[Webkit-unassigned] [Bug 222720] REGRESSION(r272900): Nullptr crash in ComposedTreeIterator::traverseNextInShadowTree() via ShadowRoot::hostChildElementDidChange
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Apr 7 00:18:06 PDT 2021
https://bugs.webkit.org/show_bug.cgi?id=222720
--- Comment #47 from Ryosuke Niwa <rniwa at webkit.org> ---
Comment on attachment 425264
--> https://bugs.webkit.org/attachment.cgi?id=425264
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=425264&action=review
> Source/WebCore/dom/ContainerNode.cpp:634
> destroyRenderTreeIfNeeded(oldChild);
Antti and I have discussed this over FaceTime.
We just need destruct the render tree here instead of in ShadowRoot::hostChildElementDidChange which happens after the node had been removed.
Additionally, we need to destruct the render tree of assigned nodes in executeNodeInsertionWithScriptAssertion before we insert nodes somehow
so that we can get rid of the render objects of the slot fallback content.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210407/65f5c94b/attachment.htm>
More information about the webkit-unassigned
mailing list