From d0fa23bcb3d6c3d73f6bd3e65608f715b9169025 Mon Sep 17 00:00:00 2001
From: Jonathan Kew <jkew@mozilla.com>
Date: Thu, 14 Nov 2024 11:13:09 +0000
Subject: [PATCH] Ensure we always have a float manager during block-frame
 reflow.

Normally we shouldn't be starting reflow from a block that is not a BFC,
and so BlockNeedsFloatManager would return true for the reflow root.

What happens in the testcase here, though, is that we call PresShell::FrameNeedsReflow
for the <article> block (because we've just added a child to it), which is fine:
it's a BFC at that moment.

Then we restyle, and during restyling we remove the NS_BLOCK_BFC flag because the
newly-added element means that the <article> no longer matches ::only-child, and
so we lose the `contain` property that was previously set. So <article> is no longer
a BFC, but we've already recorded it in the PresShell's mDirtyRoots.

We then call PresShell::FrameNeedsReflow for the foreignObject, which adds that
to mDirtyRoots as well.

And then we flush layout, reflowing first the foreignObject (because it is the
shallower of the two dirty-roots) and then the <article> block. We might expect
that the reflow of the SVGForeignObject would fix things, because it would reflow
all its descendants (including <article>) safely, but there's an early-return in
SVGForeignObjectFrame::Reflow in the case where it is zero-sized (which it is here).

So the <article> block remains dirty, and PresShell::ProcessReflowCommands tries
to reflow it directly even though it is no longer a BFC, and that's when we crash
due to not having a float manager.

Removing that early-return from SVGForeignObjectFrame::Reflow would avoid the crash,
but in any case I think we should make nsBlockFrame::Reflow handle this situation
as there may be other code-paths that potentially set up a similar scenario of
attempting to reflow from a root that has lost its BFC-ness.

Differential Revision: https://phabricator.services.mozilla.com/D228778

bugzilla-url: https://bugzilla.mozilla.org/show_bug.cgi?id=1928724
gecko-commit: 421d7bf240078ff30871183289ce376441fadb09
gecko-reviewers: layout-reviewers, emilio
---
 .../contain-dynamic-change-crash.html         | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 css/css-contain/crashtests/contain-dynamic-change-crash.html

diff --git a/css/css-contain/crashtests/contain-dynamic-change-crash.html b/css/css-contain/crashtests/contain-dynamic-change-crash.html
new file mode 100644
index 00000000000000..43d590bf06570a
--- /dev/null
+++ b/css/css-contain/crashtests/contain-dynamic-change-crash.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<link rel="help" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1928724">
+
+<style>
+*:only-child {
+  contain: size layout paint;
+}
+</style>
+
+<script>
+document.addEventListener("DOMContentLoaded", () => {
+  a.getBoundingClientRect();
+  a.appendChild(c);
+  b.scrollBy();
+})
+</script>
+
+<body>
+<svg>
+<animateMotion id="b">
+</animateMotion>
+<foreignObject id="a">
+<article>
+<data id="c">