Title: [208967] trunk
Revision
208967
Author
[email protected]
Date
2016-11-22 12:13:38 -0800 (Tue, 22 Nov 2016)

Log Message

CrashTracer: [USER] com.apple.WebKit.WebContent at com.apple.WebCore: WebCore::ExtensionStyleSheets::pageUserSheet + 14
https://bugs.webkit.org/show_bug.cgi?id=165030

Reviewed by Darin Adler.

Source/WebCore:

We failed to reset the style scope when an element was moved to a different document. This could lead to having dangling
document pointers in style scope and style resolver.

Test: fast/shadow-dom/shadow-host-move-to-different-document.html

* dom/ShadowRoot.cpp:
(WebCore::ShadowRoot::didMoveToNewDocument):

    Reset style scope.

* dom/ShadowRoot.h:
* style/StyleScope.cpp:
(WebCore::Style::Scope::resolver):

    Some more assertions.

* style/StyleScope.h:
(WebCore::Style::Scope::document):

LayoutTests:

* fast/shadow-dom/shadow-host-move-to-different-document-expected.html: Added.
* fast/shadow-dom/shadow-host-move-to-different-document.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (208966 => 208967)


--- trunk/LayoutTests/ChangeLog	2016-11-22 19:16:55 UTC (rev 208966)
+++ trunk/LayoutTests/ChangeLog	2016-11-22 20:13:38 UTC (rev 208967)
@@ -1,3 +1,13 @@
+2016-11-22  Antti Koivisto  <[email protected]>
+
+        CrashTracer: [USER] com.apple.WebKit.WebContent at com.apple.WebCore: WebCore::ExtensionStyleSheets::pageUserSheet + 14
+        https://bugs.webkit.org/show_bug.cgi?id=165030
+
+        Reviewed by Darin Adler.
+
+        * fast/shadow-dom/shadow-host-move-to-different-document-expected.html: Added.
+        * fast/shadow-dom/shadow-host-move-to-different-document.html: Added.
+
 2016-11-20  Megan Gardner  <[email protected]>
 
         Add iOS text selection tests - long press clear and multi line selection tests

Added: trunk/LayoutTests/fast/shadow-dom/shadow-host-move-to-different-document-expected.html (0 => 208967)


--- trunk/LayoutTests/fast/shadow-dom/shadow-host-move-to-different-document-expected.html	                        (rev 0)
+++ trunk/LayoutTests/fast/shadow-dom/shadow-host-move-to-different-document-expected.html	2016-11-22 20:13:38 UTC (rev 208967)
@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<html>
+<body>
+    <p>Test passes if you see a single 100px by 100px green box below.</p>
+    <div style="width: 100px; height: 100px; background: green;"></div>
+</body>
+</html>

Added: trunk/LayoutTests/fast/shadow-dom/shadow-host-move-to-different-document.html (0 => 208967)


--- trunk/LayoutTests/fast/shadow-dom/shadow-host-move-to-different-document.html	                        (rev 0)
+++ trunk/LayoutTests/fast/shadow-dom/shadow-host-move-to-different-document.html	2016-11-22 20:13:38 UTC (rev 208967)
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<style>
+div { color: green; }
+</style>
+<p>Test passes if you see a single 100px by 100px green box below.</p>
+<iframe></iframe>
+<script>
+const frameDocument = document.querySelector('iframe').contentDocument;
+frameDocument.body.innerHTML = `<div></div>`;
+const host = frameDocument.querySelector('div');
+host.attachShadow({mode:'closed'}).innerHTML = `
+    <style>
+    :host {
+        color: red;
+        background: green;
+        width: 100px;
+        height: 100px;
+    }
+    </style>
+    <span>Test moving a host to a different document.</span>
+`;
+host.offsetWidth;
+document.adoptNode(host);
+document.body.appendChild(host);
+document.body.removeChild(document.querySelector('iframe'));
+if (window.GCController)
+    GCController.collect();
+</script>
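Review bot: The `host.offsetWidth;` line in the middle of this hunk is load-bearing but uncommented: it forces style resolution inside the iframe's document so the shadow root's style scope creates a resolver bound to that document before `document.adoptNode(host)` moves the host, which is the stale state the new `ShadowRoot::didMoveToNewDocument` is meant to clear. A one-line comment such as `// force a style resolver for the old document` would keep a future cleanup from dropping it. The same goes for `removeChild` of the iframe followed by `GCController.collect()`: those two lines are what make the old document go away, so a dangling pointer is actually dereferenced rather than merely stale, and a comment saying so would make the test's intent obvious.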

Modified: trunk/Source/WebCore/ChangeLog (208966 => 208967)


--- trunk/Source/WebCore/ChangeLog	2016-11-22 19:16:55 UTC (rev 208966)
+++ trunk/Source/WebCore/ChangeLog	2016-11-22 20:13:38 UTC (rev 208967)
@@ -1,3 +1,29 @@
+2016-11-22  Antti Koivisto  <[email protected]>
+
+        CrashTracer: [USER] com.apple.WebKit.WebContent at com.apple.WebCore: WebCore::ExtensionStyleSheets::pageUserSheet + 14
+        https://bugs.webkit.org/show_bug.cgi?id=165030
+
+        Reviewed by Darin Adler.
+
+        We failed to reset the style scope when an element was moved to a different document. This could lead to having dangling
+        document pointers in style scope and style resolver.
+
+        Test: fast/shadow-dom/shadow-host-move-to-different-document.html
+
+        * dom/ShadowRoot.cpp:
+        (WebCore::ShadowRoot::didMoveToNewDocument):
+
+            Reset style scope.
+
+        * dom/ShadowRoot.h:
+        * style/StyleScope.cpp:
+        (WebCore::Style::Scope::resolver):
+
+            Some more assertions.
+
+        * style/StyleScope.h:
+        (WebCore::Style::Scope::document):
+
 2016-11-22  Darin Adler  <[email protected]>
 
         Make normal case fast in the input element limitString function

Modified: trunk/Source/WebCore/dom/ShadowRoot.cpp (208966 => 208967)


--- trunk/Source/WebCore/dom/ShadowRoot.cpp	2016-11-22 19:16:55 UTC (rev 208966)
+++ trunk/Source/WebCore/dom/ShadowRoot.cpp	2016-11-22 20:13:38 UTC (rev 208967)
@@ -102,6 +102,17 @@
         document().didRemoveInDocumentShadowRoot(*this);
 }
 
+void ShadowRoot::didMoveToNewDocument(Document& oldDocument)
+{
+    ASSERT(&document() != &oldDocument);
+    ASSERT(&m_styleScope->document() == &oldDocument);
+
+    // Style scopes are document specific.
+    m_styleScope = std::make_unique<Style::Scope>(*this);
+
+    DocumentFragment::didMoveToNewDocument(oldDocument);
+}
+
 Style::Scope& ShadowRoot::styleScope()
 {
     return *m_styleScope;
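Review bot: Replacing the scope wholesale with `m_styleScope = std::make_unique<Style::Scope>(*this);` discards everything the old scope had collected for this shadow tree, not only its document pointer; the comment "Style scopes are document specific." does not say that the fresh scope is expected to re-collect the tree's style sheets on its own, so state that explicitly or have the new scope pick them up here. The added layout test covers a single inline `<style>` in the shadow tree, so a shadow tree with several sheets is unverified by this change. Also note that the second ASSERT relies on the `Scope::document()` accessor introduced in StyleScope.h, so the two files must land together.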

Modified: trunk/Source/WebCore/dom/ShadowRoot.h (208966 => 208967)


--- trunk/Source/WebCore/dom/ShadowRoot.h	2016-11-22 19:16:55 UTC (rev 208966)
+++ trunk/Source/WebCore/dom/ShadowRoot.h	2016-11-22 20:13:38 UTC (rev 208967)
@@ -96,6 +96,7 @@
 
     Node::InsertionNotificationRequest insertedInto(ContainerNode& insertionPoint) override;
     void removedFrom(ContainerNode& insertionPoint) override;
+    void didMoveToNewDocument(Document& oldDocument) override;
 
     bool m_resetStyleInheritance { false };
     ShadowRootMode m_type { ShadowRootMode::UserAgent };

Modified: trunk/Source/WebCore/style/StyleScope.cpp (208966 => 208967)


--- trunk/Source/WebCore/style/StyleScope.cpp	2016-11-22 19:16:55 UTC (rev 208966)
+++ trunk/Source/WebCore/style/StyleScope.cpp	2016-11-22 20:13:38 UTC (rev 208967)
@@ -96,6 +96,8 @@
         m_resolver = std::make_unique<StyleResolver>(m_document);
         m_resolver->appendAuthorStyleSheets(m_activeStyleSheets);
     }
+    ASSERT(!m_shadowRoot || &m_document == &m_shadowRoot->document());
+    ASSERT(&m_resolver->document() == &m_document);
     return *m_resolver;
 }
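Review bot: Both new ASSERTs are debug-only and sit in `resolver()` after the lazy-creation block, so in release builds a resolver built against a previous document is still handed out, and even in debug the mismatch is only detected on the next `resolver()` call rather than when the scope goes stale. `resolverIfExists()` (declared just above the new accessor in StyleScope.h) returns the same `m_resolver` without these checks, so consider adding the same document check there, or checking in `ShadowRoot::didMoveToNewDocument` before the scope is replaced, so that every path that hands out a resolver is covered.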
 

Modified: trunk/Source/WebCore/style/StyleScope.h (208966 => 208967)


--- trunk/Source/WebCore/style/StyleScope.h	2016-11-22 19:16:55 UTC (rev 208966)
+++ trunk/Source/WebCore/style/StyleScope.h	2016-11-22 20:13:38 UTC (rev 208967)
@@ -99,6 +99,8 @@
     StyleResolver* resolverIfExists();
     void clearResolver();
 
+    const Document& document() const { return m_document; }
+
     static Scope& forNode(Node&);
 
 private:
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes