[Webkit-unassigned] [Bug 222720] REGRESSION(r272900): Nullptr crash in ComposedTreeIterator::traverseNextInShadowTree() via ShadowRoot::hostChildElementDidChange

bugzilla-daemon at webkit.org
Thu Mar 11 21:16:51 PST 2021


https://bugs.webkit.org/show_bug.cgi?id=222720

--- Comment #17 from Ryosuke Niwa <rniwa at webkit.org> ---
(In reply to Antti Koivisto from comment #15)
> In any case this doesn't seem like a correct fix to me.

That's what I thought, so I discussed this with Carlos.

(In reply to Ryosuke Niwa from comment #9)
> This is because Element::removedFromAncestor is the one that calls
> ShadowRoot::hostChildElementDidChange but we wouldn't call
> ShadowRoot::didRemoveAllChildrenOfShadowHost() until
> Element::childrenChanged is called later.

Because we wouldn't invalidate the slot assignment until ShadowRoot::didRemoveAllChildrenOfShadowHost is called, we'd hit this nullptr in the out-of-date slot assignment.
