[Webkit-unassigned] [Bug 205132] Null Ptr Deref @ WTF::TypeCastTraits<WebCore::HTMLTextFormControlElement const, WebCore::Element const, false>::isType

bugzilla-daemon at webkit.org
Wed Dec 11 17:37:45 PST 2019


https://bugs.webkit.org/show_bug.cgi?id=205132

--- Comment #9 from Ryosuke Niwa <rniwa at webkit.org> ---
(In reply to Jack from comment #8)
> (In reply to Ryosuke Niwa from comment #7)
> > (In reply to Jack from comment #6)
> > > (In reply to Ryosuke Niwa from comment #5)
> > > > > Source/WebCore/html/shadow/TextControlInnerElements.cpp:176
> > > > > +    if (shadowHost() && shadowHostStyle) {
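Review bot: The `shadowHostStyle` test on the added line at TextControlInnerElements.cpp:176 is folded into the same condition as `shadowHost()`, so a host that exists without a style skips the guarded block silently and nothing records why the style can be null there. Add a comment on this line stating the condition under which `shadowHostStyle` is legitimately null, and a regression test that reaches that state, so the check does not hide the cause of the crash.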
> > > > 
> > > > This isn't right. We shouldn't have nullptr for shadowHostStyle here. We
> > > > need to figure out how we're getting there.
> > > 
> > > I did check the flag when this element was created. When instantiating
> > > TextControlInnerTextElement, the argument "document" passed to the
> > > constructor has IsShadowRootFlag set to false, and the element simply copies
> > > that flag.
> > 
> > ?? Document is never a shadow root.
> > 
> > TextControlInnerElements exists inside the shadow tree of a HTMLInputElement
> > / HTMLTextAreaElement. The shadow host of such a shadow tree is
> > HTMLInputElement / HTMLTextAreaElement. See
> > https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_shadow_DOM
> 
> This is the implementation:

I don't follow what you're trying to say with this. Again, document is never a shadow root and that is fully expected. We probably need to talk about this in person with a whiteboard.
