[Webkit-unassigned] [Bug 206109] Nullptr deref in WebCore::RenderTreeBuilder::Block::attachIgnoringContinuation when an element is inserted before legend under multi-column layout.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jan 23 19:29:47 PST 2020 

https://bugs.webkit.org/show_bug.cgi?id=206109

--- Comment #3 from Jack <shihchieh_lee at apple.com> ---
(In reply to Jack from comment #1)
> Created attachment 388645 [details]
> Patch

The patch would insert CANVAS into RenderMultiColumnFlowThread, same as when CANVAS is statically inserted before LEGEND (by <fieldset> <canvas id="CANVAS"></canvas><legend id="LEGEND"></legend>).

(B)lock/(I)nline/I(N)line-block, (A)bsolute/Fi(X)ed/(R)elative/Stic(K)y, (F)loating, (O)verflow clip, Anon(Y)mous, (G)enerated, has(L)ayer, (C)omposited, (+)Dirty style, (+)Dirty layout
B---YGLC -+  RenderView at (0,0) size 0x0 renderer->(0x61700003e600) layout->[normal child]
B-----L- -+*   HTML RenderBlock at (0,0) size 0x0 renderer->(0x61200004dec0) node->(0x60c0000a6b40) layout->[self][normal child]
B---YGL- -+      RenderMultiColumnFlowThread at (0,0) size 0x0 renderer->(0x61600005d980) [Rs:0x0 Re:0x0] layout->[self][normal child]
B-----L- -+        BODY RenderBody at (0,0) size 0x0 renderer->(0x61200004e1c0) node->(0x60c0000a8280) [Rs:0x0 Re:0x0] layout->[self][normal child]
B---YGL- -+          RenderMultiColumnFlowThread at (0,0) size 0x0 renderer->(0x61600005d680) [Rs:0x0 Re:0x0] layout->[self][normal child]
B-----L- -+            FIELDSET RenderFieldSet at (0,0) size 0x0 renderer->(0x61200004e4c0) node->(0x6110000ad240) [Rs:0x0 Re:0x0] layout->[self][normal child]
B---YGL- -+              RenderMultiColumnFlowThread at (0,0) size 0x0 renderer->(0x61600005d380) [Rs:0x0 Re:0x0] layout->[self][normal child]
B---YG-- -+                RenderBlock at (0,0) size 0x0 renderer->(0x61200004edc0) [Rs:0x0 Re:0x0] layout->[self][normal child]
I-----L- -+                  CANVAS RenderHTMLCanvas at (0,0) size 0x0 renderer->(0x61200004e7c0) node->(0x61200005fd40) [Rs:0x0 Re:0x0] layout->[self]
B---YG-- -+              RenderMultiColumnSet at (0,0) size 0x0 renderer->(0x61400003b440) [Rs:0x0 Re:0x0] layout->[self]
B-----L- -+              LEGEND RenderBlock at (0,0) size 0x0 renderer->(0x61200004eac0) node->(0x60c0000a8580) [Rs:0x0 Re:0x0] layout->[self]
B---YG-- -+          RenderMultiColumnSet at (0,0) size 0x0 renderer->(0x61400003be40) [Rs:0x0 Re:0x0] layout->[self]
B---YG-- -+      RenderMultiColumnSet at (0,0) size 0x0 renderer->(0x61400003c640) layout->[self]

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200124/e47824b9/attachment.htm>

More information about the webkit-unassigned mailing list