[webkit-changes] [90378] trunk

Mon, 04 Jul 2011 18:11:54 -0700

Title: [90378] trunk
Revision
90378
Author
[email protected]
Date
2011-07-04 18:11:41 -0700 (Mon, 04 Jul 2011)

Log Message

2011-07-04  MORITA Hajime  <[email protected]>

        Accessing ShadowRoot.nodeList causes an assertion failure.
        http://webkit.org/b/63798

        Reviewed by Dimitri Glazkov.

        * fast/dom/shadow/shadow-root-node-list-expected.txt: Added.
        * fast/dom/shadow/shadow-root-node-list.html: Added.
2011-07-04  MORITA Hajime  <[email protected]>

        Accessing ShadowRoot.nodeList causes an assertion failure.
        http://webkit.org/b/63798

        The TreeScope destructor did clear the reference to TreeScope,
        then the Node destructor accessing treeScope(), which results
        an inconsistent state during the NodeList cache cleanup.

        This change clears NodeList cache during the TreeScope destructor.
        The Node destructor no longer does problematic NodeList cache
        manipulation.

        Test: fast/dom/shadow/shadow-root-node-list.html

        Reviewed by Dimitri Glazkov.

        * dom/Node.cpp:
        (WebCore::Node::~Node):
        (WebCore::Node::clearRareData):
        * dom/Node.h:
        * dom/TreeScope.cpp:
        (WebCore::TreeScope::~TreeScope):

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (90377 => 90378)


--- trunk/LayoutTests/ChangeLog	2011-07-04 20:29:05 UTC (rev 90377)
+++ trunk/LayoutTests/ChangeLog	2011-07-05 01:11:41 UTC (rev 90378)
@@ -1,3 +1,13 @@
+2011-07-04  MORITA Hajime  <[email protected]>
+
+        Accessing ShadowRoot.nodeList causes an assertion failure.
+        http://webkit.org/b/63798
+        
+        Reviewed by Dimitri Glazkov.
+        
+        * fast/dom/shadow/shadow-root-node-list-expected.txt: Added.
+        * fast/dom/shadow/shadow-root-node-list.html: Added.
+
 2011-07-04  Stephen White  <[email protected]>
 
         Unreviewed; chromium test expectations change.

Added: trunk/LayoutTests/fast/dom/shadow/shadow-root-node-list-expected.txt (0 => 90378)


--- trunk/LayoutTests/fast/dom/shadow/shadow-root-node-list-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/shadow/shadow-root-node-list-expected.txt	2011-07-05 01:11:41 UTC (rev 90378)
@@ -0,0 +1 @@
+PASS unless crash
Property changes on: trunk/LayoutTests/fast/dom/shadow/shadow-root-node-list-expected.txt
___________________________________________________________________

Added: svn:eol-style

Added: trunk/LayoutTests/fast/dom/shadow/shadow-root-node-list.html (0 => 90378)


--- trunk/LayoutTests/fast/dom/shadow/shadow-root-node-list.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/shadow/shadow-root-node-list.html	2011-07-05 01:11:41 UTC (rev 90378)
@@ -0,0 +1,22 @@
+<html>
+<head>
+<script>
+function testShouldNotCrash()
+{
+    if (!window.layoutTestController)
+        return;
+    window.layoutTestController.dumpAsText();
+
+    var host = document.createElement("blockquote");
+    var shadow = internals.ensureShadowRoot(host);
+    var children = shadow.childNodes;
+    document.body.appendChild(host);
+
+    document.body.offsetLeft;
+    document.body.innerHTML = "PASS unless crash";
+}
+</script>
+</head>
+<body _onload_="testShouldNotCrash()">
+</body>
+</html>
Property changes on: trunk/LayoutTests/fast/dom/shadow/shadow-root-node-list.html
___________________________________________________________________

Added: svn:eol-style

Modified: trunk/Source/WebCore/ChangeLog (90377 => 90378)


