[Webkit-unassigned] [Bug 287905] New: Flattening may be triggered before tree is connected, and the function crashes when reaching a non-connected parent.
bugzilla-daemon at webkit.org
Tue Feb 18 15:55:11 PST 2025
https://bugs.webkit.org/show_bug.cgi?id=287905
Bug ID: 287905
Summary: Flattening may be triggered before tree is connected, and the function crashes when reaching a non-connected parent.
Product: WebKit
Version: WebKit Local Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: New Bugs
Assignee: webkit-unassigned at lists.webkit.org
Reporter: pvarangot at apple.com
This requires some specific timing/layout like in this test:
<html>
<head>
<style>
.class7 {
perspective: 0px;
}
:not(.active) {
grid;
white-space-collapse: preserve-breaks;
container: a0 / inline-size;
-webkit-mask-box-image: url();
}
</style>
<script>
function runTest() {
body = document.body;
body.style.setProperty("border-bottom-width", "thin");
something = document.elementFromPoint(0, 0);
htmlElement = document.documentElement;
htmlElement.append(body);
testRunner?.dumpAsText();
testRunner?.notifyDone();
}
testRunner?.waitUntilDone();
</script>
</head>
<body onload=runTest()>
<title>Title</title>
<p>This test passes if webkit doesn't crash</p>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<form class="class7">
<keygen />
</form>
<br />
<br />
<br />
<br />
</body>
</html>