[content-visibility] Crash under RenderTableSection::paintObject when continuation is present

alanbaradlay · alanbaradlay · commit ea9223dccf8a · 2024-06-14T07:15:52.000-07:00
https://bugs.webkit.org/show_bug.cgi?id=275463 <rdar://126112896> Reviewed by Antti Koivisto. See FIXME comment in RenderTable::paint. * LayoutTests/fast/dynamic/content-visibility-crash-with-continuation-and-table-expected.txt: Added. * LayoutTests/fast/dynamic/content-visibility-crash-with-continuation-and-table.html: Added. * Source/WebCore/rendering/RenderTable.cpp: (WebCore::RenderTable::paint): Canonical link: https://commits.webkit.org/280011@main
diff --git a/LayoutTests/fast/dynamic/content-visibility-crash-with-continuation-and-table-expected.txt b/LayoutTests/fast/dynamic/content-visibility-crash-with-continuation-and-table-expected.txt
@@ -0,0 +1,2 @@
+ PASS if no crash or assert.
+
diff --git a/LayoutTests/fast/dynamic/content-visibility-crash-with-continuation-and-table.html b/LayoutTests/fast/dynamic/content-visibility-crash-with-continuation-and-table.html
@@ -0,0 +1,11 @@
+<style>
+div, span {
+  content-visibility: auto;
+}
+</style>
+<div><span><table rules="none"><td></td><colgroup><video controls="controls"></colgroup><td></td>
+PASS if no crash or assert.
+<script>
+if (window.testRunner)
+  testRunner.dumpAsText();
+</script>
diff --git a/Source/WebCore/rendering/RenderTable.cpp b/Source/WebCore/rendering/RenderTable.cpp
@@ -720,6 +720,19 @@ void RenderTable::addOverflowFromChildren()
 
 void RenderTable::paint(PaintInfo& paintInfo, const LayoutPoint& paintOffset)
 {
+    auto isSkippedContent = [&] {
+        if (style().usedContentVisibility() == ContentVisibility::Visible)
+            return false;
+        // FIXME: Tables can never be skipped content roots. If a table is _inside_ a skipped subtree, we should have bailed out at the skipped root ancestor.
+        // However with continuation (see webkit.org/b/275459) used visibility values does not always get propagated properly and
+        // we may end up here with a dirty (skipped) table.
+        if (auto* containingBlock = this->containingBlock(); containingBlock && containingBlock->isAnonymousBlock() && !containingBlock->style().hasSkippedContent())
+            return true;
+        return false;
+    };
+    if (isSkippedContent())
+        return;
+
     LayoutPoint adjustedPaintOffset = paintOffset + location();
 
     PaintPhase paintPhase = paintInfo.phase;
