[BugFix] Avoid UAF when resolving unified pipeline target node

- Store the unified pixel pipeline target as an element id instead of a raw Element pointer in PipelineOptions.
- Resolve the element lazily from the node manager and abort safely when the target node has already been removed, which prevents use-after-free during style resolution.
- Reset the cached target node id after resolve requests are cleared and keep the pipeline context unit test aligned with the new behavior.

Author: nhsprite

core/public/pipeline_option.h

@@ -7,6 +7,7 @@
 
 #include <sys/types.h>
 
+#include <cstdint>
 #include <sstream>
 #include <string>
 #include <thread>
@@ -75,6 +76,7 @@ struct PipelineOptions {
   static const int32_t kRecycleTemplateBundle = 0x01 << 2;
   static const int32_t kProcessLayoutWithoutUIFlush = 0x01 << 3;
   static const int32_t kRenderForRecreateEngine = 0x01 << 4;
+  static constexpr int32_t kInvalidTargetNodeId = 0;
 
   // TODO(kechenglong): impl ToLepusValue here.
   // Default constructor that generates a unique PipelineID
@@ -179,7 +181,7 @@ struct PipelineOptions {
   bool resolve_requested{false};
   bool layout_requested{false};
   bool flush_ui_requested{false};
-  Element* target_node{nullptr};
+  int32_t target_node{kInvalidTargetNodeId};
   // Whether the current template has been reloaded.
   bool reload{false};
   const PipelineVersion* version{nullptr};

core/renderer/dom/element_manager.cc

@@ -698,7 +698,8 @@ void ElementManager::OnFinishUpdateProps(
   // redundant logic here.
   if (options->enable_unified_pixel_pipeline) {
     options->resolve_requested = true;
-    options->target_node = target_node;
+    options->target_node = target_node ? target_node->impl_id()
+                                       : PipelineOptions::kInvalidTargetNodeId;
   } else {
     OnPatchFinish(options, target_node);
   }
@@ -1364,9 +1365,17 @@ void ElementManager::OnPatchFinish(std::shared_ptr<PipelineOptions> &option,
 }
 
 void ElementManager::ResolveStyle(std::shared_ptr<PipelineOptions> &option,
-                                  Element *element) {
-  if (element == nullptr) {
+                                  int32_t target_node) {
+  Element *element = nullptr;
+  if (target_node == PipelineOptions::kInvalidTargetNodeId) {
     element = static_cast<Element *>(root());
+  } else {
+    element = node_manager()->Get(target_node);
+    if (element == nullptr) {
+      LOGE("ElementManager::ResolveStyle failed since target node is gone, id:"
+           << target_node);
+      return;
+    }
   }
   if (!element) {
     LOGE("ElementManager::OnPatchFinish failed since element is nullptr.");

core/renderer/dom/element_manager.h

@@ -981,8 +981,9 @@ class ElementManager : public ElementContextDelegate,
    * Used By RunPixelPipeline Process.
    *
    */
-  void ResolveStyle(std::shared_ptr<PipelineOptions> &option,
-                    Element *root = nullptr);
+  void ResolveStyle(
+      std::shared_ptr<PipelineOptions> &option,
+      int32_t target_node = PipelineOptions::kInvalidTargetNodeId);
 
   /**
    * Generate ID for element

core/renderer/dom/fiber/fiber_element.cc

@@ -3322,7 +3322,7 @@ void FiberElement::SetNativeProps(
     // redundant logic here.
     if (pipeline_options->enable_unified_pixel_pipeline) {
       pipeline_options->resolve_requested = true;
-      pipeline_options->target_node = this;
+      pipeline_options->target_node = impl_id();
     } else {
       element_manager()->OnPatchFinish(pipeline_options, this);
     }
@@ -3709,7 +3709,7 @@ void FiberElement::UpdateCSSVariable(
   // redundant logic here.
   if (pipeline_option->enable_unified_pixel_pipeline) {
     pipeline_option->resolve_requested = true;
-    pipeline_option->target_node = this;
+    pipeline_option->target_node = impl_id();
   } else {
     element_manager()->OnPatchFinish(pipeline_option, this);
   }

core/renderer/pipeline/pipeline_context.cc

@@ -116,7 +116,7 @@ void PipelineContext::ResetResolveRequested() {
     return;
   }
   options_->resolve_requested = false;
-  options_->target_node = nullptr;
+  options_->target_node = PipelineOptions::kInvalidTargetNodeId;
 }
 
 void PipelineContext::ResetLayoutRequested() {

core/renderer/pipeline/pipeline_context_unittest.cc

@@ -71,8 +71,10 @@ TEST_F(PipelineContextTest, TestPipelineContextResolve) {
   EXPECT_FALSE(context->IsResolveRequested());
   context->RequestResolve();
   EXPECT_TRUE(context->IsResolveRequested());
+  options_->target_node = 42;
   context->ResetResolveRequested();
   EXPECT_FALSE(context->IsResolveRequested());
+  EXPECT_EQ(options_->target_node, PipelineOptions::kInvalidTargetNodeId);
 }
 
 TEST_F(PipelineContextTest, TestPipelineContextLayout) {

core/runtime/lepus/bindings/renderer_functions.cc

@@ -5149,7 +5149,8 @@ RENDERER_FUNCTION_CC(FiberFlushElementTree) {
   // redundant logic here.
   if (current_option->enable_unified_pixel_pipeline) {
     current_option->resolve_requested = true;
-    current_option->target_node = element;
+    current_option->target_node =
+        element ? element->impl_id() : PipelineOptions::kInvalidTargetNodeId;
     current_option->need_trigger_data_updated_ = trigger_data_updated;
   } else {
     self->page_proxy()->element_manager()->OnPatchFinish(current_option,