Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: a1c0f13ff6a03165d4f4fce97103a52783d9e18b
https://github.com/WebKit/WebKit/commit/a1c0f13ff6a03165d4f4fce97103a52783d9e18b
Author: Chris Dumez <[email protected]>
Date: 2025-11-08 (Sat, 08 Nov 2025)
Changed paths:
M Source/WebCore/page/ResizeObservation.cpp
M Source/WebCore/page/ResizeObserver.cpp
M Source/WebCore/page/ResizeObserverEntry.h
Log Message:
-----------
Regression(301243@main?) Potential null dereference of m_target in ResizeObservation::computeTargetLocation()
https://bugs.webkit.org/show_bug.cgi?id=302197
rdar://164271295
Reviewed by Ryosuke Niwa.
From the crash, we can tell that we're doing a null dereference of m_target in ResizeObservation::computeTargetLocation(), m_target being a WeakPtr.

I suspect this is a regression from 301243@main. The targets used to be kept alive via the `m_activeObservationTargets` Vector, which used to contain `GCReachableRef<Element>` types. 301243@main updated the Vector to contain `WeakPtr<Element>` and then relied on `JSResizeObserver::visitAdditionalChildren()` to visit the targets in the Vector. Something must be wrong with the leak fix in 301243@main. In particular, I think that updating the stack Vectors in `ResizeObserver::deliverObservations()` to also use WeakPtr instead of GCReachableRef was a mistake. The Vectors seemed useless after 301243@main as they contained WeakPtrs and were unused. I think those vectors have to keep using GCReachableRef to make sure the targets and their JS wrappers are kept alive while we deliver the observations. We need those vectors on the stack because the function clears `m_activeObservationTargets` before delivering the observations and thus `JSResizeObserver::visitAdditionalChildren()` will no longer be able to visit the targets on the GC thread.

Because my fix above may be insufficient and is speculative since we do not have a reproduction case, I also added a null check in ResizeObservation::computeTargetLocation() to avoid the null dereference. I also updated the call site to avoid constructing a ResizeObserverEntry for a target that has already been destroyed, since there is no point and it may cause trouble later on since the code may expect the target to be still alive.
* Source/WebCore/page/ResizeObservation.cpp:
(WebCore::ResizeObservation::computeTargetLocation const):
* Source/WebCore/page/ResizeObserver.cpp:
(WebCore::ResizeObserver::deliverObservations):
* Source/WebCore/page/ResizeObserverEntry.h:
(WebCore::ResizeObserverEntry::create):
(WebCore::ResizeObserverEntry::target const):
(WebCore::ResizeObserverEntry::ResizeObserverEntry):
Canonical link: https://commits.webkit.org/302765@main
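The lifetime problem the commit message describes, modelled as an added example that is not WebKit code: `Element` is owned by `std::shared_ptr` (standing in for the DOM tree and JS wrapper that keep it reachable), `std::weak_ptr` stands in for `WeakPtr<Element>`, a `shared_ptr` copy held on the stack stands in for `GCReachableRef<Element>`, and `Observation`, `Observer`, `Entry`, `DeliveryResult`, `deliverObservations`, `runScenario` and the `gcMayRun` hook are hypothetical names chosen for the example. The simulated GC runs once the member vector has been cleared; with only weak references every target is gone and only the null check keeps the delivery from dereferencing null, whereas with the stack vector of strong references every target survives delivery.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-ins, not WebKit types: an Element owned by shared_ptr
// (the DOM / JS wrapper keeping it reachable), std::weak_ptr in place of
// WeakPtr<Element>, and a shared_ptr copy in place of GCReachableRef<Element>.
struct Element {
    std::string id;
    int width;
};

// Models ResizeObservation: m_target is weak, so it can become null.
struct Observation {
    std::weak_ptr<Element> target;

    // Models computeTargetLocation() with the null check from the commit:
    // report failure instead of dereferencing a cleared WeakPtr.
    bool computeTargetLocation(int& width) const {
        auto live = target.lock();
        if (!live)
            return false;
        width = live->width;
        return true;
    }
};

struct Entry {
    std::shared_ptr<Element> target; // built only for a target that is still alive
    int width;
};

struct DeliveryResult {
    int delivered;   // entries that would be handed to the JS callback
    int skippedDead; // observations whose target had already been destroyed
};

struct Observer {
    std::vector<std::weak_ptr<Element>> activeTargets; // m_activeObservationTargets after 301243@main
    std::function<void()> gcMayRun;                    // simulated GC, runs once activeTargets is cleared
};

DeliveryResult deliverObservations(Observer& observer, bool keepTargetsAliveOnStack)
{
    // Like the real function, take the targets out of the member first; from
    // here on visitAdditionalChildren-style tracing can no longer see them.
    std::vector<std::weak_ptr<Element>> targets = std::move(observer.activeTargets);
    observer.activeTargets.clear();

    // The fix: a stack vector of strong references (GCReachableRef in WebKit)
    // that outlives delivery. Without it the targets are only weakly held.
    std::vector<std::shared_ptr<Element>> strongTargets;
    if (keepTargetsAliveOnStack) {
        for (auto& weak : targets) {
            if (auto live = weak.lock())
                strongTargets.push_back(std::move(live));
        }
    }

    observer.gcMayRun(); // a GC may run at any point after the member was cleared

    DeliveryResult result{0, 0};
    std::vector<Entry> entries;
    for (auto& weak : targets) {
        Observation observation{weak};
        int width = 0;
        if (!observation.computeTargetLocation(width)) {
            ++result.skippedDead; // do not build an entry for a destroyed target
            continue;
        }
        entries.push_back(Entry{weak.lock(), width});
        ++result.delivered;
    }
    // entries would now go to the JS callback; strongTargets keeps every
    // Element they reference alive until this function returns.
    return result;
}

// Constructed scenario: a document owning two elements observed by one
// observer, with a GC that frees whatever the document no longer references.
DeliveryResult runScenario(bool keepTargetsAliveOnStack)
{
    std::vector<std::shared_ptr<Element>> document = {
        std::make_shared<Element>(Element{"a", 100}),
        std::make_shared<Element>(Element{"b", 200}),
    };
    Observer observer;
    for (auto& element : document)
        observer.activeTargets.push_back(element);
    // Simulated collection: the document drops its references (script detached
    // the nodes); anything not held elsewhere is destroyed.
    observer.gcMayRun = [&document] { document.clear(); };
    return deliverObservations(observer, keepTargetsAliveOnStack);
}

int main()
{
    DeliveryResult weakOnly = runScenario(false);
    DeliveryResult withStackRefs = runScenario(true);
    std::printf("weak only: delivered=%d skippedDead=%d\n", weakOnly.delivered, weakOnly.skippedDead);
    std::printf("stack refs: delivered=%d skippedDead=%d\n", withStackRefs.delivered, withStackRefs.skippedDead);
    return 0;
}
```

Before the commit, the weak-only run would have crashed inside computeTargetLocation instead of counting two skipped observations; the null check turns that into a skipped entry, and the stack vector of strong references makes the skip path unreachable in the first place, which is why both belong together.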