Diff
Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog (215009 => 215010)
--- releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog 2017-04-06 09:58:18 UTC (rev 215009)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog 2017-04-06 10:04:21 UTC (rev 215010)
@@ -1,3 +1,19 @@
+2017-02-09 Ryosuke Niwa <rn...@webkit.org>
+
+ Crash in render tree after dynamically mutating the slot value
+ https://bugs.webkit.org/show_bug.cgi?id=167502
+
+ Reviewed by Antti Koivisto.
+
+ Added regression tests for the crash, and one for assigning non-empty slot value to a child
+ of a summary element. The slot attribute should always be ignored since the fact summary
+ element has its own shadow tree is an implementation detail that should never be exposed.
+
+ * fast/html/details-summary-slot-expected.html: Added.
+ * fast/html/details-summary-slot.html: Added.
+ * fast/shadow-dom/shadow-slot-attribute-change-crash-expected.txt: Added.
+ * fast/shadow-dom/shadow-slot-attribute-change-crash.html: Added.
+
2017-02-09 Antti Koivisto <an...@apple.com>
Details element doesn't work correctly when mutating content between closing and opening
Added: releases/WebKitGTK/webkit-2.14/LayoutTests/fast/html/details-summary-slot-expected.html (0 => 215010)
--- releases/WebKitGTK/webkit-2.14/LayoutTests/fast/html/details-summary-slot-expected.html (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/fast/html/details-summary-slot-expected.html 2017-04-06 10:04:21 UTC (rev 215010)
@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>This tests sets slot on a child of summary element inside a details element. It should have no effect.</p>
+<details><summary><div>PASS</div></summary></details>
+</body>
+</html>
Added: releases/WebKitGTK/webkit-2.14/LayoutTests/fast/html/details-summary-slot.html (0 => 215010)
--- releases/WebKitGTK/webkit-2.14/LayoutTests/fast/html/details-summary-slot.html (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/fast/html/details-summary-slot.html 2017-04-06 10:04:21 UTC (rev 215010)
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>This tests sets slot on a child of summary element inside a details element. It should have no effect.</p>
+<details><summary><div>PASS</div></summary></details>
+<script>
+document.querySelector('div').slot = 'foo';
+</script>
+</body>
+</html>
Added: releases/WebKitGTK/webkit-2.14/LayoutTests/fast/shadow-dom/shadow-slot-attribute-change-crash-expected.txt (0 => 215010)
--- releases/WebKitGTK/webkit-2.14/LayoutTests/fast/shadow-dom/shadow-slot-attribute-change-crash-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/fast/shadow-dom/shadow-slot-attribute-change-crash-expected.txt 2017-04-06 10:04:21 UTC (rev 215010)
@@ -0,0 +1,3 @@
+This tests dynamically mutating the slot value. WebKit should not crash.
+
+PASS - WebKit did not crash
Added: releases/WebKitGTK/webkit-2.14/LayoutTests/fast/shadow-dom/shadow-slot-attribute-change-crash.html (0 => 215010)
--- releases/WebKitGTK/webkit-2.14/LayoutTests/fast/shadow-dom/shadow-slot-attribute-change-crash.html (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/fast/shadow-dom/shadow-slot-attribute-change-crash.html 2017-04-06 10:04:21 UTC (rev 215010)
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>This tests dynamically mutating the slot value. WebKit should not crash.</p>
+<outer-host style="display: block; -webkit-column-count: 2;"><inner-host style="display: block;"><div id="mutateThis">?<section style="column-span: all;"></section></div></inner-host></outer-host>
+<script>
+
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+let outerHost = document.querySelector('outer-host');
+outerHost.attachShadow({mode: 'closed'}).innerHTML = '<slot></slot>';
+
+let innerHost = document.querySelector('inner-host').attachShadow({mode: 'closed'});
+innerHost.innerHTML = '<slot></slot>';
+
+outerHost.getBoundingClientRect();
+mutateThis.slot = "f";
+outerHost.getBoundingClientRect();
+mutateThis.innerText = "";
+
+document.write('PASS - WebKit did not crash');
+
+</script>
+</body>
+</html>
Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog (215009 => 215010)
--- releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog 2017-04-06 09:58:18 UTC (rev 215009)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog 2017-04-06 10:04:21 UTC (rev 215010)
@@ -1,3 +1,23 @@
+2017-02-09 Ryosuke Niwa <rn...@webkit.org>
+
+ Crash in render tree after dynamically mutating the slot value
+ https://bugs.webkit.org/show_bug.cgi?id=167502
+
+ Reviewed by Antti Koivisto.
+
+ The crash was caused by attributeChanged not destructing the render tree after an assigned element had been
+ removed from its slot. Since the style resolver can no longer find this element in the flat tree, we need to
+ delete its render object as if the element had been removed from the DOM tree.
+
+ Tests: fast/html/details-summary-slot.html
+ fast/shadow-dom/shadow-slot-attribute-change-crash.html
+
+ * dom/Element.cpp:
+ (WebCore::Element::attributeChanged):
+ * html/HTMLSummaryElement.cpp:
+ (WebCore::SummarySlotElement): Added. Always use the default slot regardless of the slot attribute's value.
