Changeset 272931 in webkit

Timestamp:

Feb 16, 2021 2:55:52 PM (3 years ago)

Author:

Alan Bujtas

Message:

RenderElement::containingBlockForAbsolutePosition may call RenderObject::containingBlock recursively
​https://bugs.webkit.org/show_bug.cgi?id=221976
<rdar://problem/72775667>

Reviewed by Simon Fraser.

When a RenderInline happens to be absolute positioned (this is a highly incorrect state, see webkit.org/b/221994), containingBlockForAbsolutePosition() calls containingBlock()
with |this| and in return containingBlock() calls back on containingBlockForAbsolutePosition() with the same renderer.
This patch ensures that we always call containingBlock() from containingBlockForAbsolutePosition() with an ancestor -mostly with the parent().

• rendering/RenderElement.cpp:

(WebCore::RenderElement::containingBlockForAbsolutePosition const):

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• rendering/RenderElement.cpp (modified) (1 diff)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2021-02-16  Zalan Bujtas  <zalan@apple.com>
+
+        RenderElement::containingBlockForAbsolutePosition may call RenderObject::containingBlock recursively
+        https://bugs.webkit.org/show_bug.cgi?id=221976
+        <rdar://problem/72775667>
+
+        Reviewed by Simon Fraser.
+
+        When a RenderInline happens to be absolute positioned (this is a highly incorrect state, see webkit.org/b/221994), containingBlockForAbsolutePosition() calls containingBlock()
+        with |this| and in return containingBlock() calls back on containingBlockForAbsolutePosition() with the same renderer.
+        This patch ensures that we always call containingBlock() from containingBlockForAbsolutePosition() with an ancestor -mostly with the parent().
+
+        * rendering/RenderElement.cpp:
+        (WebCore::RenderElement::containingBlockForAbsolutePosition const):
+
 2021-02-16  Ryosuke Niwa  <rniwa@webkit.org>
 

trunk/Source/WebCore/rendering/RenderElement.cpp

@@ -602 +602 @@
 RenderBlock* RenderElement::containingBlockForAbsolutePosition() const
 {
-    // A relatively positioned RenderInline forwards its absolute positioned descendants to
-    // its nearest non-anonymous containing block (to avoid having a positioned objects list in all RenderInlines).
-    auto* renderer = isRenderInline() ? const_cast<RenderElement*>(downcast<RenderElement>(this)) : parent();
-    while (renderer && !renderer->canContainAbsolutelyPositionedObjects())
-        renderer = renderer->parent();
+    auto nearestNonAnonymousContainingBlockIncludingSelf = [&] (auto* renderer) {
+        while (renderer && (!is<RenderBlock>(*renderer) || renderer->isAnonymousBlock()))
+            renderer = renderer->containingBlock();
+        return downcast<RenderBlock>(renderer);
+    };
+
+    if (is<RenderInline>(*this) && style().position() == PositionType::Relative) {
+        // A relatively positioned RenderInline forwards its absolute positioned descendants to
+        // its nearest non-anonymous containing block (to avoid having positioned objects list in RenderInlines).
+        return nearestNonAnonymousContainingBlockIncludingSelf(parent());
+    }
+    auto* ancestor = parent();
+    while (ancestor && !ancestor->canContainAbsolutelyPositionedObjects())
+        ancestor = ancestor->parent();
     // Make sure we only return non-anonymous RenderBlock as containing block.
-    while (renderer && (!is<RenderBlock>(*renderer) || renderer->isAnonymousBlock()))
-        renderer = renderer->containingBlock();
-    return downcast<RenderBlock>(renderer);
+    return nearestNonAnonymousContainingBlockIncludingSelf(ancestor);
 }