chrome does not crash with contain');
+</script>