[webkit-changes] [WebKit/WebKit] b32bca: [CSS JIT] :has() argument cache should iterate cac...

taher Fri, 22 May 2026 07:26:53 -0700

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: b32bca67556c697c90b7802ec91499dcdd1cf79f
      
https://github.com/WebKit/WebKit/commit/b32bca67556c697c90b7802ec91499dcdd1cf79f
  Author: Taher Ali <[email protected]>
  Date:   2026-05-22 (Fri, 22 May 2026)


  Changed paths:
    A LayoutTests/fast/css/has-lang-jit-crash-expected.txt
    A LayoutTests/fast/css/has-lang-jit-crash.html
    M Source/WebCore/css/SelectorChecker.cpp

  Log Message:
  -----------
  [CSS JIT] :has() argument cache should iterate cached selector list to avoid 
stale pointers
https://bugs.webkit.org/show_bug.cgi?id=315197
rdar://177316822

Reviewed by Antti Koivisto.

The content-keyed compiledHasArgumentSelectorsMap stores a deep copy of each
CSSSelectorList, but matchHasPseudoClass was iterating the caller's original
selector list when compiling.

Iterate the cached selector list from the map's key instead.

* LayoutTests/fast/css/has-lang-jit-crash-expected.txt: Added.
* LayoutTests/fast/css/has-lang-jit-crash.html: Added.
* Source/WebCore/css/SelectorChecker.cpp:
(WebCore::SelectorChecker::matchHasPseudoClass const):

Canonical link: https://commits.webkit.org/313729@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

[webkit-changes] [WebKit/WebKit] b32bca: [CSS JIT] :has() argument cache should iterate cac...

Reply via email to