Cherry-pick 267815.637@safari-7617-branch (87a8ec6). https://bugs.web…

…kit.org/show_bug.cgi?id=266273 ASAN_ILL | LayoutIntegration::BoxTree::rendererForLayoutBox; WebCore::TextBoxPainter::TextBoxPainter; WebCore::ModernTextBoxPainter::ModernTextBoxPainter https://bugs.webkit.org/show_bug.cgi?id=266273 rdar://119187070 Reviewed by Alan Baradlay. similar to rdar://104598552, add positioned child in RenderMathMLScripts also. * LayoutTests/mathml/mathml-posistioned-mtext-layout-crash-expected.txt: Added. * LayoutTests/mathml/mathml-posistioned-mtext-layout-crash.html: Added. * LayoutTests/platform/mac/imported/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt: re-baseline based on this fix. * Source/WebCore/rendering/mathml/RenderMathMLScripts.cpp: (WebCore::RenderMathMLScripts::layoutBlock): Canonical link: https://commits.webkit.org/267815.637@safari-7617-branch
WebKit · Jan 23, 2024 · 19a6ed3 · 19a6ed3
1 parent d9a850d
commit 19a6ed3
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 3 deletions.
diff --git a/LayoutTests/mathml/mathml-posistioned-mtext-layout-crash-expected.txt b/LayoutTests/mathml/mathml-posistioned-mtext-layout-crash-expected.txt
@@ -0,0 +1,6 @@
+Test passes if no crash.
+
+7
+k
+<
+
diff --git a/LayoutTests/mathml/mathml-posistioned-mtext-layout-crash.html b/LayoutTests/mathml/mathml-posistioned-mtext-layout-crash.html
@@ -0,0 +1,28 @@
+</style>
+<script>
+    if (window.testRunner)
+        testRunner.dumpAsText();
+    function GetVariable(fuzzervars, var_type) { { return fuzzervars[var_type]; } { } }
+    function SetVariable(fuzzervars, var_name, var_type) { fuzzervars[var_type] = var_name; }
+    function jsfuzzer() {
+        var fuzzervars = {};
+        SetVariable(fuzzervars, document, 'Document');
+        try { mathmlvar00003.prepend("1"); } catch (e) { }
+        try { /* */ var var00231 = svgvar00032.ownerDocument; } catch (e) { }
+        try { if (!var00231) { var00231 = GetVariable(fuzzervars, 'Document'); } { SetVariable(fuzzervars, 'DocumentOrShadowRoot'); } } catch (e) { }
+        try { var00231.execCommand("selectAll", false); } catch (e) { }
+        try { /* */ var00297 = mathmlvar00003.replaceChild(mathmlvar00016, mathmlvar00003.childNodes[0 % mathmlvar00003.childNodes.length]); } catch (e) { }
+    }
+</script>
+<p>Test passes if no crash.</p>
+
+<body onload=jsfuzzer()>
+    <math display="inline">
+        <msup mathbackground="red">
+            <mtext id="mathmlvar00003" style="-webkit-column-width: initial; position: absolute; class=" class1">k
+            </mtext>
+            <ms displaystyle="true">&lt;</ms>
+        </msup>
+        <mn id="mathmlvar00016" displaystyle="true">7</mn>
+    </math>
+</body>
diff --git a/...ted/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt b/...ted/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt
@@ -21,8 +21,8 @@ FAIL Appending and removing children to msubsup assert_approx_equals: block posi
 FAIL Appending and removing children to msup assert_approx_equals: inline size expected 13.1875 +/- 1 but got 0
 PASS Appending and removing children to mtable
 PASS Appending and removing children to mtext
-FAIL Appending and removing children to munder assert_approx_equals: block position (child 0) expected 0 +/- 1 but got 2.5
-FAIL Appending and removing children to munderover assert_approx_equals: block position (child 0) expected 0 +/- 1 but got 6
+FAIL Appending and removing children to munder assert_approx_equals: block position (child 0) expected 0 +/- 1 but got 3
+FAIL Appending and removing children to munderover assert_approx_equals: block position (child 0) expected 6 +/- 1 but got 0
 PASS Appending and removing children to semantics
 maction:
 mfrac:

diff --git a/Source/WebCore/rendering/mathml/RenderMathMLScripts.cpp b/Source/WebCore/rendering/mathml/RenderMathMLScripts.cpp
@@ -361,8 +361,13 @@ void RenderMathMLScripts::layoutBlock(bool relayoutChildren, LayoutUnit)
     auto& reference = possibleReference.value();
 
     recomputeLogicalWidth();
-    for (auto child = firstChildBox(); child; child = child->nextSiblingBox())
+    for (auto child = firstChildBox(); child; child = child->nextSiblingBox()) {
+        if (child->isOutOfFlowPositioned()) {
+            child->containingBlock()->insertPositionedObject(*child);
+            continue;
+        }
         child->layoutIfNeeded();
+    }
 
     LayoutUnit space = spaceAfterScript();