Branch: refs/heads/webkitglib/2.50
  Home:   https://github.com/WebKit/WebKit
  Commit: 0e9882dc3ce00a21dad556c812e722ab2dd9e088
https://github.com/WebKit/WebKit/commit/0e9882dc3ce00a21dad556c812e722ab2dd9e088
  Author: Ruthvik Konda <[email protected]>
  Date:   2025-11-25 (Tue, 25 Nov 2025)

  Changed paths:
    A LayoutTests/fast/dom/Element/nth-child-of-popover-open-crash-expected.txt
    A LayoutTests/fast/dom/Element/nth-child-of-popover-open-crash.html
    M Source/WebCore/html/HTMLElement.cpp
    M Source/WebCore/style/StyleInvalidator.cpp

  Log Message:
  -----------
  Cherry-pick 303507@main (277383f50289). https://bugs.webkit.org/show_bug.cgi?id=301879

    Fix crash in style invalidation when element has no parent during removal
    https://bugs.webkit.org/show_bug.cgi?id=301879
    rdar://163025404

    Reviewed by Antti Koivisto.

    This is a fuzzer-found bug that results in a crash.
    When hidePopoverInternal() is called during element removal (due to outerText being set),
    style invalidation runs even when parentNode is null. This is
    incorrect. We shouldn't be entering style invalidation in this case at all.
    While the rest of the cleanup in hidePopoverInternal() is necessary, style
    invalidation is not here.

    As a result, this fix adds a null check to only perform style invalidation
    when elements are NOT being removed (aka its parent still exists). Since we
    add this check, the existing null check further down in invalidateStyleWithMatchElement()
    is redundant and no longer necessary.

    There were 2 previous attempted fixes for this: 286644@main and 293967@main.
    286644@main had an incorrect Style::InvalidationScope::Descendants. 293967@main didn't
    add null checks to the other relevant cases in invalidateStyleWithMatchElement().
    This PR correctly implements the full fix.

    Test: fast/dom/Element/nth-child-of-popover-open-crash.html

    * LayoutTests/fast/dom/Element/nth-child-of-popover-open-crash-expected.txt: Added.
    * LayoutTests/fast/dom/Element/nth-child-of-popover-open-crash.html: Added.
    * Source/WebCore/html/HTMLElement.cpp:
    (WebCore::HTMLElement::hidePopoverInternal):
    * Source/WebCore/style/StyleInvalidator.cpp:
    (WebCore::Style::Invalidator::invalidateStyleWithMatchElement):

    Canonical link: https://commits.webkit.org/303507@main

Canonical link: https://commits.webkit.org/298234.307@webkitglib/2.50