[webkit-changes] [WebKit/WebKit] 35318b: Crash under ~RenderMenuList due to CheckedPtr usage

Chris Dumez noreply at github.com
Tue Feb 13 15:25:21 PST 2024


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 35318b4d54071007738a10e00831558603e590bd
      https://github.com/WebKit/WebKit/commit/35318b4d54071007738a10e00831558603e590bd
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2024-02-13 (Tue, 13 Feb 2024)

  Changed paths:
    M Source/WebCore/html/HTMLSelectElement.cpp
    M Source/WebCore/rendering/RenderMenuList.cpp

  Log Message:
  -----------
  Crash under ~RenderMenuList due to CheckedPtr usage
https://bugs.webkit.org/show_bug.cgi?id=269322
rdar://119790256

Reviewed by Alan Baradlay.

>From the crash trace, we can see that HTMLSelectElement::defaultEventHandler()
holds a CheckedPtr to its RenderMenuList renderer and calls showPopup() on
the renderer. This ends up running JS, which removes the select element from
the DOM and in turns destroys the renderer. The usage is currently safe since
nothing is using the renderer after the JS has run. However, it was tripping
the CheckedPtr assertion.

To address the issue, switch to using WeakPtr for now and add comments to
clarify lifetime. We should consider refactoring this in a follow up though.

* Source/WebCore/html/HTMLSelectElement.cpp:
(WebCore::HTMLSelectElement::platformHandleKeydownEvent):
(WebCore::HTMLSelectElement::menuListDefaultEventHandler):
(WebCore::HTMLSelectElement::showPicker):
* Source/WebCore/rendering/RenderMenuList.cpp:
(RenderMenuList::showPopup):

Canonical link: https://commits.webkit.org/274586@main




More information about the webkit-changes mailing list