[Webkit-unassigned] [Bug 199224] Crash in WebCore::StyledMarkupAccumulator::traverseNodesForSerialization

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Aug 13 11:42:57 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=199224

--- Comment #14 from Ryosuke Niwa <rniwa at webkit.org> ---
Comment on attachment 406503
  --> https://bugs.webkit.org/attachment.cgi?id=406503
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=406503&action=review

>>> Source/WebCore/editing/markup.cpp:671
>>> +            if (pastEnd && (isDescendantOf(*pastEnd, *n) || !next))
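Review bot: with `!next` folded into the `pastEnd &&` condition, a null `next` is only redirected when `pastEnd` is non-null; when both are null this branch is not taken and termination rests on the loop's `n != pastEnd` exit test (n becomes null, equal to pastEnd) rather than on anything visible on this line. A one-line comment here stating that invariant would answer the question raised below at the point where a reader meets the code, and would make it obvious that the `!next` clause is about not running off the end of a tree while `pastEnd` is still ahead, not about the null-`pastEnd` case.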
>> 
>> Not sure if the !next check should be in a different if () block. 
>> 
>> For example what happens if !pastEnd and !next ? In theory we'd end up having n == nullptr in the next iteration leading to a crash, wouldn't we?
> 
> And what do we use then for next if pastEnd is also nullptr? I would need a test to understand that case, I'm afraid.

The loop will terminate if next is null and pastEnd is also null because the loop invariant is that n != pastEnd.

-- 
You are receiving this mail because:
You are the assignee for the bug.
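The termination argument in this comment, as an added C++ sketch that is not WebKit's code: a toy tree walker with the same loop shape (`for (n = start; n != pastEnd; n = next)`), a `serializable` flag standing in for the subtree-skipping branch, and the quoted condition. The helper names, the `serializable` flag and the `next = pastEnd` assignment after the quoted condition are this example's assumptions about the patch, not taken from the page.

```cpp
#include <cstdio>
#include <vector>

// Minimal DOM-like node, constructed for this example (not WebCore::Node).
struct Node {
    int id;
    bool serializable;            // false: stand-in for "skip this node's subtree" (assumption)
    Node* parent = nullptr;
    Node* firstChild = nullptr;
    Node* nextSibling = nullptr;

    explicit Node(int i, bool s = true) : id(i), serializable(s) {}

    void appendChild(Node& child) {
        child.parent = this;
        if (!firstChild) { firstChild = &child; return; }
        Node* last = firstChild;
        while (last->nextSibling)
            last = last->nextSibling;
        last->nextSibling = &child;
    }
};

// Pre-order successor that does not enter n's subtree (nullptr at the end of the tree).
Node* nextSkippingChildren(Node& n) {
    for (Node* p = &n; p; p = p->parent) {
        if (p->nextSibling)
            return p->nextSibling;
    }
    return nullptr;
}

// Plain pre-order successor.
Node* traverseNext(Node& n) {
    if (n.firstChild)
        return n.firstChild;
    return nextSkippingChildren(n);
}

bool isDescendantOf(const Node& candidate, const Node& ancestor) {
    for (const Node* p = candidate.parent; p; p = p->parent) {
        if (p == &ancestor)
            return true;
    }
    return false;
}

// Walk [start, pastEnd) in pre-order and record the ids visited. The loop shape mirrors the
// one discussed in the thread; the `next = pastEnd` redirection is this example's reading of the patch.
std::vector<int> traverseNodesForSerialization(Node* start, Node* pastEnd) {
    std::vector<int> visited;
    Node* next = nullptr;
    for (Node* n = start; n != pastEnd; n = next) {
        visited.push_back(n->id);
        next = traverseNext(*n);
        if (!n->serializable) {
            next = nextSkippingChildren(*n);
            // The quoted condition: never skip over pastEnd, and never run off the end of the
            // tree while pastEnd is still ahead. When pastEnd is null this branch is not taken,
            // and a null `next` ends the loop through the `n != pastEnd` test (both null).
            if (pastEnd && (isDescendantOf(*pastEnd, *n) || !next))
                next = pastEnd;
        }
    }
    return visited;
}

// Scenarios from the thread. Tree:  1 -> { 2* -> { 4 },  3 -> { 5* } }   (* = not serializable)
// plus an unrelated node 9 in a separate tree.
std::vector<int> runScenario(int scenario) {
    Node n1(1), n2(2, false), n3(3), n4(4), n5(5, false), other(9);
    n1.appendChild(n2);
    n1.appendChild(n3);
    n2.appendChild(n4);
    n3.appendChild(n5);
    switch (scenario) {
    case 0:  return traverseNodesForSerialization(&n1, nullptr); // pastEnd null: ends when next is null
    case 1:  return traverseNodesForSerialization(&n1, &other);  // pastEnd in another tree: !next redirects
    default: return traverseNodesForSerialization(&n1, &n4);     // pastEnd inside a skipped subtree
    }
}

int main() {
    for (int s = 0; s < 3; ++s) {
        std::printf("scenario %d:", s);
        for (int id : runScenario(s))
            std::printf(" %d", id);
        std::printf("\n");
    }
    return 0;
}
```

Scenario 0 is the case asked about in the thread (`!pastEnd && !next`): the walker leaves node 5 with `next == nullptr`, so `n` becomes null on the next iteration and the `n != pastEnd` test ends the loop before `n` is dereferenced. Scenario 2 shows why the descendant check is there: without the redirection, skipping node 2's subtree would step over `pastEnd` (node 4) and the walk would run to the end of the tree.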