Modified: trunk/Source/WebCore/ChangeLog (288100 => 288101)
--- trunk/Source/WebCore/ChangeLog 2022-01-17 19:50:14 UTC (rev 288100)
+++ trunk/Source/WebCore/ChangeLog 2022-01-17 20:10:13 UTC (rev 288101)
@@ -1,3 +1,20 @@
+2022-01-17 Antoine Quint <[email protected]>
+
+ Crash may occur under ComputedStyleExtractor::propertyValue()
+ https://bugs.webkit.org/show_bug.cgi?id=235255
+
+ Reviewed by Antti Koivisto.
+
+ When calling getComputedStyle() after an element has had its style set to "display: none",
+ ComputedStyleExtractor::propertyValue() will first start with a non-null renderer but it will
+ become null after document.updateLayoutIgnorePendingStylesheets() is called.
+
+ To avoid this problem, we stop storing the renderer throughout the method, and instead call
+ styledRenderer() to obtain a valid renderer each time we need to access it.
+
+ * css/CSSComputedStyleDeclaration.cpp:
+ (WebCore::ComputedStyleExtractor::propertyValue):
+
2022-01-17 Sepand Parhami <[email protected]>
AX: Expose toggle buttons using role="button" as form controls.
Modified: trunk/Source/WebCore/css/CSSComputedStyleDeclaration.cpp (288100 => 288101)
--- trunk/Source/WebCore/css/CSSComputedStyleDeclaration.cpp 2022-01-17 19:50:14 UTC (rev 288100)
+++ trunk/Source/WebCore/css/CSSComputedStyleDeclaration.cpp 2022-01-17 20:10:13 UTC (rev 288101)
@@ -2495,7 +2495,7 @@
return true;
}
-static inline const RenderStyle* computeRenderStyleForProperty(Element& element, PseudoId pseudoElementSpecifier, CSSPropertyID propertyID, std::unique_ptr<RenderStyle>& ownedStyle, RenderElement* renderer)
+static inline const RenderStyle* computeRenderStyleForProperty(Element& element, PseudoId pseudoElementSpecifier, CSSPropertyID propertyID, std::unique_ptr<RenderStyle>& ownedStyle, WeakPtr<RenderElement> renderer)
{
if (!renderer)
renderer = element.renderer();
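Review bot: The switch to a `WeakPtr<RenderElement>` parameter is not explained at the declaration, and a WeakPtr only prevents the crash if every dereference of `renderer` after the `renderer = element.renderer();` fallback re-checks it for null, which happens in the body of computeRenderStyleForProperty that continues outside this hunk. I would add above the signature: `// Takes a WeakPtr rather than a raw pointer: the caller may trigger layout, which can destroy the renderer; test before each use.` Assigning `element.renderer()` to the WeakPtr presumably relies on WeakPtr being constructible from a raw `T*`, which is worth confirming.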
@@ -2718,21 +2718,18 @@
std::unique_ptr<RenderStyle> ownedStyle;
const RenderStyle* style = nullptr;
- RenderElement* renderer = nullptr;
bool forceFullLayout = false;
if (updateLayout) {
Document& document = m_element->document();
updateStyleIfNeededForProperty(*styledElement, propertyID);
- renderer = styledRenderer();
-
- if (propertyID == CSSPropertyDisplay && !renderer && is<SVGElement>(*styledElement) && !downcast<SVGElement>(*styledElement).isValid())
+ if (propertyID == CSSPropertyDisplay && !styledRenderer() && is<SVGElement>(*styledElement) && !downcast<SVGElement>(*styledElement).isValid())
return nullptr;
- style = computeRenderStyleForProperty(*styledElement, m_pseudoElementSpecifier, propertyID, ownedStyle, renderer);
+ style = computeRenderStyleForProperty(*styledElement, m_pseudoElementSpecifier, propertyID, ownedStyle, styledRenderer());
// FIXME: Some of these cases could be narrowed down or optimized better.
- forceFullLayout = isLayoutDependent(propertyID, style, renderer)
+ forceFullLayout = isLayoutDependent(propertyID, style, styledRenderer())
|| styledElement->isInShadowTree()
|| (document.styleScope().resolverIfExists() && document.styleScope().resolverIfExists()->hasViewportDependentMediaQueries() && document.ownerElement());
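Review bot: The reason for calling `styledRenderer()` three times (the display check, the computeRenderStyleForProperty call and the isLayoutDependent call) instead of holding it in a local lives only in the ChangeLog, so a later cleanup could reintroduce the cached pointer and the crash. I would add a comment before the display check: `// Do not cache styledRenderer() in a local: updateLayoutIgnorePendingStylesheets() below may destroy the renderer.` The enclosing `if (updateLayout)` block and the propertyValue body continue in the next hunk.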
@@ -2740,15 +2737,13 @@
document.updateLayoutIgnorePendingStylesheets();
}
- if (!updateLayout || forceFullLayout) {
- style = computeRenderStyleForProperty(*styledElement, m_pseudoElementSpecifier, propertyID, ownedStyle, renderer);
- renderer = styledRenderer();
- }
+ if (!updateLayout || forceFullLayout)
+ style = computeRenderStyleForProperty(*styledElement, m_pseudoElementSpecifier, propertyID, ownedStyle, styledRenderer());
if (!style)
return nullptr;
- return valueForPropertyInStyle(*style, propertyID, renderer);
+ return valueForPropertyInStyle(*style, propertyID, styledRenderer());
}
RefPtr<CSSValue> ComputedStyleExtractor::valueForPropertyInStyle(const RenderStyle& style, CSSPropertyID propertyID, RenderElement* renderer)
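Review bot: `style` is computed before `document.updateLayoutIgnorePendingStylesheets()` and, when `forceFullLayout` is false, is passed unchanged to `valueForPropertyInStyle` after that layout; if computeRenderStyleForProperty returned a pointer tied to the renderer rather than to `ownedStyle`, it can be as stale as the `renderer` local this commit removes. The renderer side is now refreshed via `styledRenderer()`, but nothing re-validates `style` across the layout call. Either recompute `style` after layout whenever the renderer could have been destroyed, or document why the pre-layout `style` stays valid, e.g. above `if (!updateLayout || forceFullLayout)`: `// style computed before layout is reused here; it must not point into a renderer that layout may have destroyed.` The body of computeRenderStyleForProperty is outside this hunk, so this is a question rather than a confirmed defect.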