From 617f1c4c9c7f1525abc47967d4c7734fed3ff525 Mon Sep 17 00:00:00 2001
From: Antti Koivisto <antti@apple.com>
Date: Mon, 20 May 2024 11:36:34 -0700
Subject: [PATCH] Cherry-pick 279005@main (c2f9092d3a8e).
 https://bugs.webkit.org/show_bug.cgi?id=268770

    Nullptr crash due to `display:block ruby` and continuations
    https://bugs.webkit.org/show_bug.cgi?id=268770
    rdar://121960530

    Reviewed by Alan Baradlay.

    Continuations may end up splitting anonymous 'display:ruby' box inside block ruby.

    * LayoutTests/fast/ruby/ruby-block-continuation-crash-expected.txt: Added.
    * LayoutTests/fast/ruby/ruby-block-continuation-crash.html: Added.
    * Source/WebCore/rendering/updating/RenderTreeBuilderRuby.cpp:
    (WebCore::RenderTreeBuilder::Ruby::findOrCreateParentForStyleBasedRubyChild):

    Find the correct anonymous box from nested continuation structure.

    Canonical link: https://commits.webkit.org/279005@main

Canonical link: https://commits.webkit.org/274313.286@webkitglib/2.44
---
 .../ruby/ruby-block-continuation-crash-expected.txt |  3 +++
 .../fast/ruby/ruby-block-continuation-crash.html    |  9 +++++++++
 .../rendering/updating/RenderTreeBuilderRuby.cpp    | 13 ++++++++++---
 3 files changed, 22 insertions(+), 3 deletions(-)
 create mode 100644 LayoutTests/fast/ruby/ruby-block-continuation-crash-expected.txt
 create mode 100644 LayoutTests/fast/ruby/ruby-block-continuation-crash.html

diff --git a/LayoutTests/fast/ruby/ruby-block-continuation-crash-expected.txt b/LayoutTests/fast/ruby/ruby-block-continuation-crash-expected.txt
new file mode 100644
index 000000000000..f85a15505104
--- /dev/null
+++ b/LayoutTests/fast/ruby/ruby-block-continuation-crash-expected.txt
@@ -0,0 +1,3 @@
+base with
+forced
+line break annotation This test passes if it doesn't crash.
diff --git a/LayoutTests/fast/ruby/ruby-block-continuation-crash.html b/LayoutTests/fast/ruby/ruby-block-continuation-crash.html
new file mode 100644
index 000000000000..3f762d4236ea
--- /dev/null
+++ b/LayoutTests/fast/ruby/ruby-block-continuation-crash.html
@@ -0,0 +1,9 @@
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<ruby style="position: absolute">
+  <rb><span>base with <div>forced</div> line break</span></rb>
+  <rt>annotation</rt>
+</ruby>
+This test passes if it doesn't crash.
diff --git a/Source/WebCore/rendering/updating/RenderTreeBuilderRuby.cpp b/Source/WebCore/rendering/updating/RenderTreeBuilderRuby.cpp
index 62d8b6803323..9f7634612822 100644
--- a/Source/WebCore/rendering/updating/RenderTreeBuilderRuby.cpp
+++ b/Source/WebCore/rendering/updating/RenderTreeBuilderRuby.cpp
@@ -271,10 +271,17 @@ RenderElement& RenderTreeBuilder::Ruby::findOrCreateParentForStyleBasedRubyChild
     if (!child.isRenderText() && child.style().display() == DisplayType::Ruby && parent.style().display() == DisplayType::RubyBlock)
         return parent;
 
-    if (parent.style().display() == DisplayType::RubyBlock && parent.firstChild()) {
+    if (parent.style().display() == DisplayType::RubyBlock) {
         // See if we have an anonymous ruby box already.
-        ASSERT(parent.firstChild()->style().display() == DisplayType::Ruby);
-        return downcast<RenderElement>(*parent.firstChild());
+        // FIXME: It should be the immediate child but continuations can break this assumption.
+        for (CheckedPtr first = parent.firstChild(); first; first = first->firstChildSlow()) {
+            if (!first->isAnonymous()) {
+                ASSERT_NOT_REACHED();
+                break;
+            }
+            if (first->style().display() == DisplayType::Ruby)
+                return downcast<RenderElement>(*first);
+        }
     }
 
     if (parent.style().display() != DisplayType::Ruby) {
-- 
2.45.2