Bug 206109

Summary:

Nullptr deref in WebCore::RenderTreeBuilder::Block::attachIgnoringContinuation when an element is inserted before legend under multi-column layout.

Product:

WebKit

Reporter:

Jack <shihchieh_lee>

Component:

Layout and Rendering

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

bfulgham, commit-queue, esprehn+autocc, ews-watchlist, glenn, koivisto, kondapallykalyan, pdr, rniwa, simon.fraser, zalan

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

All

OS:

All

Attachments:

Description	Flags
Patch	none

Description Jack 2020-01-10 16:29:00 PST

<rdar://problem/56600343>

Comment 1 Jack 2020-01-23 19:20:28 PST

Created attachment 388645 [details]
Patch

Comment 2 Jack 2020-01-23 19:24:30 PST

In this test case, CANVAS is being inserted into FIELDSET before LEGEND. However, since FIELDSET has multi columns, so the parent is set to “RenderMultiColumnFlowThread” in FIELDSET, while “beforechild” remains to be LEGEND, causing the while loop in attachIgnoringContinuation to access null pointer since a common parent cannot be found.

Comment 3 Jack 2020-01-23 19:29:47 PST

(In reply to Jack from comment #1)
> Created attachment 388645 [details]
> Patch

The patch would insert CANVAS into RenderMultiColumnFlowThread, same as when CANVAS is statically inserted before LEGEND (by <fieldset> <canvas id="CANVAS"></canvas><legend id="LEGEND"></legend>).

(B)lock/(I)nline/I(N)line-block, (A)bsolute/Fi(X)ed/(R)elative/Stic(K)y, (F)loating, (O)verflow clip, Anon(Y)mous, (G)enerated, has(L)ayer, (C)omposited, (+)Dirty style, (+)Dirty layout
B---YGLC -+  RenderView at (0,0) size 0x0 renderer->(0x61700003e600) layout->[normal child]
B-----L- -+*   HTML RenderBlock at (0,0) size 0x0 renderer->(0x61200004dec0) node->(0x60c0000a6b40) layout->[self][normal child]
B---YGL- -+      RenderMultiColumnFlowThread at (0,0) size 0x0 renderer->(0x61600005d980) [Rs:0x0 Re:0x0] layout->[self][normal child]
B-----L- -+        BODY RenderBody at (0,0) size 0x0 renderer->(0x61200004e1c0) node->(0x60c0000a8280) [Rs:0x0 Re:0x0] layout->[self][normal child]
B---YGL- -+          RenderMultiColumnFlowThread at (0,0) size 0x0 renderer->(0x61600005d680) [Rs:0x0 Re:0x0] layout->[self][normal child]
B-----L- -+            FIELDSET RenderFieldSet at (0,0) size 0x0 renderer->(0x61200004e4c0) node->(0x6110000ad240) [Rs:0x0 Re:0x0] layout->[self][normal child]
B---YGL- -+              RenderMultiColumnFlowThread at (0,0) size 0x0 renderer->(0x61600005d380) [Rs:0x0 Re:0x0] layout->[self][normal child]
B---YG-- -+                RenderBlock at (0,0) size 0x0 renderer->(0x61200004edc0) [Rs:0x0 Re:0x0] layout->[self][normal child]
I-----L- -+                  CANVAS RenderHTMLCanvas at (0,0) size 0x0 renderer->(0x61200004e7c0) node->(0x61200005fd40) [Rs:0x0 Re:0x0] layout->[self]
B---YG-- -+              RenderMultiColumnSet at (0,0) size 0x0 renderer->(0x61400003b440) [Rs:0x0 Re:0x0] layout->[self]
B-----L- -+              LEGEND RenderBlock at (0,0) size 0x0 renderer->(0x61200004eac0) node->(0x60c0000a8580) [Rs:0x0 Re:0x0] layout->[self]
B---YG-- -+          RenderMultiColumnSet at (0,0) size 0x0 renderer->(0x61400003be40) [Rs:0x0 Re:0x0] layout->[self]
B---YG-- -+      RenderMultiColumnSet at (0,0) size 0x0 renderer->(0x61400003c640) layout->[self]

Comment 4 WebKit Commit Bot 2020-01-24 11:12:13 PST

The commit-queue encountered the following flaky tests while processing attachment 388645 [details]:

editing/spelling/spellcheck-attribute.html bug 206178 (authors: g.czajkowski@samsung.com, mark.lam@apple.com, and rniwa@webkit.org)
The commit-queue is continuing to process your patch.

Comment 5 WebKit Commit Bot 2020-01-24 11:12:50 PST

Comment on attachment 388645 [details]
Patch

Clearing flags on attachment: 388645

Committed r255083: <https://trac.webkit.org/changeset/255083>

Comment 6 WebKit Commit Bot 2020-01-24 11:12:52 PST

All reviewed patches have been landed.  Closing bug.