[Webkit-unassigned] [Bug 261421] New: REGRESSION(267280 at main): costco.com crash in WebCore::ShorthandSerializer::serializeGridTemplate const

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Sep 11 11:41:25 PDT 2023


https://bugs.webkit.org/show_bug.cgi?id=261421

            Bug ID: 261421
           Summary: REGRESSION(267280 at main): costco.com crash in
                    WebCore::ShorthandSerializer::serializeGridTemplate
                    const
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: CSS
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: sgill26 at apple.com

Created attachment 467643

  --> https://bugs.webkit.org/attachment.cgi?id=467643&action=review

Testcase

Costco's checkout page uses element.textContent = "" and this ends up disconnecting some nodes from the tree. When the ShorthandSerializer tries to get the value for each of the longhands of grid-template, the ComputedStyleExtractor is unable to resolve the RenderStyle to use via computeRenderStyleForProperty and returns nullptr for the longhand value. This results in a hard nullptr deref in ShorthandSerializer::longhandValue.
