Bug 206109

Summary: Nullptr deref in WebCore::RenderTreeBuilder::Block::attachIgnoringContinuation when an element is inserted before legend under multi-column layout.
Product: WebKit Reporter: Jack <shihchieh_lee>
Component: Layout and RenderingAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, commit-queue, esprehn+autocc, ews-watchlist, glenn, koivisto, kondapallykalyan, pdr, rniwa, simon.fraser, zalan
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: All   
OS: All   
Attachments:
Description Flags
Patch none

Jack
Reported 2020-01-10 16:29:00 PST
<rdar://problem/56600343>
Attachments
Patch (4.40 KB, patch)
2020-01-23 19:20 PST, Jack 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Jack
Comment 1 2020-01-23 19:20:28 PST
Created attachment 388645 [details] Patch
Jack
Comment 2 2020-01-23 19:24:30 PST
In this test case, CANVAS is being inserted into FIELDSET before LEGEND. However, since FIELDSET has multi columns, so the parent is set to “RenderMultiColumnFlowThread” in FIELDSET, while “beforechild” remains to be LEGEND, causing the while loop in attachIgnoringContinuation to access null pointer since a common parent cannot be found.
Jack
Comment 3 2020-01-23 19:29:47 PST
(In reply to Jack from comment #1) > Created attachment 388645 [details] > Patch The patch would insert CANVAS into RenderMultiColumnFlowThread, same as when CANVAS is statically inserted before LEGEND (by <fieldset> <canvas id="CANVAS"></canvas><legend id="LEGEND"></legend>). (B)lock/(I)nline/I(N)line-block, (A)bsolute/Fi(X)ed/(R)elative/Stic(K)y, (F)loating, (O)verflow clip, Anon(Y)mous, (G)enerated, has(L)ayer, (C)omposited, (+)Dirty style, (+)Dirty layout B---YGLC -+ RenderView at (0,0) size 0x0 renderer->(0x61700003e600) layout->[normal child] B-----L- -+* HTML RenderBlock at (0,0) size 0x0 renderer->(0x61200004dec0) node->(0x60c0000a6b40) layout->[self][normal child] B---YGL- -+ RenderMultiColumnFlowThread at (0,0) size 0x0 renderer->(0x61600005d980) [Rs:0x0 Re:0x0] layout->[self][normal child] B-----L- -+ BODY RenderBody at (0,0) size 0x0 renderer->(0x61200004e1c0) node->(0x60c0000a8280) [Rs:0x0 Re:0x0] layout->[self][normal child] B---YGL- -+ RenderMultiColumnFlowThread at (0,0) size 0x0 renderer->(0x61600005d680) [Rs:0x0 Re:0x0] layout->[self][normal child] B-----L- -+ FIELDSET RenderFieldSet at (0,0) size 0x0 renderer->(0x61200004e4c0) node->(0x6110000ad240) [Rs:0x0 Re:0x0] layout->[self][normal child] B---YGL- -+ RenderMultiColumnFlowThread at (0,0) size 0x0 renderer->(0x61600005d380) [Rs:0x0 Re:0x0] layout->[self][normal child] B---YG-- -+ RenderBlock at (0,0) size 0x0 renderer->(0x61200004edc0) [Rs:0x0 Re:0x0] layout->[self][normal child] I-----L- -+ CANVAS RenderHTMLCanvas at (0,0) size 0x0 renderer->(0x61200004e7c0) node->(0x61200005fd40) [Rs:0x0 Re:0x0] layout->[self] B---YG-- -+ RenderMultiColumnSet at (0,0) size 0x0 renderer->(0x61400003b440) [Rs:0x0 Re:0x0] layout->[self] B-----L- -+ LEGEND RenderBlock at (0,0) size 0x0 renderer->(0x61200004eac0) node->(0x60c0000a8580) [Rs:0x0 Re:0x0] layout->[self] B---YG-- -+ RenderMultiColumnSet at (0,0) size 0x0 renderer->(0x61400003be40) [Rs:0x0 Re:0x0] layout->[self] B---YG-- -+ RenderMultiColumnSet at (0,0) size 0x0 renderer->(0x61400003c640) layout->[self]
WebKit Commit Bot
Comment 4 2020-01-24 11:12:13 PST
The commit-queue encountered the following flaky tests while processing attachment 388645 [details]: editing/spelling/spellcheck-attribute.html bug 206178 (authors: g.czajkowski@samsung.com, mark.lam@apple.com, and rniwa@webkit.org) The commit-queue is continuing to process your patch.
WebKit Commit Bot
Comment 5 2020-01-24 11:12:50 PST
Comment on attachment 388645 [details] Patch Clearing flags on attachment: 388645 Committed r255083: <https://trac.webkit.org/changeset/255083>
WebKit Commit Bot
Comment 6 2020-01-24 11:12:52 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.