206109 2020-01-10 16:29:00 -0800 Nullptr deref in WebCore::RenderTreeBuilder::Block::attachIgnoringContinuation when an element is inserted before legend under multi-column layout. 2020-01-24 11:12:52 -0800 1 1 1 Unclassified WebKit Layout and Rendering WebKit Nightly Build All All RESOLVED FIXED InRadar P2 Normal --- 1 shihchieh_lee webkit-unassigned bfulgham commit-queue esprehn+autocc ews-watchlist glenn koivisto kondapallykalyan pdr rniwa simon.fraser zalan oldest_to_newest 1605382 0 shihchieh_lee 2020-01-10 16:29:00 -0800 <rdar://problem/56600343> 1610492 1 388645 shihchieh_lee 2020-01-23 19:20:28 -0800 Created attachment 388645 Patch 1610493 2 shihchieh_lee 2020-01-23 19:24:30 -0800 In this test case, CANVAS is being inserted into FIELDSET before LEGEND. However, since FIELDSET has multi columns, so the parent is set to “RenderMultiColumnFlowThread” in FIELDSET, while “beforechild” remains to be LEGEND, causing the while loop in attachIgnoringContinuation to access null pointer since a common parent cannot be found. 1610494 3 shihchieh_lee 2020-01-23 19:29:47 -0800 (In reply to Jack from comment #1) > Created attachment 388645 [details] > Patch The patch would insert CANVAS into RenderMultiColumnFlowThread, same as when CANVAS is statically inserted before LEGEND (by <fieldset> <canvas id="CANVAS"></canvas><legend id="LEGEND"></legend>). (B)lock/(I)nline/I(N)line-block, (A)bsolute/Fi(X)ed/(R)elative/Stic(K)y, (F)loating, (O)verflow clip, Anon(Y)mous, (G)enerated, has(L)ayer, (C)omposited, (+)Dirty style, (+)Dirty layout B---YGLC -+ RenderView at (0,0) size 0x0 renderer->(0x61700003e600) layout->[normal child] B-----L- -+* HTML RenderBlock at (0,0) size 0x0 renderer->(0x61200004dec0) node->(0x60c0000a6b40) layout->[self][normal child] B---YGL- -+ RenderMultiColumnFlowThread at (0,0) size 0x0 renderer->(0x61600005d980) [Rs:0x0 Re:0x0] layout->[self][normal child] B-----L- -+ BODY RenderBody at (0,0) size 0x0 renderer->(0x61200004e1c0) node->(0x60c0000a8280) [Rs:0x0 Re:0x0] layout->[self][normal child] B---YGL- -+ RenderMultiColumnFlowThread at (0,0) size 0x0 renderer->(0x61600005d680) [Rs:0x0 Re:0x0] layout->[self][normal child] B-----L- -+ FIELDSET RenderFieldSet at (0,0) size 0x0 renderer->(0x61200004e4c0) node->(0x6110000ad240) [Rs:0x0 Re:0x0] layout->[self][normal child] B---YGL- -+ RenderMultiColumnFlowThread at (0,0) size 0x0 renderer->(0x61600005d380) [Rs:0x0 Re:0x0] layout->[self][normal child] B---YG-- -+ RenderBlock at (0,0) size 