Repair the fragment tree spine before re-using from the cache.
It doesn't need to be a perfect hit. As long as there's any likelihood
that we're going to read from the old fragment (i.e.
NGLayoutCacheStatus::kNeedsSimplifiedLayout), we need to make sure that
the fragment is actually up-to-date before using it. A previous sub-tree
layout may have stopped rebuilding the ancestry fragment tree spine, if
something up there was marked for layout, under the assumption that this
would just be waste of time (since we're going to lay out anyway).
Bug: 1386673
Change-Id: I1d10a1191ff7ad4ebb59a2b753d0f1105e38f185
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4065941
Commit-Queue: Morten Stenshorne <mstensho@chromium.org>
Reviewed-by: Ian Kilpatrick <ikilpatrick@chromium.org>
Reviewed-by: Koji Ishii <kojii@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1077738}
diff --git a/css/css-contain/crashtests/contain-nested-crash-003.html b/css/css-contain/crashtests/contain-nested-crash-003.html
new file mode 100644
index 0000000..a7dbe7d
--- /dev/null
+++ b/css/css-contain/crashtests/contain-nested-crash-003.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<link rel="author" title="Morten Stenshorne" href="mailto:mstensho@chromium.org">
+<link rel="help" href="https://bugs.chromium.org/p/chromium/issues/detail?id=1386673">
+<div style="contain:layout size;">
+ <div style="display:inline-block;">
+ <div style="contain:layout size;">
+ <div id="firstVictim"></div>
+ </div>
+ </div>
+ <div style="position:absolute;">
+ <div id="secondVictim"></div>
+ </div>
+</div>
+<script>
+ document.body.offsetTop;
+ firstVictim.style.display = "none";
+ secondVictim.style.display = "none";
+</script>
