[Webkit-unassigned] [Bug 206917] Crash in RenderTreeBuilder::Table::findOrCreateParentForChild with multicol spanner
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Jan 30 16:00:42 PST 2020
https://bugs.webkit.org/show_bug.cgi?id=206917
--- Comment #4 from zalan <zalan at apple.com> ---
> > and here is a bit simpler test case.
> >
> > <style>
> > body {
> > display: table-header-group;
> > overflow-y: -webkit-paged-x;
> > }
> > div {
> > column-span: all;
> > }
> > </style>
> > <body><span id=span></span><div></div><script>
> > document.body.offsetHeight;
> > span.outerText = "remove";
> > document.body.innerText = "This test verifies that adding an element which
> > is a sibling to a multicol spanner finds the correct table row. Test passes
> > if WebKit does not crash. PASS";
> > if (window.testRunner)
> > testRunner.dumpAsText();
> > </script>
>
> In my testing, this doesn't trigger the same codepath as the original test
> case...
It looks like the unrelated "document.body.innerText = " has a side effect. We need to force a style recalc/layout first by calling document.body.offsetHeight;
This should do:
document.body.offsetHeight;
span.outerText = "remove";
document.body.offsetHeight;
document.body.innerText = "This test verifies that adding an element which is a sibling to a multicol spanner finds the correct table row. Test passes if WebKit does not crash. PASS";
if (window.testRunner)
testRunner.dumpAsText();
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200131/abd24414/attachment.htm>
More information about the webkit-unassigned
mailing list