mirror of
https://github.com/LadybirdBrowser/ladybird.git
synced 2026-06-29 04:30:24 +00:00
efa9388adc
Problem: Holding form.elements while the form is detached + dropped hit a use-after-free: the form is GC’ed while the collection’s still live. Cause: HTMLCollection (and LiveNodeList too) was storing its filter as an AK::Function — which the garbage collector doesn’t visit. When a filter lambda captures a GC object (e.g. the form in form.elements) that object has no GC edge keeping it alive. So it can be collected while the collection using it’s still reachable — leaving a dangling pointer. Fix: HTMLCollection and LiveNodeList are GC cells with their own visit_edges. So, visit the filter’s (and sort’s) capture range there: conservatively mark any GC object a captured lambda holds — to ensure it’s kept alive as long as the collection’s reachable. Fixes https://github.com/LadybirdBrowser/ladybird/issues/9948
97 lines
2.8 KiB
C++
97 lines
2.8 KiB
C++
/*
|
|
* Copyright (c) 2021, Luke Wilde <lukew@serenityos.org>
|
|
* Copyright (c) 2022, Andreas Kling <andreas@ladybird.org>
|
|
*
|
|
* SPDX-License-Identifier: BSD-2-Clause
|
|
*/
|
|
|
|
#include <LibGC/Heap.h>
|
|
#include <LibJS/Runtime/Error.h>
|
|
#include <LibWeb/DOM/LiveNodeList.h>
|
|
#include <LibWeb/DOM/Node.h>
|
|
|
|
namespace Web::DOM {
|
|
|
|
GC_DEFINE_ALLOCATOR(LiveNodeList);
|
|
|
|
GC::Ref<NodeList> LiveNodeList::create(JS::Realm& realm, Node const& root, Scope scope, Function<bool(Node const&)> filter)
|
|
{
|
|
return realm.create<LiveNodeList>(realm, root, scope, move(filter));
|
|
}
|
|
|
|
LiveNodeList::LiveNodeList(JS::Realm& realm, Node const& root, Scope scope, Function<bool(Node const&)> filter)
|
|
: NodeList(realm)
|
|
, m_root(root)
|
|
, m_filter(move(filter))
|
|
, m_scope(scope)
|
|
{
|
|
}
|
|
|
|
LiveNodeList::~LiveNodeList() = default;
|
|
|
|
void LiveNodeList::visit_edges(Cell::Visitor& visitor)
|
|
{
|
|
Base::visit_edges(visitor);
|
|
visitor.visit(m_root);
|
|
visitor.visit_possible_values(m_filter.raw_capture_range());
|
|
}
|
|
|
|
GC::RootVector<Node*> LiveNodeList::collection() const
|
|
{
|
|
GC::RootVector<Node*> nodes;
|
|
if (m_scope == Scope::Descendants) {
|
|
m_root->for_each_in_subtree([&](auto& node) {
|
|
if (m_filter(node))
|
|
nodes.append(const_cast<Node*>(&node));
|
|
return TraversalDecision::Continue;
|
|
});
|
|
} else {
|
|
m_root->for_each_child([&](auto& node) {
|
|
if (m_filter(node))
|
|
nodes.append(const_cast<Node*>(&node));
|
|
return IterationDecision::Continue;
|
|
});
|
|
}
|
|
return nodes;
|
|
}
|
|
|
|
Node* LiveNodeList::first_matching(Function<bool(Node const&)> const& filter) const
|
|
{
|
|
Node* matched_node = nullptr;
|
|
if (m_scope == Scope::Descendants) {
|
|
m_root->for_each_in_subtree([&](auto& node) {
|
|
if (m_filter(node) && filter(node)) {
|
|
matched_node = const_cast<Node*>(&node);
|
|
return TraversalDecision::Break;
|
|
}
|
|
return TraversalDecision::Continue;
|
|
});
|
|
} else {
|
|
m_root->for_each_child([&](auto& node) {
|
|
if (m_filter(node) && filter(node)) {
|
|
matched_node = const_cast<Node*>(&node);
|
|
return IterationDecision::Break;
|
|
}
|
|
return IterationDecision::Continue;
|
|
});
|
|
}
|
|
return matched_node;
|
|
}
|
|
|
|
// https://dom.spec.whatwg.org/#dom-nodelist-length
|
|
u32 LiveNodeList::length() const
|
|
{
|
|
return collection().size();
|
|
}
|
|
|
|
// https://dom.spec.whatwg.org/#dom-nodelist-item
|
|
Node const* LiveNodeList::item(u32 index) const
|
|
{
|
|
// The item(index) method must return the indexth node in the collection. If there is no indexth node in the collection, then the method must return null.
|
|
auto nodes = collection();
|
|
if (index >= nodes.size())
|
|
return nullptr;
|
|
return nodes[index];
|
|
}
|
|
|
|
}
|