Bug 287905
| Summary: | Flattening may be triggered before tree is connected, and the function crashes when reaching a non-connected parent. | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Pedro Varangot <pvarangot> |
| Component: | New Bugs | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Local Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
Pedro Varangot
This requires some specific timing/layout like in this test:
```html
<html>
<head>
<style>
.class7 {
perspective: 0px;
}
:not(.active) {
grid;
white-space-collapse: preserve-breaks;
container: a0 / inline-size;
-webkit-mask-box-image: url();
}
</style>
<script>
function runTest() {
body = document.body;
body.style.setProperty("border-bottom-width", "thin");
something = document.elementFromPoint(0, 0);
htmlElement = document.documentElement;
htmlElement.append(body);
testRunner?.dumpAsText();
testRunner?.notifyDone();
}
testRunner?.waitUntilDone();
</script>
</head>
<body onload=runTest()>
<title>Title</title>
<p>This test passes if webkit doesn't crash</p>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<form class="class7">
<keygen />
</form>
<br />
<br />
<br />
<br />
</body>
</html>
```
Pedro Varangot
<rdar://problem/143296083>
Alexey Proskuryakov
https://github.com/WebKit/WebKit/pull/40805
EWS
Committed 290774@main (4810d0915bd9): <https://commits.webkit.org/290774@main>
Reviewed commits have been landed. Closing PR #40805 and removing active labels.
EWS
Committed 289651.483@safari-7621-branch (43b00d11a701): <https://commits.webkit.org/289651.483@safari-7621-branch>
Reviewed commits have been landed. Closing PR #3057 and removing active labels.