Title: [276398] branches/safari-611-branch
Revision
276398
Author
[email protected]
Date
2021-04-21 16:39:06 -0700 (Wed, 21 Apr 2021)

Log Message

Cherry-pick r274064. rdar://problem/76962988

    REGRESSION(r272900): Nullptr crash in ComposedTreeIterator::traverseNextInShadowTree() via ShadowRoot::hostChildElementDidChange
    https://bugs.webkit.org/show_bug.cgi?id=222720

    Patch by Carlos Garcia Campos <[email protected]> on 2021-03-08
    Reviewed by Ryosuke Niwa.

    Source/WebCore:

    The list of assigned nodes contains weak pointers, we should check the node hasn't been destroyed.

    Test: fast/html/details-set-inner-text-crash.html

    * dom/ComposedTreeIterator.cpp:
    (WebCore::ComposedTreeIterator::traverseNextInShadowTree):

    LayoutTests:

    * fast/html/details-set-inner-text-crash-expected.txt: Added.
    * fast/html/details-set-inner-text-crash.html: Added.

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@274064 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Diff

Modified: branches/safari-611-branch/LayoutTests/ChangeLog (276397 => 276398)


--- branches/safari-611-branch/LayoutTests/ChangeLog	2021-04-21 23:06:48 UTC (rev 276397)
+++ branches/safari-611-branch/LayoutTests/ChangeLog	2021-04-21 23:39:06 UTC (rev 276398)
@@ -1,3 +1,39 @@
+2021-04-21  Alan Coon  <[email protected]>
+
+        Cherry-pick r274064. rdar://problem/76962988
+
+    REGRESSION(r272900): Nullptr crash in ComposedTreeIterator::traverseNextInShadowTree() via ShadowRoot::hostChildElementDidChange
+    https://bugs.webkit.org/show_bug.cgi?id=222720
+    
+    Patch by Carlos Garcia Campos <[email protected]> on 2021-03-08
+    Reviewed by Ryosuke Niwa.
+    
+    Source/WebCore:
+    
+    The list of assigned nodes contains weak pointers, we should check the node hasn't been destroyed.
+    
+    Test: fast/html/details-set-inner-text-crash.html
+    
+    * dom/ComposedTreeIterator.cpp:
+    (WebCore::ComposedTreeIterator::traverseNextInShadowTree):
+    
+    LayoutTests:
+    
+    * fast/html/details-set-inner-text-crash-expected.txt: Added.
+    * fast/html/details-set-inner-text-crash.html: Added.
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@274064 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-03-08  Carlos Garcia Campos  <[email protected]>
+
+            REGRESSION(r272900): Nullptr crash in ComposedTreeIterator::traverseNextInShadowTree() via ShadowRoot::hostChildElementDidChange
+            https://bugs.webkit.org/show_bug.cgi?id=222720
+
+            Reviewed by Ryosuke Niwa.
+
+            * fast/html/details-set-inner-text-crash-expected.txt: Added.
+            * fast/html/details-set-inner-text-crash.html: Added.
+
 2021-04-15  Russell Epstein  <[email protected]>
 
         Cherry-pick r275656. rdar://problem/76727574

Added: branches/safari-611-branch/LayoutTests/fast/html/details-set-inner-text-crash-expected.txt (0 => 276398)


--- branches/safari-611-branch/LayoutTests/fast/html/details-set-inner-text-crash-expected.txt	                        (rev 0)
+++ branches/safari-611-branch/LayoutTests/fast/html/details-set-inner-text-crash-expected.txt	2021-04-21 23:39:06 UTC (rev 276398)
@@ -0,0 +1 @@
+PASS

Added: branches/safari-611-branch/LayoutTests/fast/html/details-set-inner-text-crash.html (0 => 276398)


--- branches/safari-611-branch/LayoutTests/fast/html/details-set-inner-text-crash.html	                        (rev 0)
+++ branches/safari-611-branch/LayoutTests/fast/html/details-set-inner-text-crash.html	2021-04-21 23:39:06 UTC (rev 276398)
@@ -0,0 +1,17 @@
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+function test() {
+    x4.click();
+    x4.innerText = "PASS";
+}
+
+function on_details_click() {
+    x4.prepend(document.getElementById("x43"));
+    x70.addEventListener("DOMNodeRemoved", on_details_click);
+}
+</script>
+<body _onload_="test()">
+<details id="x4" open="" _onclick_="on_details_click()">
+<summary id="x70" hidden="">
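
Review bot: `on_details_click()` looks up `document.getElementById("x43")`, but no element in this file has the id `x43`, so the lookup returns null and `x4.prepend()` is handed null instead of a node. If the crash depends on that, say so in a comment at the top of the file; otherwise add the missing element. A one-line description naming bug 222720 would also help, since the only check is the `PASS` text written by `x4.innerText`, meaning the test passes whenever it does not crash.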

Modified: branches/safari-611-branch/Source/WebCore/ChangeLog (276397 => 276398)


--- branches/safari-611-branch/Source/WebCore/ChangeLog	2021-04-21 23:06:48 UTC (rev 276397)
+++ branches/safari-611-branch/Source/WebCore/ChangeLog	2021-04-21 23:39:06 UTC (rev 276398)
@@ -1,3 +1,43 @@
+2021-04-21  Alan Coon  <[email protected]>
+
+        Cherry-pick r274064. rdar://problem/76962988
+
+    REGRESSION(r272900): Nullptr crash in ComposedTreeIterator::traverseNextInShadowTree() via ShadowRoot::hostChildElementDidChange
+    https://bugs.webkit.org/show_bug.cgi?id=222720
+    
+    Patch by Carlos Garcia Campos <[email protected]> on 2021-03-08
+    Reviewed by Ryosuke Niwa.
+    
+    Source/WebCore:
+    
+    The list of assigned nodes contains weak pointers, we should check the node hasn't been destroyed.
+    
+    Test: fast/html/details-set-inner-text-crash.html
+    
+    * dom/ComposedTreeIterator.cpp:
+    (WebCore::ComposedTreeIterator::traverseNextInShadowTree):
+    
+    LayoutTests:
+    
+    * fast/html/details-set-inner-text-crash-expected.txt: Added.
+    * fast/html/details-set-inner-text-crash.html: Added.
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@274064 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-03-08  Carlos Garcia Campos  <[email protected]>
+
+            REGRESSION(r272900): Nullptr crash in ComposedTreeIterator::traverseNextInShadowTree() via ShadowRoot::hostChildElementDidChange
+            https://bugs.webkit.org/show_bug.cgi?id=222720
+
+            Reviewed by Ryosuke Niwa.
+
+            The list of assigned nodes contains weak pointers, we should check the node hasn't been destroyed.
+
+            Test: fast/html/details-set-inner-text-crash.html
+
+            * dom/ComposedTreeIterator.cpp:
+            (WebCore::ComposedTreeIterator::traverseNextInShadowTree):
+
 2021-04-16  Russell Epstein  <[email protected]>
 
         Cherry-pick r275485. rdar://problem/76412930
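
Review bot: The description in the nested 2021-03-08 entry says the assigned-node list holds weak pointers and that the node should be checked, but it does not connect this to r272900 or say what the iterator does when the first assigned node is gone. One more sentence covering how the node comes to be destroyed during `ShadowRoot::hostChildElementDidChange` and what traversal does in that case would make the entry usable without opening the bug.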

Modified: branches/safari-611-branch/Source/WebCore/dom/ComposedTreeIterator.cpp (276397 => 276398)


--- branches/safari-611-branch/Source/WebCore/dom/ComposedTreeIterator.cpp	2021-04-21 23:06:48 UTC (rev 276397)
+++ branches/safari-611-branch/Source/WebCore/dom/ComposedTreeIterator.cpp	2021-04-21 23:39:06 UTC (rev 276398)
@@ -162,10 +162,11 @@
     if (is<HTMLSlotElement>(current())) {
         auto& slot = downcast<HTMLSlotElement>(current());
         if (auto* assignedNodes = slot.assignedNodes()) {
-            context().slotNodeIndex = 0;
-            auto* assignedNode = assignedNodes->at(0).get();
-            m_contextStack.append(Context(*assignedNode->parentElement(), *assignedNode, Context::Slotted));
-            return;
+            if (auto assignedNode = assignedNodes->at(0)) {
+                context().slotNodeIndex = 0;
+                m_contextStack.append(Context(*assignedNode->parentElement(), *assignedNode, Context::Slotted));
+                return;
+            }
         }
     }
 
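
Review bot: In the new `if (auto assignedNode = assignedNodes->at(0))` block, the check covers only the weak pointer itself; `*assignedNode->parentElement()` on the `m_contextStack.append(...)` line is still dereferenced unchecked, and nothing in the hunk shows that a live assigned node always has a parent element here. Consider an assertion or a fall-through for that case. Separately, when entry 0 has been destroyed the code leaves the slot branch without looking at later entries of `assignedNodes`, so a slot whose first node is gone but whose remaining nodes are alive is traversed as if nothing were assigned; either skip to the first live entry or add a comment stating that this is intended.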