REGRESSION (r294291): Another nullptr crash with ::first-letter
https://bugs.webkit.org/show_bug.cgi?id=240795
<rdar://93645746>

Reviewed by Alan Bujtas.

* LayoutTests/fast/css/first-letter-remove-crash-expected.txt: Added.
* LayoutTests/fast/css/first-letter-remove-crash.html: Added.
* LayoutTests/fast/css/first-letter-removed-added-expected.txt:

* Source/WebCore/rendering/updating/RenderTreeBuilderFirstLetter.cpp:
(WebCore::RenderTreeBuilder::FirstLetter::updateStyle):

We should always find :first-letter style when we get here.

* Source/WebCore/style/StyleTreeResolver.cpp:
(WebCore::Style::TreeResolver::resolveElement):

Rebuild the renderer subtree if ::first-letter pseudo-class stops applying.

Canonical link: https://commits.webkit.org/250908@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@294736 268f45cc-cd09-0410-ab3c-d52691b4dbfc
anttijk committed May 24, 2022
1 parent e546019 commit 16673ef4f0095857fa0ccf8a09a21153b2c4f101
Showing 5 changed files with 30 additions and 5 deletions.
@@ -0,0 +1 @@
aa
@@ -0,0 +1,17 @@
<style>
html::first-letter {
width: 0;
}
</style>
<script>
if (window.testRunner)
testRunner.dumpAsText();
onload = () => {
document.execCommand('SelectAll');
document.body.append('aa');
document.documentElement.append('');
document.body.offsetTop;
document.body.style.overflow = 'clip';
};
</script>
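Review bot: The test has no comment saying what it guards against, and the bare `document.body.offsetTop;` read in the onload handler looks like dead code to a later reader. A one-line comment that the read forces a layout between the two appends and the `overflow = 'clip'` style change, plus a pointer to bug 240795, would keep someone from tidying the statement away and silently disarming the regression test.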

@@ -34,7 +34,7 @@ PASS document.getElementById('test3').offsetWidth == document.getElementById('re
FAIL document.getElementById('test4').offsetWidth == document.getElementById('ref4').offsetWidth should be true. Was false.
PASS document.getElementById('test5').offsetWidth == document.getElementById('ref5').offsetWidth is true
PASS document.getElementById('test6').offsetWidth == document.getElementById('ref6').offsetWidth is true
FAIL document.getElementById('test7').offsetWidth == document.getElementById('ref7').offsetWidth should be true. Was false.
PASS document.getElementById('test7').offsetWidth == document.getElementById('ref7').offsetWidth is true
PASS document.getElementById('test8').offsetWidth == document.getElementById('ref8').offsetWidth is true
PASS successfullyParsed is true
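Review bot: The test7 expectation appears here as both FAIL and PASS, which with the 7/7 line counts in the header reads as a flip to PASS, yet the commit message lists first-letter-removed-added-expected.txt with no description. Add a line to the message saying why the test7 case now passes, so the rebaseline is not mistaken for an unrelated change. The test4 line stays an expected FAIL and would benefit from a tracking reference if one exists.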

@@ -175,7 +175,7 @@ void RenderTreeBuilder::FirstLetter::updateStyle(RenderBlock& firstLetterBlock,

auto pseudoStyle = styleForFirstLetter(firstLetterContainer);
if (!pseudoStyle) {
m_builder.destroy(*firstLetter, CanCollapseAnonymousBlock::No);
ASSERT_NOT_REACHED();
return;
}
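Review bot: In the `if (!pseudoStyle)` branch, ASSERT_NOT_REACHED() compiles to nothing in release builds, so if the invariant is violated again the function simply returns and leaves the existing first-letter renderer in place with its old style, where the `m_builder.destroy(*firstLetter, ...)` line shown beside it tore that renderer down. Consider keeping the destroy call after the assertion as a release-build fallback, or add a comment stating that TreeResolver::resolveElement now forces a renderer rebuild when ::first-letter stops applying, which is what is meant to make this branch unreachable.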

@@ -261,10 +261,17 @@ auto TreeResolver::resolveElement(Element& element, ResolutionType resolutionTyp

auto resolveAndAddPseudoElementStyle = [&](PseudoId pseudoId) {
auto pseudoElementUpdate = resolvePseudoElement(element, pseudoId, update);
auto pseudoElementChange = [&] {
if (pseudoElementUpdate)
return pseudoElementUpdate->change == Change::None ? Change::None : Change::NonInherited;
if (!existingStyle || !existingStyle->getCachedPseudoStyle(pseudoId))
return Change::None;
// If ::first-letter goes aways rebuild the renderers.
return pseudoId == PseudoId::FirstLetter ? Change::Renderer : Change::NonInherited;
}();
update.change = std::max(update.change, pseudoElementChange);
if (!pseudoElementUpdate)
return Change::None;
if (pseudoElementUpdate->change != Change::None)
update.change = std::max(update.change, Change::NonInherited);
return pseudoElementChange;
if (pseudoElementUpdate->recompositeLayer)
update.recompositeLayer = true;
update.style->addCachedPseudoStyle(WTFMove(pseudoElementUpdate->style));
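Review bot: The comment inside the pseudoElementChange lambda has a typo ("goes aways") and says what happens without saying why ::first-letter is the special case. Suggest "If ::first-letter goes away, rebuild the renderers." together with a note that FirstLetter::updateStyle asserts the pseudo style exists, so a stale first-letter renderer must not survive to that point. It would also help to state why the other pseudo ids only need Change::NonInherited when their cached pseudo style disappears.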