+ (WebCore::HTMLSummaryElement::create): Use SummarySlotElement
+
2017-02-09 Antti Koivisto <an...@apple.com>
Details element doesn't work correctly when mutating content between closing and opening
Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/dom/Element.cpp (215009 => 215010)
--- releases/WebKitGTK/webkit-2.14/Source/WebCore/dom/Element.cpp 2017-04-06 09:58:18 UTC (rev 215009)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/dom/Element.cpp 2017-04-06 10:04:21 UTC (rev 215010)
@@ -1285,7 +1285,7 @@
else if (name == HTMLNames::slotAttr) {
if (auto* parent = parentElement()) {
if (auto* shadowRoot = parent->shadowRoot())
- shadowRoot->hostChildElementDidChangeSlotAttribute(oldValue, newValue);
+ shadowRoot->hostChildElementDidChangeSlotAttribute(*this, oldValue, newValue);
}
}
}
Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/dom/ShadowRoot.h (215009 => 215010)
--- releases/WebKitGTK/webkit-2.14/Source/WebCore/dom/ShadowRoot.h 2017-04-06 09:58:18 UTC (rev 215009)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/dom/ShadowRoot.h 2017-04-06 10:04:21 UTC (rev 215010)
@@ -91,7 +91,7 @@
void didRemoveAllChildrenOfShadowHost();
void didChangeDefaultSlot();
void hostChildElementDidChange(const Element&);
- void hostChildElementDidChangeSlotAttribute(const AtomicString& oldValue, const AtomicString& newValue);
+ void hostChildElementDidChangeSlotAttribute(Element&, const AtomicString& oldValue, const AtomicString& newValue);
void innerSlotDidChange(const AtomicString&);
const Vector<Node*>* assignedNodesForSlot(const HTMLSlotElement&);
Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/dom/SlotAssignment.h (215009 => 215010)
--- releases/WebKitGTK/webkit-2.14/Source/WebCore/dom/SlotAssignment.h 2017-04-06 09:58:18 UTC (rev 215009)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/dom/SlotAssignment.h 2017-04-06 10:04:21 UTC (rev 215010)
@@ -27,6 +27,7 @@
#define SlotAssignment_h
+#include "RenderTreeUpdater.h"
#include "ShadowRoot.h"
#include <wtf/HashMap.h>
#include <wtf/HashSet.h>
@@ -116,12 +117,13 @@
m_slotAssignment->hostChildElementDidChange(childElement, *this);
}
-inline void ShadowRoot::hostChildElementDidChangeSlotAttribute(const AtomicString& oldValue, const AtomicString& newValue)
+inline void ShadowRoot::hostChildElementDidChangeSlotAttribute(Element& element, const AtomicString& oldValue, const AtomicString& newValue)
{
- if (m_slotAssignment) {
- m_slotAssignment->didChangeSlot(oldValue, SlotAssignment::ChangeType::DirectChild, *this);
- m_slotAssignment->didChangeSlot(newValue, SlotAssignment::ChangeType::DirectChild, *this);
- }
+ if (!m_slotAssignment)
+ return;
+ m_slotAssignment->didChangeSlot(oldValue, SlotAssignment::ChangeType::DirectChild, *this);
+ m_slotAssignment->didChangeSlot(newValue, SlotAssignment::ChangeType::DirectChild, *this);
+ RenderTreeUpdater::tearDownRenderers(element);
}
inline void ShadowRoot::innerSlotDidChange(const AtomicString& name)
Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/html/HTMLSummaryElement.cpp (215009 => 215010)
--- releases/WebKitGTK/webkit-2.14/Source/WebCore/html/HTMLSummaryElement.cpp 2017-04-06 09:58:18 UTC (rev 215009)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/html/HTMLSummaryElement.cpp 2017-04-06 10:04:21 UTC (rev 215010)
@@ -32,15 +32,26 @@
#include "PlatformMouseEvent.h"
#include "RenderBlockFlow.h"
#include "ShadowRoot.h"
+#include "SlotAssignment.h"
namespace WebCore {
using namespace HTMLNames;
+class SummarySlotElement final : public SlotAssignment {
+private:
+ void hostChildElementDidChange(const Element&, ShadowRoot& shadowRoot) override
+ {
+ didChangeSlot(SlotAssignment::defaultSlotName(), SlotAssignment::ChangeType::DirectChild, shadowRoot);
+ }
+
+ const AtomicString& slotNameForHostChild(const Node&) const override { return SlotAssignment::defaultSlotName(); }
+};
+
Ref<HTMLSummaryElement> HTMLSummaryElement::create(const QualifiedName& tagName, Document& document)
{
Ref<HTMLSummaryElement> summary = adoptRef(*new HTMLSummaryElement(tagName, document));
- summary->addShadowRoot(ShadowRoot::create(document, ShadowRoot::Mode::UserAgent));
+ summary->addShadowRoot(ShadowRoot::create(document, std::make_unique<SummarySlotElement>()));
return summary;
}
