Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: d030f866382e08d435256019406253718dc11a17
https://github.com/WebKit/WebKit/commit/d030f866382e08d435256019406253718dc11a17
Author: Chirag M Shah <[email protected]>
Date: 2022-12-19 (Mon, 19 Dec 2022)
Changed paths:
M Source/WebCore/dom/ContainerNode.cpp
Log Message:
-----------
Cherry-pick 252432.689@safari-7614-branch (706a0693c737). rdar://103520049
Correctly teardown children for elements with NULL renderer which have
display contents changed.
rdar://problem/99616850
Reviewed by Antti Koivisto.
- When an element has display-contents:true, we don't create a renderer
for it, but its children may still have renderers which point to
nodes in the DOM. When certain nodes in the DOM are torn down, these
renderers were holding stale references, which caused use-after-free
issues. The patch fixes the issue by correcting the teardown logic for
such nodes.
* Source/WebCore/dom/ContainerNode.cpp:
(WebCore::destroyRenderTreeIfNeeded):
Canonical link: https://commits.webkit.org/252432.689@safari-7614-branch
Canonical link: https://commits.webkit.org/258098@main