[Webkit-unassigned] [Bug 222720] REGRESSION(r272900): Nullptr crash in ComposedTreeIterator::traverseNextInShadowTree() via ShadowRoot::hostChildElementDidChange
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Mar 18 03:29:14 PDT 2021
https://bugs.webkit.org/show_bug.cgi?id=222720
--- Comment #37 from Carlos Garcia Campos <cgarcia at igalia.com> ---
(In reply to Antti Koivisto from comment #36)
> Isn't it the same exact issue with the only difference being whether anyone
> is holding the removed nodes alive or not? If nothing keeps them alive you
> get the nullptr crash, if someone does you'll see a parentless element.
No, we are not keeping the removed nodes alive in the end, we are just removing nullptr entries from the assigned vector before returning them. But the other removed nodes, protected by the children vector, don't have a parent anymore. That happened before this patch.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210318/a7c85f38/attachment.htm>
More information about the webkit-unassigned
mailing list