Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 3360d015ac9a20b8357f6a3bf100082cded0d325
https://github.com/WebKit/WebKit/commit/3360d015ac9a20b8357f6a3bf100082cded0d325
Author: Sammy Gill <[email protected]>
Date: 2025-06-05 (Thu, 05 Jun 2025)
Changed paths:
A LayoutTests/fast/css/input-before-pseudo-crash-expected.txt
A LayoutTests/fast/css/input-before-pseudo-crash.html
M Source/WebCore/rendering/RenderSlider.h
Log Message:
-----------
RenderSlider cannot have generated content.
https://bugs.webkit.org/show_bug.cgi?id=294047
rdar://144403747
Reviewed by Alan Baradlay.
<input type="range"> creates a RenderSlider which inherits from
RenderFlexibleBox. If you add some before/after floating pseudo content
and then mutate the content, this can result in a crash via a
RELEASE_ASSERT in WeakRef. This is because we fail to clean up some
caches in RenderFlexibleBox since that is an unexpected state for us to
be in.
Other renderers based on input elements, such as RenderTextControl,
override canHaveGeneratedChildren to indicate whether or not they
can have pseudo content. It seems like we do not typically allow
generated content on inputs with buttons being the sole exception. This
makes RenderSlider consistent with the other types of content/renderers.
Canonical link: https://commits.webkit.org/295904@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
