Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 0d0caf9579718608843389ad1dcf5961c5cce63e
      
https://github.com/WebKit/WebKit/commit/0d0caf9579718608843389ad1dcf5961c5cce63e
  Author: Mikhail R. Gadelha <[email protected]>
  Date:   2024-05-15 (Wed, 15 May 2024)

  Changed paths:
    A LayoutTests/fast/dom/set-attribute-and-normalize-in-event-expected.txt
    A LayoutTests/fast/dom/set-attribute-and-normalize-in-event.html
    M Source/WebCore/dom/ContainerNode.cpp

  Log Message:
  -----------
  Use RefPtr local variable for nextChild in 
insertChildrenBeforeWithoutPreInsertionValidityCheck
https://bugs.webkit.org/show_bug.cgi?id=268765
rdar://122122623

Reviewed by Ryosuke Niwa and Chris Dumez.

This patch adds a RefPtr to hold a reference to nextChild so that the
pointer stays valid through the scope of the function.

In the test case, the removeChild() call (from the before() call in the js
script) triggers a DOMSubtreeModified event, which eventually calls normalize.
The normalize() call can destroy text elements when normalizing the content of
the node if there is no one holding the reference to that node, so holding
nextChild in a RefPtr prevents us from reading an invalid pointer.

* LayoutTests/fast/dom/set-attribute-and-normalize-in-event-expected.txt: Added.
* LayoutTests/fast/dom/set-attribute-and-normalize-in-event.html: Added.
* Source/WebCore/dom/ContainerNode.cpp:
(WebCore::ContainerNode::insertChildrenBeforeWithoutPreInsertionValidityCheck):

Originally-landed-as: [email protected] (65b1fae34533). 
rdar://128089683
Canonical link: https://commits.webkit.org/278837@main
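
The lifetime problem described in the log message, modeled as an added example (not WebKit code and not part of the commit): `std::shared_ptr` stands in for `RefPtr`, and `Node`, `Container`, `insertBefore` and `nextChildSurvives` are hypothetical names. A `std::weak_ptr` observes whether the node was destroyed during the re-entrant callback, so the unprotected case is detected without dereferencing a stale pointer.

```cpp
#include <functional>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-ins: Node models a DOM text node, Container models a
// parent node. The children vector holds the only owning reference by default.
struct Node { std::string text; };

struct Container {
    std::vector<std::shared_ptr<Node>> children;
    std::function<void(Container&)> onSubtreeModified; // models a mutation event listener

    // Models normalize(): merges adjacent text nodes and drops the merged ones.
    void normalize() {
        while (children.size() > 1) {
            children[0]->text += children[1]->text;
            children.erase(children.begin() + 1); // last owner gone => node destroyed
        }
    }
    void removeChild(size_t index) {
        children.erase(children.begin() + index);
        if (onSubtreeModified) onSubtreeModified(*this); // script can run here
    }
    // Returns true if the node at nextIndex is still alive after the callback.
    bool insertBefore(size_t nextIndex, size_t removeIndex, bool holdStrongRef) {
        std::weak_ptr<Node> observer = children[nextIndex]; // non-owning probe
        std::shared_ptr<Node> protectedNext;                // the "RefPtr local"
        if (holdStrongRef) protectedNext = children[nextIndex];
        removeChild(removeIndex);
        return !observer.expired();
    }
};

bool nextChildSurvives(bool holdStrongRef) {
    Container c;
    for (const char* s : {"a", "b", "c"}) // constructed sample children
        c.children.push_back(std::make_shared<Node>(Node{s}));
    c.onSubtreeModified = [](Container& self) { self.normalize(); };
    return c.insertBefore(2, 0, holdStrongRef);
}

int main() {
    std::cout << "without strong ref: alive=" << nextChildSurvives(false) << "\n";
    std::cout << "with strong ref:    alive=" << nextChildSurvives(true) << "\n";
}
```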


