[Webkit-unassigned] [Bug 222720] REGRESSION(r272900): Nullptr crash in ComposedTreeIterator::traverseNextInShadowTree() via ShadowRoot::hostChildElementDidChange

bugzilla-daemon at webkit.org
Mon Mar 15 17:26:00 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=222720

--- Comment #21 from Ryosuke Niwa <rniwa at webkit.org> ---
(In reply to Carlos Garcia Campos from comment #19)
> So, a possible fix would be to add the new nodes found while iterating the
> children for removal to the collected children vector. That would keep them
> alive, but I'm not sure it's right to return them in the children vector or
> not. If not, we could just keep a separate vector for nodes added while
> others were removed.

That might be an okay alternative. But to do that, we need to be careful with how we do it. Since ContainerNode::removeAllChildrenWithScriptAssertion uses a while loop for when m_firstChild is not null, we can probably update the vector as we go, like so:

unsigned i = 0;
while (RefPtr<Node> child = m_firstChild) {
    children[i] = child;
    i++;
    ...

We need to be very careful with this approach because removeAllChildrenWithScriptAssertion is a pretty hot function. We could end up introducing a new perf regression. Given this is the second regression we're trying to fix for https://trac.webkit.org/r272900, which is a security bug, I don't think we want to take this path.

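The following is an added, self-contained C++ model of the lifetime problem the two comments above are discussing; it is not WebKit code and is not taken from r272900 or from any patch in this bug. A container owns a singly linked child list through shared_ptr (standing in for RefPtr and ContainerNode::m_firstChild), and a hypothetical onChildRemoved hook stands in for whatever can run while a child is being removed and append new children to the same parent. removeAllChildrenSnapshot collects the children up front and then drains the list: a node appended mid-loop is removed, but nothing outside the loop holds a reference to it, so it is destroyed before the function returns. removeAllChildrenRecording follows the sketch in comment #21 and writes each removed child back into the vector as the loop goes; because the hook can produce more children than the snapshot held, the model grows the vector with push_back once the index runs past the snapshot instead of indexing blindly. The names Node, Container, takeFirstChild, run and Outcome are all assumptions made for this example.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Constructed model, not WebKit code: a child list owned through shared_ptr.
struct Node {
    std::string name;
    std::shared_ptr<Node> nextSibling;  // the list owns each child via this chain
    explicit Node(std::string n) : name(std::move(n)) {}
};

struct Container {
    std::shared_ptr<Node> m_firstChild;  // echoes ContainerNode::m_firstChild
    // Hypothetical hook: runs while a child is being removed and may mutate the parent.
    std::function<void(Container&, const Node&)> onChildRemoved;

    void appendChild(std::shared_ptr<Node> child) {
        child->nextSibling = nullptr;
        if (!m_firstChild) { m_firstChild = std::move(child); return; }
        Node* last = m_firstChild.get();
        while (last->nextSibling) last = last->nextSibling.get();
        last->nextSibling = std::move(child);
    }

    // Unlink the first child; the returned shared_ptr may be its only remaining owner.
    std::shared_ptr<Node> takeFirstChild() {
        std::shared_ptr<Node> child = std::move(m_firstChild);
        m_firstChild = std::move(child->nextSibling);
        return child;
    }

    // Variant A: snapshot first, then drain. Nodes the hook appends during the
    // loop are removed but never enter the vector, so they die inside the loop.
    std::vector<std::shared_ptr<Node>> removeAllChildrenSnapshot() {
        std::vector<std::shared_ptr<Node>> children;
        for (auto n = m_firstChild; n; n = n->nextSibling) children.push_back(n);
        while (m_firstChild) {
            std::shared_ptr<Node> child = takeFirstChild();
            if (onChildRemoved) onChildRemoved(*this, *child);
        }  // `child` released here; a mid-loop insert has no other owner
        return children;
    }

    // Variant B: record every child the drain loop actually removes, growing the
    // vector when the hook appended more children than the snapshot contained.
    std::vector<std::shared_ptr<Node>> removeAllChildrenRecording() {
        std::vector<std::shared_ptr<Node>> children;
        for (auto n = m_firstChild; n; n = n->nextSibling) children.push_back(n);
        size_t i = 0;
        while (m_firstChild) {
            std::shared_ptr<Node> child = takeFirstChild();
            if (i < children.size()) children[i] = child;
            else children.push_back(child);  // not in the snapshot: appended mid-removal
            ++i;
            if (onChildRemoved) onChildRemoved(*this, *child);
        }
        return children;
    }
};

struct Outcome {
    std::vector<std::string> recorded;  // names held by the returned vector
    bool insertedAlive = false;         // did the mid-removal node survive the call?
    bool containerEmpty = false;
};

// Constructed scenario: children a, b; removing a appends x to the same parent.
Outcome run(bool record) {
    Container c;
    c.appendChild(std::make_shared<Node>("a"));
    c.appendChild(std::make_shared<Node>("b"));
    std::weak_ptr<Node> inserted;
    c.onChildRemoved = [&inserted](Container& self, const Node& removed) {
        if (removed.name != "a") return;
        auto x = std::make_shared<Node>("x");
        inserted = x;  // observe x without owning it
        self.appendChild(std::move(x));
    };
    auto children = record ? c.removeAllChildrenRecording() : c.removeAllChildrenSnapshot();
    Outcome o;
    for (const auto& n : children) o.recorded.push_back(n->name);
    o.insertedAlive = !inserted.expired();
    o.containerEmpty = !c.m_firstChild;
    return o;
}
```

With the snapshot variant, run(false) returns {a, b} and x is already gone; with the recording variant, run(true) returns {a, b, x} and x is still alive because the vector owns it. The model says nothing about the cost question raised in comment #21: writing every removed child back into the vector adds a store per iteration to a loop that runs for every container teardown, which is exactly the concern raised there.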