Don't hold dead layout objects in the anchor query machinery.

It's possible to enter the anchor machinery while layout is dirty (from LocalFrame::UpdateScrollSnapshots()). That's bad in itself (see crbug.com/384523570 ), but it's equally bad to keep destroyed layout objects around. Therefore, store Element* instead of LayoutObject*. Bug: 381362589 Change-Id: Ifdc3b5b8c7d30977136fd9a2572ffc3354ab472d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6097987 Commit-Queue: Morten Stenshorne <mstensho@chromium.org> Reviewed-by: Anders Hartvoll Ruud <andruud@chromium.org> Cr-Commit-Position: refs/heads/main@{#1397911}
tkntjsdw · Dec 18, 2024 · 6417320 · 6417320
1 parent 16e6fbc
commit 6417320
Showing 1 changed file with 27 additions and 0 deletions.
diff --git a/css/css-anchor-position/remove-anchor-dirty-layout.html b/css/css-anchor-position/remove-anchor-dirty-layout.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<link rel="help" href="https://issues.chromium.org/issues/381362589">
+<style>
+  #anchor {
+    anchor-name: --a;
+  }
+  #target {
+    position: absolute;
+    top: anchor(top);
+    position-anchor: --a;
+  }
+</style>
+<div id="anchor"></div>
+<div id="target"></div>
+
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script>
+  promise_test(async t => {
+    await new Promise(resolve => requestAnimationFrame(resolve));
+    await new Promise(resolve => requestAnimationFrame(resolve));
+    await new Promise(resolve => step_timeout(resolve));
+    let element = document.getElementById("anchor");
+    element.remove();
+    await new Promise(resolve => requestAnimationFrame(resolve));
+  }, "Remove anchor");
+</script>