From 84705736a5338d344fe92acf959b49a015079b8a Mon Sep 17 00:00:00 2001
From: Ting-Yu Lin
Date: Tue, 19 Dec 2023 16:33:58 +0000
Subject: [PATCH] Bug 1870103 - Disallow fragmentation-imposed block-size growth for replaced elements. r=dholbert
Differential Revision: https://phabricator.services.mozilla.com/D196811
---
 layout/generic/nsFlexContainerFrame.cpp | 5 +++++
 .../textarea-input-flex-items-in-multicol-crash.html | 12 ++++++++++++
 2 files changed, 17 insertions(+)
 create mode 100644 testing/web-platform/tests/css/css-break/flexbox/textarea-input-flex-items-in-multicol-crash.html
diff --git a/layout/generic/nsFlexContainerFrame.cpp b/layout/generic/nsFlexContainerFrame.cpp
index 236539ed4db9..2163564cf86c 100644
--- a/layout/generic/nsFlexContainerFrame.cpp
+++ b/layout/generic/nsFlexContainerFrame.cpp
@@ -6070,6 +6070,11 @@ nsReflowStatus nsFlexContainerFrame::ReflowFlexItem(
 if (!aReflowInput.IsInFragmentedContext()) {
 return false;
 }
+ if (aItem.Frame()->IsReplaced()) {
+ // Disallow fragmentation-imposed block-size growth for replaced elements
+ // since they are monolithic, and cannot be fragmented.
+ return false;
+ }
 if (aItem.HasAspectRatio()) {
 // Aspect-ratio's automatic content-based minimum size doesn't work
 // properly in a fragmented context (Bug 1868284) when we use 'auto'
diff --git a/testing/web-platform/tests/css/css-break/flexbox/textarea-input-flex-items-in-multicol-crash.html b/testing/web-platform/tests/css/css-break/flexbox/textarea-input-flex-items-in-multicol-crash.html
new file mode 100644
index 000000000000..49ae5199e356
--- /dev/null
+++ b/testing/web-platform/tests/css/css-break/flexbox/textarea-input-flex-items-in-multicol-crash.html
@@ -0,0 +1,12 @@
+
+
+
+
+
+
+
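Review bot: The comment on the new `IsReplaced()` early return says why replaced items are excluded but does not record what failed when they were not, whereas the aspect-ratio comment just below cites its bug number. Since the commit ships a crashtest, the comment could point at the bug as well, e.g. `// Replaced elements are monolithic and cannot be fragmented, so never grow their block-size here (Bug 1870103).` The guard only covers frames for which `IsReplaced()` returns true; whether other monolithic, non-replaced boxes can still reach the same growth path is not visible in this hunk and is worth confirming, since the symptom being fixed appears to be a crash rather than a rendering difference. The enclosing block inside `ReflowFlexItem` starts and ends outside the hunk.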
+
+
+
+
+