[webkit-changes] [WebKit/WebKit] 621e3b: Data race in Range::visitNodesConcurrently during ...

Ryosuke Niwa Sat, 06 Jun 2026 13:03:55 -0700

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 621e3bf30e1d188679b927a6ea34c0c8971e020c
      
https://github.com/WebKit/WebKit/commit/621e3bf30e1d188679b927a6ea34c0c8971e020c
  Author: Ryosuke Niwa <[email protected]>
  Date:   2026-06-06 (Sat, 06 Jun 2026)


  Changed paths:
    M Source/WebCore/dom/Range.cpp

  Log Message:
  -----------
  Data race in Range::visitNodesConcurrently during GC, leading to a 
use-after-free of RangeBoundaryPoint container nodes
https://bugs.webkit.org/show_bug.cgi?id=311261
rdar://174214346

Unreviewed. Addressing the review comments in the original PR.

* Source/WebCore/dom/Range.cpp:
(WebCore::Range::setStart):
(WebCore::Range::setEnd):
(WebCore::boundaryNodeChildrenChanged):
(WebCore::Range::nodeChildrenChanged):
(WebCore::boundaryNodeChildrenWillBeRemoved):
(WebCore::Range::nodeChildrenWillBeRemoved):
(WebCore::boundaryNodeWillBeRemoved):
(WebCore::Range::nodeWillBeRemoved):
(WebCore::boundaryTextInserted):
(WebCore::Range::textInserted):
(WebCore::boundaryTextRemoved):
(WebCore::Range::textRemoved):
(WebCore::boundaryTextNodesMerged):
(WebCore::Range::textNodesMerged):
(WebCore::boundaryTextNodesSplit):
(WebCore::Range::textNodeSplit):

Originally-landed-as: 305413.632@safari-7624-branch (0c74ffa4edbc). 
rdar://174214346
Canonical link: https://commits.webkit.org/314707@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

[webkit-changes] [WebKit/WebKit] 621e3b: Data race in Range::visitNodesConcurrently during ...

Reply via email to