Crash in ElementDescendantIterator::operator--() when calling m_ancestorSiblingStack.last()

https://bugs.webkit.org/show_bug.cgi?id=156715
<rdar://problem/25750864>

Reviewed by Antti Koivisto.

Source/WebCore:

Fix correctness of ElementDescendantIterator::operator--(). The last element in the m_ancestorSiblingStack stack is nullptr. However, if our parent does not have a sibling, m_current->nextSibling() == m_ancestorSiblingStack.last() would be true and we would end up removing the nullptr element from m_ancestorSiblingStack. We would crash on a follow-up call to operator--() because m_ancestorSiblingStack.last() would do an out-of-bound access, given that m_ancestorSiblingStack is empty.

Test: fast/dom/collection-backward-traversal-crash.html

* dom/ElementDescendantIterator.h:
(WebCore::ElementDescendantIterator::operator--):

LayoutTests:

Add regression test that reproduced the crash.

* fast/dom/collection-backward-traversal-crash-expected.txt: Added.
* fast/dom/collection-backward-traversal-crash.html: Added.

Canonical link: https://commits.webkit.org/174828@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199693 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Showing with 66 additions and 1 deletion.
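
The failure mode described in the commit message, as an added C++ model that is not WebKit's code and not part of this commit. `Node`, `BackwardStepModel` and the null check used as the guard are assumptions made for illustration, since the page does not show the patch itself; the model returns `false` at the point where the real code would read `last()` on an empty vector.

```cpp
#include <cassert>
#include <cstdio>
#include <vector>

// Hypothetical stand-in for a DOM element; not WebCore's Element class.
struct Node {
    Node* parent = nullptr;
    Node* nextSibling = nullptr;
};

// Models only the "no previous sibling, step up to the parent" branch of a
// backward traversal. The stack starts with a nullptr sentinel, as the commit
// message describes for m_ancestorSiblingStack.
struct BackwardStepModel {
    std::vector<Node*> ancestorSiblingStack{nullptr};
    Node* current;
    bool guardSentinel;

    BackwardStepModel(Node* start, bool guard) : current(start), guardSentinel(guard) {}

    // Returns false where the real iterator would call last() on an empty stack.
    bool stepToParent() {
        if (ancestorSiblingStack.empty())
            return false;
        current = current->parent;
        Node* next = current->nextSibling;
        // Unguarded: a parent without a sibling gives nullptr == sentinel.
        bool matches = (next == ancestorSiblingStack.back());
        if (guardSentinel)
            matches = matches && next != nullptr; // assumed guard: never pop the sentinel
        if (matches)
            ancestorSiblingStack.pop_back();
        return true;
    }
};

// Constructed tree: root > mid > leaf, no siblings. Step up twice from leaf.
bool survivesTwoSteps(bool guard) {
    Node root, mid, leaf;
    mid.parent = &root;
    leaf.parent = &mid;
    BackwardStepModel it(&leaf, guard);
    return it.stepToParent() && it.stepToParent();
}

int main() {
    std::printf("unguarded survives: %d\n", survivesTwoSteps(false));
    std::printf("guarded survives:   %d\n", survivesTwoSteps(true));
    return 0;
}
```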