ASAN_SEGV | Hard null deref |LayoutIntegration::BoxTree::layoutBoxFor…

…Renderer; LayoutIntegration::LineLayout::enclosingBorderBoxRectFor; WebCore::RenderInline::linesBoundingBox. https://bugs.webkit.org/show_bug.cgi?id=266567. rdar://114586645. Reviewed by Alan Baradlay. similar to 107979394, apply handling for repainting a freshly inserted sticky inline box. * LayoutTests/fast/inline/sticky-inline-box-invalidation-repaint-crash-expected.txt: Added. * LayoutTests/fast/inline/sticky-inline-box-invalidation-repaint-crash.html: Added. * LayoutTests/platform/ios-wk2/imported/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt: re-baseline for rdar://119187070. * Source/WebCore/rendering/RenderInline.cpp: (WebCore::RenderInline::linesBoundingBox const): Originally-landed-as: 272448.75@safari-7618-branch (2534e02). rdar://124556813 Canonical link: https://commits.webkit.org/276404@main
WebKit · Mar 20, 2024 · 81b0d44 · 81b0d44
1 parent e095431
commit 81b0d44
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 4 deletions.
diff --git a/LayoutTests/fast/inline/sticky-inline-box-invalidation-repaint-crash-expected.txt b/LayoutTests/fast/inline/sticky-inline-box-invalidation-repaint-crash-expected.txt
@@ -0,0 +1 @@
+PASS if no crash.
diff --git a/LayoutTests/fast/inline/sticky-inline-box-invalidation-repaint-crash.html b/LayoutTests/fast/inline/sticky-inline-box-invalidation-repaint-crash.html
@@ -0,0 +1,15 @@
+<style>
+*, image { path('M 0') -1px; border-top-left-radius: 1vmax }
+#htmlvar00006 { display: inline; separate; position: sticky; }
+#htmlvar00003, #htmlvar00003 { content: url(#svgvar00008); }
+#htmlvar00008 { path('M -1'); 0em; position: fixed; }
+</style>
+<script>
+    if (window.testRunner)
+        testRunner.dumpAsText();
+</script>
+<q list="htmlvar00002">PASS if no crash.</q>
+<p id="htmlvar00003" focus="true"></p>
+<form id="htmlvar00006" behavior="scroll">
+    <legend id="htmlvar00008" mayscript="false"></legend>
+</form>
diff --git a/...ted/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt b/...ted/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt
@@ -24,6 +24,7 @@ PASS Appending and removing children to mtext
 FAIL Appending and removing children to munder assert_approx_equals: block position (child 0) expected 0 +/- 1 but got 3
 FAIL Appending and removing children to munderover assert_approx_equals: block position (child 0) expected 0 +/- 1 but got 7
 FAIL Appending and removing children to semantics assert_approx_equals: block position (child 0) expected -33431774 +/- 1 but got -33431794
+|LayoutIntegration::BoxTree::layoutBoxForRenderer; LayoutIntegration::LineLayout::enclosingBorderBoxRectFor; WebCore::RenderInline::linesBoundingBox.)
 maction:
 mfrac:
 mmultiscripts:
@@ -36,4 +37,3 @@ msup:
 munder:
 munderover:
 semantics:
-
diff --git a/Source/WebCore/rendering/RenderInline.cpp b/Source/WebCore/rendering/RenderInline.cpp
@@ -505,14 +505,20 @@ LayoutUnit RenderInline::innerPaddingBoxHeight() const
 
 IntRect RenderInline::linesBoundingBox() const
 {
+    IntRect result;
+
     if (auto* layout = LayoutIntegration::LineLayout::containing(*this)) {
         if (!layout->contains(*this))
-            return { };
+            return result;
+
+        if (!layoutBox()) {
+            // Repaint may be issued on subtrees during content mutation with newly inserted renderers.
+            ASSERT(needsLayout());
+            return result;
+        }
         return enclosingIntRect(layout->enclosingBorderBoxRectFor(*this));
     }
 
-    IntRect result;
-
     // See <rdar://problem/5289721>, for an unknown reason the linked list here is sometimes inconsistent, first is non-zero and last is zero.  We have been
     // unable to reproduce this at all (and consequently unable to figure ot why this is happening).  The assert will hopefully catch the problem in debug
     // builds and help us someday figure out why.  We also put in a redundant check of lastLineBox() to avoid the crash for now.