[Webkit-unassigned] [Bug 199224] Crash in WebCore::StyledMarkupAccumulator::traverseNodesForSerialization
bugzilla-daemon at webkit.org
Thu Aug 13 11:42:57 PDT 2020
https://bugs.webkit.org/show_bug.cgi?id=199224
--- Comment #14 from Ryosuke Niwa <rniwa at webkit.org> ---
Comment on attachment 406503
--> https://bugs.webkit.org/attachment.cgi?id=406503
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=406503&action=review
>>> Source/WebCore/editing/markup.cpp:671
>>> + if (pastEnd && (isDescendantOf(*pastEnd, *n) || !next))
>>
>> Not sure if the !next check should be in a different if () block.
>>
>> For example what happens if !pastEnd and !next? In theory we'd end up having n == nullptr in the next iteration leading to a crash, wouldn't we?
>
> And what do we use then for next if pastEnd is also nullptr? I would need a test to understand that case, I'm afraid.
The loop will terminate if next is null and pastEnd is also null because the loop invariant is that n != pastEnd.
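The termination argument above is easy to check with a small model. The following C++ is an added illustration written for this archive page, not WebKit's markup.cpp; `Node`, `traverse`, `next`, `nextSkippingChildren`, `isDescendantOf`, the `skipChildren` flag (a stand-in for "node has no renderer") and the sample trees are all constructed here. It keeps only the shape of the loop under review: iterate from `start` while `n != pastEnd`, compute `next`, and when skipping a node's children apply the reviewed condition `pastEnd && (isDescendantOf(*pastEnd, *n) || !next)` so that the traversal never jumps over `pastEnd`. The third sample reproduces the case the reviewer asked about: `pastEnd` is `nullptr` and skipping runs off the end of the tree, so `next` becomes `nullptr` and the loop exits on `n == pastEnd` instead of dereferencing `n`.

```cpp
#include <cassert>
#include <vector>

// Constructed stand-in for a DOM node (not WebCore::Node): parent, first child
// and next sibling are enough to model pre-order document traversal.
struct Node {
    Node* parent = nullptr;
    Node* firstChild = nullptr;
    Node* nextSibling = nullptr;
    bool skipChildren = false; // models "no renderer": serialize n, do not descend
    int id;
    explicit Node(int i) : id(i) {}
};

void appendChild(Node& parent, Node& child) {
    child.parent = &parent;
    if (!parent.firstChild) { parent.firstChild = &child; return; }
    Node* last = parent.firstChild;
    while (last->nextSibling) last = last->nextSibling;
    last->nextSibling = &child;
}

// Pre-order successor that does not enter n's subtree: nearest next sibling
// found while climbing the ancestor chain, or nullptr at the end of the tree.
Node* nextSkippingChildren(Node* n) {
    for (Node* cur = n; cur; cur = cur->parent)
        if (cur->nextSibling) return cur->nextSibling;
    return nullptr;
}

// Plain pre-order successor: first child if any, else nextSkippingChildren.
Node* next(Node* n) {
    return n->firstChild ? n->firstChild : nextSkippingChildren(n);
}

bool isDescendantOf(const Node& candidate, const Node& ancestor) {
    for (const Node* p = candidate.parent; p; p = p->parent)
        if (p == &ancestor) return true;
    return false;
}

// Model of the serialization loop: visit from start up to, but not including,
// pastEnd. Precondition (as in the real loop): pastEnd is nullptr or reachable
// from start in document order. The only exit condition is n == pastEnd, so
// when next becomes nullptr with pastEnd == nullptr the loop ends cleanly.
std::vector<int> traverse(Node* start, Node* pastEnd) {
    std::vector<int> visited;
    Node* nxt = nullptr;
    for (Node* n = start; n != pastEnd; n = nxt) {
        visited.push_back(n->id);
        nxt = next(n);
        if (n->skipChildren) {
            nxt = nextSkippingChildren(n);
            // The reviewed condition: never skip over pastEnd. If pastEnd sits
            // inside n's subtree, or skipping ran off the tree, land on pastEnd.
            if (pastEnd && (isDescendantOf(*pastEnd, *n) || !nxt))
                nxt = pastEnd;
        }
    }
    return visited;
}

// Constructed sample tree:
//   root(0)
//     a(1)   <- skipChildren
//       a1(2)
//       a2(3)
//     b(4)
// With stopAtA2 the range ends before a2; otherwise pastEnd is nullptr.
std::vector<int> traverseSample(bool stopAtA2) {
    Node root(0), a(1), a1(2), a2(3), b(4);
    appendChild(root, a); appendChild(a, a1); appendChild(a, a2); appendChild(root, b);
    a.skipChildren = true;
    return traverse(&root, stopAtA2 ? &a2 : nullptr);
}

// The reviewer's case: skipping a's children reaches the end of the tree
// (next == nullptr) while pastEnd is also nullptr.
std::vector<int> traverseTailSample() {
    Node root(0), a(1), a1(2);
    appendChild(root, a); appendChild(a, a1);
    a.skipChildren = true;
    return traverse(&root, nullptr);
}

int main() {
    assert((traverseSample(false) == std::vector<int>{0, 1, 4}));
    assert((traverseSample(true) == std::vector<int>{0, 1}));   // a2 not skipped over
    assert((traverseTailSample() == std::vector<int>{0, 1}));   // exits on n == pastEnd == nullptr
    return 0;
}
```

The second sample is the reason the clamp exists at all: without `nxt = pastEnd`, skipping `a`'s children would move straight to `b`, past the range end. The third sample shows why the `!next` half of the condition is only needed when `pastEnd` is non-null, exactly as the comment says.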