[Webkit-unassigned] [Bug 222720] REGRESSION(r272900): Nullptr crash in ComposedTreeIterator::traverseNextInShadowTree() via ShadowRoot::hostChildElementDidChange
bugzilla-daemon at webkit.org
Tue Apr 6 23:39:23 PDT 2021
https://bugs.webkit.org/show_bug.cgi?id=222720
--- Comment #45 from Ryosuke Niwa <rniwa at webkit.org> ---
Comment on attachment 425264
--> https://bugs.webkit.org/attachment.cgi?id=425264
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=425264&action=review
> Source/WebCore/dom/ContainerNode.cpp:631
> + if (auto* assignedSlot = oldChild.assignedSlot(); UNLIKELY(assignedSlot))
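Review bot: The `UNLIKELY` hint on this line only affects branch layout; `oldChild.assignedSlot()` in the if-initializer still runs on every call that reaches this point, whether or not the child is slotted. If this sits on a hot removal path, gate the call behind a cheaper test first so the common case pays nothing for the lookup.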
This will most likely cause a perf regression.
We should check that this node has rareData and then call shadowRoot().
Then the call should happen like all other functions from ShadowRoot -> SlotAssignment.
> Source/WebCore/dom/SlotAssignment.cpp:339
> + auto* slot = m_slots.get(slotNameFromAttributeValue(slotElement.attributeWithoutSynchronization(nameAttr)));
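Review bot: `m_slots.get(...)` on this line yields a pointer that is stored in `slot`, and the quoted line 343 uses `slot->assignedNodes`; nothing in the quoted lines shows a null check in between. If the name computed from `nameAttr` can be missing from `m_slots`, return early when `slot` is null, or assert and add a comment stating why the entry must exist.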
I don't think this is right. This won't work for the details element, for example.
> Source/WebCore/dom/SlotAssignment.cpp:343
> + slot->assignedNodes.removeAllMatching([&child] (const auto& item) {
> + return item.get() == &child;
> + });
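Review bot: The predicate in this `removeAllMatching` call matches by pointer identity (`item.get() == &child`), and the call is a silent no-op when `child` is not in `slot->assignedNodes`. Add a comment saying whether the child is expected to be present here, and an assertion if it always should be, so a stale or missing assignment shows up in debug builds.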
What code will be destructing the render object of this child?