Cherry-pick 258098@main (d030f86).

Cherry-pick 252432.689@safari-7614-branch (706a069). rdar://103520049 Correctly teardown children for elements with NULL renderer which have display contents changed. rdar://problem/99616850 Reviewed by Antti Koivisto. - When an element has display-contents:true, we don't created a renderer for it, but its children may still have rendenders which point to nodes in the DOM. When certain nodes in the DOM are torn down, these renderers were holding stale references, which caused use-after-free issues. The patch fixes the issue by correcting the teardown logic for such nodes. * Source/WebCore/dom/ContainerNode.cpp: (WebCore::destroyRenderTreeIfNeeded): Canonical link: https://commits.webkit.org/252432.689@safari-7614-branch Canonical link: https://commits.webkit.org/258098@main
WebKit · Dec 20, 2022 · a780b0c · a780b0c
1 parent 39ea793
commit a780b0c
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/Source/WebCore/dom/ContainerNode.cpp b/Source/WebCore/dom/ContainerNode.cpp
@@ -313,11 +313,15 @@ void ContainerNode::removeDetachedChildren()
     removeDetachedChildrenInContainer(*this);
 }
 
+static inline bool mayHaveDisplayContents(Element *element)
+{
+    return element && (element->hasDisplayContents() || element->displayContentsChanged());
+}
+
 static inline void destroyRenderTreeIfNeeded(Node& child)
 {
     auto childAsElement = dynamicDowncast<Element>(child);
-    auto hasDisplayContents = childAsElement && childAsElement->hasDisplayContents();
-    if (!child.renderer() && !hasDisplayContents)
+    if (!child.renderer() && !mayHaveDisplayContents(childAsElement))
         return;
     if (childAsElement)
         RenderTreeUpdater::tearDownRenderers(*childAsElement);