Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: f88c5d9a0c4dee653373dd5fd4d0bd20c9f1706a
https://github.com/WebKit/WebKit/commit/f88c5d9a0c4dee653373dd5fd4d0bd20c9f1706a
Author: Ryosuke Niwa <[email protected]>
Date: 2026-06-05 (Fri, 05 Jun 2026)
Changed paths:
M LayoutTests/TestExpectations
M Source/WebCore/dom/ContainerNode.h
M Source/WebCore/dom/ContainerNodeInlines.h
M Source/WebCore/dom/DocumentFragment.cpp
M Source/WebCore/dom/DocumentType.cpp
M Source/WebCore/dom/Element.cpp
M Source/WebCore/dom/Node.cpp
M Source/WebCore/dom/Node.h
M Source/WebCore/dom/NodeInlines.h
M Source/WebCore/dom/ShadowRoot.cpp
M Source/WebCore/dom/ShadowRoot.h
M Source/WebCore/dom/XMLDocument.cpp
M Source/WebCore/loader/SinkDocument.cpp
M Source/WebCore/mathml/MathMLUnknownElement.cpp
Log Message:
-----------
Race condition in Node::traverseToOpaqueRoot
https://bugs.webkit.org/show_bug.cgi?id=310029
<rdar://172327427>
Reviewed by Anne van Kesteren.
Store the opaque root in Node instead of computing it during a marking phase of GC to avoid the race condition. Also optimize a few DOM functions.
No new tests since there should be no observable behavior differences other than the fix to the race condition, and the race condition is hard to test reliably.
* LayoutTests/TestExpectations:
* Source/WebCore/dom/ContainerNode.h:
(WebCore::ContainerNode::ContainerNode):
* Source/WebCore/dom/ContainerNodeInlines.h:
(WebCore::ContainerNode::rootNode const):
* Source/WebCore/dom/DocumentFragment.cpp:
* Source/WebCore/dom/DocumentType.cpp:
* Source/WebCore/dom/Element.cpp:
(WebCore::ShadowRoot::setHost):
(WebCore::Element::addShadowRoot):
* Source/WebCore/dom/Node.cpp:
(WebCore::Node::Node):
(WebCore::Node::isDescendantOf const): Added an optimization to avoid tree traversal if the root nodes of the two trees differ.
(WebCore::Node::isShadowIncludingDescendantOf const): Ditto.
(WebCore::Node::isComposedTreeDescendantOf const): Ditto.
(WebCore::traverseToShadowIncludingRoot):
(WebCore::Node::updateShadowIncludingRoot):
(WebCore::Node::insertionSteps):
(WebCore::Node::removingSteps):
(WebCore::Node::shadowIncludingRoot const): Deleted.
(WebCore::Node::opaqueRoot const): Deleted.
(WebCore::Node::traverseToOpaqueRoot const): Deleted.
* Source/WebCore/dom/Node.h:
(WebCore::Node::shadowIncludingRoot const):
* Source/WebCore/dom/NodeInlines.h:
(WebCore::Node::rootNode const):
* Source/WebCore/dom/ShadowRoot.cpp:
(WebCore::ShadowRoot::ShadowRoot):
* Source/WebCore/dom/ShadowRoot.h:
* Source/WebCore/dom/XMLDocument.cpp:
* Source/WebCore/loader/SinkDocument.cpp:
* Source/WebCore/mathml/MathMLUnknownElement.cpp:
Originally-landed-as: 305413.522@rapid/safari-7624.2.5.110-branch (76bd64baa59e). rdar://176062041
Canonical link: https://commits.webkit.org/314670@main
Commit: 934ecdc220856de5f97da087b09923355c2c7414
https://github.com/WebKit/WebKit/commit/934ecdc220856de5f97da087b09923355c2c7414
Author: Ryosuke Niwa <[email protected]>
Date: 2026-06-05 (Fri, 05 Jun 2026)
Changed paths:
A LayoutTests/fast/forms/radio-checked-detached-tree-gc-crash-expected.txt
A LayoutTests/fast/forms/radio-checked-detached-tree-gc-crash.html
M Source/WebCore/dom/ContainerNodeAlgorithms.cpp
M Source/WebCore/dom/Node.h
Log Message:
-----------
Heap use-after-free in Node::rootNode via stale m_shadowIncludingRoot
https://bugs.webkit.org/show_bug.cgi?id=312426
rdar://174490518
Reviewed by Geoffrey Garen.
The bug was caused by Node::m_shadowIncludingRoot not getting reset in removeDetachedChildrenInContainer. Fixed the bug by resetting it to this in the function.
Test: fast/forms/radio-checked-detached-tree-gc-crash.html
* LayoutTests/fast/forms/radio-checked-detached-tree-gc-crash-expected.txt: Added.
* LayoutTests/fast/forms/radio-checked-detached-tree-gc-crash.html: Added.
* Source/WebCore/dom/ContainerNodeAlgorithms.cpp:
(WebCore::removeDetachedChildrenInContainer):
* Source/WebCore/dom/Node.h:
(WebCore::Node::resetShadowIncludingRoot):
Originally-landed-as: 305413.681@safari-7624-branch (7058101b207d). rdar://176058881
Canonical link: https://commits.webkit.org/314671@main
Compare: https://github.com/WebKit/WebKit/compare/544a3bff9b31...934ecdc22085