206106 2020-01-10 15:43:35 -0800 Null Ptr Deref READ @ WebCore::RenderMultiColumnFlow::lastMultiColumnSet const 2020-01-24 17:37:27 -0800 1 1 1 Unclassified WebKit Layout and Rendering WebKit Nightly Build All All RESOLVED FIXED InRadar P2 Normal --- 1 shihchieh_lee webkit-unassigned bfulgham commit-queue ews-feeder ggaren koivisto product-security rniwa simon.fraser webkit-bug-importer zalan oldest_to_newest 1605360 0 shihchieh_lee 2020-01-10 15:43:35 -0800 <rdar://problem/56685305> 1606676 1 387725 shihchieh_lee 2020-01-14 16:26:06 -0800 Created attachment 387725 Patch 1610763 2 shihchieh_lee 2020-01-24 11:03:22 -0800 In this test case RenderMultiColumnFlowThread is being detached from LI RenderListItem, so the code tries to move its children to its parent (by searching for sibling and creating new RenderMultiColumnSet). However, because the nodes are being destroyed in preorder in function RenderTreeBuilder::destroy, no parent can be found for child insertion. Tried changing the destroy function to call detach in post-order, and the problem can be solved. 1610764 3 shihchieh_lee 2020-01-24 11:04:02 -0800 After discussing with Geoff 1610771 4 shihchieh_lee 2020-01-24 11:12:21 -0800 After discussing with Geoff, Alan and Antti, it was determined that the best approach is to check null multicolumn container (parent) and just exit the column processing functions. Doing so help expedite destroy process. If later other functions also try to refer container in destroy process, we should exit the function immediately. Ideally we should avoid moving children altogether, but that will require some refactoring, so we put null check for now. (In reply to Jack from comment #3) > After discussing with Geoff 1610775 5 shihchieh_lee 2020-01-24 11:15:59 -0800 Alan also verified with setting multi-column to 2 then 1 to make sure an element will be correctly attached back to multi-column container when RenderMultiColumnFlowThread is detached. Below is the html to verify RenderMultiColumnFlowThread attach/detach: <div id = container> <div>foo</div> <div>bar</div> </div> <script> container.style.webkitColumnCount = "2"; setTimeout(function() { container.style.webkitColumnCount = "1"; }, 5000); </script> 1610779 6 shihchieh_lee 2020-01-24 11:20:59 -0800 Change the bug to non-security since the parent pointer is correctly set to null when a render element is detached. The pointer will not point to random or freed address. 1610949 7 commit-queue 2020-01-24 17:36:49 -0800 The commit-queue encountered the following flaky tests while processing attachment 387725: editing/spelling/spellcheck-attribute.html bug 206178 (authors: g.czajkowski@samsung.com, mark.lam@apple.com, and rniwa@webkit.org) The commit-queue is continuing to process your patch. 1610950 8 387725 commit-queue 2020-01-24 17:37:25 -0800 Comment on attachment 387725 Patch Clearing flags on attachment: 387725 Committed r255113: <https://trac.webkit.org/changeset/255113> 1610951 9 commit-queue 2020-01-24 17:37:27 -0800 All reviewed patches have been landed. Closing bug. 387725 2020-01-14 16:26:06 -0800 2020-01-24 17:37:25 -0800 Patch bug-206106-20200114162606.patch text/plain 2639 shihchieh_lee U3VidmVyc2lvbiBSZXZpc2lvbjogMjUzOTgyCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggYjEzMzliZGY4NTgzMzgx