[Webkit-unassigned] [Bug 206106] Null Ptr Deref READ @ WebCore::RenderMultiColumnFlow::lastMultiColumnSet const

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jan 24 11:03:22 PST 2020


https://bugs.webkit.org/show_bug.cgi?id=206106

--- Comment #2 from Jack <shihchieh_lee at apple.com> ---
In this test case, RenderMultiColumnFlowThread is being detached from LI RenderListItem, so the code tries to move its children to its parent (by searching for sibling and creating new RenderMultiColumnSet). However, because the nodes are being destroyed in preorder in the function RenderTreeBuilder::destroy, no parent can be found for child insertion.

Tried changing the destroy function to call detach in post-order, and the problem can be solved.

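A toy model of the ordering problem described in comment #2, added here as an illustration; it is not WebKit code and does not come from the bug report. The `Node` and `Tree` types and all function names are hypothetical, and the model assumes that a parent which has already been detached counts as "not found".

```cpp
#include <algorithm>
#include <cstdio>
#include <memory>
#include <vector>
// Toy model with hypothetical names; not WebKit code.
struct Node {
    bool isWrapper = false;   // stands in for the multi-column flow renderer
    bool attached = true;     // cleared once detach() has run on this node
    Node* parent = nullptr;
    std::vector<Node*> children;
};
struct Tree {
    std::vector<std::unique_ptr<Node>> storage;  // owns every node, so nothing dangles
    int missingParent = 0;                       // wrapper detaches with no usable parent
    Node* add(Node* parent, bool isWrapper = false) {
        storage.push_back(std::make_unique<Node>());
        Node* n = storage.back().get();
        n->isWrapper = isWrapper; n->parent = parent;
        if (parent) parent->children.push_back(n);
        return n;
    }
    void detach(Node* n) {   // a wrapper first hands its remaining children to its parent
        Node* p = n->parent;
        if (n->isWrapper && !n->children.empty()) {
            if (!p || !p->attached) ++missingParent;   // real code would read through null; counted here
            else for (Node* c : n->children) { c->parent = p; p->children.push_back(c); }
            n->children.clear();
        }
        if (p) p->children.erase(std::remove(p->children.begin(), p->children.end(), n), p->children.end());
        n->parent = nullptr; n->attached = false;
    }
    void destroyPreOrder(Node* n) {    // node first, then its subtree
        std::vector<Node*> kids = n->children;
        detach(n);
        for (Node* c : kids) destroyPreOrder(c);
    }
    void destroyPostOrder(Node* n) {   // subtree first, then the node
        for (Node* c : std::vector<Node*>(n->children)) destroyPostOrder(c);
        detach(n);
    }
};
// Constructed tree: root > item > wrapper > {a, b}; returns failed parent lookups.
int failedLookups(bool postOrder) {
    Tree t; Node* item = t.add(t.add(nullptr));
    Node* wrapper = t.add(item, true);
    t.add(wrapper); t.add(wrapper);
    if (postOrder) t.destroyPostOrder(item); else t.destroyPreOrder(item);
    return t.missingParent;
}
int main() { std::printf("pre-order: %d, post-order: %d\n", failedLookups(false), failedLookups(true)); }
```

In the post-order run the wrapper's children are already gone by the time the wrapper itself is detached, so the hand-off to the parent never has to happen.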