[Webkit-unassigned] [Bug 206917] Crash in RenderTreeBuilder::Table::findOrCreateParentForChild with multicol spanner
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Jan 30 08:05:31 PST 2020
https://bugs.webkit.org/show_bug.cgi?id=206917
--- Comment #2 from zalan <zalan at apple.com> ---
I think a more correct fix would adjust the beforeChild in case of a spanner so that the rest of the function would just operate on this new candidate position.
diff --git a/Source/WebCore/rendering/updating/RenderTreeBuilderTable.cpp b/Source/WebCore/rendering/updating/RenderTreeBuilderTable.cpp
index 18dd26c7b37..ab67975f442 100644
--- a/Source/WebCore/rendering/updating/RenderTreeBuilderTable.cpp
+++ b/Source/WebCore/rendering/updating/RenderTreeBuilderTable.cpp
@@ -89,6 +89,22 @@ RenderElement& RenderTreeBuilder::Table::findOrCreateParentForChild(RenderTableS
if (is<RenderTableRow>(child))
return parent;
+ if (is<RenderBox>(beforeChild)) {
+ // Adjust the beforeChild if it happens to be a spanner and the its actual location is somewhere else in the render tree.
+ auto& beforeChildBox = downcast<RenderBox>(*beforeChild);
+ if (auto* enclosingFragmentedFlow = parent.enclosingFragmentedFlow()) {
+ auto columnSpannerPlaceholderForBeforeChild = [&]() -> RenderObject* {
+ if (!is<RenderMultiColumnFlow>(enclosingFragmentedFlow))
+ return nullptr;
+ auto& multiColumnFlow = downcast<RenderMultiColumnFlow>(*enclosingFragmentedFlow);
+ return multiColumnFlow.findColumnSpannerPlaceholder(&beforeChildBox);
+ };
+
+ if (auto* spannerPlaceholder = columnSpannerPlaceholderForBeforeChild())
+ beforeChild = spannerPlaceholder;
+ }
+ }
+
auto* lastChild = beforeChild ? beforeChild : parent.lastRow();
if (is<RenderTableRow>(lastChild) && lastChild->isAnonymous() && !lastChild->isBeforeOrAfterContent()) {
if (beforeChild == lastChild)
and here is a bit simpler test case.
<style>
body {
display: table-header-group;
overflow-y: -webkit-paged-x;
}
div {
column-span: all;
}
</style>
<body><span id=span></span><div></div><script>
document.body.offsetHeight;
span.outerText = "remove";
document.body.innerText = "This test verifies that adding an element which is a sibling to a multicol spanner finds the correct table row. Test passes if WebKit does not crash. PASS";
if (window.testRunner)
testRunner.dumpAsText();
</script>
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200130/0fdde1a5/attachment-0001.htm>
More information about the webkit-unassigned
mailing list