[Webkit-unassigned] [Bug 206724] Nullptr crash when setting custom properties on detached style
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Mon Jan 27 16:18:39 PST 2020
https://bugs.webkit.org/show_bug.cgi?id=206724
Ryosuke Niwa <rniwa at webkit.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |rniwa at webkit.org
--- Comment #5 from Ryosuke Niwa <rniwa at webkit.org> ---
(In reply to Darin Adler from comment #4)
> Comment on attachment 388631 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=388631&action=review
>
> What causes the crash? It seems like the setCustomProperty function already
> tries to handle a null document. Where does the crash occur?
Ah, the crash happens because we try to dereference parentStyleSheet(), not document itself.
> >> Source/WebCore/css/PropertySetCSSStyleDeclaration.h:63
> >> + WeakPtr<Document> m_lastDocument;
> >
> > This doesn’t seem like the right approach to me.
>
> I think this could be done with just a plain Ref<Document> that is
> initialized when the declaration is created and always used. I don’t think
> there’s any real risk of a reference cycle. And then we would not have to
> complicate the clearParentRule and clearParentElement functions.
We can't quite do that the document associated with a given PropertySetCSSStyleDeclaration can change when the owner element gets adopted to another document (e.g. via document.adoptNode).
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200128/513a2043/attachment.htm>
More information about the webkit-unassigned
mailing list