[webkit-changes] [WebKit/WebKit] 6eb9af: REGRESSION(310995@main): Crash in RenderTableSecti...

Fri, 24 Apr 2026 17:04:54 -0700 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 6eb9af92610770c1dd7cedf6626f659dab974079
      
https://github.com/WebKit/WebKit/commit/6eb9af92610770c1dd7cedf6626f659dab974079
  Author: Alan Baradlay <[email protected]>
  Date:   2026-04-24 (Fri, 24 Apr 2026)

  Changed paths:
    A 
LayoutTests/fast/table/nested-anonymous-table-section-baseline-before-layout-crash-expected.txt
    A 
LayoutTests/fast/table/nested-anonymous-table-section-baseline-before-layout-crash.html
    M Source/WebCore/rendering/RenderTableSection.cpp

  Log Message:
  -----------
  REGRESSION(310995@main): Crash in 
RenderTableSection::baselineFromCellContentEdges
https://bugs.webkit.org/show_bug.cgi?id=313270
<rdar://175500253>

Reviewed by Simon Fraser.

310995@main changed baselineFromCellContentEdges from using cell->logicalTop()
to m_rowPos[cell->rowIndex()]. The problem is that m_rowPos is only populated
during layout (in calcRowLogicalHeight), but m_grid is populated earlier during
tree construction. These two vectors can be out of sync.

When a table cell captures its old baseline before layout (cellBaselinePosition
is called before layoutBlock), it can recurse through firstLineBaseline into a
nested anonymous table whose section has rows in m_grid but an empty m_rowPos
(because that nested table has never been laid out yet).

Return nullopt from firstLineBaseline/lastLineBaseline when m_rowPos hasn't
been sized for the current grid. All callers already handle nullopt as "no 
baseline
available.". This matches with what we did before 310995@main.

* 
LayoutTests/fast/table/nested-anonymous-table-section-baseline-before-layout-crash-expected.txt:
 Added.
* 
LayoutTests/fast/table/nested-anonymous-table-section-baseline-before-layout-crash.html:
 Added.
* Source/WebCore/rendering/RenderTableSection.cpp:
(WebCore::RenderTableSection::firstLineBaseline const):
(WebCore::RenderTableSection::lastLineBaseline const):
 Note that m_rowPos stores the top edge of each row plus the bottom edge of the 
last row, so calcRowLogicalHeight sizes it to m_grid.size() + 1.

Canonical link: https://commits.webkit.org/311989@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

Reply via email to