Bug 188935

Summary: Check for null renderer in canBeScrolledIntoView
Product: WebKit
Reporter: Don Olmstead <don.olmstead>
Component: WebCore Misc.
Assignee: Don Olmstead <don.olmstead>
Status: RESOLVED FIXED
Severity: Normal
CC: cdumez, commit-queue, darin, mcatanzaro, simon.fraser, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments:
  Patch (flags: simon.fraser: review+)
  Patch (flags: none)

Description Don Olmstead 2018-08-24 15:46:06 PDT
There's no check on parentNode->renderer() before it's used within canBeScrolledIntoView.

Associated Chromium fix with layout test https://chromium-review.googlesource.com/c/chromium/src/+/550255
Comment 1 Don Olmstead 2018-08-24 15:47:50 PDT
Adding the following in the for loop fixes the problem.

+        if (UNLIKELY(!parentNode->renderer()))
+            continue;
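Review bot: the `continue` makes an ancestor without a renderer transparent to the loop (the walk moves on to the next parent) rather than ending the search, so the patch should state that this is the intended result and the layout test ported from the Chromium change should exercise exactly that case, an element under a renderer-less ancestor. The UNLIKELY() hint is not needed for correctness and can be dropped.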

It's EOD here so if nobody gets to this by Monday I'll just throw together a patch with the layout test in it.
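The defect and its fix, as an added illustration that is not WebKit's code: a constructed model of a node tree where a node's renderer pointer may be null, and a stand-in for canBeScrolledIntoView (the names Node, Renderer and the scrollable flag are assumptions of this model, and the real function's semantics are not reproduced) that walks the ancestor chain with the null check from the patch in place. The demo builds a chain whose middle ancestor has no renderer; without the check the walk would dereference null there, with it the scrollable grandparent is still found.

```cpp
#include <cstddef>

// Constructed model, not WebKit's Node/RenderObject (assumption). A node whose
// renderer is null stands for one that has no layout box.
struct Renderer {
    bool scrollable;
};

struct Node {
    Node* parent = nullptr;
    Renderer* renderer = nullptr;   // may legitimately be null
};

// Hypothetical stand-in for canBeScrolledIntoView: walk up the ancestors and
// report whether any of them has a scrollable renderer. The null check is the
// one added by the patch; an ancestor without a renderer is skipped instead of
// being dereferenced.
bool canBeScrolledIntoView(const Node& node)
{
    for (Node* parentNode = node.parent; parentNode; parentNode = parentNode->parent) {
        if (!parentNode->renderer)
            continue;                      // the check from the bug's fix
        if (parentNode->renderer->scrollable)
            return true;
    }
    return false;
}

// Chain: scroller (scrollable renderer) -> hidden (no renderer) -> leaf.
// Walking from the leaf crosses the renderer-less node and still finds the
// scrollable grandparent. Expected: true.
bool demoWalkPastRendererlessAncestor()
{
    Renderer scrollerRenderer{true};
    Node scroller;
    scroller.renderer = &scrollerRenderer;

    Node hidden;                           // renderer left null on purpose
    hidden.parent = &scroller;

    Renderer leafRenderer{false};
    Node leaf;
    leaf.renderer = &leafRenderer;
    leaf.parent = &hidden;

    return canBeScrolledIntoView(leaf);
}

// Same shape, but no ancestor is scrollable. Expected: false, and no crash on
// the renderer-less middle node.
bool demoNoScrollableAncestor()
{
    Renderer plain{false};
    Node root;
    root.renderer = &plain;

    Node hidden;
    hidden.parent = &root;

    Node leaf;
    leaf.parent = &hidden;

    return canBeScrolledIntoView(leaf);
}
```

The two demo functions return the walk's result so the behaviour on the renderer-less ancestor can be checked directly; removing the `continue` branch turns the first demo into a null dereference.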
Comment 2 Don Olmstead 2018-08-28 17:09:42 PDT
Created attachment 348361
Patch

Port of the chromium fix
Comment 3 Simon Fraser (smfr) 2018-08-28 17:29:10 PDT
Comment on attachment 348361
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=348361&action=review

> Source/WebCore/page/SpatialNavigation.cpp:708
> +        if (UNLIKELY(!parentNode->renderer()))

The UNLIKELY() seems unnecessary.
Comment 4 Don Olmstead 2018-08-28 18:15:39 PDT
Created attachment 348371
Patch

Address review comments
Comment 5 WebKit Commit Bot 2018-08-28 22:05:32 PDT
Comment on attachment 348371
Patch

Clearing flags on attachment: 348371

Committed r235457: <https://trac.webkit.org/changeset/235457>
Comment 6 WebKit Commit Bot 2018-08-28 22:05:34 PDT
All reviewed patches have been landed.  Closing bug.
Comment 7 Radar WebKit Bug Importer 2018-08-28 22:06:14 PDT
<rdar://problem/43829010>