Cherry-pick 256843.7@webkit-2022.12-embargoed (3b92d70). rdar://10747…

…5202 Do not skip fragmented flow thread descendents https://bugs.webkit.org/show_bug.cgi?id=245374 rdar://98438399 Reviewed by Alan Baradlay. Do not skip fragmented flow thread descendents in initializeFragmentedFlowStateOnInsertion since its children may have a different state based on the inserted fragmented flow thread. When a fragmented flow thread is removed there is no effect on the inner fragmented flow threads so that behaviour is unchenged. * LayoutTests/fast/multicol/nested-columns-out-of-flow-crash-expected.txt: Added. * LayoutTests/fast/multicol/nested-columns-out-of-flow-crash.html: Added. * Source/WebCore/rendering/RenderObject.cpp: (WebCore::RenderObject::setFragmentedFlowStateIncludingDescendants): (WebCore::RenderObject::initializeFragmentedFlowStateOnInsertion): * Source/WebCore/rendering/RenderObject.h: Canonical link: https://commits.webkit.org/256843.7@webkit-2022.12-embargoed Canonical link: https://commits.webkit.org/262444@main
WebKit · Mar 31, 2023 · ea15ace · ea15ace
1 parent 8e4a125
commit ea15ace
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 6 deletions.
diff --git a/LayoutTests/fast/multicol/nested-columns-out-of-flow-crash-expected.txt b/LayoutTests/fast/multicol/nested-columns-out-of-flow-crash-expected.txt
@@ -0,0 +1 @@
+Pass if no crash.
diff --git a/LayoutTests/fast/multicol/nested-columns-out-of-flow-crash.html b/LayoutTests/fast/multicol/nested-columns-out-of-flow-crash.html
@@ -0,0 +1,12 @@
+<div style="column-count: 2">
+  <div style="position: relative">
+    <div style="column-count: 2">
+      <div style="position: absolute"></div>
+    </div>
+  </div>
+</div>
+Pass if no crash.
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
diff --git a/Source/WebCore/rendering/RenderObject.cpp b/Source/WebCore/rendering/RenderObject.cpp
@@ -223,7 +223,7 @@ bool RenderObject::isBlockContainer() const
         || display == DisplayType::TableCaption) && !isRenderReplaced();
 }
 
-void RenderObject::setFragmentedFlowStateIncludingDescendants(FragmentedFlowState state, const RenderElement* fragmentedFlowRoot)
+void RenderObject::setFragmentedFlowStateIncludingDescendants(FragmentedFlowState state, const RenderElement* fragmentedFlowRoot, SkipDescendentFragmentedFlow skipDescendentFragmentedFlow)
 {
     setFragmentedFlowState(state);
 
@@ -232,7 +232,7 @@ void RenderObject::setFragmentedFlowStateIncludingDescendants(FragmentedFlowStat
 
     for (auto& child : childrenOfType<RenderObject>(downcast<RenderElement>(*this))) {
         // If the child is a fragmentation context it already updated the descendants flag accordingly.
-        if (child.isRenderFragmentedFlow())
+        if (child.isRenderFragmentedFlow() && skipDescendentFragmentedFlow == SkipDescendentFragmentedFlow::Yes)
             continue;
         if (fragmentedFlowRoot && child.isOutOfFlowPositioned()) {
             // Fragmented status propagation stops at out-of-flow boundary.
@@ -248,8 +248,8 @@ void RenderObject::setFragmentedFlowStateIncludingDescendants(FragmentedFlowStat
             if (!isInsideMulticolumnFlow())
                 continue;
         }
-        ASSERT(state != child.fragmentedFlowState());
-        child.setFragmentedFlowStateIncludingDescendants(state, fragmentedFlowRoot);
+        ASSERT(skipDescendentFragmentedFlow == SkipDescendentFragmentedFlow::No || state != child.fragmentedFlowState());
+        child.setFragmentedFlowStateIncludingDescendants(state, fragmentedFlowRoot, skipDescendentFragmentedFlow);
     }
 }
 
@@ -292,7 +292,7 @@ void RenderObject::initializeFragmentedFlowStateOnInsertion()
         return;
 
     auto* enclosingFragmentedFlow = locateEnclosingFragmentedFlow();
-    setFragmentedFlowStateIncludingDescendants(computedState, enclosingFragmentedFlow ? enclosingFragmentedFlow->parent() : nullptr);
+    setFragmentedFlowStateIncludingDescendants(computedState, enclosingFragmentedFlow ? enclosingFragmentedFlow->parent() : nullptr, SkipDescendentFragmentedFlow::No);
 }
 
 void RenderObject::resetFragmentedFlowStateOnRemoval()

diff --git a/Source/WebCore/rendering/RenderObject.h b/Source/WebCore/rendering/RenderObject.h
@@ -297,7 +297,8 @@ class RenderObject : public CachedImageClient {
         InsideInFragmentedFlow = 1,
     };
 
-    void setFragmentedFlowStateIncludingDescendants(FragmentedFlowState, const RenderElement* fragmentedFlowRoot);
+    enum class SkipDescendentFragmentedFlow { No, Yes };
+    void setFragmentedFlowStateIncludingDescendants(FragmentedFlowState, const RenderElement* fragmentedFlowRoot, SkipDescendentFragmentedFlow = SkipDescendentFragmentedFlow::Yes);
 
     FragmentedFlowState fragmentedFlowState() const { return m_bitfields.fragmentedFlowState(); }
     void setFragmentedFlowState(FragmentedFlowState state) { m_bitfields.setFragmentedFlowState(state); }