[Webkit-unassigned] [Bug 222720] REGRESSION(r272900): Nullptr crash in ComposedTreeIterator::traverseNextInShadowTree() via ShadowRoot::hostChildElementDidChange

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Mar 18 23:42:25 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=222720

--- Comment #40 from Ryosuke Niwa <rniwa at webkit.org> ---
(In reply to Carlos Garcia Campos from comment #39)
> (In reply to Antti Koivisto from comment #38)
> > I think that's what I just said.
> 
> I got it now, my point is that the parentless issue happens with or without
> this patch, that's why I opened a separate bug. I can fix it in this bug in
> any case if you prefer that. But I wonder, if the parentless elements should
> not be included in the composed tree, then we might end up not clearing the
> renders again (that was the original bug).

This is the second regression from r272900 after the initial patch had failed to fully address the issue. We can't afford to further prolong & complicate all these security fixes.

Note that https://bugs.webkit.org/show_bug.cgi?id=223378 is also a security bug if we fail to properly detach the render object from those nodes.
