Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 8595bed7b4560299bec349dffd6535db0eb1a5db
      
https://github.com/WebKit/WebKit/commit/8595bed7b4560299bec349dffd6535db0eb1a5db
  Author: Simon Fraser <simon.fra...@apple.com>
  Date:   2025-08-21 (Thu, 21 Aug 2025)

  Changed paths:
    M Source/WebCore/rendering/RenderLayer.cpp

  Log Message:
  -----------
Crash under RenderLayer::clearClipRectsIncludingDescendants() with anchor positioning
https://bugs.webkit.org/show_bug.cgi?id=297693
rdar://158489734

Reviewed by Alan Baradlay.

When an anchor RenderBox is being destroyed, it calls `RenderLayer::clearAnchorScrollAdjustment()` on its layer, which calls `RenderLayer::updateTransform()`, which calls `RenderLayer::clearClipRectsIncludingDescendants()`.

`clearClipRectsIncludingDescendants()` is not safe to run when in render tree teardown because we don't guarantee a clean RenderLayer hierarchy; we guard against this at other call sites, so do this too in `setSnapshottedScrollOffsetForAnchorPositioning()` and `clearSnapshottedScrollOffsetForAnchorPositioning()`.

The longer term fix of making `firstChild()`/`nextSibling()` use smart pointers is being done elsewhere.

This is exercised by imported/w3c/web-platform-tests/css/css-anchor-position/anchor-scroll-chained-004.html

* Source/WebCore/rendering/RenderLayer.cpp:
(WebCore::RenderLayer::setAnchorScrollAdjustment):
(WebCore::RenderLayer::clearAnchorScrollAdjustment):

Canonical link: https://commits.webkit.org/299014@main


