This website requires JavaScript.
Explore
Help
Sign In
nephele
/
haikuwebkit
Watch
1
Star
0
Fork
You've already forked haikuwebkit
0
Code
Issues
Releases
Activity
haiku
haikuwebkit
/
LayoutTests
/
fast
/
table
/
table-split-on-insert-with-...
3 lines
3 B
Plaintext
Raw
Permalink
Normal View
History
Unescape
Escape
CrashOnOverflow in WebCore::RenderTable::cellBefore(WebCore::RenderTableCell const*) https://bugs.webkit.org/show_bug.cgi?id=225949 Reviewed by Antti Koivisto. Source/WebCore: The table section maintains a grid of rows and columns. This grid is used to jump to cells directly during layout (as opposed to tree walking). It needs to be re-populated on tree mutations e.g when a new row is added to the table. RenderTableSection::willInsertTableRow assumes that rows and cells are inserted subsequently, after each other and it's ok to ignore the grid invalidation on appends as the subsequent ::addCell() call takes care of the grid. However in some continuation split cases, we re-parent complete rows under table sections which means no subsequent ::addCell() calls. This patch addresses this case by using the same pattern we have for block continuation invalidation in RenderTreeBuilder::splitAnonymousBoxesAroundChild(). Test: fast/table/table-split-on-insert-with-section-crash.html * rendering/updating/RenderTreeBuilder.cpp: (WebCore::RenderTreeBuilder::markBoxForRelayoutAfterSplit): (WebCore::markBoxForRelayoutAfterSplit): Deleted. * rendering/updating/RenderTreeBuilder.h: * rendering/updating/RenderTreeBuilderInline.cpp: (WebCore::RenderTreeBuilder::Inline::splitInlines): LayoutTests: * fast/table/table-split-on-insert-with-section-crash-expected.txt: Added. * fast/table/table-split-on-insert-with-section-crash.html: Added. Canonical link: https://commits.webkit.org/238258@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@278219 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2021-05-28 19:51:32 +00:00
