commit 5c0d6a5d2b0a65f0379e4293a731fa623eefd2f8
parent 2b3d0b0c4a0d1f83321d24dc728477a9e0b85404
Author: Sam Davis Omekara Jr. <samomekarajr@microsoft.com>
Date: Thu, 9 Oct 2025 20:31:07 +0000
Bug 1992117 [wpt PR 55146] - [Gap Decorations]: Prevent crash during flex cross gap painting, a=testonly
Automatic update from web-platform-tests
[Gap Decorations]: Prevent crash during flex cross gap painting
This CL resolves a crash discovered by the fuzzer during flex cross gap
painting. The issue occurred when the first cross gap did not occur
on the first flex line.
Previously, `main_gap_running_index_` was always initialized to zero,
based on a flawed assumption that the first cross gap would always end
at the first main gap.
This assumption is wrong because it is possible that the first cross gap
may begin on the kth flex line and end at the kth main gap.
Initializing `main_gap_running_index_` to zero in such scenarios leads
to invalid access of `CrossGapsBefore` when computing the end position
of the cross gap.
The fix updates the initialization of `main_gap_running_index_` to
correctly point to the first main gap that has cross gaps before it,
rather than just zero.
Bug: 446998354
Change-Id: Ica0ed829bd099f2e68ca55607f37e81682a047dd
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6996527
Commit-Queue: Sam Davis Omekara <samomekarajr@microsoft.com>
Reviewed-by: Alison Maher <almaher@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#1522580}
--
wpt-commits: 5c57e039531a5742df8e3308743555eb1fa66966
wpt-pr: 55146
Diffstat:
2 files changed, 78 insertions(+), 0 deletions(-)
diff --git a/testing/web-platform/tests/css/css-gaps/flex/flex-gap-decorations-029-ref.html b/testing/web-platform/tests/css/css-gaps/flex/flex-gap-decorations-029-ref.html
@@ -0,0 +1,45 @@
+<!DOCTYPE html>
+<link rel="help" href="https://drafts.csswg.org/css-gaps-1/">
+<link rel="author" title="Sam Davis Omekara Jr." href="mailto:samomekarajr@microsoft.com">
+<style>
+ body {
+ margin: 0px;
+ }
+ .container {
+ display: flex;
+ width: 110px;
+ height: 110px;
+ column-gap: 10px;
+ row-gap: 10px;
+ flex-wrap: wrap;
+ }
+ .item {
+ background: skyblue;
+ width: 50px;
+ height: 50px;
+ }
+ .row-gap {
+ position: absolute;
+ background: green;
+ width: 110px;
+ height: 10px;
+ }
+ .column-gap {
+ position: absolute;
+ top: 55px;
+ left: 50px;
+ background: pink;
+ height: 60px;
+ width: 10px;
+ }
+</style>
+<div class="container">
+ <div class="item" style="width: 80px;"></div>
+ <div class="item"></div>
+ <div class="item"></div>
+ <div class="item"></div>
+</div>
+
+<div class="column-gap"></div>
+<div class="row-gap" style="top: 50px;"></div>
+<div class="row-gap" style="top: 110px;"></div>
diff --git a/testing/web-platform/tests/css/css-gaps/flex/flex-gap-decorations-029.html b/testing/web-platform/tests/css/css-gaps/flex/flex-gap-decorations-029.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<title>
+ CSS Gap Decorations: flex gaps are painted when there are no column gaps on the first and last rows.
+</title>
+<link rel="help" href="https://drafts.csswg.org/css-gaps-1/">
+<link rel="match" href="flex-gap-decorations-029-ref.html">
+<link rel="author" title="Sam Davis Omekara Jr." href="mailto:samomekarajr@microsoft.com">
+<style>
+ body {
+ margin: 0px;
+ }
+ .flex-container {
+ height: 110px;
+ width: 110px;
+ display: flex;
+ flex-wrap: wrap;
+
+ gap: 10px;
+ column-rule: pink solid 10px;
+ row-rule: green solid 10px;
+ }
+ .flex-item {
+ background: skyblue;
+ width: 50px;
+ height: 50px;
+ }
+</style>
+<div class="flex-container">
+ <div class="flex-item" style="width: 80px;"></div>
+ <div class="flex-item"></div>
+ <div class="flex-item"></div>
+ <div class="flex-item"></div>
+</div>
