[webkit-changes] [WebKit/WebKit] 1e64ff: Crash under ~Node() due to CheckedPtr

Chris Dumez noreply at github.com
Mon Jan 29 09:37:27 PST 2024


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 1e64ff6225471ac624d3536c41ba9e620d647fba
      https://github.com/WebKit/WebKit/commit/1e64ff6225471ac624d3536c41ba9e620d647fba
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2024-01-29 (Mon, 29 Jan 2024)

  Changed paths:
    M Source/WebCore/dom/Document.h
    M Source/WebCore/dom/Element.cpp
    M Source/WebCore/dom/Node.cpp
    M Source/WebCore/dom/Node.h
    M Source/WebCore/dom/ShadowRoot.cpp
    M Source/WebCore/dom/ShadowRoot.h
    M Source/WebCore/page/scrolling/ScrollAnchoringController.cpp
    M Source/WebCore/rendering/RenderObject.cpp
    M Source/WebCore/rendering/RenderObject.h

  Log Message:
  -----------
  Crash under ~Node() due to CheckedPtr
https://bugs.webkit.org/show_bug.cgi?id=268265
rdar://120253664

Reviewed by Brent Fulgham.

Stop using CheckedPtr with Nodes completely. Ever since adopting it, we've
been getting crashes in the CanMakeCheckedPtrBase destructor.

I've tried reducing the use of CheckedPtr with Nodes but the crashes are
still happening in the wild. To address the issue, I am getting rid of all
remaining usage for now.

I've switched to WeakRef/WeakPtr when possible. However, for the Node data
members I had to go back to raw pointers for now. Sadly, we can't use
WeakPtr for those at the moment because of the DOM & CSS JIT. We should
revisit to get rid of these raw pointers but for now, we need to address
the crashes caused by CheckedPtr adoption.

* Source/WebCore/dom/Document.h:
(WebCore::Document::incrementPtrCount const): Deleted.
(WebCore::Document::decrementPtrCount const): Deleted.
(WebCore::Document::registerCheckedPtr const): Deleted.
(WebCore::Document::copyCheckedPtr const): Deleted.
(WebCore::Document::moveCheckedPtr const): Deleted.
(WebCore::Document::unregisterCheckedPtr const): Deleted.
* Source/WebCore/dom/Element.cpp:
(WebCore::attrNodeListMap):
(WebCore::elementIdentifiersMap):
* Source/WebCore/dom/Node.cpp:
* Source/WebCore/dom/Node.h:
(WebCore::Node::previousSibling const):
(WebCore::Node::protectedPreviousSibling const):
(WebCore::Node::nextSibling const):
(WebCore::Node::protectedNextSibling const):
(WebCore::Node::parentNode const):
* Source/WebCore/dom/ShadowRoot.cpp:
* Source/WebCore/dom/ShadowRoot.h:
* Source/WebCore/page/scrolling/ScrollAnchoringController.cpp:
(WebCore::canIncludeElementInPriorityCandidateChain):
* Source/WebCore/rendering/RenderObject.cpp:
* Source/WebCore/rendering/RenderObject.h:

Canonical link: https://commits.webkit.org/273664@main
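The two pointer idioms the commit message contrasts are worth seeing side by side. The block below is an added, simplified model written for this page; it is not WebKit's WTF code and the class names FakeNode / FakeWeakNode and the helper functions are invented for illustration. It models the CheckedPtr contract the message describes (the target counts outstanding CheckedPtrs and checks the count in its destructor, which is where the reported crashes fire) against a WeakPtr that simply reads as null once its target is gone. The one deliberate departure from WebKit is that the destructor records a violation in a counter instead of aborting, so the failure mode can be observed by a test.

```cpp
// Simplified, illustrative models of the CheckedPtr and WeakPtr idioms (not WebKit's code).
#include <cassert>
#include <cstdio>
#include <memory>
#include <utility>

// In WebKit the CanMakeCheckedPtrBase destructor crashes when pointers are still
// outstanding. Here we count violations instead so the scenarios below can run to completion.
static int g_checkedPtrViolations = 0;

class CanMakeCheckedPtr {
public:
    CanMakeCheckedPtr() = default;
    CanMakeCheckedPtr(const CanMakeCheckedPtr&) = delete;
    CanMakeCheckedPtr& operator=(const CanMakeCheckedPtr&) = delete;
    ~CanMakeCheckedPtr()
    {
        // A non-zero count means something still points at us: a use-after-free waiting to
        // happen. The check turns a silent dangling pointer into a deterministic failure.
        if (m_ptrCount)
            ++g_checkedPtrViolations;
    }
    void incrementPtrCount() const { ++m_ptrCount; }
    void decrementPtrCount() const { --m_ptrCount; }
    unsigned ptrCount() const { return m_ptrCount; }
private:
    mutable unsigned m_ptrCount { 0 };
};

template<typename T>
class CheckedPtr {
public:
    CheckedPtr() = default;
    explicit CheckedPtr(T* ptr) : m_ptr(ptr) { if (m_ptr) m_ptr->incrementPtrCount(); }
    CheckedPtr(const CheckedPtr& other) : m_ptr(other.m_ptr) { if (m_ptr) m_ptr->incrementPtrCount(); }
    CheckedPtr(CheckedPtr&& other) : m_ptr(std::exchange(other.m_ptr, nullptr)) { }
    ~CheckedPtr() { if (m_ptr) m_ptr->decrementPtrCount(); }
    CheckedPtr& operator=(CheckedPtr other) { std::swap(m_ptr, other.m_ptr); return *this; } // copy-and-swap
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
    explicit operator bool() const { return m_ptr; }
private:
    T* m_ptr { nullptr };
};

// WeakPtr model: the target owns a shared "alive" flag that its destructor clears,
// so a WeakPtr that outlives the target reads as null instead of dangling.
class CanMakeWeakPtr {
public:
    ~CanMakeWeakPtr() { *m_alive = false; }
    std::shared_ptr<bool> aliveFlag() const { return m_alive; }
private:
    std::shared_ptr<bool> m_alive { std::make_shared<bool>(true) };
};

template<typename T>
class WeakPtr {
public:
    WeakPtr() = default;
    explicit WeakPtr(T& target) : m_ptr(&target), m_alive(target.aliveFlag()) { }
    T* get() const { return (m_alive && *m_alive) ? m_ptr : nullptr; }
    explicit operator bool() const { return get(); }
private:
    T* m_ptr { nullptr };
    std::shared_ptr<bool> m_alive;
};

struct FakeNode : CanMakeCheckedPtr { int id; explicit FakeNode(int i) : id(i) { } };       // hypothetical
struct FakeWeakNode : CanMakeWeakPtr { int id; explicit FakeWeakNode(int i) : id(i) { } };  // hypothetical

// Scenario 1: a CheckedPtr outlives its target. The target's destructor sees ptrCount == 1.
// Returns the number of violations recorded (1). In WebKit this is the crash the commit describes.
int checkedPtrOutlivesTarget()
{
    int before = g_checkedPtrViolations;
    auto node = std::make_unique<FakeNode>(1);
    auto* dangling = new CheckedPtr<FakeNode>(node.get()); // leaked on purpose, see below
    node.reset();   // ~FakeNode runs with an outstanding CheckedPtr
    (void)dangling; // never destroy it: decrementing through a freed node would itself be a UAF
    return g_checkedPtrViolations - before;
}

// Scenario 2: every CheckedPtr is released before the target dies. Returns 0 violations.
int checkedPtrReleasedBeforeTarget()
{
    int before = g_checkedPtrViolations;
    auto node = std::make_unique<FakeNode>(2);
    {
        CheckedPtr<FakeNode> p(node.get());
        CheckedPtr<FakeNode> q = p;   // two outstanding pointers, count == 2
    }                                 // both released, count back to 0
    node.reset();                     // destructor finds nothing outstanding
    return g_checkedPtrViolations - before;
}

// Scenario 3: a WeakPtr outlives its target and becomes null; the caller must check before use.
bool weakPtrGoesNullAfterTargetDies()
{
    WeakPtr<FakeWeakNode> weak;
    {
        FakeWeakNode node(3);
        weak = WeakPtr<FakeWeakNode>(node);
        if (!weak)
            return false;
    }
    return !weak;
}

int main()
{
    std::printf("CheckedPtr outlives target: %d violation(s)\n", checkedPtrOutlivesTarget());
    std::printf("CheckedPtr released first:  %d violation(s)\n", checkedPtrReleasedBeforeTarget());
    std::printf("WeakPtr null after death:   %s\n", weakPtrGoesNullAfterTargetDies() ? "yes" : "no");
    return 0;
}
```

The trade-off the commit is making follows from the two models: CheckedPtr fails fast at the target's destructor, which is exactly what surfaced as crashes in the wild, while WeakPtr/WeakRef defers the question to each use site and needs a control block the DOM and CSS JIT paths cannot currently carry for Node's own members, hence the temporary fallback to raw pointers there.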
