Title: [90094] trunk
Revision
90094
Author
[email protected]
Date
2011-06-30 00:43:39 -0700 (Thu, 30 Jun 2011)

Log Message

2011-06-30  MORITA Hajime  <[email protected]>

        Reviewed by Dimitri Glazkov.

        Crash if ShadowRoot has a text node.
        https://bugs.webkit.org/show_bug.cgi?id=63607

        * fast/dom/shadow/shadow-root-text-child-expected.txt: Added.
        * fast/dom/shadow/shadow-root-text-child.html: Added.
2011-06-30  MORITA Hajime  <[email protected]>

        Reviewed by Dimitri Glazkov.

        Crash if ShadowRoot has a text node.
        https://bugs.webkit.org/show_bug.cgi?id=63607

        Node::styleForRenderer() for a Text node wasn't shadow-aware.
        This change allows styleForRenderer() to know its visual parent by
        passing NodeRenderingContext.

        Changes other than those to NodeRenderingContext and Element are just a
        follow-up to the change above.

        * dom/Element.cpp: use NodeRenderingContext to resolve parent node.
        (WebCore::Element::recalcStyle):
        * dom/Node.cpp:
        (WebCore::Node::styleForRenderer): Added NodeRenderingContext as a parameter.
        * dom/Node.h:
        * dom/NodeRenderingContext.cpp:
        (WebCore::NodeRendererFactory::createRendererAndStyle):
        * html/HTMLOptGroupElement.cpp:
        (WebCore::HTMLOptGroupElement::attach):
        * html/HTMLOptionElement.cpp:
        (WebCore::HTMLOptionElement::attach):
        * html/HTMLTitleElement.cpp:
        (WebCore::HTMLTitleElement::textWithDirection):
        * html/shadow/TextControlInnerElements.cpp:
        (WebCore::TextControlInnerElement::styleForRenderer):
        (WebCore::TextControlInnerTextElement::styleForRenderer):
        * html/shadow/TextControlInnerElements.h:

        Test: fast/dom/shadow/shadow-root-text-child.html

Diff

Modified: trunk/LayoutTests/ChangeLog (90093 => 90094)


--- trunk/LayoutTests/ChangeLog	2011-06-30 07:42:09 UTC (rev 90093)
+++ trunk/LayoutTests/ChangeLog	2011-06-30 07:43:39 UTC (rev 90094)
@@ -1,3 +1,13 @@
+2011-06-30  MORITA Hajime  <[email protected]>
+
+        Reviewed by Dimitri Glazkov.
+
+        Crash if ShadowRoot has a text node.
+        https://bugs.webkit.org/show_bug.cgi?id=63607
+
+        * fast/dom/shadow/shadow-root-text-child-expected.txt: Added.
+        * fast/dom/shadow/shadow-root-text-child.html: Added.
+
 2011-06-30  Kent Tamura  <[email protected]>
 
         [GTK][Mac][Win] Update expectation files for r90089.

Added: trunk/LayoutTests/fast/dom/shadow/shadow-root-text-child-expected.txt (0 => 90094)


--- trunk/LayoutTests/fast/dom/shadow/shadow-root-text-child-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/shadow/shadow-root-text-child-expected.txt	2011-06-30 07:43:39 UTC (rev 90094)
@@ -0,0 +1 @@
+PASS unless crash

Added: trunk/LayoutTests/fast/dom/shadow/shadow-root-text-child.html (0 => 90094)


--- trunk/LayoutTests/fast/dom/shadow/shadow-root-text-child.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/shadow/shadow-root-text-child.html	2011-06-30 07:43:39 UTC (rev 90094)
@@ -0,0 +1,23 @@
+<html>
+<head>
+<script>
+function testShouldNotCrash()
+{
+    if (!window.layoutTestController)
+        return;
+    window.layoutTestController.dumpAsText();
+    var root = document.createElement("div");
+    var shadow = internals.ensureShadowRoot(root);
+    var shadowBuilder = document.createElement("div");
+    shadowBuilder.innerHTML = "<div></div>x";
+    while (shadowBuilder.firstChild)
+        shadow.appendChild(shadowBuilder.firstChild);
+    document.body.appendChild(root);
+    document.body.offsetLeft;
+    document.body.innerHTML = "PASS unless crash";
+}
+</script>
+</head>
+<body _onload_="testShouldNotCrash()">
+</body>
+</html>
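Review bot: `internals.ensureShadowRoot(root)` is reached behind a guard that checks only `window.layoutTestController`, so a runner that exposes the controller without `internals` fails with a ReferenceError rather than a clear result; the guard could read `if (!window.layoutTestController || !window.internals) return;`. The test also covers only the initial attach of a text child under the shadow root, so the `Element::recalcStyle` path that this commit also changes is not exercised. Opened outside the harness the page stays blank, so a one-line message saying that the test needs the test runner would help anyone debugging it by hand.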

Modified: trunk/Source/WebCore/ChangeLog (90093 => 90094)


--- trunk/Source/WebCore/ChangeLog	2011-06-30 07:42:09 UTC (rev 90093)
+++ trunk/Source/WebCore/ChangeLog	2011-06-30 07:43:39 UTC (rev 90094)
@@ -1,3 +1,37 @@
+2011-06-30  MORITA Hajime  <[email protected]>
+
+        Reviewed by Dimitri Glazkov.
+
+        Crash if ShadowRoot has a text node.
+        https://bugs.webkit.org/show_bug.cgi?id=63607
+        
+        Node::styleForRenderer() for Text node wasn't shadow-aware.
+        This change allow styleForRenderer() to know its visual parent by
+        passing NodeRenderingContext.
+        
+        Changes other than NodeRenderingContext and Element is just a
+        follow up for change above.
+
+        * dom/Element.cpp: use NodeRenderingContext to resolve parent node.
+        (WebCore::Element::recalcStyle):
+        * dom/Node.cpp:
+        (WebCore::Node::styleForRenderer): Added NodeRenderingContext as a parameter.
+        * dom/Node.h:
+        * dom/NodeRenderingContext.cpp:
+        (WebCore::NodeRendererFactory::createRendererAndStyle):
+        * html/HTMLOptGroupElement.cpp:
+        (WebCore::HTMLOptGroupElement::attach):
+        * html/HTMLOptionElement.cpp:
+        (WebCore::HTMLOptionElement::attach):
+        * html/HTMLTitleElement.cpp:
+        (WebCore::HTMLTitleElement::textWithDirection):
+        * html/shadow/TextControlInnerElements.cpp:
+        (WebCore::TextControlInnerElement::styleForRenderer):
+        (WebCore::TextControlInnerTextElement::styleForRenderer):
+        * html/shadow/TextControlInnerElements.h:
+
+        Test: fast/dom/shadow/shadow-root-text-child.html
+        
 2011-06-30  Piroska AndrĂ¡s  <[email protected]>
 
         Reviewed by Dirk Schulze.

Modified: trunk/Source/WebCore/dom/Element.cpp (90093 => 90094)


--- trunk/Source/WebCore/dom/Element.cpp	2011-06-30 07:42:09 UTC (rev 90093)
+++ trunk/Source/WebCore/dom/Element.cpp	2011-06-30 07:43:39 UTC (rev 90094)
@@ -50,6 +50,7 @@
 #include "InspectorInstrumentation.h"
 #include "NodeList.h"
 #include "NodeRenderStyle.h"
+#include "NodeRenderingContext.h"
 #include "Page.h"
 #include "RenderLayer.h"
 #include "RenderView.h"
@@ -1105,7 +1106,7 @@
             rareData()->resetComputedStyle();
     }
     if (hasParentStyle && (change >= Inherit || needsStyleRecalc())) {
-        RefPtr<RenderStyle> newStyle = styleForRenderer();
+        RefPtr<RenderStyle> newStyle = styleForRenderer(NodeRenderingContext(this, 0));
         StyleChange ch = diff(currentStyle.get(), newStyle.get());
         if (ch == Detach || !currentStyle) {
             // FIXME: The style gets computed twice by calling attach. We could do better if we passed the style along.
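Review bot: The temporary in `styleForRenderer(NodeRenderingContext(this, 0))` is built for a receiver that is an element, yet `Node::styleForRenderer` as shown in this commit never consults the context on the `isElementNode()` branch, and the two TextControlInnerElements overrides leave the parameter unnamed. On this path the context therefore appears to exist only to satisfy the new signature, and the literal `0` gives no hint of what it selects because the constructor is not visible in the diff. A comment such as `// Context is not consulted for element nodes; the second argument is <meaning of 0>.` or a small named helper would make that explicit. If constructing the context walks the tree, this adds work to every style recalc. The same call is repeated in `HTMLOptGroupElement::attach`, `HTMLOptionElement::attach` and `HTMLTitleElement::textWithDirection`; `recalcStyle` itself starts and ends outside the hunk.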

Modified: trunk/Source/WebCore/dom/Node.cpp (90093 => 90094)


--- trunk/Source/WebCore/dom/Node.cpp	2011-06-30 07:42:09 UTC (rev 90093)
+++ trunk/Source/WebCore/dom/Node.cpp	2011-06-30 07:43:39 UTC (rev 90094)
@@ -1449,7 +1449,7 @@
     NodeRendererFactory(this).createRendererIfNeeded();
 }
 
-PassRefPtr<RenderStyle> Node::styleForRenderer()
+PassRefPtr<RenderStyle> Node::styleForRenderer(const NodeRenderingContext& context)
 {
     if (isElementNode()) {
         bool allowSharing = true;
@@ -1459,7 +1459,9 @@
 #endif
         return document()->styleSelector()->styleForElement(static_cast<Element*>(this), 0, allowSharing);
     }
-    return parentNode() && parentNode()->renderer() ? parentNode()->renderer()->style() : 0;
+    if (RenderObject* renderer = context.parentRenderer())
+        return renderer->style();
+    return 0;
 }
 
 bool Node::rendererIsNeeded(const NodeRenderingContext& context)
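Review bot: The rewritten tail of `Node::styleForRenderer` returns the style of `context.parentRenderer()` or `0`, and nothing at the definition records that a null result is part of the contract. The caller in `NodeRendererFactory::createRendererAndStyle` passes the result straight to `m_context.setStyle(...)` and then calls `rendererIsNeeded(m_context)`, so a null style must be tolerated downstream; that handling is outside the visible hunks and should be confirmed. A comment above the function would capture this: `// Non-element nodes borrow the style of the context's parent renderer; returns 0 when there is none, so callers must null-check.` The function's opening lines are in the previous hunk, where `context` is ignored on the element branch.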

Modified: trunk/Source/WebCore/dom/Node.h (90093 => 90094)


--- trunk/Source/WebCore/dom/Node.h	2011-06-30 07:42:09 UTC (rev 90093)
+++ trunk/Source/WebCore/dom/Node.h	2011-06-30 07:43:39 UTC (rev 90094)
@@ -455,7 +455,7 @@
 
     virtual void willRemove();
     void createRendererIfNeeded();
-    virtual PassRefPtr<RenderStyle> styleForRenderer();
+    virtual PassRefPtr<RenderStyle> styleForRenderer(const NodeRenderingContext&);
     virtual bool rendererIsNeeded(const NodeRenderingContext&);
     virtual bool childShouldCreateRenderer(Node*) const { return true; }
     virtual RenderObject* createRenderer(RenderArena*, RenderStyle*);
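Review bot: Changing the parameter list of the virtual `styleForRenderer` means any subclass still declaring `styleForRenderer()` no longer overrides it; such code keeps compiling, but calls through `Node` silently reach the base implementation. This commit updates the two overrides in TextControlInnerElements.h, while overrides in files outside this diff (port-specific or feature-guarded code) cannot be seen here and should be searched for. A comment on the declaration would warn future subclass authors, for example `// Overrides must take const NodeRenderingContext&; a zero-argument styleForRenderer() does not override this.`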

Modified: trunk/Source/WebCore/dom/NodeRenderingContext.cpp (90093 => 90094)


--- trunk/Source/WebCore/dom/NodeRenderingContext.cpp	2011-06-30 07:42:09 UTC (rev 90093)
+++ trunk/Source/WebCore/dom/NodeRenderingContext.cpp	2011-06-30 07:43:39 UTC (rev 90094)
@@ -232,7 +232,7 @@
     if (!m_context.shouldCreateRenderer())
         return 0;
 
-    m_context.setStyle(node->styleForRenderer());
+    m_context.setStyle(node->styleForRenderer(m_context));
     if (!node->rendererIsNeeded(m_context))
         return 0;
 

Modified: trunk/Source/WebCore/html/HTMLOptGroupElement.cpp (90093 => 90094)


--- trunk/Source/WebCore/html/HTMLOptGroupElement.cpp	2011-06-30 07:42:09 UTC (rev 90093)
+++ trunk/Source/WebCore/html/HTMLOptGroupElement.cpp	2011-06-30 07:43:39 UTC (rev 90094)
@@ -31,6 +31,7 @@
 #include "HTMLSelectElement.h"
 #include "RenderMenuList.h"
 #include "NodeRenderStyle.h"
+#include "NodeRenderingContext.h"
 #include <wtf/StdLibExtras.h>
 
 namespace WebCore {
@@ -89,7 +90,7 @@
 void HTMLOptGroupElement::attach()
 {
     if (parentNode()->renderStyle())
-        setRenderStyle(styleForRenderer());
+        setRenderStyle(styleForRenderer(NodeRenderingContext(this, 0)));
     HTMLFormControlElement::attach();
 }
 

Modified: trunk/Source/WebCore/html/HTMLOptionElement.cpp (90093 => 90094)


--- trunk/Source/WebCore/html/HTMLOptionElement.cpp	2011-06-30 07:42:09 UTC (rev 90093)
+++ trunk/Source/WebCore/html/HTMLOptionElement.cpp	2011-06-30 07:43:39 UTC (rev 90094)
@@ -33,6 +33,7 @@
 #include "HTMLNames.h"
 #include "HTMLSelectElement.h"
 #include "NodeRenderStyle.h"
+#include "NodeRenderingContext.h"
 #include "RenderMenuList.h"
 #include "Text.h"
 #include <wtf/StdLibExtras.h>
@@ -81,7 +82,7 @@
 void HTMLOptionElement::attach()
 {
     if (parentNode()->renderStyle())
-        setRenderStyle(styleForRenderer());
+        setRenderStyle(styleForRenderer(NodeRenderingContext(this, 0)));
     HTMLFormControlElement::attach();
 }
 

Modified: trunk/Source/WebCore/html/HTMLTitleElement.cpp (90093 => 90094)


--- trunk/Source/WebCore/html/HTMLTitleElement.cpp	2011-06-30 07:42:09 UTC (rev 90093)
+++ trunk/Source/WebCore/html/HTMLTitleElement.cpp	2011-06-30 07:43:39 UTC (rev 90094)
@@ -25,6 +25,7 @@
 
 #include "Document.h"
 #include "HTMLNames.h"
+#include "NodeRenderingContext.h"
 #include "RenderStyle.h"
 #include "Text.h"
 
@@ -80,7 +81,7 @@
     TextDirection direction = LTR;
     if (RenderStyle* style = computedStyle())
         direction = style->direction();
-    else if (RefPtr<RenderStyle> style = styleForRenderer())
+    else if (RefPtr<RenderStyle> style = styleForRenderer(NodeRenderingContext(this, 0)))
         direction = style->direction();
     return StringWithDirection(text(), direction);
 }

Modified: trunk/Source/WebCore/html/shadow/TextControlInnerElements.cpp (90093 => 90094)


--- trunk/Source/WebCore/html/shadow/TextControlInnerElements.cpp	2011-06-30 07:42:09 UTC (rev 90093)
+++ trunk/Source/WebCore/html/shadow/TextControlInnerElements.cpp	2011-06-30 07:43:39 UTC (rev 90094)
@@ -58,7 +58,7 @@
     return adoptRef(new TextControlInnerElement(document));
 }
 
-PassRefPtr<RenderStyle> TextControlInnerElement::styleForRenderer()
+PassRefPtr<RenderStyle> TextControlInnerElement::styleForRenderer(const NodeRenderingContext&)
 {
     RenderTextControlSingleLine* parentRenderer = toRenderTextControlSingleLine(shadowAncestorNode()->renderer());
     return parentRenderer->createInnerBlockStyle(parentRenderer->style());
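Review bot: This override takes the new `const NodeRenderingContext&` unnamed and still resolves its parent through `shadowAncestorNode()->renderer()`, whose result is dereferenced on the next line without a check. If the function can be reached while the shadow host has no renderer, `parentRenderer->style()` is a null dereference; whether that state is reachable from the call sites changed in this commit is not visible in the diff. Making the assumption explicit costs one line, either `ASSERT(parentRenderer);` after the cast or `if (!parentRenderer) return 0;`. The same applies to `TextControlInnerTextElement::styleForRenderer` in the following hunk; both function bodies end outside their hunks.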
@@ -104,7 +104,7 @@
     return new (arena) RenderTextControlInnerBlock(this, multiLine);
 }
 
-PassRefPtr<RenderStyle> TextControlInnerTextElement::styleForRenderer()
+PassRefPtr<RenderStyle> TextControlInnerTextElement::styleForRenderer(const NodeRenderingContext&)
 {
     RenderTextControl* parentRenderer = toRenderTextControl(shadowAncestorNode()->renderer());
     return parentRenderer->createInnerTextStyle(parentRenderer->style());

Modified: trunk/Source/WebCore/html/shadow/TextControlInnerElements.h (90093 => 90094)


--- trunk/Source/WebCore/html/shadow/TextControlInnerElements.h	2011-06-30 07:42:09 UTC (rev 90093)
+++ trunk/Source/WebCore/html/shadow/TextControlInnerElements.h	2011-06-30 07:43:39 UTC (rev 90094)
@@ -42,7 +42,7 @@
 
 protected:
     TextControlInnerElement(Document*);
-    virtual PassRefPtr<RenderStyle> styleForRenderer();
+    virtual PassRefPtr<RenderStyle> styleForRenderer(const NodeRenderingContext&);
 
 private:
     virtual bool isMouseFocusable() const { return false; }
@@ -57,7 +57,7 @@
 private:
     TextControlInnerTextElement(Document*);
     virtual RenderObject* createRenderer(RenderArena*, RenderStyle*);
-    virtual PassRefPtr<RenderStyle> styleForRenderer();
+    virtual PassRefPtr<RenderStyle> styleForRenderer(const NodeRenderingContext&);
     virtual bool isMouseFocusable() const { return false; }
 };
 