[Webkit-unassigned] [Bug 207241] Nullptr crash in WebCore::findPlaceForCounter with pseudo element that has display:contents host.

bugzilla-daemon at webkit.org
Tue Feb 4 17:00:49 PST 2020


https://bugs.webkit.org/show_bug.cgi?id=207241

--- Comment #1 from Jack <shihchieh_lee at apple.com> ---
<rdar://57707864>

In this test case, we are looking for the host of a pseudo element in the function findPlaceForCounter. However, the host element (Q) happens to have display: contents, so its renderer is null, which is not an expected end of the searching logic. The code goes down the wrong path and crashes.

(B)lock/(I)nline/I(N)line-block, (A)bsolute/Fi(X)ed/(R)elative/Stic(K)y, (F)loating, (O)verflow clip, Anon(Y)mous, (G)enerated, has(L)ayer, (C)omposited, (+)Dirty style, (+)Dirty layout
B---YGLC -+  RenderView at (0,0) size 0x0 renderer->(0x61700003cd80) layout->[normal child]
B-----L- -+    HTML RenderBlock at (0,0) size 0x0 renderer->(0x61200004f9c0) node->(0x60c0000a0f00) layout->[self][normal child]
B------- -+      BODY RenderBody at (0,0) size 0x0 renderer->(0x61200004fb40) node->(0x60c0000a2580) layout->[self][normal child]
I----G-- -+*       <pseudo> RenderInline renderer->(0x6110000d6000) node->(0x60d00003cb30) layout->[self][normal child]
I---YG-- -+          RenderQuote renderer->(0x6110000d6140) layout->[self][normal child]
I---YG-- -+            RenderText renderer->(0x60d00003cf40) layout->[self]
N------- -+        INPUT RenderTextControl at (0,0) size 0x0 renderer->(0x61200004fcc0) node->(0x61200005f440) layout->[self][normal child]
B--O--L- -+          DIV RenderBlock at (0,0) size 0x0 renderer->(0x61200004fe40) node->(0x60c0000a2880) layout->[self]
I------- -+        #text RenderText renderer->(0x60b000052840) node->(0x6080000520a0) length->(1) "\n" layout->[self]
I----G-- -+        <pseudo> RenderInline renderer->(0x6110000d6280) node->(0x60d00003cc00) layout->[self][normal child]
I---YG-- -+          RenderQuote renderer->(0x6110000d63c0) layout->[self][normal child]
I---YG-- -+            RenderText renderer->(0x60d000046800) layout->[self]

BODY    0x60c0000a2580 (renderer 0x61200004fb40) 
        Q       0x60c0000a2640 (renderer 0x0) 
*               INPUT   0x61200005f440 (renderer 0x61200004fcc0) 
                        #document-fragment      0x61200005f5c0 (renderer 0x0)  (needs style recalc) (child needs style recalc)
                                DIV     0x60c0000a2880 (renderer 0x61200004fe40) 
                #text   0x6080000520a0 "\n"

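The failure mode described in the comment, as an added toy model (not WebKit's findPlaceForCounter, render tree or DOM classes; every type and function name below, including hostHasRendererAssumptionHolds, nearestRenderedAncestor and findPlaceForPseudo, is hypothetical): a search that treats "host has no renderer" as the end of the walk, next to a guarded version that keeps walking DOM ancestors past a display:contents host. The tree is constructed to mirror the dump above (BODY > Q with display:contents > INPUT, plus Q's two quote pseudo elements whose renderers attach under BODY).

```cpp
// Toy model of the search the comment describes. Added illustration only: the
// types and function names here are hypothetical and are NOT WebKit's
// findPlaceForCounter or its render/DOM classes.
#include <cstddef>

struct Node;

// Render-tree box. Only elements that generate a box have one.
struct Renderer {
    Node* node = nullptr;
    Renderer* parent = nullptr;  // render-tree parent
};

// DOM node. An element styled display:contents keeps its DOM position and its
// children but gets no Renderer of its own, like Q (renderer 0x0) in the dump.
struct Node {
    const char* tag = "";
    Node* parent = nullptr;      // DOM parent
    Node* host = nullptr;        // for a pseudo element: the element that generated it
    bool isPseudo = false;
    Renderer* renderer = nullptr;
};

// The assumption the comment says the original search relied on: a pseudo
// element's host always has a renderer, so a null renderer means "end of the
// search". With a display:contents host this is false, and code that then
// dereferences host->renderer crashes on nullptr.
bool hostHasRendererAssumptionHolds(const Node* pseudo) {
    return pseudo->host && pseudo->host->renderer;
}

// Nearest node, walking DOM ancestors from `start`, that has a renderer.
// Skipping over display:contents ancestors is what makes a null renderer safe.
Node* nearestRenderedAncestor(Node* start) {
    for (Node* n = start; n; n = n->parent) {
        if (n->renderer)
            return n;
    }
    return nullptr;
}

// Guarded version: resolve the host, and if the host has no box, continue up
// the DOM instead of treating null as the end. Returns nullptr only when no
// rendered ancestor exists at all (or the input is not a pseudo element).
Renderer* findPlaceForPseudo(const Node* pseudo) {
    if (!pseudo->isPseudo || !pseudo->host)
        return nullptr;
    Node* host = pseudo->host;
    Node* rendered = host->renderer ? host : nearestRenderedAncestor(host->parent);
    return rendered ? rendered->renderer : nullptr;
}

// Constructed tree mirroring the dump above:
//   BODY > Q(display:contents) > INPUT, plus Q's ::before/::after pseudo elements.
struct Scene {
    Renderer bodyR, inputR, beforeR, afterR;
    Node body, q, input, before, after;
};

void buildScene(Scene& s) {
    s.body   = {"BODY", nullptr, nullptr, false, &s.bodyR};
    s.q      = {"Q", &s.body, nullptr, false, nullptr};   // display:contents: no renderer
    s.input  = {"INPUT", &s.q, nullptr, false, &s.inputR};
    s.before = {"<pseudo>", &s.q, &s.q, true, &s.beforeR};
    s.after  = {"<pseudo>", &s.q, &s.q, true, &s.afterR};

    s.bodyR = {&s.body, nullptr};
    // Q has no box, so its children's renderers attach under BODY's renderer.
    s.inputR  = {&s.input, &s.bodyR};
    s.beforeR = {&s.before, &s.bodyR};
    s.afterR  = {&s.after, &s.bodyR};
}

int main() {
    Scene s;
    buildScene(s);
    // The naive assumption fails for Q's pseudo elements; the guarded search
    // still finds BODY's renderer as the place to continue from.
    return (!hostHasRendererAssumptionHolds(&s.before)
            && findPlaceForPseudo(&s.before) == &s.bodyR) ? 0 : 1;
}
```

The point to take from the model is that "renderer == nullptr" is not a reliable end-of-walk signal once display:contents exists: a DOM walk that skips unrendered ancestors terminates at the real root, whereas a walk that assumes every host has a box dereferences null at the first such host.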