haikuwebkit/LayoutTests/tables/table-col-indent-crash.html

<style>
   body { -webkit-user-modify: read-write; }
</style>

<script>
window.onload = function() {
    if (window.testRunner)
        testRunner.dumpAsText();
    window.getSelection().setPosition(tableElement);
    document.execCommand("indent", false);
    document.execCommand("indent", false);
}
</script>

<body>
  <template></template>
  <details id="details">
    <summary>
      <table id="tableElement">
        <br/>
        <col>This test passes if it doesn't crash.</col>
      </table>
    </summary>
  </details>
</body>
Crash in RenderTableCol::willBeRemovedFromTree() https://bugs.webkit.org/show_bug.cgi?id=207031 Reviewed by Antti Koivisto. Source/WebCore: A RenderTableCol's table() can be null during willBeRemovedFromTree. This can happen when the RenderTableCol's table is an ancestor rather than a direct parent. If RenderTreeBuilder::destroy is then called on an ancestor of the the RenderTableCol's table, RenderTreeBuilder::destroy proceeds down the ancestor chain, detaching each node along the way. By the time the RenderTableCol is reached, the table (a non-parent ancestor) has already been detached, so table() is null and we crash while trying to use it. The underlying bug is that RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers is getting called on the RenderTableCol's ancestor before its descendants (including the RenderTableCol) are destroyed. Fix this by changing the order of operations in RenderTreeUpdater::tearDownRenderers so that tearDownLeftoverShadowHostChildren happens before destroyAndCleanUpAnonymousWrappers. This ensures that the RenderTableCol is destroyed before destroyAndCleanUpAnonymousWrappers is called on its ancestor. Test: tables/table-col-indent-crash.html * rendering/updating/RenderTreeUpdater.cpp: (WebCore::RenderTreeUpdater::tearDownRenderers): LayoutTests: * tables/table-col-indent-crash-expected.txt: Added. * tables/table-col-indent-crash.html: Added. Canonical link: https://commits.webkit.org/220331@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@255971 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2020-02-06 19:54:37 +00:00			`<style>`
			`body { -webkit-user-modify: read-write; }`
			`</style>`

			`<script>`
			`window.onload = function() {`
			`if (window.testRunner)`
			`testRunner.dumpAsText();`
			`window.getSelection().setPosition(tableElement);`
			`document.execCommand("indent", false);`
			`document.execCommand("indent", false);`
			`}`
			`</script>`

			`<body>`
			`<template></template>`
			`<details id="details">`
			`<summary>`
			`<table id="tableElement">`
			`<br/>`
			`<col>This test passes if it doesn't crash.</col>`
			`</table>`
			`</summary>`
			`</details>`
			`</body>`