Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 1cf5f56743f94898b859eb813eb3ce62cb413895
      
https://github.com/WebKit/WebKit/commit/1cf5f56743f94898b859eb813eb3ce62cb413895
  Author: Alan Baradlay <[email protected]>
  Date:   2023-01-15 (Sun, 15 Jan 2023)

  Changed paths:
    A LayoutTests/fast/inline/line-spanning-inline-box-crash-expected.html
    A LayoutTests/fast/inline/line-spanning-inline-box-crash.html
    M Source/WebCore/layout/formattingContexts/inline/InlineLineBoxVerticalAligner.cpp
    M Source/WebCore/layout/formattingContexts/inline/InlineLineBoxVerticalAligner.h

  Log Message:
  -----------
  [IFC] Infinite recursion in Layout::LineBoxVerticalAligner::layoutBoundsForInlineBoxSubtree
https://bugs.webkit.org/show_bug.cgi?id=249942
<rdar://104223956>

Reviewed by Antti Koivisto.

layoutBoundsForInlineBoxSubtree recursively visits an inline box subtree (<span id=parent><img><span id=child><img></span></span>) to figure out enclosing ascent/descent.
This patch turns this recursive approach into an iterative one by using the inline box list on the line box instead of using the layout tree structure. Now we simply start iterating through the inline level boxes on the line box from the inline box in question until either the end of line or when we are back to the same parent.

i.e. instead of calling layoutBoundsForInlineBoxSubtree() with <span parent> followed by <span child>, the layoutBoundsForInlineBoxSubtree(<span parent>) call uses the inline level box list:
[inline box <span parent>][inline level box <img>][inline box <span child>][inline level box <img>]

The problem with using the layout tree structure is that we may find layout boxes not present on the current line,
e.g. <span><img><br><img></span>
Here (using the layout tree) we find the <img> (which is wrapped to the next line due to <br>), and calling LineBox::inlineLevelBoxForLayoutBox() with a layout box that's not on the current line returns an unexpected result.

* LayoutTests/fast/inline/line-spanning-inline-box-crash-expected.html: Added.
* LayoutTests/fast/inline/line-spanning-inline-box-crash.html: Added.
* Source/WebCore/layout/formattingContexts/inline/InlineLineBoxVerticalAligner.cpp:
(WebCore::Layout::LineBoxVerticalAligner::layoutBoundsForInlineBoxSubtree const):
(WebCore::Layout::LineBoxVerticalAligner::alignInlineLevelBoxes const):
* Source/WebCore/layout/formattingContexts/inline/InlineLineBoxVerticalAligner.h:

Canonical link: https://commits.webkit.org/258933@main
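
A minimal model of the iterative walk described in the log message, added here as an illustration and not taken from the WebKit patch. The InlineLevelBox and LayoutBounds structs, the parent index field and the sample lines are assumptions; the stop test (parent index before the starting box) covers the "back to the same parent" case from the message.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <vector>

// Simplified stand-ins for line box entries (assumed names, not WebKit types).
struct InlineLevelBox {
    int parent;    // index of the parent inline box on this line, -1 for the root
    float ascent;
    float descent;
};
struct LayoutBounds { float ascent; float descent; };

// Enclosing ascent/descent for the inline box at `start` and everything nested
// in it. `line` holds only the boxes placed on this line, in document order.
LayoutBounds boundsForInlineBoxSubtree(const std::vector<InlineLevelBox>& line, std::size_t start)
{
    LayoutBounds bounds { line[start].ascent, line[start].descent };
    for (std::size_t i = start + 1; i < line.size(); ++i) {
        // In document order a descendant's parent sits at or after `start`.
        // A parent before `start` means we are back at the starting box's
        // parent (or further out), so the subtree has ended.
        if (line[i].parent < static_cast<int>(start))
            break;
        bounds.ascent = std::max(bounds.ascent, line[i].ascent);
        bounds.descent = std::max(bounds.descent, line[i].descent);
    }
    return bounds; // at most line.size() steps, no call stack growth
}

// Constructed sample: [span parent][img][span child][img][sibling img]
std::vector<InlineLevelBox> nestedSpansLine()
{
    return { { -1, 10.0f, 3.0f }, { 0, 50.0f, 0.0f }, { 0, 10.0f, 3.0f }, { 2, 35.0f, 5.0f }, { -1, 90.0f, 9.0f } };
}

// Constructed sample: first line of <span><img><br><img></span>, i.e.
// [span][img][br]. The second <img> wrapped to the next line and is absent.
std::vector<InlineLevelBox> lineBeforeBreak()
{
    return { { -1, 10.0f, 3.0f }, { 0, 40.0f, 0.0f }, { 0, 10.0f, 3.0f } };
}

int main()
{
    auto b = boundsForInlineBoxSubtree(nestedSpansLine(), 0);
    std::printf("ascent=%.0f descent=%.0f\n", b.ascent, b.descent);
    return 0;
}
```

Because the walk only sees entries in the line's own list, a box that wrapped to another line can never be looked up, and the loop is bounded by the list length.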


_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
