Mirrors/servo
1
0
Fork 0
mirror of https://github.com/servo/servo.git synced 2025-07-22 14:53:49 +01:00
Code Issues Projects Releases Packages Wiki Activity

Fix double borrow panic in Node.childNodes (#36889)

Browse source 
`ensure_rare_data` returns a RefMut that extends the borrow of
Node.rare_data. This can lead to a panic in any method that triggers a
GC while this borrow is outstanding, such as Node.childNodes.

Testing: Manual testing on the testcase from the issue. It is impossible
to create a deterministic WPT crash test that is fast enough and can be
counted upon to continue working in the future.
Fixes: #36868

Signed-off-by: Josh Matthews <josh@joshmatthews.net>
This commit is contained in:
Josh Matthews 2025-05-07 00:35:26 -04:00 committed by GitHub
parent ba8f923201
commit a18c6e2c78
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 9 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

14
components/script/dom/node.rs
View file

@ -3110,11 +3110,15 @@ impl NodeMethods<crate::DomTypeHolder> for Node {
/// <https://dom.spec.whatwg.org/#dom-node-childnodes>
fn ChildNodes(&self, can_gc: CanGc) -> DomRoot<NodeList> {
self.ensure_rare_data().child_list.or_init(|| {
let doc = self.owner_doc();
let window = doc.window();
NodeList::new_child_list(window, self, can_gc)
})
if let Some(list) = self.ensure_rare_data().child_list.get() {
return list;
}
let doc = self.owner_doc();
let window = doc.window();
let list = NodeList::new_child_list(window, self, can_gc);
self.ensure_rare_data().child_list.set(Some(&list));
list
}
/// <https://dom.spec.whatwg.org/#dom-node-firstchild>