Protect against empty layout state

https://bugs.webkit.org/show_bug.cgi?id=248771 Reviewed by Alan Baradlay. Protect against empty layout state. * LayoutTests/fast/block/crash-empty-layoutStateStack-expected.txt: Added. * LayoutTests/fast/block/crash-empty-layoutStateStack.html: Added. * Source/WebCore/rendering/RenderBlock.cpp: (WebCore::RenderBlock::layoutPositionedObject): (WebCore::RenderBlock::markForPaginationRelayoutIfNeeded): Canonical link: https://commits.webkit.org/256843.3@webkit-2022.12-embargoed
WebKit · Dec 8, 2022 · 1d7abcd · 1d7abcd
1 parent 155bed7
commit 1d7abcd
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 3 deletions.
diff --git a/LayoutTests/fast/block/crash-empty-layoutStateStack-expected.txt b/LayoutTests/fast/block/crash-empty-layoutStateStack-expected.txt
@@ -0,0 +1,2 @@
+Pass if no crash.
+
diff --git a/LayoutTests/fast/block/crash-empty-layoutStateStack.html b/LayoutTests/fast/block/crash-empty-layoutStateStack.html
@@ -0,0 +1,9 @@
+<script>
+if (window.testRunner)
+  testRunner.dumpAsText();
+document.write("Pass if no crash.");
+</script>
+<marquee style="display: grid">
+<math style="align-self: baseline; will-change: transform">
+  <mrow style="position: absolute"/>
+</math>
diff --git a/Source/WebCore/rendering/RenderBlock.cpp b/Source/WebCore/rendering/RenderBlock.cpp
@@ -1024,7 +1024,8 @@ void RenderBlock::layoutPositionedObject(RenderBox& r, bool relayoutChildren, bo
     // If we are paginated or in a line grid, compute a vertical position for our object now.
     // If it's wrong we'll lay out again.
     LayoutUnit oldLogicalTop;
-    bool needsBlockDirectionLocationSetBeforeLayout = r.needsLayout() && view().frameView().layoutContext().layoutState()->needsBlockDirectionLocationSetBeforeLayout();
+    auto* layoutState = view().frameView().layoutContext().layoutState();
+    bool needsBlockDirectionLocationSetBeforeLayout = r.needsLayout() && layoutState && layoutState->needsBlockDirectionLocationSetBeforeLayout();
     if (needsBlockDirectionLocationSetBeforeLayout) {
         if (isHorizontalWritingMode() == r.isHorizontalWritingMode())
             r.updateLogicalHeight();
@@ -1056,7 +1057,7 @@ void RenderBlock::layoutPositionedObject(RenderBox& r, bool relayoutChildren, bo
         r.layoutIfNeeded();
     }
 
-    if (view().frameView().layoutContext().layoutState()->isPaginated() && is<RenderBlockFlow>(*this))
+    if (layoutState && layoutState->isPaginated() && is<RenderBlockFlow>(*this))
         downcast<RenderBlockFlow>(*this).adjustSizeContainmentChildForPagination(r, r.logicalTop());
 }
 
@@ -1087,7 +1088,7 @@ void RenderBlock::markPositionedObjectsForLayout()
 void RenderBlock::markForPaginationRelayoutIfNeeded()
 {
     auto* layoutState = view().frameView().layoutContext().layoutState();
-    if (needsLayout() || !layoutState->isPaginated())
+    if (needsLayout() || !layoutState || !layoutState->isPaginated())
         return;
 
     if (layoutState->pageLogicalHeightChanged() || (layoutState->pageLogicalHeight() && layoutState->pageLogicalOffset(this, logicalTop()) != pageLogicalOffset()))