Previously, the column count was always incremented by 1. This led to a
mismatch with `compute_outer_content_sizes()`, which did use the `span`
attribute to advance the column index. This mismatch caused an
out-of-bounds access when the column index was greater than the
expected number of columns.
PlaybackManager's ref counting was only used to keep it alive in a few
callbacks. Instead, the callbacks can use weak references that can only
be used from the thread that the PlaybackManager was created on, to
ensure that the PlaybackManager can't be destroyed while being
accessed.
This ensures that:
- The PlaybackManager is destroyed immediately when it is reassigned
by HTMLMediaElement
- No callbacks are invoked after that point
This fixes the crash initially being addressed by #8081. The test from
that PR has been included as a regression test.
When walking the flat tree in HTMLElement::offset_parent(), ancestors
may not have layout nodes (e.g., they have display:none). This can
happen when an element is slotted into a shadow root where the slot
is inside a display:none container.
Guard layout_node() accesses with null checks. If an ancestor has no
layout node, it cannot be positioned or establish a containing block,
so it cannot be the offset parent for those reasons.
Elements in internal shadow trees that represent CSS pseudo-elements
(e.g. the DetailsContent slot in <details>) store their cascaded
properties on the host element's pseudo-element data, not on the
element itself. This meant that when slotted elements walked the
inheritance chain and encountered such a slot, they would dereference
null cascaded properties and crash.
Fix this by copying the cascaded properties onto the slot element
itself after computing its style, keeping both cascaded and computed
properties accessible in the same place.
Add 18 crash tests covering various scenarios where image loading
callbacks fire after an iframe has been removed from the DOM,
making its document inactive. These tests cover microtasks,
element tasks, batching dispatcher callbacks, decode promises,
lazy loading, srcset, picture elements, nested iframes, document
adoption, and iframe reattach/remove cycles.
Instead of defining somewhat high level mouse actions, allow granular
control of mouse clicks and mouse down/up/move events. We will want to
simulate things like holding down a mouse button after double clicking
and then dragging the mouse to another position in the future, and this
enables that.
It's possible for the cookie value from a Set-Cookie header to contain
invalid UTF-8. We must isomorphic decode this header.
This fixes the /cookies/domain/domain-attribute-idn-host.sub.https.html
WPT test. The test added here is a crash test rather than a text test
because we cannot access the received Set-Cookie header from JS on the
file:// test URL.
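As an added illustration of the isomorphic decoding the commit describes (example code, not Ladybird's own cookie parser): the header is handled as a byte sequence, with each byte becoming one code point, so invalid UTF-8 in the value cannot make parsing fail. The header bytes are constructed.

```python
# Added example, not the browser's own implementation. The sample header
# bytes are constructed to contain invalid UTF-8 in the cookie value.

def isomorphic_decode(data: bytes) -> str:
    """Infra 'isomorphic decode': byte 0x00..0xFF -> code point U+0000..U+00FF.
    Unlike UTF-8 decoding this can never fail, so arbitrary header bytes are safe."""
    return "".join(chr(b) for b in data)

def is_valid_utf8(data: bytes) -> bool:
    """True if the bytes would survive a strict UTF-8 decode (the path that crashed)."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False

def parse_set_cookie(header: bytes) -> tuple[str, str, list[str]]:
    """Split a Set-Cookie header into (name, value, attribute strings).
    Parsing runs on the isomorphically decoded string, so the cookie
    algorithm sees the header as bytes rather than as UTF-8 text."""
    text = isomorphic_decode(header)
    name_value, _, rest = text.partition(";")
    name, _, value = name_value.partition("=")
    attributes = [a.strip() for a in rest.split(";") if a.strip()]
    return name.strip(), value.strip(), attributes

# Constructed: 0xFF 0xFE 0x01 is not valid UTF-8.
CONSTRUCTED_HEADER = b"session=\xff\xfe\x01abc; Path=/; Secure"

if __name__ == "__main__":
    print("valid UTF-8:", is_valid_utf8(CONSTRUCTED_HEADER))
    print(parse_set_cookie(CONSTRUCTED_HEADER))
```

Note that a multi-byte UTF-8 sequence such as 0xC3 0xA9 comes out as two code points (U+00C3 U+00A9) under isomorphic decoding; that is the intended behaviour, not a defect.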
Previously, click handling for labels was handled in layout and
painting code. This change implements activation_behavior on
HTMLLabelElement, which clicks and focuses the element.
We had two issues with ::backdrop which this commit fixes:
::backdrop is unique in that it's the previous sibling to its
originating element, instead of a child of it. This means when that
element's layout node is thrown away, the ::backdrop's is not.
A second issue is that if we do a partial layout rebuild, the
originating element's layout node replaces its previous one, but we
would still append a new layout node for ::backdrop to the root, so it
would appear in front of the originating element.
A related issue is that clear_pseudo_element_nodes() got called on the
element after its ::backdrop had been assigned, so it would immediately
lose track of it again.
To solve this, we now always remove the ::backdrop's layout node. If we
need to create a new one, we insert it before the element's layout node
if it has one, otherwise we append as before. This ensures we only ever
have up to one layout node for the ::backdrop, and it appears behind
its originating element.
To support this, create_pseudo_element_if_needed() has a couple of
changes:
- It returns the node that was created.
- The caller can ask it not to insert the node, so that the caller can
do so (which we use so that we can insert it in a specific place)
Previously, referencing an element that eventually pointed back to
the original <use> element would cause a stack overflow.
We now look at the referenced element and follow every <use> element
in its subtree and aim to detect any duplicates. If so, we consider
that referenced element invalid.
This recovers 750+ WPT subtests that were lost when
https://github.com/web-platform-tests/wpt/pull/56913 was merged and
added new testcases, two of which exposed this crash.
I have added my own testcase instead of importing the affected WPT tests
since they are large and complex, which makes it hard to understand
where the problem is coming from based on them alone. Also this is only
a crash test (i.e. not a different kind) because the tested scenario
doesn't actually behave correctly yet for seemingly unrelated reasons.
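A sketch of the duplicate-detection walk described in the commit, added here as an example (not Ladybird's SVG code): a constructed element tree, an id index, and an iterative check that refuses a <use> reference if following it, and every nested <use>, would revisit an element. Treating a missing target as invalid is an assumption of this example.

```python
# Added example, not the browser's own code. The element tree below is
# constructed to contain a two-element <use> reference cycle.
from dataclasses import dataclass, field
from typing import Dict, Iterator, List

@dataclass
class Element:
    tag: str
    id: str = ""
    href: str = ""          # for <use>: "#id" of the referenced element
    children: List["Element"] = field(default_factory=list)

    def descendants(self) -> Iterator["Element"]:
        for child in self.children:
            yield child
            yield from child.descendants()

def index_by_id(root: Element) -> Dict[str, Element]:
    return {el.id: el for el in [root, *root.descendants()] if el.id}

def reference_is_valid(use: Element, ids: Dict[str, Element]) -> bool:
    """False if following this <use>, and every <use> inside the referenced
    subtree, would reach an element a second time. The walk is iterative and
    keeps a visited set, so a cycle is detected instead of recursing forever.
    A missing target is treated as invalid (assumption of this example)."""
    target = ids.get(use.href.lstrip("#"))
    if target is None:
        return False
    visited = {id(use)}
    worklist = [target]
    while worklist:
        el = worklist.pop()
        if id(el) in visited:
            return False                     # duplicate: reference cycle
        visited.add(id(el))
        for node in [el, *el.descendants()]:
            if node.tag == "use":
                nested = ids.get(node.href.lstrip("#"))
                if nested is not None:
                    worklist.append(nested)
    return True

CONSTRUCTED_TREE = Element("svg", children=[
    Element("g", id="a", children=[Element("use", id="a-use", href="#b")]),
    Element("g", id="b", children=[Element("use", id="b-use", href="#a")]),
    Element("circle", id="dot"),
    Element("use", id="ok", href="#dot"),
    Element("use", id="self", href="#self"),
])

if __name__ == "__main__":
    ids = index_by_id(CONSTRUCTED_TREE)
    for name in ("a-use", "ok", "self"):
        print(name, reference_is_valid(ids[name], ids))
```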
It is not guaranteed that an animation is ready to run a pending task
when it is scheduled just because it has a timeline, and even if it is,
the current time when scheduling will not necessarily still be correct
when the task is run (e.g. if the timeline changes in the interim).
We had some tests which relied on the previous behavior which have been
updated to await the pending play task.
Fixes a crash in the
/web-animations/interfaces/Animatable/animate-no-browsing-context.html
WPT test, but it can't be imported since it relies on a Python web server
to be running.
I missed when these changes actually happened, but the big differences
here are that a few steps got extracted into their own algorithms; and
the dialog now only does things when it's attached to a fully-active
document, instead of immediately.
I've imported a WPT test that exercises this by calling show() on an
unattached dialog.
There was a crash in JS::CyclicModule::evaluate due to a spec bug that
we worked around years ago (1dc9769f7d).
This bug has now been fixed in ECMA-262. This adds a regression crash
test to ensure we still don't crash after implementing that fix, as this
is really only reachable from an embedder.
This fixes a silly bug where we would crash when parsing a multi-layer
mask shorthand property that contained the no-clip keyword but no value
for mask-origin.
Fixes a crash when parsing the CSS of https://www.browserbase.com/. The
site still has other, unrelated problems though.
In some cases a document may lack an associated window. To fix this for
now, we just return false, but perhaps there are some media queries we
should still attempt to resolve.