  Branch: refs/heads/webkitglib/2.52
  Home:   https://github.com/WebKit/WebKit
  Commit: bfdf5fb45d8161ee6fe1c49eaf1d0352a1546442
      https://github.com/WebKit/WebKit/commit/bfdf5fb45d8161ee6fe1c49eaf1d0352a1546442
  Author: Ryosuke Niwa <[email protected]>
  Date:   2026-03-16 (Mon, 16 Mar 2026)

  Changed paths:
    A LayoutTests/svg/custom/referenced-svg-resources-crash-on-slot-removal-expected.txt
    A LayoutTests/svg/custom/referenced-svg-resources-crash-on-slot-removal.html
    M Source/WebCore/rendering/ReferencedSVGResources.cpp
    M Source/WebCore/rendering/ReferencedSVGResources.h

  Log Message:
  -----------
  Cherry-pick 309133@main (11b230b2d621). https://bugs.webkit.org/show_bug.cgi?id=309749

    Crash in TreeScopeOrderedMap::getElementById via ReferencedSVGResources::~ReferencedSVGResources
    https://bugs.webkit.org/show_bug.cgi?id=309749
    <rdar://172309380>

    Reviewed by Chris Dumez.

    The crash was caused by ReferencedSVGResources's destructor calling getElementById to find an element
    with ID during Element::removedFromAncestor. Because TreeScopeOrderedMap relies on removedFromAncestor
    to update its internal states, it's not safe to call TreeScopeOrderedMap's member functions such as
    getElementById before we finish calling removedFromAncestor on a removed subtree.

    Fixed the bug by eliminating this use of TreeScopeOrderedMap::getElementById. Instead of looking up
    a client element with an ID in ReferencedSVGResources::removeClientForTarget, keep a weak reference to
    the client element in m_elementClients.

    The analysis and test co-authored with Claude AI.

    Test: svg/custom/referenced-svg-resources-crash-on-slot-removal.html

    * LayoutTests/svg/custom/referenced-svg-resources-crash-on-slot-removal-expected.txt: Added.
    * LayoutTests/svg/custom/referenced-svg-resources-crash-on-slot-removal.html: Added.
    * Source/WebCore/rendering/ReferencedSVGResources.cpp:
    (WebCore::ReferencedSVGResources::~ReferencedSVGResources):
    (WebCore::ReferencedSVGResources::addClientForTarget):
    (WebCore::ReferencedSVGResources::removeClientForTarget):
    (WebCore::ReferencedSVGResources::updateReferencedResources):
    * Source/WebCore/rendering/ReferencedSVGResources.h:

    Canonical link: https://commits.webkit.org/309133@main

Canonical link: https://commits.webkit.org/305877.205@webkitglib/2.52
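
The pattern the log message describes, as a simplified C++ model added here; it is not WebKit's code or part of this commit, and Element, IdMap, TrackerById and TrackerByWeakRef are hypothetical names. It contrasts resolving a client by id during teardown with holding a weak reference to it, counting lookups made while the id map is still mid-update.

```cpp
#include <cstdio>
#include <map>
#include <memory>
#include <string>

// Simplified model: every type and function name below is hypothetical.
struct Element { std::string id; int notifications = 0; };

// Id -> element map that is only consistent once a removal walk has finished.
struct IdMap {
    std::map<std::string, Element*> entries;
    bool updating = false;   // true while a removed subtree is being walked
    int unsafeLookups = 0;   // lookups answered from mid-update state
    Element* get(const std::string& id) {
        if (updating) ++unsafeLookups;
        auto it = entries.find(id);
        return it == entries.end() ? nullptr : it->second;
    }
};

// Before: remember the client's id and resolve it through the map on teardown.
struct TrackerById {
    IdMap& map; std::string clientId;
    ~TrackerById() { if (Element* e = map.get(clientId)) ++e->notifications; }
};

// After: hold a weak reference to the client; teardown never touches the map.
struct TrackerByWeakRef {
    std::weak_ptr<Element> client;
    ~TrackerByWeakRef() { if (auto e = client.lock()) ++e->notifications; }
};

// Destroys the tracker mid-walk; returns unsafe lookups, or -1 if the client was not notified once.
template <typename Tracker, typename Make>
int unsafeLookupsDuringRemoval(Make make) {
    IdMap map;
    auto client = std::make_shared<Element>(Element{"client"});
    map.entries[client->id] = client.get();
    std::unique_ptr<Tracker> tracker(make(map, client));
    map.updating = true;
    tracker.reset();                 // destructor runs mid-walk
    map.entries.erase(client->id);   // the map catches up only afterwards
    map.updating = false;
    return client->notifications == 1 ? map.unsafeLookups : -1;
}

int byId() { return unsafeLookupsDuringRemoval<TrackerById>([](IdMap& m, std::shared_ptr<Element> c) { return new TrackerById{m, c->id}; }); }
int byWeakRef() { return unsafeLookupsDuringRemoval<TrackerByWeakRef>([](IdMap&, std::shared_ptr<Element> c) { return new TrackerByWeakRef{c}; }); }
int main() { std::printf("by id: %d, by weak ref: %d\n", byId(), byWeakRef()); }
```

Both variants still notify the client exactly once; only the id-based one queries the map before the removal walk has finished.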


