[Webkit-unassigned] [Bug 222720] REGRESSION(r272900): Nullptr crash in ComposedTreeIterator::traverseNextInShadowTree() via ShadowRoot::hostChildElementDidChange
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Mar 11 04:06:55 PST 2021
https://bugs.webkit.org/show_bug.cgi?id=222720
--- Comment #16 from Carlos Garcia Campos <cgarcia at igalia.com> ---
(In reply to Antti Koivisto from comment #14)
> Presumably it should traverse to the next assigned node? It is bit difficult
> to say since this seems like some sort of error situation.
>
> Why does this vector even contain null weakptrs? Is the DOM tree being
> mutated during traversal? If so, then that's the real bug.
No, there's no mutation during traversal.
> If there is no mutations then why does assignedNodes() return a vector that
> contains nullptrs in the first place? Can't we fix the assignments instead?
> Or even just clean up the vector before returning it?
Note that the vector doesn't contain pointers, but WeakPtr, so it becomes nullptr when the node is destroyed. See comment #6 and comment #7. I guess we could remove nullptr elements from the Vector before returning it.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210311/1e740014/attachment.htm>
More information about the webkit-unassigned
mailing list