[webkit-changes] [WebKit/WebKit] d030f8: Cherry-pick 252432.689 at safari-7614-branch (706a069...
Chirag Shah
noreply at github.com
Mon Dec 19 14:53:00 PST 2022
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: d030f866382e08d435256019406253718dc11a17
https://github.com/WebKit/WebKit/commit/d030f866382e08d435256019406253718dc11a17
Author: Chirag M Shah <chirag_m_shah at apple.com>
Date: 2022-12-19 (Mon, 19 Dec 2022)
Changed paths:
M Source/WebCore/dom/ContainerNode.cpp
Log Message:
-----------
Cherry-pick 252432.689 at safari-7614-branch (706a0693c737). rdar://103520049
Correctly teardown children for elements with NULL renderer which have
display contents changed.
rdar://problem/99616850
Reviewed by Antti Koivisto.
- When an element has display-contents:true, we don't create a renderer
for it, but its children may still have renderers which point to
nodes in the DOM. When certain nodes in the DOM are torn down, these
renderers were holding stale references, which caused use-after-free
issues. The patch fixes the issue by correcting the teardown logic for
such nodes.
* Source/WebCore/dom/ContainerNode.cpp:
(WebCore::destroyRenderTreeIfNeeded):
Canonical link: https://commits.webkit.org/252432.689@safari-7614-branch
Canonical link: https://commits.webkit.org/258098@main