[webkit-changes] [WebKit/WebKit] 0be766: "NULL Object : Crash under WebCore::RenderObject::...

Mon Mar 18 09:34:27 PDT 2024

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 0be766940c18b3f779d8cac89d2e9696720e1b91
      https://github.com/WebKit/WebKit/commit/0be766940c18b3f779d8cac89d2e9696720e1b91
  Author: Nisha Jain <nisha_jain at apple.com>
  Date:   2024-03-18 (Mon, 18 Mar 2024)

  Changed paths:
    A LayoutTests/dom/html/document-renderobject-null-crash-expected.txt
    A LayoutTests/dom/html/document-renderobject-null-crash.html
    M Source/WebCore/dom/Document.cpp

  Log Message:
  -----------
  "NULL Object : Crash under WebCore::RenderObject::~RenderObject; WebCore::RenderText::~RenderText; WebCore::RenderTreeBuilder::destroy"
https://bugs.webkit.org/show_bug.cgi?id=267297
rdar://119186861.

Reviewed by Alan Baradlay.

Document::caretPositionFromPoint API is using CheckPtr to get RenderObject
even though the Object is already destroyed. In order to make sure CheckedPtr
is valid the render needs to be destroyed earlier not after. Using updateLayoutIgnorePendingStylesheets API for uptodate renderer tree.

* LayoutTests/dom/html/document-renderobject-null-crash-expected.txt: Added test expected file.
* LayoutTests/dom/html/document-renderobject-null-crash.html: Added test case.
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::caretPositionFromPoint): Added updateLayoutIgnorePendingStylesheets to get updated renderer tree before using CheckedPtr.

Originally-landed-as: 272448.251 at safari-7618-branch (9baf7178103b). rdar://124556134
Canonical link: https://commits.webkit.org/276275@main

To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications