[webkit-changes] [WebKit/WebKit] 6de0a6: Crash in CheckedPtr::decrementPtrCount via SplitTe...
Ryosuke Niwa
noreply at github.com
Wed May 1 18:27:27 PDT 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 6de0a6e596b6b251fe46c8b12b05a62aea4afb64
https://github.com/WebKit/WebKit/commit/6de0a6e596b6b251fe46c8b12b05a62aea4afb64
Author: Ryosuke Niwa <rniwa at webkit.org>
Date: 2024-05-01 (Wed, 01 May 2024)
Changed paths:
A LayoutTests/editing/style/apply-style-split-text-element-at-end-crash-expected.txt
A LayoutTests/editing/style/apply-style-split-text-element-at-end-crash.html
M Source/WebCore/editing/CompositeEditCommand.cpp
M Source/WebCore/editing/SplitTextNodeContainingElementCommand.cpp
Log Message:
-----------
Crash in CheckedPtr::decrementPtrCount via SplitTextNodeContainingElementCommand::doApply
https://bugs.webkit.org/show_bug.cgi?id=273581
<rdar://127116949>
Reviewed by Wenson Hsieh.
The crash was caused by SplitTextNodeContainingElementCommand::doApply holding onto a CheckedPtr
of RenderObject across a call to splitElement, which could trigger a layout and delete
the render object. Fixed the crash by reducing the scope of CheckedPtr.
Also remove the debug assertion in CompositeEditCommand::appendNode which gets hit with the
newly added test case.
* LayoutTests/editing/style/apply-style-split-text-element-at-end-crash-expected.txt: Added.
* LayoutTests/editing/style/apply-style-split-text-element-at-end-crash.html: Added.
* Source/WebCore/editing/CompositeEditCommand.cpp:
(WebCore::CompositeEditCommand::appendNode):
* Source/WebCore/editing/SplitTextNodeContainingElementCommand.cpp:
(WebCore::SplitTextNodeContainingElementCommand::doApply):
Canonical link: https://commits.webkit.org/278242@main
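
A simplified model of the lifetime problem the log message describes, as an added example that is not WebKit's code. `Renderer`, `Checked`, `Node` and `relayout` are hypothetical stand-ins for RenderObject, CheckedPtr and the layout-triggering splitElement call, and the model records the violation instead of freeing the object so it never touches freed memory.

```cpp
#include <memory>

// Hypothetical stand-in for a render object that counts checked pointers to it.
struct Renderer {
    int ptrCount = 0;
    int offset = 7; // constructed sample value the command reads
};

// Scoped counted pointer: increments on construction, decrements on destruction.
class Checked {
public:
    explicit Checked(Renderer* r) : m_ptr(r) { if (m_ptr) ++m_ptr->ptrCount; }
    ~Checked() { if (m_ptr) --m_ptr->ptrCount; }
    Checked(const Checked&) = delete;
    Checked& operator=(const Checked&) = delete;
    Renderer* operator->() const { return m_ptr; }
private:
    Renderer* m_ptr;
};

// Owner of the renderer; relayout() stands in for a call that may trigger layout.
struct Node {
    std::unique_ptr<Renderer> renderer = std::make_unique<Renderer>();
    bool destroyedWhileChecked = false;
    void relayout() {
        // Layout wants to replace the renderer. A live checked pointer at this
        // point is the bug: flag it and keep the old object so the model stays safe.
        if (renderer->ptrCount > 0) { destroyedWhileChecked = true; return; }
        renderer = std::make_unique<Renderer>();
    }
};

// Before: the checked pointer is still live across the call that can destroy its target.
bool applyHoldingPointer(Node& node) {
    Checked renderer(node.renderer.get());
    int offset = renderer->offset;
    node.relayout();
    (void)offset;
    return !node.destroyedWhileChecked;
}

// After: the pointer lives only in the inner block and is released before relayout().
bool applyWithReducedScope(Node& node) {
    int offset;
    { Checked renderer(node.renderer.get()); offset = renderer->offset; }
    node.relayout();
    (void)offset;
    return !node.destroyedWhileChecked;
}
```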