[IFC] Nested RenderFrameSet fails to find its container

https://bugs.webkit.org/show_bug.cgi?id=263445 <rdar://117263055> Reviewed by Antti Koivisto. See comment in LineLayout::containing. * LayoutTests/fast/frames/nested-floating-frameset-crash-expected.txt: Added. * LayoutTests/fast/frames/nested-floating-frameset-crash.html: Added. * Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.cpp: (WebCore::LayoutIntegration::LineLayout::containing): Canonical link: https://commits.webkit.org/269610@main
WebKit · Oct 21, 2023 · 7b3eb7e · 7b3eb7e
1 parent 6a3c566
commit 7b3eb7e
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 3 deletions.
diff --git a/LayoutTests/fast/frames/nested-floating-frameset-crash-expected.txt b/LayoutTests/fast/frames/nested-floating-frameset-crash-expected.txt
@@ -0,0 +1 @@
+PASS if no crash or assert.
diff --git a/LayoutTests/fast/frames/nested-floating-frameset-crash.html b/LayoutTests/fast/frames/nested-floating-frameset-crash.html
@@ -0,0 +1,27 @@
+<style>
+frameset {
+  float: left;
+}
+
+frameset:nth-last-of-type(n) {
+  height: 0;
+}
+
+frameset:first-child :nth-of-type(n) {
+  height: 0;
+}
+</style>
+<body>PASS if no crash or assert.</body><script>
+if (window.testRunner)
+  testRunner.dumpAsText();
+
+document.body.offsetHeight;
+let parentFrameSet = document.createElement('frameset');
+let chilFrameSet = document.createElement('frameset');
+parentFrameSet.append(chilFrameSet);
+chilFrameSet.append(document.createElement('div'));
+document.body.append(parentFrameSet);
+
+document.body.offsetTop;
+document.body.append('');
+</script>
diff --git a/Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.cpp b/Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.cpp
@@ -123,13 +123,17 @@ LineLayout* LineLayout::containing(RenderObject& renderer)
         return nullptr;
 
     if (!renderer.isInline()) {
-
+        // IFC may contain block level boxes (floats and out-of-flow boxes).
         if (renderer.isRenderSVGBlock()) {
             // SVG content inside svg root shows up as block (see RenderSVGBlock). We only support inline root svg as "atomic content".
             return nullptr;
         }
-
-        // IFC may contain block level boxes (floats and out-of-flow boxes).
+        if (renderer.isFrameSet()) {
+            // Since RenderFrameSet is not a RenderBlock, finding container for nested framesets can't use containingBlock ancestor walk.
+            if (auto* parent = renderer.parent(); is<RenderBlockFlow>(parent))
+                return downcast<RenderBlockFlow>(*parent).modernLineLayout();
+            return nullptr;
+        }
         auto adjustedContainingBlock = [&] {
             RenderElement* containingBlock = nullptr;
             if (renderer.isOutOfFlowPositioned()) {