0x0 renderer->(0x61200004edc0) [Rs:0x0 Re:0x0] layout->[self][normal child] I-----L- -+ CANVAS RenderHTMLCanvas at (0,0) size 0x0 renderer->(0x61200004e7c0) node->(0x61200005fd40) [Rs:0x0 Re:0x0] layout->[self] B---YG-- -+ RenderMultiColumnSet at (0,0) size 0x0 renderer->(0x61400003b440) [Rs:0x0 Re:0x0] layout->[self] B-----L- -+ LEGEND RenderBlock at (0,0) size 0x0 renderer->(0x61200004eac0) node->(0x60c0000a8580) [Rs:0x0 Re:0x0] layout->[self] B---YG-- -+ RenderMultiColumnSet at (0,0) size 0x0 renderer->(0x61400003be40) [Rs:0x0 Re:0x0] layout->[self] B---YG-- -+ RenderMultiColumnSet at (0,0) size 0x0 renderer->(0x61400003c640) layout->[self] 1610769 4 commit-queue 2020-01-24 11:12:13 -0800 The commit-queue encountered the following flaky tests while processing attachment 388645: editing/spelling/spellcheck-attribute.html bug 206178 (authors: g.czajkowski@samsung.com, mark.lam@apple.com, and rniwa@webkit.org) The commit-queue is continuing to process your patch. 1610772 5 388645 commit-queue 2020-01-24 11:12:50 -0800 Comment on attachment 388645 Patch Clearing flags on attachment: 388645 Committed r255083: <https://trac.webkit.org/changeset/255083> 1610773 6 commit-queue 2020-01-24 11:12:52 -0800 All reviewed patches have been landed. Closing bug. 388645 2020-01-23 19:20:28 -0800 2020-01-24 11:12:50 -0800 Patch bug-206109-20200123192027.patch text/plain 4510 shihchieh_lee U3VidmVyc2lvbiBSZXZpc2lvbjogMjU1MDQzCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggODU0MzczNGMwMGFhZTRh ZGFiZjRkZmMwZDI3MjEzODFhNjBiODZlNC4uMGQ2YzVkNjIyNzQ2ZTMxMzYyYzZiYjg1OGQwNTUx ZjgzZWM4YmJjOSAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE1IEBACisyMDIwLTAxLTIzICBKYWNr IExlZSAgPHNoaWhjaGllaF9sZWVAYXBwbGUuY29tPgorCisgICAgICAgIE51bGxwdHIgZGVyZWYg aW4gV2ViQ29yZTo6UmVuZGVyVHJlZUJ1aWxkZXI6OkJsb2NrOjphdHRhY2hJZ25vcmluZ0NvbnRp bnVhdGlvbiB3aGVuIGFuIGVsZW1lbnQgaXMgaW5zZXJ0ZWQgYmVmb3JlIGxlZ2VuZCB1bmRlciBt dWx0aS1jb2x1bW4gbGF5b3V0LgorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93 X2J1Zy5jZ2k/aWQ9MjA2MTA5CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISku CisKKyAgICAgICAgVGVzdDogZmFzdC9mb3Jtcy9maWVsZHNldC9maWVsZHNldC1jcmFzaC1pbnNl cnQtYmVmb3JlLWxlZ2VuZC11bmRlci1tdWx0aWNvbC5odG1sCisKKyAgICAgICAgKiByZW5kZXJp bmcvdXBkYXRpbmcvUmVuZGVyVHJlZUJ1aWxkZXJCbG9ja0Zsb3cuY3BwOgorICAgICAgICAoV2Vi Q29yZTo6UmVuZGVyVHJlZUJ1aWxkZXI6OkJsb2NrRmxvdzo6YXR0YWNoKToKKwogMjAyMC0wMS0y MyAgSmVyIE5vYmxlICA8amVyLm5vYmxlQGFwcGxlLmNvbT4KIAogICAgICAgICBbRU1FXSBLZXkg