ladybird/Tests/LibWeb/Crash/HTML/iframe-document-open-during-rendering.html
Jelle Raaijmakers dd6d17d60d LibWeb: Don't crash accessing stale nested navigable paintable
The scroll state collection loop in
record_display_list_and_scroll_state() called paintable() on hosted
documents, which asserts layout is up to date. This crashes when a
nested document has stale layout but a cached display list, e.g. a
render-blocked iframe whose DOM was modified by document.open().
Since scroll offsets are independent of layout freshness, use
unsafe_paintable() to skip the assertion.
2026-03-24 12:47:02 +01:00

990 B