Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 2757278b899d7543c54534314ddf8d7026ce7349
      
https://github.com/WebKit/WebKit/commit/2757278b899d7543c54534314ddf8d7026ce7349
  Author: Kiet Ho <[email protected]>
  Date:   2026-06-01 (Mon, 01 Jun 2026)

  Changed paths:
    M Source/WebCore/page/IntersectionObserver.cpp

  Log Message:
  -----------
  [intersection-observer] IntersectionObserver::updateObservations could modify m_observationTargets when iterating through it
rdar://178339073
https://bugs.webkit.org/show_bug.cgi?id=315957

Reviewed by Simon Fraser.

313834@main adds this code to IntersectionObserver::updateObservations to avoid updating
observations if the target's document is detached:

for (auto& target : observationTargets()) {
    if (!root() && !target.document().isFullyActive()) {
        m_targetsWaitingForFirstObservation.removeFirstMatching([&](auto& pendingTarget) {
            return pendingTarget.ptr() == &target;
        });
        continue;
    }
    [...]
}

m_targetsWaitingForFirstObservation owns ref-counted Elements. If removeFirstMatching
removes an Element, and its only reference is in m_targetsWaitingForFirstObservation,
the element gets destroyed. As the element is used in an intersection observer, its
destructor calls IntersectionObserver::unobserve to de-register itself, which removes
the Element from m_observationTargets. But the for loop is also iterating through
m_observationTargets (by observationTargets()). This leads to a use-after-free as the
iterator reaches the removed element. Fix this by making a copy of observationTargets()
before iterating through it. Also take this opportunity to make `target` refcounted.

This was found by the ASan bot on this test: media/destructor-logging-crash.html

* Source/WebCore/page/IntersectionObserver.cpp:
(WebCore::IntersectionObserver::updateObservations):

Canonical link: https://commits.webkit.org/314315@main
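The hazard the commit message describes, as an added example that is not WebKit code: a stand-in Element/Observer pair in which a target's destructor de-registers itself from the container the update loop is walking. Element, Observer, dropPendingEntry, runScenario and the instrumentation counters are hypothetical names; the two containers are modelled as a vector of raw pointers (the non-owning registrations) and a vector of shared_ptr (the pending list that owns the targets). The "before" walk uses an index with a bounds check so the program stays defined; instead of the use-after-free the quoted range-for would hit, it surfaces the same mid-walk erasure as a skipped target and a non-zero mutation count. The "after" walk takes a strong-reference snapshot first, as the fix does.

```cpp
// Added example, not WebKit code: a minimal model of the container-mutation hazard.
// Element, Observer, dropPendingEntry and runScenario are hypothetical stand-ins.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

struct Observer;

// Stand-in for a ref-counted Element: its destructor de-registers itself.
struct Element : std::enable_shared_from_this<Element> {
    Observer* observer = nullptr;
    bool fullyActive = false;   // models target.document().isFullyActive()
    ~Element();
};

struct Observer {
    // Instrumentation: erasures from observationTargets while a loop walks it.
    int iterationDepth = 0;
    int mutationsDuringIteration = 0;
    // Non-owning registrations, like m_observationTargets (modelled as raw pointers).
    std::vector<Element*> observationTargets;
    // Strong references, like m_targetsWaitingForFirstObservation.
    std::vector<std::shared_ptr<Element>> targetsWaitingForFirstObservation;

    void observe(std::shared_ptr<Element> e) {
        e->observer = this;
        observationTargets.push_back(e.get());
        targetsWaitingForFirstObservation.push_back(std::move(e));
    }

    // Called from ~Element: removes the dying element from the live container.
    void unobserve(Element* e) {
        if (iterationDepth > 0)
            ++mutationsDuringIteration;
        observationTargets.erase(
            std::remove(observationTargets.begin(), observationTargets.end(), e),
            observationTargets.end());
    }

    // Equivalent of removeFirstMatching on the pending list. If the list held the only
    // reference, erasing runs ~Element -> unobserve() -> observationTargets.erase().
    void dropPendingEntry(Element* e) {
        auto& pending = targetsWaitingForFirstObservation;
        auto it = std::find_if(pending.begin(), pending.end(),
            [e](const std::shared_ptr<Element>& p) { return p.get() == e; });
        if (it != pending.end())
            pending.erase(it);
    }

    // "Before": walks the live container. An index with a bounds check keeps this
    // defined; the quoted range-for would instead advance an invalidated iterator.
    int updateObservationsUnsafe() {
        int updated = 0;
        ++iterationDepth;
        for (std::size_t i = 0; i < observationTargets.size(); ++i) {
            Element* target = observationTargets[i];
            if (!target->fullyActive) {
                dropPendingEntry(target);   // may destroy target and shrink the vector
                continue;                   // target must not be touched after this
            }
            ++updated;
        }
        --iterationDepth;
        return updated;
    }

    // "After": walk a snapshot holding a strong reference to every target, so the
    // loop body cannot shrink the sequence being walked and no target dies mid-loop.
    int updateObservationsSafe() {
        std::vector<std::shared_ptr<Element>> targets;
        for (Element* e : observationTargets)
            targets.push_back(e->shared_from_this());
        int updated = 0;
        for (const auto& target : targets) {
            if (!target->fullyActive) {
                dropPendingEntry(target.get());   // target keeps the element alive
                continue;
            }
            ++updated;
        }
        return updated;   // targets is released here, after the walk
    }
};

Element::~Element() {
    if (observer)
        observer->unobserve(this);
}

struct Outcome {
    int updated;                    // targets that received an observation update
    int mutationsDuringWalk;        // erasures from the container being walked
    std::size_t remainingTargets;   // live registrations after the update
};

// Constructed scenario: one detached (not fully active) target whose only strong
// reference is the pending list, followed by one fully active target.
Outcome runScenario(bool useSnapshot) {
    Observer observer;
    auto detached = std::make_shared<Element>();
    auto active = std::make_shared<Element>();
    active->fullyActive = true;
    observer.observe(std::move(detached));
    observer.observe(std::move(active));
    int updated = useSnapshot ? observer.updateObservationsSafe()
                              : observer.updateObservationsUnsafe();
    return {updated, observer.mutationsDuringIteration, observer.observationTargets.size()};
}

int main() {
    for (bool snapshot : {false, true}) {
        Outcome o = runScenario(snapshot);
        std::printf("%s: updated=%d mutations-during-walk=%d remaining=%zu\n",
            snapshot ? "snapshot" : "live", o.updated, o.mutationsDuringWalk, o.remainingTargets);
    }
    return 0;
}
```

With the live walk the detached target's destruction erases it from under the loop (the counter records one erasure during the walk) and the active target that shifted into its slot is never updated; with the snapshot the same drop is harmless, the active target is updated, and the detached element is only destroyed once the snapshot goes out of scope. Under ASan the range-for version of the same loop is what shows up as the use-after-free.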


