Title: [256089] trunk
- Revision
- 256089
- Author
- [email protected]
- Date
- 2020-02-08 06:10:25 -0800 (Sat, 08 Feb 2020)
Log Message
Crash in RenderTreeBuilder::Table::findOrCreateParentForChild with multicol spanner
https://bugs.webkit.org/show_bug.cgi?id=206917
Patch by Doug Kelly <[email protected]> on 2020-02-08
Reviewed by Zalan Bujtas.
Source/WebCore:
During render tree construction, multi-column spanners are moved from their original tree position to
next to the enclosing anonymous fragmented flow and we mark their previous location with a spanner placeholder.
If we try to add a new renderer right before the spanner (beforeChild is the spanner renderer), we need to use
the spanner's original position as the insertion point.
This patch addresses the mismatching position issue by adjusting the spanner beforeChild right before
we start searching for the final insertion point.
Test: fast/multicol/spanner-crash-when-finding-table-parent.html
* rendering/updating/RenderTreeBuilder.cpp:
(WebCore::RenderTreeBuilder::attach):
* rendering/updating/RenderTreeBuilderTable.cpp:
(WebCore::RenderTreeBuilder::Table::findOrCreateParentForChild):
LayoutTests:
* fast/multicol/spanner-crash-when-finding-table-parent-expected.txt: Added.
* fast/multicol/spanner-crash-when-finding-table-parent.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (256088 => 256089)
--- trunk/LayoutTests/ChangeLog 2020-02-08 10:35:40 UTC (rev 256088)
+++ trunk/LayoutTests/ChangeLog 2020-02-08 14:10:25 UTC (rev 256089)
@@ -1,3 +1,13 @@
+2020-02-08 Doug Kelly <[email protected]>
+
+ Crash in RenderTreeBuilder::Table::findOrCreateParentForChild with multicol spanner
+ https://bugs.webkit.org/show_bug.cgi?id=206917
+
+ Reviewed by Zalan Bujtas.
+
+ * fast/multicol/spanner-crash-when-finding-table-parent-expected.txt: Added.
+ * fast/multicol/spanner-crash-when-finding-table-parent.html: Added.
+
2020-02-07 Wenson Hsieh <[email protected]>
[iOS] Double tapping shouldn't scroll the page when the body has `overflow: hidden`
Added: trunk/LayoutTests/fast/multicol/spanner-crash-when-finding-table-parent-expected.txt (0 => 256089)
--- trunk/LayoutTests/fast/multicol/spanner-crash-when-finding-table-parent-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/multicol/spanner-crash-when-finding-table-parent-expected.txt 2020-02-08 14:10:25 UTC (rev 256089)
@@ -0,0 +1 @@
+This test verifies that adding an element which is a sibling to a multicol spanner finds the correct table row. Test passes if WebKit does not crash. PASS
Added: trunk/LayoutTests/fast/multicol/spanner-crash-when-finding-table-parent.html (0 => 256089)
--- trunk/LayoutTests/fast/multicol/spanner-crash-when-finding-table-parent.html (rev 0)
+++ trunk/LayoutTests/fast/multicol/spanner-crash-when-finding-table-parent.html 2020-02-08 14:10:25 UTC (rev 256089)
@@ -0,0 +1,21 @@
+<style>
+body {
+ display: table-header-group;
+ overflow-y: -webkit-paged-x;
+}
+div {
+ column-span: all;
+}
+</style>
+<body>
+ <span id=span></span>
+ <div></div>
+ <script>
+ document.body.offsetHeight;
+ span.outerText = "remove";
+ document.body.offsetHeight;
+ document.body.innerText = "This test verifies that adding an element which is a sibling to a multicol spanner finds the correct table row. Test passes if WebKit does not crash. PASS";
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ </script>
+</body>
Modified: trunk/Source/WebCore/ChangeLog (256088 => 256089)
--- trunk/Source/WebCore/ChangeLog 2020-02-08 10:35:40 UTC (rev 256088)
+++ trunk/Source/WebCore/ChangeLog 2020-02-08 14:10:25 UTC (rev 256089)
@@ -1,3 +1,24 @@
+2020-02-08 Doug Kelly <[email protected]>
+
+ Crash in RenderTreeBuilder::Table::findOrCreateParentForChild with multicol spanner
+ https://bugs.webkit.org/show_bug.cgi?id=206917
+
+ Reviewed by Zalan Bujtas.
