[webkit-changes] [WebKit/WebKit] 0d0caf: Use RefPtr local variable for nextChild in insertC...
Mikhail R. Gadelha
noreply at github.com
Wed May 15 16:50:57 PDT 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 0d0caf9579718608843389ad1dcf5961c5cce63e
https://github.com/WebKit/WebKit/commit/0d0caf9579718608843389ad1dcf5961c5cce63e
Author: Mikhail R. Gadelha <mikhail at igalia.com>
Date: 2024-05-15 (Wed, 15 May 2024)
Changed paths:
A LayoutTests/fast/dom/set-attribute-and-normalize-in-event-expected.txt
A LayoutTests/fast/dom/set-attribute-and-normalize-in-event.html
M Source/WebCore/dom/ContainerNode.cpp
Log Message:
-----------
Use RefPtr local variable for nextChild in insertChildrenBeforeWithoutPreInsertionValidityCheck
https://bugs.webkit.org/show_bug.cgi?id=268765
rdar://122122623
Reviewed by Ryosuke Niwa and Chris Dumez.
This patch adds a RefPtr to hold a reference to nextChild so that the
pointer stays valid through the scope of the function.
In the test case, the removeChild() call (from the before() call in the js
script) triggers a DOMSubtreeModified event, which eventually calls normalize.
The normalize() call can destroy text elements when normalizing the content of
the node if there is no one holding the reference to that node, so holding
nextChild in a RefPtr prevents us from reading an invalid pointer.
* LayoutTests/fast/dom/set-attribute-and-normalize-in-event-expected.txt: Added.
* LayoutTests/fast/dom/set-attribute-and-normalize-in-event.html: Added.
* Source/WebCore/dom/ContainerNode.cpp:
(WebCore::ContainerNode::insertChildrenBeforeWithoutPreInsertionValidityCheck):
Originally-landed-as: 274097.10 at webkit-2024.2-embargoed (65b1fae34533). rdar://128089683
Canonical link: https://commits.webkit.org/278837@main
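An added illustration of the lifetime problem the log message describes, not code from the WebKit patch: std::shared_ptr stands in for RefPtr, and Node, Container and nextChildSurvives are hypothetical names. It models a removal whose mutation handler re-enters normalize() and shows that the next sibling stays alive only when a reference to it is held.

```cpp
#include <algorithm>
#include <functional>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-ins, not WebCore classes. std::shared_ptr plays RefPtr.
struct Node {
    std::string text;
    explicit Node(std::string t) : text(std::move(t)) {}
};
using NodePtr = std::shared_ptr<Node>;

struct Container {
    std::vector<NodePtr> children;
    std::function<void()> onSubtreeModified; // models a DOMSubtreeModified handler
    void removeChild(const Node* n) {
        children.erase(std::remove_if(children.begin(), children.end(),
            [n](const NodePtr& c) { return c.get() == n; }), children.end());
        if (onSubtreeModified)
            onSubtreeModified(); // script-controlled code runs mid-operation
    }
    // Merge every child into the first; merged nodes lose the tree's reference.
    void normalize() {
        while (children.size() > 1) {
            children[0]->text += children[1]->text;
            children.erase(children.begin() + 1);
        }
    }
};

// Returns true if the node after the removed one outlives the re-entrant call.
bool nextChildSurvives(bool holdRef) {
    Container parent;
    parent.children = { std::make_shared<Node>("a"), std::make_shared<Node>("x"),
                        std::make_shared<Node>("b") };
    parent.onSubtreeModified = [&parent] { parent.normalize(); };
    std::weak_ptr<Node> observer = parent.children[2]; // watches lifetime only
    NodePtr nextChild;                                 // stays null in the pre-fix case
    if (holdRef) nextChild = parent.children[2];       // the fix: hold a reference
    parent.removeChild(parent.children[1].get());
    return !observer.expired(); // false: a raw pointer kept here would dangle
}

int main() {
    std::cout << nextChildSurvives(false) << " " << nextChildSurvives(true) << "\n";
}
```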