Title: [213822] releases/WebKitGTK/webkit-2.16
Revision: 213822
Author: [email protected]
Date: 2017-03-13 04:07:53 -0700 (Mon, 13 Mar 2017)

Log Message

Merge r213501 - Validate DOM after potentially destructive actions during parser insert operations
https://bugs.webkit.org/show_bug.cgi?id=169222
<rdar://problem/30689729>

Reviewed by Ryosuke Niwa.

Source/WebCore:

Do not perform an insert operation if the next child's parent is no longer
part of the tree. This can happen if JavaScript runs during node removal
events and modifies the contents of the document.

This patch was inspired by a similar Blink change by Marius Mlynski:
<https://src.chromium.org/viewvc/blink?view=revision&revision=200690>

Tests: fast/parser/scriptexec-during-parserInsertBefore.html

* html/parser/HTMLConstructionSite.cpp:
(WebCore::executeReparentTask):
(WebCore::executeInsertAlreadyParsedChildTask):

LayoutTests:

This change merges a Blink test case from:
<https://src.chromium.org/viewvc/blink?view=revision&revision=200690>

* fast/parser/scriptexec-during-parserInsertBefore-expected.txt: Added.
* fast/parser/scriptexec-during-parserInsertBefore.html: Added.
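The failure mode the commit message describes, reproduced as an added example that is not WebKit code. It models WebCore's sibling-linked ContainerNode as a small hypothetical C++ tree, treats detaching a node as the point where script (the iframe's unload handler in the layout test) gets to run, and contrasts an insert-before that trusts its nextChild across that point with one that re-validates it the way this commit's check does. The tree shape is a simplification of the test (the <p> is parked under a <b> rather than produced by the adoption agency), and the names linkBefore, removeChild, insertBeforeUnchecked, insertBeforeChecked and runScenario are this example's own. The two outcome fields mirror the test's two assertions.

```cpp
#include <cstdio>
#include <functional>
#include <string>
#include <utility>

// Hypothetical sibling-linked tree in the shape of WebCore's ContainerNode (not WebKit code).
struct Node {
    std::string tag;
    Node* parent = nullptr;
    Node* firstChild = nullptr;
    Node* lastChild = nullptr;
    Node* previousSibling = nullptr;
    Node* nextSibling = nullptr;
    std::function<void()> onUnload;  // stands in for script run by an iframe's unload event
    explicit Node(std::string t) : tag(std::move(t)) {}
};

// Raw link of child into parent before next (nullptr appends). Assumes next is a child of parent.
static void linkBefore(Node& parent, Node& child, Node* next) {
    child.parent = &parent;
    child.nextSibling = next;
    child.previousSibling = next ? next->previousSibling : parent.lastChild;
    if (child.previousSibling) child.previousSibling->nextSibling = &child; else parent.firstChild = &child;
    if (next) next->previousSibling = &child; else parent.lastChild = &child;
}

static void fireUnload(Node& n) {
    if (n.onUnload) n.onUnload();
    for (Node* c = n.firstChild; c; c = c->nextSibling) fireUnload(*c);
}

// Detach child from parent, then run "script": this is where a caller's assumptions get invalidated.
static void removeChild(Node& parent, Node& child) {
    if (child.previousSibling) child.previousSibling->nextSibling = child.nextSibling; else parent.firstChild = child.nextSibling;
    if (child.nextSibling) child.nextSibling->previousSibling = child.previousSibling; else parent.lastChild = child.previousSibling;
    child.parent = child.previousSibling = child.nextSibling = nullptr;
    fireUnload(child);
}

// Before the fix: trusts nextChild even though removeChild() may have run script.
static void insertBeforeUnchecked(Node& parent, Node& newChild, Node* nextChild) {
    if (newChild.parent) removeChild(*newChild.parent, newChild);
    linkBefore(parent, newChild, nextChild);
}

// After the fix (the check this commit adds to executeInsertAlreadyParsedChildTask):
// re-validate that nextChild is still a child of parent once script has had its chance to run.
static bool insertBeforeChecked(Node& parent, Node& newChild, Node* nextChild) {
    if (newChild.parent) removeChild(*newChild.parent, newChild);
    if (nextChild && nextChild->parent != &parent)
        return false;  // the tree changed underneath us; abandon the insert rather than corrupt the tree
    linkBefore(parent, newChild, nextChild);
    return true;
}

struct Outcome {
    bool inserted;
    bool divFirstChildIsI;  // the test's "containerNode.firstChild is firstChild"
    bool tablePrevIsNull;   // the test's "nextChild.previousSibling is null"
    bool pDetached;
};

// Shape of the layout test, simplified: <div><i/><table/></div>, <p><iframe/></p> parked under <b>,
// and an unload handler that removes <table> from <div> while <p> is being moved before it.
static Outcome runScenario(bool useCheck) {
    Node div("div"), i("i"), table("table"), b("b"), p("p"), iframe("iframe");
    linkBefore(div, i, nullptr);
    linkBefore(div, table, nullptr);
    linkBefore(b, p, nullptr);
    linkBefore(p, iframe, nullptr);
    iframe.onUnload = [&] { removeChild(div, table); };  // the test's frames[0].onunload

    bool inserted = true;
    if (useCheck)
        inserted = insertBeforeChecked(div, p, &table);
    else
        insertBeforeUnchecked(div, p, &table);
    return { inserted, div.firstChild == &i, table.previousSibling == nullptr, p.parent == nullptr };
}

int main() {
    Outcome before = runScenario(false), after = runScenario(true);
    std::printf("unchecked: firstChild is <i>: %d, table.previousSibling is null: %d\n",
                before.divFirstChildIsI, before.tablePrevIsNull);
    std::printf("checked:   inserted: %d, firstChild is <i>: %d, table.previousSibling is null: %d\n",
                after.inserted, after.divFirstChildIsI, after.tablePrevIsNull);
    return 0;
}
```

In the unchecked run the <p> is linked before a <table> that no longer belongs to the <div>, so the <div>'s firstChild becomes the <p>, the detached <table> gains a previousSibling, and the <i> is no longer reachable from the <div>'s child chain: exactly the two conditions the expected.txt asserts against. The checked run notices that the <table>'s parent is no longer the <div> after script ran and abandons the insert, which is the behaviour the commit message asks for.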

Diff

Modified: releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog (213821 => 213822)


--- releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog	2017-03-13 11:04:04 UTC (rev 213821)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog	2017-03-13 11:07:53 UTC (rev 213822)
@@ -1,3 +1,17 @@
+2017-03-06  Brent Fulgham  <[email protected]>
+
+        Validate DOM after potentially destructive actions during parser insert operations
+        https://bugs.webkit.org/show_bug.cgi?id=169222
+        <rdar://problem/30689729>
+
+        Reviewed by Ryosuke Niwa.
+
+        This change merges a Blink test case from:
+        <https://src.chromium.org/viewvc/blink?view=revision&revision=200690>        
+
+        * fast/parser/scriptexec-during-parserInsertBefore-expected.txt: Added.
+        * fast/parser/scriptexec-during-parserInsertBefore.html: Added.
+
 2017-03-06  Alex Christensen  <[email protected]>
 
         Fix URLs relative to file URLs with paths beginning with Windows drive letters
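Review bot: the new LayoutTests ChangeLog entry carries trailing whitespace after the Blink reference line ("<https://src.chromium.org/viewvc/blink?view=revision&revision=200690>        "); strip it before landing so the entry matches the surrounding file.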

Added: releases/WebKitGTK/webkit-2.16/LayoutTests/fast/parser/scriptexec-during-parserInsertBefore-expected.txt (0 => 213822)


--- releases/WebKitGTK/webkit-2.16/LayoutTests/fast/parser/scriptexec-during-parserInsertBefore-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/fast/parser/scriptexec-during-parserInsertBefore-expected.txt	2017-03-13 11:07:53 UTC (rev 213822)
@@ -0,0 +1,11 @@
+Ensure that DOM is consistent after a specific child has been removed during reparenting.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS containerNode.firstChild is firstChild
+PASS nextChild.previousSibling is null
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: releases/WebKitGTK/webkit-2.16/LayoutTests/fast/parser/scriptexec-during-parserInsertBefore.html (0 => 213822)


--- releases/WebKitGTK/webkit-2.16/LayoutTests/fast/parser/scriptexec-during-parserInsertBefore.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/fast/parser/scriptexec-during-parserInsertBefore.html	2017-03-13 11:07:53 UTC (rev 213822)
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<script src=""
+<body>
+<div><i></i><table><b><p><iframe></iframe><script>
+/*
+The adoption agency algorithm, step 10, will end up calling
+ContainerNode::parserInsertBefore with the following arguments:
+|this| == <div>
+|newChild| == <p>
+|nextChild| == <table>
+parserInsertBefore calls parserRemoveChild(newChild), which
+triggers the unload event in the contained iframe.
+*/
+var containerNode = document.querySelector("div");
+var firstChild = document.querySelector("i");
+var nextChild = document.querySelector("table");
+frames[0]._onunload_ = function() {
+    containerNode.removeChild(nextChild);
+}
+</script></b></p><!--This order is intentional to force reparenting--></table></div>
+<script>
+description("Ensure that DOM is consistent after a specific child has been removed during reparenting.")
+shouldBe("containerNode.firstChild", "firstChild");
+shouldBe("nextChild.previousSibling", "null");
+</script>
+</body>
\ No newline at end of file
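Review bot: the harness include on the second line of the new test appears here as `<script src=""` with neither a closing `>` nor a `</script>`, yet the expected output relies on description(), shouldBe() and successfullyParsed from js-test; confirm that the committed file really loads the js-test script (this rendering may have dropped the attribute value), since without it the test fails before reaching its assertions. In the same way `frames[0]._onunload_` reads as a mangled `onunload`. Two smaller points: the file lacks a trailing newline, and the test only exercises the new parent check in executeInsertAlreadyParsedChildTask, so the two ASSERT(!task.nextChild) additions have no coverage, which is acceptable for assertions but worth a sentence in the ChangeLog.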

Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog (213821 => 213822)


--- releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog	2017-03-13 11:04:04 UTC (rev 213821)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog	2017-03-13 11:07:53 UTC (rev 213822)
@@ -1,3 +1,24 @@
+2017-03-06  Brent Fulgham  <[email protected]>
+
+        Validate DOM after potentially destructive actions during parser insert operations
+        https://bugs.webkit.org/show_bug.cgi?id=169222
+        <rdar://problem/30689729>
+
+        Reviewed by Ryosuke Niwa.
+
+        Do not perform an insert operation if the next child's parent is no longer
+        part of the tree. This can happen if _javascript_ runs during node removal
+        events and modifies the contents of the document.
+
+        This patch was inspired by a similar Blink change by Marius Mlynski:
+        <https://src.chromium.org/viewvc/blink?view=revision&revision=200690>        
+
+        Tests: fast/parser/scriptexec-during-parserInsertBefore.html
+
+        * html/parser/HTMLConstructionSite.cpp:
+        (WebCore::executeReparentTask):
+        (WebCore::executeInsertAlreadyParsedChildTask):
+
 2017-03-06  Fujii Hironori  <[email protected]>
 
         [CMake] SN-DBS fails to build: Cannot open include file: 'WebCoreTestSupportPrefix.h'
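Review bot: the description "if the next child's parent is no longer part of the tree" does not match the condition the code actually tests, which is that the next child is no longer a child of the target parent (`task.nextChild->parentNode() != task.parent`), a stricter and more useful check since script could also have moved the next child under a different in-tree parent; reword the entry to say that. The Blink reference line also carries trailing whitespace.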

Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/html/parser/HTMLConstructionSite.cpp (213821 => 213822)


--- releases/WebKitGTK/webkit-2.16/Source/WebCore/html/parser/HTMLConstructionSite.cpp	2017-03-13 11:04:04 UTC (rev 213821)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/html/parser/HTMLConstructionSite.cpp	2017-03-13 11:07:53 UTC (rev 213822)
@@ -127,6 +127,7 @@
 static inline void executeReparentTask(HTMLConstructionSiteTask& task)
 {
     ASSERT(task.operation == HTMLConstructionSiteTask::Reparent);
+    ASSERT(!task.nextChild);
 
     if (auto* parent = task.child->parentNode())
         parent->parserRemoveChild(*task.child);
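Review bot: the new ASSERT(!task.nextChild) is debug-only documentation of a precondition; the hazard in this function is the line right after it, parent->parserRemoveChild(*task.child), which (as the new layout test shows) can run script that mutates the tree, and nothing in this hunk re-validates task.parent afterwards. Either add a post-removal check of the same kind this patch adds to executeInsertAlreadyParsedChildTask, or leave a comment stating why reparenting onto a parent that script may since have detached is acceptable here.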
@@ -147,6 +148,9 @@
     if (task.child->parentNode())
         return;
 
+    if (task.nextChild && task.nextChild->parentNode() != task.parent)
+        return;
+
     insert(task);
 }
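Review bot: the new early return abandons task.child without explanation; a reader of `if (task.nextChild && task.nextChild->parentNode() != task.parent) return;` will wonder whether the node should instead be appended to task.parent. Add a one-line comment saying that script run during the preceding removal moved nextChild out of task.parent and the insert is deliberately dropped (the ChangeLog's rationale). Note also that the guard applies only when a nextChild was requested: with no nextChild the task still reaches insert(task) even if task.parent itself was detached by script, so state whether that is intended.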
 
@@ -153,6 +157,7 @@
 static inline void executeTakeAllChildrenAndReparentTask(HTMLConstructionSiteTask& task)
 {
     ASSERT(task.operation == HTMLConstructionSiteTask::TakeAllChildrenAndReparent);
+    ASSERT(!task.nextChild);
 
     auto* furthestBlock = task.oldParent();
     task.parent->takeAllChildrenFrom(furthestBlock);
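Review bot: as in executeReparentTask, ASSERT(!task.nextChild) compiles out of release builds and adds no protection there, which is fine because the visible body never reads task.nextChild; a short comment pointing out that the release-build nextChild validation lives in executeInsertAlreadyParsedChildTask would help the next reader.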
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
