Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: ab488735a47d06ba5753be00ae0212f76e20a5ff
https://github.com/WebKit/WebKit/commit/ab488735a47d06ba5753be00ae0212f76e20a5ff
Author: Ryosuke Niwa <[email protected]>
Date: 2026-06-06 (Sat, 06 Jun 2026)
Changed paths:
M Source/WebCore/dom/Document.cpp
M Source/WebCore/dom/Range.cpp
M Source/WebCore/dom/Range.h
Log Message:
-----------
Data race in Range::visitNodesConcurrently during GC, leading to a
use-after-free of RangeBoundaryPoint container nodes
https://bugs.webkit.org/show_bug.cgi?id=311261
rdar://173502014
Reviewed by Chris Dumez.
Add a lock for mutating m_start and m_end.
No new tests since there is no reliable way of testing this data race.
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::textInserted):
(WebCore::Document::textRemoved):
* Source/WebCore/dom/Range.cpp:
(WebCore::Range::setStart):
(WebCore::Range::setEnd):
(WebCore::Range::collapse):
(WebCore::Range::selectNodeContents):
(WebCore::Range::nodeChildrenChanged):
(WebCore::Range::nodeChildrenWillBeRemoved):
(WebCore::Range::nodeWillBeRemoved):
(WebCore::Range::textInserted):
(WebCore::Range::textRemoved):
(WebCore::Range::textNodesMerged):
(WebCore::Range::textNodeSplit):
(WebCore::Range::visitNodesInGCThread const): Renamed from
visitNodesConcurrently.
* Source/WebCore/dom/Range.h:
Originally-landed-as: 305413.623@rapid/safari-7624.2.5.110-branch (2c31f99593da). rdar://176061085
Canonical link: https://commits.webkit.org/314700@main
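The fix described in this commit, a lock guarding the two boundary points so the GC-thread visitor cannot observe a half-updated pair or dereference a container that the main thread is in the middle of replacing, is illustrated below with a toy analogue. This is an added example, not WebKit's code: `ToyNode`, `ToyRange`, `collapseTo`, `boundaryIds` and `countTornVisits` are assumed names, and `std::shared_ptr` stands in for WebKit's ref-counted `Node`. Only `m_start`, `m_end`, `nodeWillBeRemoved` and `visitNodesInGCThread` echo names from the commit message.

```cpp
#include <atomic>
#include <cstdio>
#include <memory>
#include <mutex>
#include <thread>
#include <utility>

// Constructed stand-in for a DOM node: only an id is needed for the demo.
struct ToyNode {
    explicit ToyNode(int nodeId) : id(nodeId) {}
    int id;
};

// Toy analogue of Range. Every mutation of the two boundary points and every
// read from the GC thread goes through m_lock (the lock is the added fix).
class ToyRange {
public:
    explicit ToyRange(std::shared_ptr<ToyNode> node) : m_start(node), m_end(node) {}

    // Main-thread mutation: both boundary points move together under the lock,
    // so a concurrent reader never sees one updated and the other stale.
    void collapseTo(std::shared_ptr<ToyNode> node) {
        std::lock_guard<std::mutex> lock(m_lock);
        m_start = node;
        m_end = node;
    }

    // Main-thread mutation when a container is about to leave the tree: rebind
    // the boundary points under the lock before the old container can be freed.
    void nodeWillBeRemoved(const ToyNode& node, std::shared_ptr<ToyNode> replacement) {
        std::lock_guard<std::mutex> lock(m_lock);
        if (m_start.get() == &node) m_start = replacement;
        if (m_end.get() == &node) m_end = replacement;
    }

    // GC-thread read: holds the lock for the whole visit, so the containers it
    // dereferences cannot be swapped out (and dropped) mid-visit.
    template <typename Visitor>
    void visitNodesInGCThread(Visitor&& visitor) const {
        std::lock_guard<std::mutex> lock(m_lock);
        visitor(*m_start, *m_end);
    }

    // Convenience for single-threaded checks: ids of the two containers.
    std::pair<int, int> boundaryIds() const {
        std::pair<int, int> ids{-1, -1};
        visitNodesInGCThread([&](const ToyNode& s, const ToyNode& e) { ids = {s.id, e.id}; });
        return ids;
    }

private:
    mutable std::mutex m_lock;
    std::shared_ptr<ToyNode> m_start;
    std::shared_ptr<ToyNode> m_end;
};

// Stress test: one thread mutates the range while a second thread visits it,
// as the GC thread would. Returns how many visits saw a torn pair (start and
// end pointing at different nodes). Because every access is serialised by the
// lock, the count is 0; without the lock the same loop would be a data race.
int countTornVisits(int iterations) {
    auto range = std::make_shared<ToyRange>(std::make_shared<ToyNode>(0));
    std::atomic<bool> done{false};
    std::atomic<int> torn{0};

    std::thread gcThread([&] {
        while (!done.load(std::memory_order_acquire)) {
            range->visitNodesInGCThread([&](const ToyNode& start, const ToyNode& end) {
                if (start.id != end.id)
                    torn.fetch_add(1, std::memory_order_relaxed);
            });
        }
    });

    for (int i = 1; i <= iterations; ++i) {
        auto node = std::make_shared<ToyNode>(i);
        range->collapseTo(node);
        // Simulate the container being removed from the tree: the boundary
        // points are rebound before this loop iteration drops `node`.
        range->nodeWillBeRemoved(*node, std::make_shared<ToyNode>(i));
    }
    done.store(true, std::memory_order_release);
    gcThread.join();
    return torn.load();
}

int main() {
    std::printf("torn visits observed: %d\n", countTornVisits(5000));
    return 0;
}
```

The invariant checked by the visitor (start and end always name the same node, because the mutator only ever moves them together) is exactly the kind of property a lock-free reader can see violated: without `m_lock`, the GC thread could read a fresh `m_start` and a stale `m_end`, or dereference a container whose last reference the main thread has just released.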