--- trunk/Source/WebCore/ChangeLog	2011-07-04 20:29:05 UTC (rev 90377)
+++ trunk/Source/WebCore/ChangeLog	2011-07-05 01:11:41 UTC (rev 90378)
@@ -1,3 +1,27 @@
+2011-07-04  MORITA Hajime  <[email protected]>
+
+        Accessing ShadowRoot.nodeList causes an assertion failure.
+        http://webkit.org/b/63798
+        
+        The TreeScope destructor did clear the reference to TreeScope, 
+        then the Node destructor accessing treeScope(), which results 
+        an inconsistent state during the NodeList cache cleanup.
+
+        This change clears NodeList cache during the TreeScope destructor.
+        The Node destructor no longer does problematic NodeList cache
+        manipulation.
+
+        Test: fast/dom/shadow/shadow-root-node-list.html
+
+        Reviewed by Dimitri Glazkov.
+        
+        * dom/Node.cpp:
+        (WebCore::Node::~Node):
+        (WebCore::Node::clearRareData):
+        * dom/Node.h:
+        * dom/TreeScope.cpp:
+        (WebCore::TreeScope::~TreeScope):
+
 2011-07-04  Vsevolod Vlasov  <[email protected]>
 
         ResourceLoadNotifier::dispatchWillSendRequest should not compare StringImpl directly

Modified: trunk/Source/WebCore/dom/Node.cpp (90377 => 90378)


--- trunk/Source/WebCore/dom/Node.cpp	2011-07-04 20:29:05 UTC (rev 90377)
+++ trunk/Source/WebCore/dom/Node.cpp	2011-07-05 01:11:41 UTC (rev 90378)
@@ -388,18 +388,9 @@
     liveNodeSet.remove(this);
 #endif
 
-    if (!hasRareData())
-        ASSERT(!NodeRareData::rareDataMap().contains(this));
-    else {
-        if (treeScope() && rareData()->nodeLists())
-            treeScope()->removeNodeListCache();
-        
-        NodeRareData::NodeRareDataMap& dataMap = NodeRareData::rareDataMap();
-        NodeRareData::NodeRareDataMap::iterator it = dataMap.find(this);
-        ASSERT(it != dataMap.end());
-        delete it->second;
-        dataMap.remove(it);
-    }
+    ASSERT(hasRareData() == NodeRareData::rareDataMap().contains(this));
+    if (hasRareData())
+        clearRareData();
 
     if (renderer())
         detach();
@@ -546,6 +537,20 @@
     return new NodeRareData;
 }
 
+void Node::clearRareData()
+{
+    ASSERT(hasRareData());
+    if (treeScope() && rareData()->nodeLists())
+        treeScope()->removeNodeListCache();
+
+    NodeRareData::NodeRareDataMap& dataMap = NodeRareData::rareDataMap();
+    NodeRareData::NodeRareDataMap::iterator it = dataMap.find(this);
+    ASSERT(it != dataMap.end());
+    delete it->second;
+    dataMap.remove(it);
+    clearFlag(HasRareDataFlag);
+}
+
 Element* Node::shadowHost() const
 {
     return toElement(getFlag(IsShadowRootFlag) ? parent() : 0);

Modified: trunk/Source/WebCore/dom/Node.h (90377 => 90378)


--- trunk/Source/WebCore/dom/Node.h	2011-07-04 20:29:05 UTC (rev 90377)
+++ trunk/Source/WebCore/dom/Node.h	2011-07-05 01:11:41 UTC (rev 90378)
@@ -650,6 +650,7 @@
 
     NodeRareData* rareData() const;
     NodeRareData* ensureRareData();
+    void clearRareData();
 
 private:
     // Do not use this method to change the document of a node until after the node has been

Modified: trunk/Source/WebCore/dom/TreeScope.cpp (90377 => 90378)


--- trunk/Source/WebCore/dom/TreeScope.cpp	2011-07-04 20:29:05 UTC (rev 90377)
+++ trunk/Source/WebCore/dom/TreeScope.cpp	2011-07-05 01:11:41 UTC (rev 90378)
@@ -46,7 +46,7 @@
 TreeScope::~TreeScope()
 {
     if (hasRareData())
-        rareData()->setTreeScope(0);
+        clearRareData();
 }
 
 void TreeScope::destroyTreeScopeData()

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes

Reply via email to