cmVuZXdhbCBmYWlscyB3aGVuIHVzaW5nIEFWQ29udGVudEtleVJlcG9ydEdyb3VwCmRpZmYgLS1n aXQgYS9Tb3VyY2UvV2ViQ29yZS9yZW5kZXJpbmcvdXBkYXRpbmcvUmVuZGVyVHJlZUJ1aWxkZXJC bG9ja0Zsb3cuY3BwIGIvU291cmNlL1dlYkNvcmUvcmVuZGVyaW5nL3VwZGF0aW5nL1JlbmRlclRy ZWVCdWlsZGVyQmxvY2tGbG93LmNwcAppbmRleCAyYzJiNTA4ZmFjNWM2ZmM4NDYyODVjOWZmYTg5 NWE3YjQwMjJiOGVhLi5hNjE1MWU1YzAyNDc5YjY2ZDZjMTA0Zjk4Y2YyZTYyNjk0ZGNmMjg3IDEw MDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9yZW5kZXJpbmcvdXBkYXRpbmcvUmVuZGVyVHJlZUJ1 aWxkZXJCbG9ja0Zsb3cuY3BwCisrKyBiL1NvdXJjZS9XZWJDb3JlL3JlbmRlcmluZy91cGRhdGlu Zy9SZW5kZXJUcmVlQnVpbGRlckJsb2NrRmxvdy5jcHAKQEAgLTM5LDggKzM5LDEzIEBAIFJlbmRl clRyZWVCdWlsZGVyOjpCbG9ja0Zsb3c6OkJsb2NrRmxvdyhSZW5kZXJUcmVlQnVpbGRlciYgYnVp bGRlcikKIAogdm9pZCBSZW5kZXJUcmVlQnVpbGRlcjo6QmxvY2tGbG93OjphdHRhY2goUmVuZGVy QmxvY2tGbG93JiBwYXJlbnQsIFJlbmRlclB0cjxSZW5kZXJPYmplY3Q+IGNoaWxkLCBSZW5kZXJP YmplY3QqIGJlZm9yZUNoaWxkKQogewotICAgIGlmIChwYXJlbnQubXVsdGlDb2x1bW5GbG93KCkg JiYgKCFwYXJlbnQuaXNGaWVsZHNldCgpIHx8ICFjaGlsZC0+aXNMZWdlbmQoKSkpCisgICAgaWYg KHBhcmVudC5tdWx0aUNvbHVtbkZsb3coKSAmJiAoIXBhcmVudC5pc0ZpZWxkc2V0KCkgfHwgIWNo aWxkLT5pc0xlZ2VuZCgpKSkgeworICAgICAgICBpZiAocGFyZW50LmlzRmllbGRzZXQoKSAmJiBi ZWZvcmVDaGlsZCAmJiBiZWZvcmVDaGlsZC0+aXNMZWdlbmQoKSkKKyAgICAgICAgICAgIHJldHVy biBtX2J1aWxkZXIuYmxvY2tCdWlsZGVyKCkuYXR0YWNoKCpwYXJlbnQubXVsdGlDb2x1bW5GbG93 KCksIFdURk1vdmUoY2hpbGQpLCBudWxscHRyKTsKKwogICAgICAgICByZXR1cm4gbV9idWlsZGVy LmF0dGFjaCgqcGFyZW50Lm11bHRpQ29sdW1uRmxvdygpLCBXVEZNb3ZlKGNoaWxkKSwgYmVmb3Jl Q2hpbGQpOworICAgIH0KKwogICAgIGF1dG8qIGJlZm9yZUNoaWxkT3JQbGFjZWhvbGRlciA9IGJl Zm9yZUNoaWxkOwogICAgIGlmIChhdXRvKiBjb250YWluaW5nRnJhZ21lbnRlZEZsb3cgPSBwYXJl bnQuZW5jbG9zaW5nRnJhZ21lbnRlZEZsb3coKSkKICAgICAgICAgYmVmb3JlQ2hpbGRPclBsYWNl aG9sZGVyID0gbV9idWlsZGVyLm11bHRpQ29sdW1uQnVpbGRlcigpLnJlc29sdmVNb3ZlZENoaWxk KCpjb250YWluaW5nRnJhZ21lbnRlZEZsb3csIGJlZm9yZUNoaWxkKTsKZGlmZiAtLWdpdCBhL0xh eW91dFRlc3RzL0NoYW5nZUxvZyBiL0xheW91dFRlc3RzL0NoYW5nZUxvZwppbmRleCA0ODVhMTM5 MDgxMmJmZGZiYjIyNTAyYWYwMGM4NzQ4MmNkNmYyYzA2Li5lZTRhYjUyN2M0YjQ2YTRjYjJiZTM4 NjM3YzUxYzNiZGZkOWRkYjJiIDEwMDY0NAotLS0gYS9MYXlvdXRUZXN0cy9DaGFuZ2VMb2cKKysr IGIvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTMgQEAKKzIwMjAtMDEtMjMgIEph Y2sgTGVlICA8c2hpaGNoaWVoX2xlZUBhcHBsZS5jb20+CisKKyAgICAgICAgTnVsbHB0ciBkZXJl ZiBpbiBXZWJDb3JlOjpSZW5kZXJUcmVlQnVpbGRlcjo6QmxvY2s6OmF0dGFjaElnbm9yaW5nQ29u dGludWF0aW9uIHdoZW4gYW4gZWxlbWVudCBpcyBpbnNlcnRlZCBiZWZvcmUgbGVnZW5kIHVuZGVy IG11bHRpLWNvbHVtbiBsYXlvdXQuCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3No