[Webkit-unassigned] [Bug 205132] Null Ptr Deref @ WTF::TypeCastTraits<WebCore::HTMLTextFormControlElement const, WebCore::Element const, false>::isType

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Dec 11 17:30:35 PST 2019 

https://bugs.webkit.org/show_bug.cgi?id=205132

--- Comment #8 from Jack <shihchieh_lee at apple.com> ---
(In reply to Ryosuke Niwa from comment #7)
> (In reply to Jack from comment #6)
> > (In reply to Ryosuke Niwa from comment #5)
> > > > Source/WebCore/html/shadow/TextControlInnerElements.cpp:176
> > > > +    if (shadowHost() && shadowHostStyle) {
> > > 
> > > This isn't right. We shouldn't have nullptr for shadowHostStyle here. We
> > > need to figure out how we're getting there.
> > 
> > I did check the flag when this element was created. When instantiating
> > TextControlInnerTextElement, the argument "document" passed to the
> > constructor has IsShadowRootFlag set to false, and the element simply copy
> > that flag.
> 
> ?? Document is never a shadow root.
> 
> TextControlInnerElements exists inside the shadow tree of a HTMLInputElement
> / HTMLTextAreaElement. The shadow host of such a shadow tree is
> HTMLInputElement / HTMLTextAreaElement. See
> https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_shadow_DOM

This is the implementation:
1. TextControlInnerTextElement receives document as input.
inline TextControlInnerTextElement::TextControlInnerTextElement(Document& document)
    : HTMLDivElement(divTag, document)

2. TextControlInnerTextElement calls the base constructor all the way to Node constructor, which assign document to m_treeScope.
Node::Node(Document& document, ConstructionType type)
    : m_nodeFlags(type)
    , m_treeScope(&document)

3. When TextControlInnerTextElement::resolveCustomStyle is called, it looks for shadowHost by the following functions, which looks into treeScope().rootNode(). 
Element* Node::shadowHost() const
{
    if (ShadowRoot* root = containingShadowRoot())
        return root->host();
    return nullptr;
}

ShadowRoot* Node::containingShadowRoot() const
{
    ContainerNode& root = treeScope().rootNode();
    return is<ShadowRoot>(root) ? downcast<ShadowRoot>(&root) : nullptr;
}

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20191212/fe6cc10b/attachment.htm>

More information about the webkit-unassigned mailing list