+
+ During render tree construction, multi-column spanners are moved from their original tree position to
+ next to the enclosing anonymous fragmented flow and we mark their previous location with a spanner placeholder.
+ If we try to add a new renderer right before the spanner (beforeChild is the spanner renderer), we need to use
+ the spanner's original position as the insertion point.
+ This patch addresses the mismatching position issue by adjusting the spanner beforeChild right before
+ we start searching for the final insertion point.
+
+ Test: fast/multicol/spanner-crash-when-finding-table-parent.html
+
+ * rendering/updating/RenderTreeBuilder.cpp:
+ (WebCore::RenderTreeBuilder::attach):
+ * rendering/updating/RenderTreeBuilderTable.cpp:
+ (WebCore::RenderTreeBuilder::Table::findOrCreateParentForChild):
+
2020-02-07 Jon Lee <[email protected]>
Web Inspector: Revert slim toolbar
Modified: trunk/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp (256088 => 256089)
--- trunk/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp 2020-02-08 10:35:40 UTC (rev 256088)
+++ trunk/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp 2020-02-08 14:10:25 UTC (rev 256089)
@@ -38,6 +38,7 @@
#include "RenderMathMLFenced.h"
#include "RenderMenuList.h"
#include "RenderMultiColumnFlow.h"
+#include "RenderMultiColumnSpannerPlaceholder.h"
#include "RenderRuby.h"
#include "RenderRubyBase.h"
#include "RenderRubyRun.h"
@@ -208,6 +209,20 @@
if (is<RenderText>(beforeChild)) {
if (auto* wrapperInline = downcast<RenderText>(*beforeChild).inlineWrapperForDisplayContents())
beforeChild = wrapperInline;
+ } else if (is<RenderBox>(beforeChild)) {
+ // Adjust the beforeChild if it happens to be a spanner and the its actual location is inside the fragmented flow.
+ auto& beforeChildBox = downcast<RenderBox>(*beforeChild);
+ if (auto* enclosingFragmentedFlow = parent.enclosingFragmentedFlow()) {
+ auto columnSpannerPlaceholderForBeforeChild = [&]() -> RenderMultiColumnSpannerPlaceholder* {
+ if (!is<RenderMultiColumnFlow>(enclosingFragmentedFlow))
+ return nullptr;
+ auto& multiColumnFlow = downcast<RenderMultiColumnFlow>(*enclosingFragmentedFlow);
+ return multiColumnFlow.findColumnSpannerPlaceholder(&beforeChildBox);
+ };
+
+ if (auto* spannerPlaceholder = columnSpannerPlaceholderForBeforeChild())
+ beforeChild = spannerPlaceholder;
+ }
}
if (is<RenderTableRow>(parent)) {
Modified: trunk/Source/WebCore/rendering/updating/RenderTreeBuilderTable.cpp (256088 => 256089)
--- trunk/Source/WebCore/rendering/updating/RenderTreeBuilderTable.cpp 2020-02-08 10:35:40 UTC (rev 256088)
+++ trunk/Source/WebCore/rendering/updating/RenderTreeBuilderTable.cpp 2020-02-08 14:10:25 UTC (rev 256089)
@@ -107,7 +107,7 @@
// If beforeChild is inside an anonymous cell/row, insert into the cell or into
// the anonymous row containing it, if there is one.
auto* parentCandidate = lastChild;
- while (parentCandidate && parentCandidate->parent()->isAnonymous() && !is<RenderTableRow>(*parentCandidate))
+ while (parentCandidate && parentCandidate->parent() && parentCandidate->parent()->isAnonymous() && !is<RenderTableRow>(*parentCandidate))
parentCandidate = parentCandidate->parent();
if (is<RenderTableRow>(parentCandidate) && parentCandidate->isAnonymous() && !parentCandidate->isBeforeOrAfterContent())
return downcast<RenderElement>(*parentCandidate);
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
