REGRESSION(305794@main): Unconditional CheckedPtr crash when loading any Reddit post with VoiceOver active #59243
Merged
webkit-commit-queue merged 1 commit into WebKit:main, Feb 25, 2026
EWS run on current version of this PR (hash e95970b)
fleizach approved these changes, Feb 24, 2026
…any Reddit post with VoiceOver active
https://bugs.webkit.org/show_bug.cgi?id=308467
rdar://170985963

Reviewed by Chris Fleizach.

Narrow the scope of the CheckedPtr<RenderStyle> in AccessibilityNodeObject::textUnderElement (added in 305794@main) so it does not live across the child iteration loop.

Previously, a CheckedPtr to the element's RenderStyle was captured at the top of the function and held until return. During child iteration, getOrCreate for a sibling slot element can trigger computedStyle() -> resolveComputedStyle(), which walks the ancestor chain and re-resolves the parent's m_computedStyle. This destroys the old RenderStyle that the CheckedPtr still references, resulting in a crash (EXC_GUARD from CheckedPtr accessing a scribbled-over object).

This happens specifically for display:none shadow hosts with slot children, where a shadow-scoped stylesheet update sets IsComputedStyleInvalidFlag on the host and slots. The flag is never cleared by the style tree resolver because display:none subtrees without renderers are not visited during resolveStyle, and updateLayoutIgnorePendingStylesheets considers style clean despite the flag persisting on non-rendered elements.

* LayoutTests/accessibility/shadow-host-style-invalidation-during-text-under-element-crash-expected.txt: Added.
* LayoutTests/accessibility/shadow-host-style-invalidation-during-text-under-element-crash.html: Added.
* Source/WebCore/accessibility/AccessibilityNodeObject.cpp:
(WebCore::AccessibilityNodeObject::textUnderElement const):

Canonical link: https://commits.webkit.org/308173@main
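A minimal C++ model of the lifetime hazard the commit message describes, added here as an example and not WebKit's code: Style, CheckedStylePtr, Element, computedStyle, textUnderElementBefore/textUnderElementAfter and runScenario are toy stand-ins (assumptions) for RenderStyle, CheckedPtr, Element, computedStyle()/resolveComputedStyle() and textUnderElement, and the display:none host with two flagged slot children is a constructed scenario. Where WebKit's CheckedPtr would crash, the model counts each Style destroyed while a checked pointer still references it, so the held-across-the-loop shape and the narrowed-scope shape can be compared directly.

```cpp
#include <initializer_list>
#include <memory>
#include <vector>
static int g_danglingDetections = 0;  // Styles destroyed while a CheckedStylePtr still referenced them
struct Style {  // toy stand-in (assumption, not WebKit code) for RenderStyle
    std::shared_ptr<int> checkedRefs = std::make_shared<int>(0);  // count block outlives the Style
    ~Style() { if (*checkedRefs > 0) ++g_danglingDetections; }    // WebKit's CheckedPtr would crash here
};
struct CheckedStylePtr {  // toy stand-in for CheckedPtr<RenderStyle>: counts references, never owns
    explicit CheckedStylePtr(Style& s) : refs(s.checkedRefs) { ++*refs; }
    ~CheckedStylePtr() { --*refs; }
    CheckedStylePtr(const CheckedStylePtr&) = delete;
    std::shared_ptr<int> refs;
};
struct Element {  // toy stand-in for Element
    Element* parent = nullptr;
    std::vector<Element*> children;  // non-owning
    std::unique_ptr<Style> style;    // models m_computedStyle
    bool styleInvalid = false, hasRenderer = true;  // IsComputedStyleInvalidFlag; no renderer for display:none
};
Style& computedStyle(Element& e) {  // models computedStyle() -> resolveComputedStyle()
    if (e.parent) computedStyle(*e.parent);  // ancestors are re-resolved first
    if (!e.style || e.styleInvalid) {
        e.style = std::make_unique<Style>();        // the old Style is destroyed here
        if (e.hasRenderer) e.styleInvalid = false;  // flag persists on non-rendered elements
    }
    return *e.style;
}
int textUnderElementBefore(Element& host) {  // before the fix: checked pointer held across the child loop
    int start = g_danglingDetections;
    CheckedStylePtr style(computedStyle(host));
    for (Element* child : host.children) computedStyle(*child);  // re-resolves the host's style
    return g_danglingDetections - start;
}
int textUnderElementAfter(Element& host) {  // after the fix: checked pointer released before the loop
    int start = g_danglingDetections;
    { CheckedStylePtr style(computedStyle(host)); }  // consult the style, then release it
    for (Element* child : host.children) computedStyle(*child);
    return g_danglingDetections - start;
}
int runScenario(bool narrowScope) {  // constructed: display:none host, slot children with stale flag
    Element host, slotA, slotB;
    host.hasRenderer = false; host.styleInvalid = true;
    for (Element* s : {&slotA, &slotB}) {
        s->parent = &host; s->hasRenderer = false; s->styleInvalid = true;
        host.children.push_back(s);
    }
    return narrowScope ? textUnderElementAfter(host) : textUnderElementBefore(host);
}
```

The first child's re-resolution of the host is enough to destroy the Style the long-lived checked pointer still names, which is why the held-across-the-loop shape reports one detection and the narrowed-scope shape reports none.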
e95970b to 54845b1
Committed 308173@main (54845b1): https://commits.webkit.org/308173@main
Reviewed commits have been landed. Closing PR #59243 and removing active labels.