Bug 1816574 - Force fit the content in nested multicol when ReflowConfig::mForceAuto is true. r=emilio

The testcase was originated from D169662 written by Daniel Holbert, which was discovered by fuzzer in bug 1756202. Note that the crashtest that hangs the browser might not always be reproducible locally. It is reproducible on "Linux 18.04 x64 WebRender tsan opt" build on try. Differential Revision: https://phabricator.services.mozilla.com/D170532
2023-02-22 19:21:04 +00:00 · 2023-02-22 19:21:04 +00:00 · d79c824a60
--- a/layout/generic/crashtests/1816574.html
+++ b/layout/generic/crashtests/1816574.html
@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <style>
+      * {
+          grid-gap: 164.70272054344653vw 68%;
+      }
+  </style>
+  <script>
+    document.addEventListener('DOMContentLoaded', () => {
+      const style = document.createElement("style")
+      document.documentElement.appendChild(style)
+      style.textContent = `
+        @font-face { }
+        * {
+          column-width: 161.0069566994682Q;
+          offset-anchor: left 0ex top -32ch;
+          break-inside: avoid;
+        }`
+      style.sheet.insertRule(`* {
+        aspect-ratio: 2334586695.701634 / 653082496.7273545 ! important;
+        margin-top: -84em;
+        min-inline-size: 162em;
+        font-size-adjust: 8198;
+      }`, 0)
+    })
+  </script>
+</head>
+<h4></h4>
+<svg></svg>
+<fieldset>
+  <legend>
+    <cite>
+       e\r𠪢0i𝅯󠇩0*=𝤵*=\n‏<6E>' lang='ar'>
+      <h5></h5>
+    </cite>
+  </legend>
+</fieldset>
+</html>
--- a/layout/generic/crashtests/crashtests.list
+++ b/layout/generic/crashtests/crashtests.list
@ -817,3 +817,4 @@ load 1776079.html
 asserts(0-2) load 1791606.html
 load 1799749.html
 pref(layout.css.content-visibility.enabled,true) asserts(1-4) load 1807958.html # asserts from integer overflow & bogus sizes
+load 1816574.html
--- a/layout/generic/nsColumnSetFrame.cpp
+++ b/layout/generic/nsColumnSetFrame.cpp
@ -635,6 +635,11 @@ nsColumnSetFrame::ColumnBalanceData nsColumnSetFrame::ReflowColumns(
            aReflowInput.mParentReflowInput->mFrame->HasAnyStateBits(
                NS_FRAME_HAS_MULTI_COLUMN_ANCESTOR);
        if (isNestedMulticol) {
+          if (aConfig.mForceAuto) {
+            // If we are forced to fill columns sequentially, force fit the
+            // content whether we are at top of page or not.
+            return true;
+          }
          if (aReflowInput.mFlags.mIsTopOfPage) {
            // If this is the last balancing reflow in a nested multicol, we
            // want to force fit content to avoid infinite loops.