Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: d8bf29799f0fcb1edc436e15a7c2b487c1aff803
https://github.com/WebKit/WebKit/commit/d8bf29799f0fcb1edc436e15a7c2b487c1aff803
Author: Alan Baradlay <[email protected]>
Date: 2026-04-23 (Thu, 23 Apr 2026)
Changed paths:
A LayoutTests/fast/css-generated-content/first-letter-stale-checked-ptr-crash-expected.txt
A LayoutTests/fast/css-generated-content/first-letter-stale-checked-ptr-crash.html
M Source/WebCore/page/LocalFrameViewLayoutContext.h
M Source/WebCore/rendering/updating/RenderTreeBuilder.cpp
M Source/WebCore/rendering/updating/RenderTreeBuilderFirstLetter.cpp
M Source/WebCore/testing/Internals.cpp
M Source/WebCore/testing/Internals.h
M Source/WebCore/testing/Internals.idl
Log Message:
-----------
Inserting a text node before ::first-letter can crash on CheckedPtr
https://bugs.webkit.org/show_bug.cgi?id=313007
<rdar://175223463>
Reviewed by Antti Koivisto.
1. When a text node is prepended before an existing ::first-letter split,
updateAfterDescendants detects the stale first-letter and calls setText
on the remaining text fragment.
2. setText destroys the anonymous first-letter wrapper via
RenderTreeBuilder::destroy.
This frees the wrapper and its children, but CheckedPtrs to the wrapper
(anonymousFirstLetterContainer) and the remaining text (remainingText)
still reference the dead objects. When these CheckedPtrs go out of scope,
their destructors crash on the scribbled-to-zero checked count.
The fix is to use WeakPtr instead of CheckedPtr for these locals. WeakPtr
is the correct smart pointer here because these renderers can be destroyed
as part of the normal setText/createRenderers flow - they are not guaranteed
to outlive the pointer, which is the contract CheckedPtr enforces.
Also added an Internals API (setImmediateRendererDestructionEnabled) to bypass
the deferred renderer destruction list for testing. Normally, destroyed renderers
are moved to a detached list and freed later, which hides stale pointer bugs.
Immediate destruction frees the memory right away, making these bugs reproducible.
Test: fast/css-generated-content/first-letter-stale-checked-ptr-crash.html
* LayoutTests/fast/css-generated-content/first-letter-stale-checked-ptr-crash-expected.txt: Added.
* LayoutTests/fast/css-generated-content/first-letter-stale-checked-ptr-crash.html: Added.
* Source/WebCore/page/LocalFrameViewLayoutContext.h:
* Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:
(WebCore::RenderTreeBuilder::destroy):
* Source/WebCore/rendering/updating/RenderTreeBuilderFirstLetter.cpp:
(WebCore::RenderTreeBuilder::FirstLetter::updateAfterDescendants):
* Source/WebCore/testing/Internals.cpp:
(WebCore::Internals::setImmediateRendererDestructionEnabled):
* Source/WebCore/testing/Internals.h:
* Source/WebCore/testing/Internals.idl:
Canonical link: https://commits.webkit.org/311864@main
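The lifetime contracts the commit message contrasts, as an added illustration that is not WebKit or WTF code: CheckedPtrModel and WeakPtrModel are simplified stand-ins for CheckedPtr and WeakPtr, Wrapper stands in for a renderer, destroyRenderer stands in for RenderTreeBuilder::destroy, and the Diagnostics counter records where the real CheckedPtr would crash. The two flows use the local names from the message (anonymousFirstLetterContainer, remainingText); the deferred/immediate switch models why the Internals API was needed to make the stale pointer visible.

```cpp
#include <cstdint>
#include <memory>
#include <vector>

// Added illustration only: simplified models of the CheckedPtr and WeakPtr contracts.
struct Diagnostics {
    int checkedPtrCrashes = 0; // where WTF's CheckedPtr would crash
};

// Renderer-like object. weakImpl plays the role of the shared cell that WeakPtrs
// read through and that is cleared when the object is destroyed.
struct Wrapper {
    uint32_t checkedCount = 0;
    std::shared_ptr<Wrapper*> weakImpl;
    Wrapper() : weakImpl(std::make_shared<Wrapper*>(this)) { }
    Wrapper(const Wrapper&) = delete;
    Wrapper& operator=(const Wrapper&) = delete;
};

// CheckedPtr contract: the pointee must outlive the pointer. The pointer bumps the
// pointee's count on construction and decrements it again on destruction.
class CheckedPtrModel {
public:
    CheckedPtrModel(Wrapper* w, Diagnostics& d) : m_ptr(w), m_diag(d) { if (m_ptr) ++m_ptr->checkedCount; }
    CheckedPtrModel(const CheckedPtrModel&) = delete;
    CheckedPtrModel& operator=(const CheckedPtrModel&) = delete;
    ~CheckedPtrModel()
    {
        if (!m_ptr)
            return;
        // The decrement happens inside the pointee. If the pointee was already freed and
        // its count scribbled to zero, this is the crash described in the commit message.
        if (m_ptr->checkedCount == 0)
            ++m_diag.checkedPtrCrashes;
        else
            --m_ptr->checkedCount;
    }
    Wrapper* get() const { return m_ptr; }
private:
    Wrapper* m_ptr;
    Diagnostics& m_diag;
};

// WeakPtr contract: the pointee may die first; the pointer then reads as null.
class WeakPtrModel {
public:
    explicit WeakPtrModel(Wrapper& w) : m_impl(w.weakImpl) { }
    Wrapper* get() const { return *m_impl; }
private:
    std::shared_ptr<Wrapper*> m_impl;
};

// Stand-in for RenderTreeBuilder::destroy. With a detached list (the normal path) the
// object is parked and freed later, so a stale pointer still sees valid memory. With
// immediate destruction (the testing mode the commit adds) the object is gone now;
// scribbling the count to zero stands in for the freed memory.
static void destroyRenderer(Wrapper& w, std::vector<Wrapper*>* detachedList)
{
    *w.weakImpl = nullptr; // every WeakPtr to it now reads null
    if (detachedList) {
        detachedList->push_back(&w);
        return;
    }
    w.checkedCount = 0;
}

// The buggy shape: CheckedPtr locals, then setText destroys both renderers.
// Returns how many CheckedPtr destructors would have crashed.
static int flowWithCheckedPtr(bool immediateDestruction)
{
    Diagnostics diag;
    std::vector<Wrapper*> detached;
    std::vector<Wrapper*>* list = immediateDestruction ? nullptr : &detached;
    {
        Wrapper anonymousFirstLetterContainer;
        Wrapper remainingText;
        CheckedPtrModel containerPtr(&anonymousFirstLetterContainer, diag);
        CheckedPtrModel textPtr(&remainingText, diag);
        destroyRenderer(anonymousFirstLetterContainer, list); // setText -> destroy
        destroyRenderer(remainingText, list);
        // containerPtr and textPtr go out of scope here and touch the dead objects.
    }
    return diag.checkedPtrCrashes;
}

// The fixed shape: a WeakPtr local observes the destruction instead of crashing.
static bool flowWithWeakPtr()
{
    Wrapper anonymousFirstLetterContainer;
    WeakPtrModel containerPtr(anonymousFirstLetterContainer);
    bool aliveBefore = containerPtr.get() == &anonymousFirstLetterContainer;
    destroyRenderer(anonymousFirstLetterContainer, nullptr);
    return aliveBefore && containerPtr.get() == nullptr;
}
```

With deferred destruction the checked flow reports no crash at all, which is exactly the masking effect the commit works around; with immediate destruction both CheckedPtr locals hit the scribbled count, and only the WeakPtr version survives the same sequence.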