180251 – Nullptr deref in WebCore::RenderTableCaption::containingBlockLogicalWidthForContent

RESOLVED FIXED 180251

Nullptr deref in WebCore::RenderTableCaption::containingBlockLogicalWidthForContent

https://bugs.webkit.org/show_bug.cgi?id=180251

Summary Nullptr deref in WebCore::RenderTableCaption::containingBlockLogicalWidthForC...

zalan

Reported 2017-12-01 08:44:22 PST

rdar://problem/34138562

Attachments
Patch (4.70 KB, patch) 2017-12-01 08:54 PST, zalan	no flags	Details Formatted Diff Diff
Patch (4.72 KB, patch) 2017-12-01 10:43 PST, zalan	no flags	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

zalan

Comment 1 2017-12-01 08:54:31 PST

Created attachment 328095 [details] Patch

zalan

Comment 2 2017-12-01 08:59:13 PST

In an ideal world we would never end up calling containingBlockLogicalWidthForContent on a detached renderer. There's no reason why we would want the containing block's logical width unless we are performing layout.

Simon Fraser (smfr)

Comment 3 2017-12-01 10:23:29 PST

Comment on attachment 328095 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=328095&action=review > LayoutTests/fast/table/caption-crash-when-layer-backed.html:6 > + will-change: -webkit-transform; No prefix. > LayoutTests/fast/table/caption-crash-when-layer-backed.html:8 > + -webkit-background-clip: content; Not sure why this is needed.

zalan

Comment 4 2017-12-01 10:43:02 PST

Created attachment 328119 [details] Patch

zalan

Comment 5 2017-12-01 10:44:48 PST

(In reply to Simon Fraser (smfr) from comment #3) > Comment on attachment 328095 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=328095&action=review > > > LayoutTests/fast/table/caption-crash-when-layer-backed.html:6 > > + will-change: -webkit-transform; > > No prefix. > > > LayoutTests/fast/table/caption-crash-when-layer-backed.html:8 > > + -webkit-background-clip: content; > > Not sure why this is needed. backgroundClip needs to be either PaddingFillBox or ContentFillBox to force padding/border etc resolving.

WebKit Commit Bot

Comment 6 2017-12-01 11:15:36 PST

Comment on attachment 328119 [details] Patch Clearing flags on attachment: 328119 Committed r225402: <https://trac.webkit.org/changeset/225402>

WebKit Commit Bot

Comment 7 2017-12-01 11:15:38 PST

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component Layout and Rendering

Assignee

zalan

Reported

2017-12-01 08:44 PST

Modified

2017-12-01 11:15 PST History

CC List

4 users Show

URL

Keywords InRadar

Depends on

Blocks