[Webkit-unassigned] [Bug 199224] Crash in WebCore::StyledMarkupAccumulator::traverseNodesForSerialization
bugzilla-daemon at webkit.org
Thu Aug 13 06:28:00 PDT 2020
https://bugs.webkit.org/show_bug.cgi?id=199224
--- Comment #12 from Sergio Villar Senin <svillar at igalia.com> ---
Comment on attachment 406503
--> https://bugs.webkit.org/attachment.cgi?id=406503
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=406503&action=review
> LayoutTests/editing/pasteboard/copy-across-shadow-boundaries-crash.html:2
> +<body>
Nit: you don't need those two. Simply use <!DOCTYPE html> and remove also the closing tags.
> Source/WebCore/editing/markup.cpp:671
> + if (pastEnd && (isDescendantOf(*pastEnd, *n) || !next))
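Review bot: In `pastEnd && (isDescendantOf(*pastEnd, *n) || !next)`, the `!next` test is only evaluated when `pastEnd` is non-null and `isDescendantOf` has already returned false, so a null `next` combined with a null `pastEnd` is not handled by this branch. The same line also dereferences `n` in `*n` with no null check visible on it. Consider giving the `!next` termination its own condition that does not depend on `pastEnd`, and either assert that `n` is non-null before the dereference or add a comment stating which invariant guarantees it.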
Not sure if the !next check should be in a different if () block.
For example, what happens if !pastEnd and !next? In theory we'd end up having n == nullptr in the next iteration leading to a crash, wouldn't we?