Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 934b6b65a06e071b0ca74a1ea432b627de893a79
https://github.com/WebKit/WebKit/commit/934b6b65a06e071b0ca74a1ea432b627de893a79
Author: Yulun Wu <[email protected]>
Date: 2026-02-23 (Mon, 23 Feb 2026)
Changed paths:
A LayoutTests/fast/table/rowspan-zero-insert-row-crash-expected.txt
A LayoutTests/fast/table/rowspan-zero-insert-row-crash.html
M Source/WebCore/rendering/RenderTableCell.cpp
M Source/WebCore/rendering/RenderTableCell.h
M Source/WebCore/rendering/RenderTableRow.cpp
Log Message:
-----------
[table] Properly handle rowspan=0 when display:none rows are present
https://bugs.webkit.org/show_bug.cgi?id=308235
<rdar://170463967>
Reviewed by Alan Baradlay.
This PR fixes an issue where calculateRowSpanForRowspanZero() was
counting total rows in the DOM tree which included rows with display:none.
However, these rows are not part of the render tree and caused rowSpan()
for rowspan=0 cells to return a span larger than that of m_grid.size(),
leading to an out of bounds error in layoutRows().
This PR fixes this bug by:
1. updating calculateRowSpanForRowspanZero() to count
the total number of rows by walking the render tree.
We should walk the render tree to count the total number of rows because:
1) The DOM structure includes rows with display:none which are not
created in the
render tree. This causes overcounting and an eventual index out of
bounds error.
2) renderSection->numRows() returns m_grid.size(), but m_grid is
cleared and rebuilt
incrementally during recalcCells(), so it would undercount rows not yet
processed.
When called during initial construction (before all rows exist),
calculateRowSpanForRowSpanZero()
may return a temporarily incorrect value. However, inserting a table
cell with the
rowspan=0 property will setNeedsCellRecalc() and recalcCells() will
recompute the span
correctly at layout time once the full render tree is available.
2. updating didInsertTableCell() to call setNeedsCellRecalc() when
an item with rowspan=0 is inserted. This is necessary because render
tree walks in calculateRowSpanForRowspanZero() undercount future rows
that have not been inserted yet. setNeedsCellRecalc() triggers a
full rebuild by recalcCells() at layout time when the correct span
can be computed.
* LayoutTests/fast/table/rowspan-zero-insert-row-crash-expected.txt: Added.
* LayoutTests/fast/table/rowspan-zero-insert-row-crash.html: Added.
* Source/WebCore/rendering/RenderTableCell.cpp:
(WebCore::RenderTableCell::calculateRowSpanForRowSpanZero const):
(WebCore::RenderTableCell::calculateRowSpanForRowspanZero const):
* Source/WebCore/rendering/RenderTableCell.h:
(WebCore::RenderTableCell::rowSpan const):
(WebCore::RenderTableCell::hasRowSpanZero const):
* Source/WebCore/rendering/RenderTableRow.cpp:
(WebCore::RenderTableRow::didInsertTableCell):
Canonical link: https://commits.webkit.org/308093@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