b3dfYnVnLmNnaT9pZD0yMDYxMDkKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMh KS4KKworICAgICAgICAqIGZhc3QvZm9ybXMvZmllbGRzZXQvZmllbGRzZXQtY3Jhc2gtaW5zZXJ0 LWJlZm9yZS1sZWdlbmQtdW5kZXItbXVsdGljb2wtZXhwZWN0ZWQudHh0OiBBZGRlZC4KKyAgICAg ICAgKiBmYXN0L2Zvcm1zL2ZpZWxkc2V0L2ZpZWxkc2V0LWNyYXNoLWluc2VydC1iZWZvcmUtbGVn ZW5kLXVuZGVyLW11bHRpY29sLmh0bWw6IEFkZGVkLgorCiAyMDIwLTAxLTIzICBEaWVnbyBQaW5v IEdhcmNpYSAgPGRwaW5vQGlnYWxpYS5jb20+CiAKICAgICAgICAgW0dUS10gR2FyZGVuaW5nLCBy ZWJhc2VsaW5lcyBhbmQgdXBkYXRlIFRlc3RFeHBlY3RhdGlvbnMKZGlmZiAtLWdpdCBhL0xheW91 dFRlc3RzL2Zhc3QvZm9ybXMvZmllbGRzZXQvZmllbGRzZXQtY3Jhc2gtaW5zZXJ0LWJlZm9yZS1s ZWdlbmQtdW5kZXItbXVsdGljb2wtZXhwZWN0ZWQudHh0IGIvTGF5b3V0VGVzdHMvZmFzdC9mb3Jt cy9maWVsZHNldC9maWVsZHNldC1jcmFzaC1pbnNlcnQtYmVmb3JlLWxlZ2VuZC11bmRlci1tdWx0 aWNvbC1leHBlY3RlZC50eHQKbmV3IGZpbGUgbW9kZSAxMDA2NDQKaW5kZXggMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMC4uNDc2MTUyYTk0NmNhNjJkODE0MDg2OTcwYzAw NTM2NDcwZmJkNWUwZAotLS0gL2Rldi9udWxsCisrKyBiL0xheW91dFRlc3RzL2Zhc3QvZm9ybXMv ZmllbGRzZXQvZmllbGRzZXQtY3Jhc2gtaW5zZXJ0LWJlZm9yZS1sZWdlbmQtdW5kZXItbXVsdGlj b2wtZXhwZWN0ZWQudHh0CkBAIC0wLDAgKzEsNCBAQAorCitUZXN0cyBpbnNlcnRpbmcgYW4gZWxl bWVudCBiZWZvcmUgbGVnZW5kIHVuZGVyIG11bHRpLWNvbHVtbiBsYXlvdXQuCisKK1RoZSB0ZXN0 IHBhc3NlcyBpZiBXZWJLaXQgZG9lc24ndCBjcmFzaCBvciBoaXQgYW4gYXNzZXJ0aW9uLgpkaWZm IC0tZ2l0IGEvTGF5b3V0VGVzdHMvZmFzdC9mb3Jtcy9maWVsZHNldC9maWVsZHNldC1jcmFzaC1p bnNlcnQtYmVmb3JlLWxlZ2VuZC11bmRlci1tdWx0aWNvbC5odG1sIGIvTGF5b3V0VGVzdHMvZmFz dC9mb3Jtcy9maWVsZHNldC9maWVsZHNldC1jcmFzaC1pbnNlcnQtYmVmb3JlLWxlZ2VuZC11bmRl ci1tdWx0aWNvbC5odG1sCm5ldyBmaWxlIG1vZGUgMTAwNjQ0CmluZGV4IDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAuLmFkMzgzNjg3OGNjNDUxNjhhNjNmMDRkOTdlOGI1 ZDAwYjA1YzNmNjgKLS0tIC9kZXYvbnVsbAorKysgYi9MYXlvdXRUZXN0cy9mYXN0L2Zvcm1zL2Zp ZWxkc2V0L2ZpZWxkc2V0LWNyYXNoLWluc2VydC1iZWZvcmUtbGVnZW5kLXVuZGVyLW11bHRpY29s Lmh0bWwKQEAgLTAsMCArMSwxNiBAQAorPHN0eWxlPgorKiB7IC13ZWJraXQtY29sdW1uLXdpZHRo OiAxcHg7IH0KKzwvc3R5bGU+Cis8c2NyaXB0PgorICAgIGlmICh3aW5kb3cudGVzdFJ1bm5lcikK KyAgICAgICAgdGVzdFJ1bm5lci5kdW1wQXNUZXh0KCk7CisKKyAgICBvbmxvYWQgPSBmdW5jdGlv biBmKCkgeworICAgICAgICBMRUdFTkQuYmVmb3JlKENBTlZBUyk7CisgICAgfQorPC9zY3JpcHQ+ Cis8Ym9keT4KKzxjYW52YXMgaWQ9IkNBTlZBUyI+PC9jYW52YXM+PGZpZWxkc2V0PjxsZWdlbmQg aWQ9IkxFR0VORCI+PC9sZWdlbmQ+Cis8cD4gVGVzdHMgaW5zZXJ0aW5nIGFuIGVsZW1lbnQgYmVm b3JlIGxlZ2VuZCB1bmRlciBtdWx0aS1jb2x1bW4gbGF5b3V0LjwvcD4KKzxwPiBUaGUgdGVzdCBw YXNzZXMgaWYgV2ViS2l0IGRvZXNuJ3QgY3Jhc2ggb3IgaGl0IGFuIGFzc2VydGlvbi48L3A+Cis8 L2JvZHk+Cg==