From 84d708bb188b5871ec81a3b610bea89a549008ab Mon Sep 17 00:00:00 2001
From: Ian Kilpatrick <ikilpatrick@chromium.org>
Date: Sun, 4 Aug 2024 22:44:34 -0700
Subject: [PATCH] [layout] Fix null-deref when attempting to mark a scrollbar
 for layout

Custom scrollbar parts are weird in that they don't have a parent.
We'd unconditionally attempt to access their containing block
causing a null-deref.

Fixed: 355016913
Change-Id: I9c32cf7efc00543021111bb3eaa1e8488052264f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5760674
Reviewed-by: David Grogan <dgrogan@chromium.org>
Commit-Queue: Ian Kilpatrick <ikilpatrick@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1337141}
---
 css/css-scrollbars/invalid-needs-layout-crash.html | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 css/css-scrollbars/invalid-needs-layout-crash.html

diff --git a/css/css-scrollbars/invalid-needs-layout-crash.html b/css/css-scrollbars/invalid-needs-layout-crash.html
new file mode 100644
index 00000000000000..0b0ae427897894
--- /dev/null
+++ b/css/css-scrollbars/invalid-needs-layout-crash.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<style>
+#target::-webkit-scrollbar { position: absolute; }
+#target.crash::-webkit-scrollbar { right: 0 }
+</style>
+<div id="target" style="width: 100px; height: 100px; overflow: auto;"><div style="height: 200px;"></div></div>
+<script>
+document.body.offsetTop;
+document.getElementById('target').classList.add('crash');
+</script>