Avoid stack overflow triggered by out-of-band layout of flexbox child.

Avoid stack overflow triggered by out-of-band layout of flexbox child.

Flexbox uses LayoutBlock::finishDelayUpdateScrollInfo(), which may jump to some
arbitrary block in the subtree and lay it out directly. This is bad, at least
for multicol, since it requires that a flow thread be entered have its children
laid out without skipping any parents in the chain.

LayoutMulticolFlowThread::skipColumnSpanner() was called on the wrong flow
thread, which resulted in m_lastSetWorkedOn pointing to a column set that was
part of an inner flow thread, and not the flow thread we called. That made
columnSetAtBlockOffset() return a column set from an inner flow thread, causing
an infinite recursion when walking upwards in the flow thread ancestry chain).

So the spanner was in the inner flow thread, but it was the outer flow thread
that got called. This happened because our LayoutState says that's the
innermost flow thread being laid out at the moment, because
finishDelayUpdateScrollInfo() just teleported and laid out a descendant of the
inner flow thread.

Luckily there's a safer way of obtaining the flow thread associated with a
spanner, so do that instead.

This is not a perfect fix. LayoutState still points to the wrong flow thread
(we just avoid asking it). The root cause remains (out-of-band layout), and
there may be other bugs caused by this. For multicol, we're still not in the
clear. Since we have a skipColumnSpanner() call without laying out the flow
thread, we'll get an assertion failure next time we lay out the flow thread,
because it will assert that there be no m_lastSetWorkedOn (but
skipColumnSpanner() has set that one while not laying out the flow thread).

But at least we're getting rid of the infinite recursion.

Since we now call skipColumnSpanner() on a LayoutMultiColumnFlowThread, instead
of on a LayoutFlowThread, we need to make that method public (private overrides
is just asking for trouble). And since this is the only caller, make it
non-virtual while at it. LayoutFlowThread no longer needs this.

BUG=526664
R=jchaffraix@chromium.org,leviw@chromium.org

Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=202519

[mstensho (USE GERRIT), 2015-09-04 15:05:08]

I think LayoutBlock::finishDelayUpdateScrollInfo() is just black magic that
needs to be exorcised, but in the meantime, I was thinking that it's a good idea
to avoid infinite recursions. There'll still be assertion failures, though. :(

[mstensho (USE GERRIT), 2015-09-13 06:43:31]

mstensho@opera.com changed reviewers:
+ leviw@chromium.org

[leviw_travelin_and_unemployed, 2015-09-14 09:58:46]

leviw@chromium.org changed reviewers:
+ szager@chromium.org

[leviw_travelin_and_unemployed, 2015-09-14 09:58:46]

szager just worked on this code, so I'll have him put the official stamp on, but
seems like a reasonable bandaid to me.

This is one of the single greatest CL descriptions I've ever read.

[szager1, 2015-09-17 18:50:12]

In reviewing this patch, I took my first look at the multi-column code:

https://i.imgur.com/0tlqT2F.gifv

Patch looks fine to me, but I agree that there are likely a lot more land mines
out there.

lgtm

[mstensho (USE GERRIT), 2015-09-18 08:32:21]

The CQ bit was checked by mstensho@opera.com

[commit-bot: I haz the power, 2015-09-18 08:32:26]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1328923002/40001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1328923002/40001

[commit-bot: I haz the power, 2015-09-18 10:56:51]

Committed patchset #3 (id:40001) as
https://src.chromium.org/viewvc/blink?view=rev&revision=202519