MTRhNjAwYTg1OGY0MjAyZWNhMGFmM2JlZi4uMTkzZTI3MzViZGIxMzRmNWQxMjQ4M2JiMzRiNzlh ZjA5MzI3NjIzMyAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE3IEBACisyMDIwLTAxLTE0ICBKYWNr IExlZSAgPHNoaWhjaGllaF9sZWVAYXBwbGUuY29tPgorCisgICAgICAgIE51bGwgUHRyIERlcmVm IFJFQUQgQCBXZWJDb3JlOjpSZW5kZXJNdWx0aUNvbHVtbkZsb3c6Omxhc3RNdWx0aUNvbHVtblNl dCBjb25zdAorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9 MjA2MTA2CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAg Q291bGQgbm90IHdyaXRlIGEgcmVwcm9kdWNpYmxlIGZhc3QgdGVzdCBjYXNlIGZvciB0aGlzLgor CisgICAgICAgICogcmVuZGVyaW5nL1JlbmRlck11bHRpQ29sdW1uRmxvdy5jcHA6CisgICAgICAg IChXZWJDb3JlOjpSZW5kZXJNdWx0aUNvbHVtbkZsb3c6Omxhc3RNdWx0aUNvbHVtblNldCBjb25z dCk6CisgICAgICAgICogcmVuZGVyaW5nL3VwZGF0aW5nL1JlbmRlclRyZWVCdWlsZGVyTXVsdGlD b2x1bW4uY3BwOgorICAgICAgICAoV2ViQ29yZTo6UmVuZGVyVHJlZUJ1aWxkZXI6Ok11bHRpQ29s dW1uOjpwcm9jZXNzUG9zc2libGVTcGFubmVyRGVzY2VuZGFudCk6CisKIDIwMjAtMDEtMDIgIEFs ZXggQ2hyaXN0ZW5zZW4gIDxhY2hyaXN0ZW5zZW5Ad2Via2l0Lm9yZz4KIAogICAgICAgICBBZGQg U1BJIHRvIGRpc2FibGUgQ09SUyBvbiByZXF1ZXN0cyB0byBVUkxzIG1hdGNoaW5nIGEgcGF0dGVy bgpkaWZmIC0tZ2l0IGEvU291cmNlL1dlYkNvcmUvcmVuZGVyaW5nL1JlbmRlck11bHRpQ29sdW1u Rmxvdy5jcHAgYi9Tb3VyY2UvV2ViQ29yZS9yZW5kZXJpbmcvUmVuZGVyTXVsdGlDb2x1bW5GbG93 LmNwcAppbmRleCA0MTAzZGFkNDg0NGRkMjRhMzAyYTczMmFmMjIxOWFjOTAwMDFjYmI1Li40M2Mw YmY2NDBlZDQ0MGQzMzllYmFkYTA1NGJmN2M1Yjg4NzUwZjUxIDEwMDY0NAotLS0gYS9Tb3VyY2Uv V2ViQ29yZS9yZW5kZXJpbmcvUmVuZGVyTXVsdGlDb2x1bW5GbG93LmNwcAorKysgYi9Tb3VyY2Uv V2ViQ29yZS9yZW5kZXJpbmcvUmVuZGVyTXVsdGlDb2x1bW5GbG93LmNwcApAQCAtNzQsNiArNzQs OCBAQCBSZW5kZXJNdWx0aUNvbHVtblNldCogUmVuZGVyTXVsdGlDb2x1bW5GbG93OjpmaXJzdE11 bHRpQ29sdW1uU2V0KCkgY29uc3QKIAogUmVuZGVyTXVsdGlDb2x1bW5TZXQqIFJlbmRlck11bHRp Q29sdW1uRmxvdzo6bGFzdE11bHRpQ29sdW1uU2V0KCkgY29uc3QKIHsKKyAgICBBU1NFUlQobXVs dGlDb2x1bW5CbG9ja0Zsb3coKSk7CisKICAgICBmb3IgKFJlbmRlck9iamVjdCogc2libGluZyA9 IG11bHRpQ29sdW1uQmxvY2tGbG93KCktPmxhc3RDaGlsZCgpOyBzaWJsaW5nOyBzaWJsaW5nID0g c2libGluZy0+cHJldmlvdXNTaWJsaW5nKCkpIHsKICAgICAgICAgaWYgKGlzPFJlbmRlck11bHRp Q29sdW1uU2V0Pigqc2libGluZykpCiAgICAgICAgICAgICByZXR1cm4gZG93bmNhc3Q8UmVuZGVy TXVsdGlDb2x1bW5TZXQ+KHNpYmxpbmcpOwpkaWZmIC0tZ2l0IGEvU291cmNlL1dlYkNvcmUvcmVu ZGVyaW5nL3VwZGF0aW5nL1JlbmRlclRyZWVCdWlsZGVyTXVsdGlDb2x1bW4uY3BwIGIvU291cmNl L1dlYkNvcmUvcmVuZGVyaW5nL3VwZGF0aW5nL1JlbmRlclRyZWVCdWlsZGVyTXVsdGlDb2x1bW4u Y3BwCmluZGV4IDQxODc4OTMyNGVhYzAzNGFjMDFiNzI1MTExODg0YjA3ZWUwYjc3NDEuLmE2MTY5 M2RhN2Q4ZjNhYzYwOTU4MjZhNWM3ZmUxOGNjN2M5YjFhYWQgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9X ZWJDb3JlL3JlbmRlcmluZy91cGRhdGluZy9SZW5kZXJUcmVlQnVpbGRlck11bHRpQ29sdW1uLmNw cAorKysgYi9Tb3VyY2UvV2ViQ29yZS9yZW5kZXJpbmcvdXBkYXRpbmcvUmVuZGVyVHJlZUJ1aWxk ZXJNdWx0aUNvbHVtbi5jcHAKQEAgLTI4Miw2ICsyODIsOSBAQCBSZW5kZXJPYmplY3QqIFJlbmRl clRyZWVCdWlsZGVyOjpNdWx0aUNvbHVtbjo6cHJvY2Vzc1Bvc3NpYmxlU3Bhbm5lckRlc2NlbmRh bnQoUgogICAgIFJlbmRlck9iamVjdCogaW5zZXJ0QmVmb3JlTXVsdGljb2xDaGlsZCA9IG51bGxw dHI7CiAgICAgUmVuZGVyT2JqZWN0KiBuZXh0RGVzY2VuZGFudCA9ICZkZXNjZW5kYW50OwogCisg ICAgaWYgKCFtdWx0aWNvbENvbnRhaW5lcikKKyAgICAgICAgcmV0dXJuIG51bGxwdHI7CisKICAg ICBpZiAoaXNWYWxpZENvbHVtblNwYW5uZXIoZmxvdywgZGVzY2VuZGFudCkpIHsKICAgICAgICAg Ly8gVGhpcyBpcyBhIHNwYW5uZXIgKGNvbHVtbi1zcGFuOmFsbCkuIFN1Y2ggcmVuZGVyZXJzIGFy ZSBtb3ZlZCBmcm9tIHdoZXJlIHRoZXkgd291bGQKICAgICAgICAgLy8gb3RoZXJ3aXNlIG9jY3Vy IGluIHRoZSByZW5kZXIgdHJlZSB0byBiZWNvbWluZyBhIGRpcmVjdCBjaGlsZCBvZiB0aGUgbXVs dGljb2wgY29udGFpbmVyLAo=