Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 6de0a6e596b6b251fe46c8b12b05a62aea4afb64
      
https://github.com/WebKit/WebKit/commit/6de0a6e596b6b251fe46c8b12b05a62aea4afb64
  Author: Ryosuke Niwa <[email protected]>
  Date:   2024-05-01 (Wed, 01 May 2024)

  Changed paths:
    A LayoutTests/editing/style/apply-style-split-text-element-at-end-crash-expected.txt
    A LayoutTests/editing/style/apply-style-split-text-element-at-end-crash.html
    M Source/WebCore/editing/CompositeEditCommand.cpp
    M Source/WebCore/editing/SplitTextNodeContainingElementCommand.cpp

  Log Message:
  -----------
  Crash in CheckedPtr::decrementPtrCount via SplitTextNodeContainingElementCommand::doApply
https://bugs.webkit.org/show_bug.cgi?id=273581
<rdar://127116949>

Reviewed by Wenson Hsieh.

The crash was caused by SplitTextNodeContainingElementCommand::doApply holding onto a CheckedPtr
of RenderObject across a call to splitElement, which could trigger a layout and delete
the render object. Fixed the crash by reducing the scope of CheckedPtr.

Also remove the debug assertion in CompositeEditCommand::appendNode which gets hit with the
newly added test case.

* LayoutTests/editing/style/apply-style-split-text-element-at-end-crash-expected.txt: Added.
* LayoutTests/editing/style/apply-style-split-text-element-at-end-crash.html: Added.
* Source/WebCore/editing/CompositeEditCommand.cpp:
(WebCore::CompositeEditCommand::appendNode):
* Source/WebCore/editing/SplitTextNodeContainingElementCommand.cpp:
(WebCore::SplitTextNodeContainingElementCommand::doApply):

Canonical link: https://commits.webkit.org/278242@main
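
The scoping fix described in the log message, modelled in standalone C++ as an added example (not WebKit's code and not part of the commit). `Renderer`, `Checked`, `Node`, `isText` and both `apply*` functions are hypothetical stand-ins, and the model records the hazard instead of actually freeing memory.

```cpp
#include <memory>

// Hypothetical stand-in for a render object that counts guards pointing at it.
struct Renderer { int ptrCount = 0; bool isText = true; }; // isText: assumed property

// Minimal RAII guard modelled on the idea of a checked pointer (not WebKit's class).
class Checked {
public:
    explicit Checked(Renderer* r) : m_r(r) { ++m_r->ptrCount; }
    ~Checked() { --m_r->ptrCount; }
    Checked(const Checked&) = delete;
    Checked& operator=(const Checked&) = delete;
    Renderer* operator->() const { return m_r; }
private:
    Renderer* m_r;
};

struct Node {
    std::unique_ptr<Renderer> renderer = std::make_unique<Renderer>();
    bool freedWhileReferenced = false;
    // Stand-in for a call that may trigger layout and replace the renderer.
    void splitElement() {
        if (renderer->ptrCount > 0) {
            // Real code would free the object here; the model only records the hazard.
            freedWhileReferenced = true;
            return;
        }
        renderer = std::make_unique<Renderer>();
    }
};

// Before: the guard is still alive when the mutating call runs.
bool applyWideScope(Node& n) {
    Checked r(n.renderer.get());
    if (!r->isText) return false;
    n.splitElement();
    return n.freedWhileReferenced;
}

// After: the guard is confined to the block that reads the renderer.
bool applyNarrowScope(Node& n) {
    {
        Checked r(n.renderer.get());
        if (!r->isText) return false;
    }
    n.splitElement();
    return n.freedWhileReferenced;
}

int main() { Node a, b; return applyWideScope(a) && !applyNarrowScope(b) ? 0 : 1; }
```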


