[webkit-changes] [201736] trunk

[rniwa]

Title: [201736] trunk

Revision

201736

Author

rn...@webkit.org

Date

2016-06-06 19:40:10 -0700 (Mon, 06 Jun 2016)

Log Message

Crash inside moveOutOfAllShadowRoots
https://bugs.webkit.org/show_bug.cgi?id=158378

Reviewed by Antti Koivisto.

Source/WebCore:

The bug was caused by InShadowTreeFlag not being cleared when a shadow host or its ancestor was removed
due to addChildNodesToDeletionQueue not invoking notifyChildNodeRemoved when a node was in a shadow tree
but not in a document.

Fixed the bug by invoking notifyChildNodeRemoved when the removed node is either in a shadow tree
or it's in a shadow tree. Also fixed a bug in VTTCue::~VTTCue that it was trying to remove the display
tree even when the owner document was being destroyed. This results in various assertions to be hit.

Test: fast/shadow-dom/shadow-host-removal-crash.html

* dom/ContainerNodeAlgorithms.cpp:
(WebCore::addChildNodesToDeletionQueue):
* html/track/VTTCue.cpp:
(WebCore::VTTCue::~VTTCue):

LayoutTests:

Added a regression test that reproduced the crash reliably at least on my machine.

* fast/shadow-dom/shadow-host-removal-crash-expected.txt: Added.
* fast/shadow-dom/shadow-host-removal-crash.html: Added.
* platform/ios-simulator/TestExpectations:

Modified Paths

• trunk/LayoutTests/ChangeLog
• trunk/LayoutTests/platform/ios-simulator/TestExpectations
• trunk/Source/WebCore/ChangeLog
• trunk/Source/WebCore/dom/ContainerNodeAlgorithms.cpp
• trunk/Source/WebCore/html/track/VTTCue.cpp

Added Paths

• trunk/LayoutTests/fast/shadow-dom/shadow-host-removal-crash-expected.txt
• trunk/LayoutTests/fast/shadow-dom/shadow-host-removal-crash.html

Diff

Modified: trunk/LayoutTests/ChangeLog (201735 => 201736)

--- trunk/LayoutTests/ChangeLog	2016-06-07 02:35:39 UTC (rev 201735)
+++ trunk/LayoutTests/ChangeLog	2016-06-07 02:40:10 UTC (rev 201736)
@@ -1,3 +1,16 @@
+2016-06-03  Ryosuke Niwa  <rn...@webkit.org>
+
+        Crash inside moveOutOfAllShadowRoots
+        https://bugs.webkit.org/show_bug.cgi?id=158378
+
+        Reviewed by Antti Koivisto.
+
+        Added a regression test that reproduced the crash reliably at least on my machine.
+
+        * fast/shadow-dom/shadow-host-removal-crash-expected.txt: Added.
+        * fast/shadow-dom/shadow-host-removal-crash.html: Added.
+        * platform/ios-simulator/TestExpectations:
+
 2016-06-06  Chris Dumez  <cdu...@apple.com>
 
         Implement EventListenerOptions argument to addEventListener

Added: trunk/LayoutTests/fast/shadow-dom/shadow-host-removal-crash-expected.txt (0 => 201736)

--- trunk/LayoutTests/fast/shadow-dom/shadow-host-removal-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/shadow-dom/shadow-host-removal-crash-expected.txt	2016-06-07 02:40:10 UTC (rev 201736)
@@ -0,0 +1,4 @@
+This tests removing a shadow host while EventHandler holds onto its shadow descendent. WebKit should not hit an assertion or crash. This test requires window.eventSender to run.
+
+foo
+bar

Added: trunk/LayoutTests/fast/shadow-dom/shadow-host-removal-crash.html (0 => 201736)

--- trunk/LayoutTests/fast/shadow-dom/shadow-host-removal-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/shadow-dom/shadow-host-removal-crash.html	2016-06-07 02:40:10 UTC (rev 201736)
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+<body _onload_="runTest();">
+<p>This tests removing a shadow host while EventHandler holds onto its shadow descendent.
+WebKit should not hit an assertion or crash. This test requires window.eventSender to run.</p>
+<div id="log"></div>
+<div id="container"><input><div><span>text</span></div></div>
+<script>
+
+function clickCenter(element) {
+    eventSender.mouseMoveTo(element.offsetLeft + element.offsetWidth / 2, element.offsetTop + element.offsetHeight / 2);
+    eventSender.mouseDown();
+}
+
+function runTest() {
+    testRunner.dumpAsText();
+
+    var container = document.querySelector('#container');
+
+    clickCenter(document.querySelector('#container span'));
+
+    document.getElementById('log').innerHTML = 'foo';
+    eventSender.mouseDown();
+    container.innerHTML = 'bar';
+
+    clickCenter(container);
+}
+
+</script>
+</body>
+</html>

