Fix null pointer dereference in AutoscrollController.

A fieldset element creates an anonymous block for its contents (see LayoutFieldset::InsertedIntoTree), which may be passed as |scrollable| to AutoscrollController::StartMiddleClickAutoscroll. It seems we don't need to access scrollable->GetNode() in the first place. We can just start the layout tree walk from scrollable itself. Bug: 1488016 Change-Id: I43da256d48f827c818636848abcd659095a94a7c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5076640 Reviewed-by: Dave Tapuska <dtapuska@chromium.org> Commit-Queue: Steve Kobes <skobes@chromium.org> Cr-Commit-Position: refs/heads/main@{#1231408}
web-platform-tests · Nov 30, 2023 · 7743dbe · 7743dbe
1 parent 5904d19
commit 7743dbe
Showing 1 changed file with 37 additions and 0 deletions.
diff --git a/...n-replaced-elements/the-fieldset-and-legend-elements/crashtests/fieldset-middleclick.html b/...n-replaced-elements/the-fieldset-and-legend-elements/crashtests/fieldset-middleclick.html
@@ -0,0 +1,37 @@
+<!DOCTYPE HTML>
+<html class="test-wait">
+<head>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-actions.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+<style>
+#f {
+  overflow-y: scroll;
+  width: 100px;
+  height: 100px;
+}
+</style>
+</head>
+<body>
+<fieldset id="f">
+  <p>test</p>
+  <p>test</p>
+  <p>test</p>
+  <p>test</p>
+  <p>test</p>
+  <p>test</p>
+</fieldset>
+<script>
+onload = async () => {
+  const actions = new test_driver.Actions();
+  const button = {button: actions.ButtonType.MIDDLE};
+  await actions.
+      pointerMove(50, 50).
+      pointerDown(button).
+      pointerUp(button).
+      send();
+  document.documentElement.className = "";
+};
+</script>
+</body>
+</html>