[Webkit-unassigned] [Bug 206107] Nullptr crash in WebCore::findPlaceForCounter with display: contents sibling

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jan 27 17:20:58 PST 2020


https://bugs.webkit.org/show_bug.cgi?id=206107

--- Comment #1 from Jack <shihchieh_lee at apple.com> ---
Root cause of the crash:
In function “findPlaceForCounter”, function “previousSiblingOrParent” will skip all siblings before a sibling that has display: contents and finds its parent. On the other hand, function “previousInPreOrder” will search through all the siblings.

In this particular test case, when previousInPreOrder is inserting a counter for “SELECT”, the previousSiblingOrParent function starts from TIME but jumps to BODY since OL’s renderer is null.

This root cause is verified by modifying function previousSiblingOrParent such that it will return the next sibling if the previous one has display: contents.

*BODY   0x60c00009a300 (renderer 0x61200004d740) 
        SELECT  0x613000064f80 (renderer 0x6150000a0d00) 
        OL      0x60e000058720 (renderer 0x0) 
                TIME    0x60c00009a540 (renderer 0x6110000da240) 
        Q       0x60c00009a600 (renderer 0x6110000da380)  STYLE=counter-increment: c 1;
        #text   0x60800004c720 "\n"

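The two traversals the comment contrasts, reproduced as an added toy model of the DOM dump above (not WebKit's RenderCounter or ElementTraversal code; `Element`, `previousRenderedInPreOrder`, `previousSiblingOrParent` and `walksFromTime` are hypothetical names, and a false `hasRenderer` stands in for display: contents). It shows that from TIME one walk lands on SELECT while the other jumps to BODY, which is the disagreement behind the null dereference.

```cpp
#include <string>
#include <utility>
#include <vector>

// Minimal element tree; hasRenderer == false models a display: contents element.
struct Element {
    std::string name;
    bool hasRenderer;
    Element* parent = nullptr;
    std::vector<Element*> children;
    Element(std::string n, bool r) : name(std::move(n)), hasRenderer(r) {}
    Element* appendChild(Element* c) { c->parent = this; children.push_back(c); return c; }
    Element* previousSibling() const {
        if (!parent) return nullptr;
        const auto& s = parent->children;
        for (size_t i = 1; i < s.size(); ++i) if (s[i] == this) return s[i - 1];
        return nullptr;
    }
};

// Plain pre-order predecessor: deepest last descendant of the previous sibling, else the parent.
static Element* previousInPreOrder(const Element* e) {
    Element* prev = e->previousSibling();
    if (!prev) return e->parent;
    while (!prev->children.empty()) prev = prev->children.back();
    return prev;
}

// Walk 1 (models previousInPreOrder): keep stepping back until an element with a renderer.
static Element* previousRenderedInPreOrder(const Element* e) {
    for (Element* p = previousInPreOrder(e); p; p = previousInPreOrder(p))
        if (p->hasRenderer) return p;
    return nullptr;
}

// Walk 2 (models previousSiblingOrParent as described): scan previous siblings, but give up
// on the first renderer-less one and fall back to the nearest ancestor that has a renderer.
static Element* previousSiblingOrParent(const Element* e) {
    for (Element* s = e->previousSibling(); s && s->hasRenderer; s = s->previousSibling())
        return s;
    for (Element* p = e->parent; p; p = p->parent)
        if (p->hasRenderer) return p;
    return nullptr;
}

struct Walks { std::string preOrder, siblingOrParent; };

// Constructed sample mirroring the dump: BODY > (SELECT, OL[no renderer] > TIME, Q).
static Walks walksFromTime() {
    static Element body("BODY", true), sel("SELECT", true), ol("OL", false), time("TIME", true), q("Q", true);
    if (body.children.empty()) { body.appendChild(&sel); body.appendChild(&ol)->appendChild(&time); body.appendChild(&q); }
    return { previousRenderedInPreOrder(&time)->name, previousSiblingOrParent(&time)->name };
}
```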