[Webkit-unassigned] [Bug 206109] Nullptr deref in WebCore::RenderTreeBuilder::Block::attachIgnoringContinuation when an element is inserted before legend under multi-column layout.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jan 23 19:24:30 PST 2020


--- Comment #2 from Jack <shihchieh_lee at apple.com> ---
In this test case, CANVAS is being inserted into FIELDSET before LEGEND. However, since FIELDSET has multiple columns, the parent is set to “RenderMultiColumnFlowThread” in FIELDSET, while “beforechild” remains LEGEND, causing the while loop in attachIgnoringContinuation to access a null pointer since a common parent cannot be found.

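The failure mode described in the comment above, as an added example that is not part of the original message and is not WebKit's code: a simplified model of an ancestor walk that assumes `beforeChild` lives under the insertion parent, next to a bounded version. `Node`, `directChildContaining` and the "append when no common parent exists" fallback are assumptions made for illustration.

```cpp
#include <cstdio>

// Simplified stand-in for a render-tree node (hypothetical, not WebCore's RenderObject).
struct Node {
    const char* name;
    Node* parent;
};

// Unsafe shape of the walk: it assumes beforeChild is a descendant of parent.
// When it is not, the loop climbs past the root and dereferences nullptr:
//
//   Node* c = beforeChild->parent;
//   while (c->parent != &parent)
//       c = c->parent;
//
// Bounded walk: returns the ancestor-or-self of beforeChild that is a direct
// child of parent, or nullptr when beforeChild is not under parent at all.
Node* directChildContaining(Node& parent, Node* beforeChild)
{
    for (Node* cur = beforeChild; cur; cur = cur->parent) {
        if (cur->parent == &parent)
            return cur;
    }
    return nullptr; // no common parent: caller must not dereference
}

int main()
{
    // Constructed tree mirroring the report: the multi-column flow thread and
    // LEGEND are siblings under FIELDSET, so LEGEND is not under the flow thread.
    Node fieldset{"FIELDSET", nullptr};
    Node flowThread{"MultiColumnFlowThread", &fieldset};
    Node legend{"LEGEND", &fieldset};

    // Insertion was redirected to the flow thread, but beforeChild is still LEGEND.
    Node* anchor = directChildContaining(flowThread, &legend);
    if (!anchor)
        std::printf("beforeChild %s is not under %s: append instead (assumed fallback)\n",
                    legend.name, flowThread.name);
    else
        std::printf("insert before %s\n", anchor->name);
    return 0;
}
```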