[Webkit-unassigned] [Bug 125449] Harden column splitting code against bad casts.
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Mon Dec 9 08:32:24 PST 2013
https://bugs.webkit.org/show_bug.cgi?id=125449
--- Comment #2 from Darin Adler <darin at apple.com> 2013-12-09 08:30:39 PST ---
(From update of attachment 218756)
View in context: https://bugs.webkit.org/attachment.cgi?id=218756&action=review
> Source/WebCore/ChangeLog:11
> + Make sure that |curr| is a descendant of |fromBlock|. We need to check
> + in every iteration of the loop because moveChildrenTo could have moved
> + |curr|. This is a mitigation and not really a fix against a class of
> + tree craziness.
If this fixes a bug we need a test case demonstrating the bug. If it doesn’t we should not make a code change.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list