Modified: trunk/LayoutTests/platform/ios-simulator/TestExpectations (201735 => 201736)

--- trunk/LayoutTests/platform/ios-simulator/TestExpectations	2016-06-07 02:35:39 UTC (rev 201735)
+++ trunk/LayoutTests/platform/ios-simulator/TestExpectations	2016-06-07 02:40:10 UTC (rev 201736)
@@ -275,6 +275,7 @@
 
 # This test relies on EventSender.keydown(), which is not supported on iOS
 webkit.org/b/155233 fast/events/max-tabindex-focus.html [ Skip ]
+fast/shadow-dom/shadow-host-removal-crash.html [ Skip ]
 
 # The file-wrapper part of <attachment> is not yet working on iOS
 fast/attachment/attachment-type-attribute.html [ Skip ]

Modified: trunk/Source/WebCore/ChangeLog (201735 => 201736)

--- trunk/Source/WebCore/ChangeLog	2016-06-07 02:35:39 UTC (rev 201735)
+++ trunk/Source/WebCore/ChangeLog	2016-06-07 02:40:10 UTC (rev 201736)
@@ -1,3 +1,25 @@
+2016-06-03  Ryosuke Niwa  <rn...@webkit.org>
+
+        Crash inside moveOutOfAllShadowRoots
+        https://bugs.webkit.org/show_bug.cgi?id=158378
+
+        Reviewed by Antti Koivisto.
+
+        The bug was caused by InShadowTreeFlag not being cleared when a shadow host or its ancestor was removed
+        due to addChildNodesToDeletionQueue not invoking notifyChildNodeRemoved when a node was in a shadow tree
+        but not in a document.
+
+        Fixed the bug by invoking notifyChildNodeRemoved when the removed node is either in a shadow tree
+        or it's in a shadow tree. Also fixed a bug in VTTCue::~VTTCue that it was trying to remove the display
+        tree even when the owner document was being destroyed. This results in various assertions to be hit.
+
+        Test: fast/shadow-dom/shadow-host-removal-crash.html
+
+        * dom/ContainerNodeAlgorithms.cpp:
+        (WebCore::addChildNodesToDeletionQueue):
+        * html/track/VTTCue.cpp:
+        (WebCore::VTTCue::~VTTCue):
+
 2016-06-06  Chris Dumez  <cdu...@apple.com>
 
         Implement EventListenerOptions argument to addEventListener

Modified: trunk/Source/WebCore/dom/ContainerNodeAlgorithms.cpp (201735 => 201736)

--- trunk/Source/WebCore/dom/ContainerNodeAlgorithms.cpp	2016-06-07 02:35:39 UTC (rev 201735)
+++ trunk/Source/WebCore/dom/ContainerNodeAlgorithms.cpp	2016-06-07 02:40:10 UTC (rev 201736)
@@ -188,7 +188,7 @@
             Ref<Node> protect(*node); // removedFromDocument may remove remove all references to this node.
             if (Document* containerDocument = container.ownerDocument())
                 containerDocument->adoptIfNeeded(node);
-            if (node->inDocument())
+            if (node->isInTreeScope())
                 notifyChildNodeRemoved(container, *node);
         }
     }

Modified: trunk/Source/WebCore/html/track/VTTCue.cpp (201735 => 201736)

--- trunk/Source/WebCore/html/track/VTTCue.cpp	2016-06-07 02:35:39 UTC (rev 201735)
+++ trunk/Source/WebCore/html/track/VTTCue.cpp	2016-06-07 02:40:10 UTC (rev 201736)
@@ -268,10 +268,9 @@
 
 VTTCue::~VTTCue()
 {
-    if (!hasDisplayTree())
-        return;
-
-    displayTreeInternal()->remove(ASSERT_NO_EXCEPTION);
+    // FIXME: We should set m_cue in VTTCueBox to nullptr instead.
+    if (m_displayTree && m_displayTree->document().refCount())
+        m_displayTree->remove(ASSERT_NO_EXCEPTION);
 }
 
 void VTTCue::initialize(ScriptExecutionContext& context)

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes