From 9f1dec8f0c5384b7064f6db27b9b24db788a7981 Mon Sep 17 00:00:00 2001 From: Morten Stenshorne Date: Fri, 26 Feb 2021 00:36:15 -0800 Subject: [PATCH] Never force legacy layout on NG objects. Remove dangerous legacy fallback code from LayoutObject(), and do this safely in the child insertion code instead. Calling a virtual method in a base class constructor doesn't work. IsLayoutNGObject() would always return false, since that's how it's implemented in LayoutObject. This code could cause us to mark an NG object as requiring legacy fallback, which would make the NG engine delegate the job to the legacy engine. But the legacy engine would refuse to do anything, since it's an NG object, so it would delegate to NG, and so on... Infinite recursion. The !IsLayoutNGObject() check in LayoutObject() was a mistake added in CL:2414289, which basically had no effect at all. But we can just remove the entire thing now, and rely on the new hook in the child insertion code instead. Note that the new test doesn't fail without this fix when run normally by the test runner, because the test needs LayoutNGTextControl to be disabled in order to fail (so that we attempt legacy fallback), but this feature is currently set to "test". Unlike the fuzzer, it seems... Bug: 1181687 Change-Id: I2f174824e4b86d9ae2e5b3b319df7f6036b4f13d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2720104 Reviewed-by: Ian Kilpatrick Commit-Queue: Morten Stenshorne Cr-Commit-Position: refs/heads/master@{#858052} --- css/css-layout-api/input-text-crash.https.html | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 css/css-layout-api/input-text-crash.https.html diff --git a/css/css-layout-api/input-text-crash.https.html b/css/css-layout-api/input-text-crash.https.html new file mode 100644 index 00000000000000..2d32609040a970 --- /dev/null +++ b/css/css-layout-api/input-text-crash.https.html @@ -0,0 +1,4 @@ + + + +