Title: [285732] trunk
- Revision
- 285732
- Author
- commit-qu...@webkit.org
- Date
- 2021-11-12 11:02:40 -0800 (Fri, 12 Nov 2021)
Log Message
Null check host in SlotAssignment::assignSlots
https://bugs.webkit.org/show_bug.cgi?id=230899
Patch by Rob Buis <rb...@igalia.com> on 2021-11-12
Reviewed by Darin Adler.
Source/WebCore:
Null check host in SlotAssignment::assignSlots.
Tests: fast/shadow-dom/shadow-root-gc-crash.html
* dom/SlotAssignment.cpp:
(WebCore::SlotAssignment::assignSlots):
LayoutTests:
* fast/shadow-dom/shadow-root-gc-crash-expected.txt: Added.
* fast/shadow-dom/shadow-root-gc-crash.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (285731 => 285732)
--- trunk/LayoutTests/ChangeLog 2021-11-12 18:29:14 UTC (rev 285731)
+++ trunk/LayoutTests/ChangeLog 2021-11-12 19:02:40 UTC (rev 285732)
@@ -1,3 +1,13 @@
+2021-11-12 Rob Buis <rb...@igalia.com>
+
+ Null check host in SlotAssignment::assignSlots
+ https://bugs.webkit.org/show_bug.cgi?id=230899
+
+ Reviewed by Darin Adler.
+
+ * fast/shadow-dom/shadow-root-gc-crash-expected.txt: Added.
+ * fast/shadow-dom/shadow-root-gc-crash.html: Added.
+
2021-11-12 Antoine Quint <grao...@webkit.org>
[Web Animations] Accelerated animations with a single keyframe don't account for prior forward-filling animations
Added: trunk/LayoutTests/fast/shadow-dom/shadow-root-gc-crash-expected.txt (0 => 285732)
--- trunk/LayoutTests/fast/shadow-dom/shadow-root-gc-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/shadow-dom/shadow-root-gc-crash-expected.txt 2021-11-12 19:02:40 UTC (rev 285732)
@@ -0,0 +1 @@
+PASS
Added: trunk/LayoutTests/fast/shadow-dom/shadow-root-gc-crash.html (0 => 285732)
--- trunk/LayoutTests/fast/shadow-dom/shadow-root-gc-crash.html (rev 0)
+++ trunk/LayoutTests/fast/shadow-dom/shadow-root-gc-crash.html 2021-11-12 19:02:40 UTC (rev 285732)
@@ -0,0 +1,15 @@
+<script>
+ _onload_ = () => {
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ let div0 = document.createElement('div');
+ div0.appendChild(document.createElement('slot'));
+ div0.appendChild(document.createElement('slot'));
+ let div1 = document.createElement('div');
+ div1.attachShadow({mode: 'open'}).appendChild(div0);
+ div1.appendChild(document.createElement('div'));
+ div0.appendChild(document.createElement('div'));
+ window.GCController?.collect();
+ document.write("PASS");
+ };
+</script>
Modified: trunk/Source/WebCore/ChangeLog (285731 => 285732)
--- trunk/Source/WebCore/ChangeLog 2021-11-12 18:29:14 UTC (rev 285731)
+++ trunk/Source/WebCore/ChangeLog 2021-11-12 19:02:40 UTC (rev 285732)
@@ -1,3 +1,17 @@
+2021-11-12 Rob Buis <rb...@igalia.com>
+
+ Null check host in SlotAssignment::assignSlots
+ https://bugs.webkit.org/show_bug.cgi?id=230899
+
+ Reviewed by Darin Adler.
+
+ Null check host in SlotAssignment::assignSlots.
+
+ Tests: fast/shadow-dom/shadow-root-gc-crash.html
+
+ * dom/SlotAssignment.cpp:
+ (WebCore::SlotAssignment::assignSlots):
+
2021-11-12 Chris Dumez <cdu...@apple.com>
Disable MathML when in Captive Portal Mode
Modified: trunk/Source/WebCore/dom/SlotAssignment.cpp (285731 => 285732)
--- trunk/Source/WebCore/dom/SlotAssignment.cpp 2021-11-12 18:29:14 UTC (rev 285731)
+++ trunk/Source/WebCore/dom/SlotAssignment.cpp 2021-11-12 19:02:40 UTC (rev 285732)
@@ -356,12 +356,13 @@
for (auto& entry : m_slots)
entry.value->assignedNodes.shrink(0);
- auto& host = *shadowRoot.host();
- for (auto* child = host.firstChild(); child; child = child->nextSibling()) {
- if (!is<Text>(*child) && !is<Element>(*child))
- continue;
- auto slotName = slotNameForHostChild(*child);
- assignToSlot(*child, slotName);
+ if (auto* host = shadowRoot.host()) {
+ for (auto* child = host->firstChild(); child; child = child->nextSibling()) {
+ if (!is<Text>(*child) && !is<Element>(*child))
+ continue;
+ auto slotName = slotNameForHostChild(*child);
+ assignToSlot(*child, slotName);
+ }
}
for (auto& entry : m_slots)
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
