[webkit-changes] [WebKit/WebKit] 1cf5f5: [IFC] Infinite recursion in Layout::LineBoxVertica...

Alan Baradlay noreply at github.com
Sun Jan 15 10:43:24 PST 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 1cf5f56743f94898b859eb813eb3ce62cb413895
      https://github.com/WebKit/WebKit/commit/1cf5f56743f94898b859eb813eb3ce62cb413895
  Author: Alan Baradlay <zalan at apple.com>
  Date:   2023-01-15 (Sun, 15 Jan 2023)

  Changed paths:
    A LayoutTests/fast/inline/line-spanning-inline-box-crash-expected.html
    A LayoutTests/fast/inline/line-spanning-inline-box-crash.html
    M Source/WebCore/layout/formattingContexts/inline/InlineLineBoxVerticalAligner.cpp
    M Source/WebCore/layout/formattingContexts/inline/InlineLineBoxVerticalAligner.h

  Log Message:
  -----------
  [IFC] Infinite recursion in Layout::LineBoxVerticalAligner::layoutBoundsForInlineBoxSubtree
https://bugs.webkit.org/show_bug.cgi?id=249942
<rdar://104223956>

Reviewed by Antti Koivisto.

layoutBoundsForInlineBoxSubtree recursively visits an inline box subtree (<span id=parent><img><span id=child><img></span></span>) to
figure out enclosing ascent/descent.
This patch turns this recursive approach into an iterative one by using the inline box list on the line box instead of
using the layout tree structure. Now we simply start iterating through the inline level boxes on the line box
from the inline box in question until either the end of line or when we are back to the same parent.

i.e. instead of calling layoutBoundsForInlineBoxSubtree() with <span parent> followed by <span child>,
the layoutBoundsForInlineBoxSubtree(<span parent>) call uses the inline level box list:
[inline box <span parent>][inline level box <img>][inline box <span child>][inline level box <img>]

The problem with using the layout tree structure is that we may find layout boxes not present on the current line
e.g. <span><img><br><img></span>
Here (using the layout tree) we find the <img> (which is wrapped to the next line due to <br>)
and calling LineBox::inlineLevelBoxForLayoutBox() with a layout box that's not on the current line returns an unexpected result.

* LayoutTests/fast/inline/line-spanning-inline-box-crash-expected.html: Added.
* LayoutTests/fast/inline/line-spanning-inline-box-crash.html: Added.
* Source/WebCore/layout/formattingContexts/inline/InlineLineBoxVerticalAligner.cpp:
(WebCore::Layout::LineBoxVerticalAligner::layoutBoundsForInlineBoxSubtree const):
(WebCore::Layout::LineBoxVerticalAligner::alignInlineLevelBoxes const):
* Source/WebCore/layout/formattingContexts/inline/InlineLineBoxVerticalAligner.h:

Canonical link: https://commits.webkit.org/258933@main
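An added illustration of the iterative walk the message describes; this is not WebKit's code, and the flat vector with parent indices is an assumption standing in for the line box's inline-level box list:

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Toy model of a line box's inline-level box list (constructed here, not WebCore's types).
// Index 0 is the root inline box and boxes keep line order, so every descendant of the
// inline box at index i has parentIndex >= i; the first later box with parentIndex < i
// is the first box outside that subtree (we are back at the parent or an ancestor).
struct InlineLevelBox {
    bool isInlineBox;    // true for <span>-like containers, false for <img>-like atomic boxes
    size_t parentIndex;  // index of the enclosing inline box in the same list
    float ascent;
    float descent;
};

struct LayoutBounds {
    float ascent;
    float descent;
};

// Iterative counterpart of the recursive subtree walk: start right after the inline box
// and stop at end of line or when we are back at its parent. Boxes wrapped to other lines
// are absent from the list, so they are never visited, and the loop is bounded by the list.
LayoutBounds layoutBoundsForInlineBoxSubtree(const std::vector<InlineLevelBox>& lineBoxes, size_t inlineBoxIndex)
{
    const auto& inlineBox = lineBoxes[inlineBoxIndex];
    LayoutBounds bounds { inlineBox.ascent, inlineBox.descent };
    for (size_t i = inlineBoxIndex + 1; i < lineBoxes.size(); ++i) {
        const auto& box = lineBoxes[i];
        if (box.parentIndex < inlineBoxIndex)
            break; // left the subtree of inlineBox
        bounds.ascent = std::max(bounds.ascent, box.ascent);
        bounds.descent = std::max(bounds.descent, box.descent);
    }
    return bounds;
}

// Constructed line for <span id=parent><img><span id=child><img></span></span><img>:
// [root][span parent][img][span child][img][img sibling]
std::vector<InlineLevelBox> lineSpanningInlineBoxesLine()
{
    return {
        { true, 0, 8.f, 2.f },   // 0: root inline box
        { true, 0, 10.f, 3.f },  // 1: <span id=parent>
        { false, 1, 20.f, 0.f }, // 2: <img> (atomic, child of parent span)
        { true, 1, 9.f, 4.f },   // 3: <span id=child>
        { false, 3, 12.f, 6.f }, // 4: <img> inside the child span
        { false, 0, 30.f, 1.f }, // 5: trailing <img> sibling of the parent span
    };
}
```

For <span><img><br><img></span> the second <img> is wrapped to the next line and so never appears in this line's list, which is exactly the box the layout-tree walk would have found.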
