[webkit-changes] [WebKit/WebKit] 1f89cb: [IFC] Crash in EllipsisBoxPainter::paint when inli...

Wed, 21 Jan 2026 05:33:36 -0800 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 1f89cbb0564a01ae567efcc97002295ee5d5e988
      
https://github.com/WebKit/WebKit/commit/1f89cbb0564a01ae567efcc97002295ee5d5e988
  Author: Alan Baradlay <[email protected]>
  Date:   2026-01-21 (Wed, 21 Jan 2026)

  Changed paths:
    A 
LayoutTests/fast/inline/inline-content-with-ellipsis-after-partial-layout-crash-expected.txt
    A 
LayoutTests/fast/inline/inline-content-with-ellipsis-after-partial-layout-crash.html
    M 
Source/WebCore/layout/formattingContexts/inline/InlineFormattingContext.cpp
    M 
Source/WebCore/layout/formattingContexts/inline/display/InlineDisplayContent.cpp
    M 
Source/WebCore/layout/formattingContexts/inline/display/InlineDisplayContent.h

  Log Message:
  -----------
  [IFC] Crash in EllipsisBoxPainter::paint when inline content had partial 
layout
https://bugs.webkit.org/show_bug.cgi?id=305897
<rdar://168453702>

Reviewed by Antti Koivisto.

1. LineBox's index is always relative to the whole content (line index 5 is the 
5th line overall).
2. Partial content layout may start at an in-between index.
3. 'display content' structure only contains the lines being laid out.

If partial content layout starts at line 4, and we finished with 2 lines 
already (4th and 5th)
in createDisplayContentForInlineContent when constructing the display content 
for the 3rd line (6th overall)
- LineBox's index is 5.
- display content size (excluding the new content) is 2.

displayContent.setLineEllipsis(5, WTF::move(*ellipsis)) on 'display content' 
with 3 lines overinflates the lineEllipsis vector causing ellipsis mismatch at 
paint time.

Test: fast/inline/inline-content-with-ellipsis-after-partial-layout-crash.html

* 
LayoutTests/fast/inline/inline-content-with-ellipsis-after-partial-layout-crash-expected.txt:
 Added.
* 
LayoutTests/fast/inline/inline-content-with-ellipsis-after-partial-layout-crash.html:
 Added.
* Source/WebCore/layout/formattingContexts/inline/InlineFormattingContext.cpp:
(WebCore::Layout::InlineFormattingContext::createDisplayContentForInlineContent):
* 
Source/WebCore/layout/formattingContexts/inline/display/InlineDisplayContent.cpp:
(WebCore::InlineDisplay::Content::setEllipsisOnTrailingLine):
* 
Source/WebCore/layout/formattingContexts/inline/display/InlineDisplayContent.h:

Canonical link: https://commits.webkit.org/305937@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

Reply via email to