Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 277383f502897a94b43f4302a56e922fdfa1876c
https://github.com/WebKit/WebKit/commit/277383f502897a94b43f4302a56e922fdfa1876c
Author: Ruthvik Konda <[email protected]>
Date: 2025-11-24 (Mon, 24 Nov 2025)
Changed paths:
A LayoutTests/fast/dom/Element/nth-child-of-popover-open-crash-expected.txt
A LayoutTests/fast/dom/Element/nth-child-of-popover-open-crash.html
M Source/WebCore/html/HTMLElement.cpp
M Source/WebCore/style/StyleInvalidator.cpp
Log Message:
-----------
Fix crash in style invalidation when element has no parent during removal
https://bugs.webkit.org/show_bug.cgi?id=301879
rdar://163025404
Reviewed by Antti Koivisto.
This is a fuzzer-found bug that results in a crash.

When hidePopoverInternal() is called during element removal (due to outerText being set), style invalidation runs even when parentNode is null. This is incorrect. We shouldn't be entering style invalidation in this case at all. While the rest of the cleanup in hidePopoverInternal() is necessary, style invalidation is not here.

As a result, this fix adds a null check to only perform style invalidation when elements are NOT being removed (aka its parent still exists). Since we add this check, the existing null check further down in invalidateStyleWithMatchElement() is redundant and no longer necessary.

There were 2 previous attempted fixes for this: 286644@main and 293967@main. 286644@main had an incorrect Style::InvalidationScope::Descendants. 293967@main didn't add null checks to the other relevant cases in invalidateStyleWithMatchElement(). This PR correctly implements the full fix.
Test: fast/dom/Element/nth-child-of-popover-open-crash.html
* LayoutTests/fast/dom/Element/nth-child-of-popover-open-crash-expected.txt: Added.
* LayoutTests/fast/dom/Element/nth-child-of-popover-open-crash.html: Added.
* Source/WebCore/html/HTMLElement.cpp:
(WebCore::HTMLElement::hidePopoverInternal):
* Source/WebCore/style/StyleInvalidator.cpp:
(WebCore::Style::Invalidator::invalidateStyleWithMatchElement):
Canonical link: https://commits.webkit.org/303507@main
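As an added illustration of the invariant the commit message describes, the constructed C++ toy below is not WebKit code and not the patch itself: `Element`, `hidePopover`, `invalidateSiblingStyles` and the scenario functions are hypothetical names chosen for this example. It models a popover element that is detached from its parent while still open, then hidden. The sibling-style invalidation step dereferences the parent, so it must be skipped when the element has already been removed, while the popover state cleanup still runs unconditionally.

```cpp
#include <memory>
#include <string>
#include <vector>

// Constructed toy DOM node (not WebKit's Element): parent pointer plus owned children.
struct Element {
    std::string tag;
    Element* parent = nullptr;
    std::vector<std::unique_ptr<Element>> children;
    bool popoverOpen = false;
    bool needsStyleRecalc = false;

    Element* appendChild(std::unique_ptr<Element> child) {
        child->parent = this;
        children.push_back(std::move(child));
        return children.back().get();
    }

    // Detach a child and hand ownership back to the caller; parent becomes null.
    std::unique_ptr<Element> removeChild(Element* child) {
        for (auto it = children.begin(); it != children.end(); ++it) {
            if (it->get() == child) {
                std::unique_ptr<Element> owned = std::move(*it);
                children.erase(it);
                owned->parent = nullptr;
                return owned;
            }
        }
        return nullptr;
    }
};

// Hypothetical stand-in for invalidating the siblings that a selector such as
// :nth-child(... of :popover-open) could match. It dereferences element.parent,
// so calling it on a detached element would be a null-pointer dereference.
static int invalidateSiblingStyles(Element& element) {
    int invalidated = 0;
    for (auto& sibling : element.parent->children) {
        sibling->needsStyleRecalc = true;
        ++invalidated;
    }
    return invalidated;
}

// Mirrors the fix's shape: state cleanup always happens, but style invalidation
// only runs while the element is still in the tree. Returns the number of
// siblings invalidated (0 when the element was already detached).
static int hidePopover(Element& element) {
    element.popoverOpen = false;      // cleanup that is always required
    if (!element.parent)
        return 0;                     // removed from the tree: skip invalidation
    return invalidateSiblingStyles(element);
}

// Scenario 1: popover removed from its parent, then hidden. Expected: 0.
static int hideAfterRemoval() {
    Element root;
    root.tag = "div";
    auto popover = std::make_unique<Element>();
    popover->tag = "div";
    popover->popoverOpen = true;
    Element* p = root.appendChild(std::move(popover));
    root.appendChild(std::make_unique<Element>());   // an unrelated sibling
    std::unique_ptr<Element> detached = root.removeChild(p);
    return hidePopover(*detached);
}

// Scenario 2: popover hidden while still attached. Expected: both children (2).
static int hideWhileAttached() {
    Element root;
    root.tag = "div";
    auto popover = std::make_unique<Element>();
    popover->popoverOpen = true;
    Element* p = root.appendChild(std::move(popover));
    root.appendChild(std::make_unique<Element>());
    return hidePopover(*p);
}

// The guard must not suppress the rest of the cleanup: popoverOpen is cleared
// even on a detached element. Returns true when that holds.
static bool cleanupStillRunsWhenDetached() {
    Element root;
    auto popover = std::make_unique<Element>();
    popover->popoverOpen = true;
    Element* p = root.appendChild(std::move(popover));
    std::unique_ptr<Element> detached = root.removeChild(p);
    hidePopover(*detached);
    return !detached->popoverOpen;
}
```

The point of splitting the early return from the cleanup is the one the message makes: the null check belongs at the entry to invalidation, not buried inside it, so that a detached element never reaches code that assumes a parent.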