[webkit-changes] [WebKit/WebKit] 35318b: Crash under ~RenderMenuList due to CheckedPtr usage
Chris Dumez
noreply at github.com
Tue Feb 13 15:25:21 PST 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 35318b4d54071007738a10e00831558603e590bd
https://github.com/WebKit/WebKit/commit/35318b4d54071007738a10e00831558603e590bd
Author: Chris Dumez <cdumez at apple.com>
Date: 2024-02-13 (Tue, 13 Feb 2024)
Changed paths:
M Source/WebCore/html/HTMLSelectElement.cpp
M Source/WebCore/rendering/RenderMenuList.cpp
Log Message:
-----------
Crash under ~RenderMenuList due to CheckedPtr usage
https://bugs.webkit.org/show_bug.cgi?id=269322
rdar://119790256
Reviewed by Alan Baradlay.
From the crash trace, we can see that HTMLSelectElement::defaultEventHandler()
holds a CheckedPtr to its RenderMenuList renderer and calls showPopup() on
the renderer. This ends up running JS, which removes the select element from
the DOM and in turn destroys the renderer. The usage is currently safe since
nothing is using the renderer after the JS has run. However, it was tripping
the CheckedPtr assertion.
To address the issue, switch to using WeakPtr for now and add comments to
clarify lifetime. We should consider refactoring this in a follow up though.
* Source/WebCore/html/HTMLSelectElement.cpp:
(WebCore::HTMLSelectElement::platformHandleKeydownEvent):
(WebCore::HTMLSelectElement::menuListDefaultEventHandler):
(WebCore::HTMLSelectElement::showPicker):
* Source/WebCore/rendering/RenderMenuList.cpp:
(RenderMenuList::showPopup):
Canonical link: https://commits.webkit.org/274586@main
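As an added illustration (not code from this commit or from WebKit's WTF library): a minimal model of the lifetime rule that separates CheckedPtr from WeakPtr, applied to the pattern the commit message describes. A handler holds a pointer to a renderer, calls into it, the call runs script, and the script destroys the renderer. The class names (CanMakeCheckedPtr, CheckedPtr, CanMakeWeakPtr, WeakPtr, Renderer) and the two handler functions are illustrative stand-ins, not WebKit's real types; the real CheckedPtr keeps its count inside the object and crashes on the violation, whereas this model keeps the count in a shared block and records the violation so both scenarios can run in one process.

```cpp
// Added example, not WebKit code. Models the CheckedPtr vs WeakPtr lifetime rule.
#include <cstdio>
#include <functional>
#include <memory>

// Real CheckedPtr fails a RELEASE_ASSERT when a checked object is destroyed
// while CheckedPtrs to it are still outstanding. This model records the
// violation instead of crashing, so the "before" and "after" cases both run.
static int g_checkedPtrViolations = 0;

// Object side of the CheckedPtr model (stand-in for WTF's CanMakeCheckedPtr).
// The outstanding-pointer count lives in a shared block rather than in the
// object, so a CheckedPtr that outlives the object can still release its count
// without touching freed memory. That is a simplification of the real design.
class CanMakeCheckedPtr {
public:
    CanMakeCheckedPtr() : m_count(std::make_shared<int>(0)) {}
    ~CanMakeCheckedPtr() {
        if (*m_count != 0)
            ++g_checkedPtrViolations; // real CheckedPtr: assertion failure here
    }
    std::shared_ptr<int> checkedCount() const { return m_count; }
private:
    std::shared_ptr<int> m_count;
};

template<typename T>
class CheckedPtr {
public:
    explicit CheckedPtr(T* ptr) : m_ptr(ptr), m_count(ptr->checkedCount()) { ++*m_count; }
    ~CheckedPtr() { --*m_count; }
    CheckedPtr(const CheckedPtr&) = delete;
    CheckedPtr& operator=(const CheckedPtr&) = delete;
    T* operator->() const { return m_ptr; }
private:
    T* m_ptr;
    std::shared_ptr<int> m_count;
};

// Object side of the WeakPtr model (stand-in for WTF's CanMakeWeakPtr).
// Destruction clears a shared slot, so every WeakPtr becomes null instead of
// dangling. There is no destructor-time invariant to trip.
template<typename T>
class CanMakeWeakPtr {
public:
    CanMakeWeakPtr() : m_slot(std::make_shared<T*>(static_cast<T*>(this))) {}
    ~CanMakeWeakPtr() { *m_slot = nullptr; }
    std::shared_ptr<T*> weakSlot() const { return m_slot; }
private:
    std::shared_ptr<T*> m_slot;
};

template<typename T>
class WeakPtr {
public:
    explicit WeakPtr(T& object) : m_slot(object.weakSlot()) {}
    T* get() const { return *m_slot; }
    explicit operator bool() const { return get() != nullptr; }
    T* operator->() const { return get(); }
private:
    std::shared_ptr<T*> m_slot;
};

// Stand-in for the renderer. showPopup() can run arbitrary script, modeled as a
// callback; that script may remove the element and so destroy this renderer.
class Renderer : public CanMakeCheckedPtr, public CanMakeWeakPtr<Renderer> {
public:
    void showPopup(const std::function<void()>& runScript) {
        runScript();
        // Nothing touches `this` after the script has run, so the access is
        // safe in practice, which is what the commit message says of the original.
    }
};

// "Before": the handler holds a CheckedPtr across showPopup(). Returns the
// number of violations recorded (1): the renderer is destroyed while the
// CheckedPtr is alive, so the destructor-time check fires even though nothing
// dereferences the pointer afterwards.
int handlerHoldingCheckedPtr() {
    g_checkedPtrViolations = 0;
    auto renderer = std::make_unique<Renderer>();
    {
        CheckedPtr<Renderer> checked(renderer.get());
        checked->showPopup([&] { renderer.reset(); }); // script destroys the renderer
    } // the CheckedPtr is released only here, after the object is already gone
    return g_checkedPtrViolations;
}

// "After": the handler holds a WeakPtr. Destruction nulls it, no invariant is
// violated, and the handler can test the pointer before any later use.
bool handlerHoldingWeakPtr() {
    g_checkedPtrViolations = 0;
    auto renderer = std::make_unique<Renderer>();
    WeakPtr<Renderer> weak(*renderer);
    weak->showPopup([&] { renderer.reset(); }); // same script, same destruction
    return !weak && g_checkedPtrViolations == 0; // cleared, and nothing tripped
}

int main() {
    std::printf("CheckedPtr violations: %d\n", handlerHoldingCheckedPtr());
    std::printf("WeakPtr cleared cleanly: %s\n", handlerHoldingWeakPtr() ? "yes" : "no");
    return 0;
}
```

The caveat the model makes visible: the CheckedPtr assertion is a deliberate early crash for a pointer that outlives its target, whether or not it is later dereferenced. Switching to WeakPtr silences that check and moves the responsibility to the caller, which must now treat the pointer as possibly null after any call that can re-enter script; the lifetime comments the commit adds are what document that obligation.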