tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git

commit 6968d76e609ee6390962aa18aaa2ab81dc70ebdf
parent a6eb5d12f995f5e7bf9d4f3b1fa6dfbc39cc2f27
Author: Morten Stenshorne <mstensho@chromium.org>
Date:   Fri,  9 Jan 2026 08:37:23 +0000

Bug 2009050 [wpt PR 57052] - [carousel] Avoid nullptr ::column computed style., a=testonly

Automatic update from web-platform-tests
[carousel] Avoid nullptr ::column computed style.

Make sure that ::column pseudo-elements always store computed style.
Checking display type here was wrong, since ::column pseudo-elements
never create layout boxes. If a `::column` became `display:none`, its
computed style would be set to null, which in turn would crash
somewhere. In the crash test included it would crash in
Element::GetOrCreateColumnPseudoElementIfNeeded() because of this.

This is a speculative fix for http://crbug.com/470512590

Big thanks to futhark for help with analyzing and advice!

Bug: 470512590
Change-Id: I7b62ab9c77dd6a7529415a7f2e721696d84ab25a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7362160
Reviewed-by: Rune Lillesveen <futhark@chromium.org>
Commit-Queue: Morten Stenshorne <mstensho@chromium.org>
Reviewed-by: Daniil Sakhapov <sakhapov@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1566152}

--

wpt-commits: 269c018da8ffc28d504e9b55b85cdd4a489f7e31
wpt-pr: 57052

Diffstat:
A testing/web-platform/tests/css/css-overflow/scroll-marker-in-display-none-column-crash.html | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 52 insertions(+), 0 deletions(-)

diff --git a/testing/web-platform/tests/css/css-overflow/scroll-marker-in-display-none-column-crash.html b/testing/web-platform/tests/css/css-overflow/scroll-marker-in-display-none-column-crash.html @@ -0,0 +1,52 @@ +<!DOCTYPE html> +<html class="test-wait"> + <title>Change ::column pseudo-element to display:none dynamically</title> + <link rel="author" title="Morten Stenshorne" href="mailto:mstensho@chromium.org"> + <link rel="help" href="https://issues.chromium.org/issues/470512590"> + <style> + body { + margin: 0; + } + #mc { + overflow: hidden; + scroll-marker-group: before; + columns: 1; + column-fill: auto; + width: 400px; + height: 100px; + } + #mc::scroll-marker-group { + display: flex; + height: 20px; + } + #mc::column::scroll-marker { + width: 20px; + content: "X"; + } + #mc:hover::column { + display: none; + } + </style> + <div id="mc"> + <!-- Create three columns. --> + <div style="height:300px;"></div> + </div> + <script src="/resources/testdriver.js"></script> + <script src="/resources/testdriver-actions.js"></script> + <script src="/resources/testdriver-vendor.js"></script> + <script> + async function foo() { + // Hover the second ::column::scroll-marker. + actions_promise = new test_driver.Actions() + .pointerMove(30, 10) + .send(); + await actions_promise; + document.body.offsetTop; + mc.style.width = "401px"; + document.body.offsetTop; + document.documentElement.classList.remove("test-wait"); + } + document.body.offsetTop; + foo(); + </script> +</html>
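Review bot: in foo(), the `test-wait` class is only removed on the success path, so if the awaited pointer action rejects, the test ends in a harness timeout and an unhandled rejection instead of finishing. Wrapping the body in try/finally, with `document.documentElement.classList.remove("test-wait");` in the finally block, would keep a failure in the pointer action distinguishable from the crash this test is meant to catch. In the same function, `actions_promise = new test_driver.Actions()` assigns to an undeclared name and creates an implicit global; declare it with `const`, or await the `.send()` call directly. A name more descriptive than `foo`, and looking up `mc` with document.getElementById rather than relying on the named-element global, would also make the test easier to read when it shows up in a crash triage.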