Title: [214599] trunk
Revision: 214599
Author: rn...@webkit.org
Date: 2017-03-29 22:38:59 -0700 (Wed, 29 Mar 2017)

Log Message

Disconnecting a HTMLObjectElement does not always unload its content document
https://bugs.webkit.org/show_bug.cgi?id=169606

Reviewed by Andy Estes.

Source/WebCore:

When removing a node, we first disconnect all subframes then update the focused element as we remove each child.
However, when the removed element is a focused object element with a content document, removeFocusedNodeOfSubtree
can update the style tree synchronously inside Document::setFocusedElement, and reload the document.

Avoid this by instantiating a SubframeLoadingDisabler on the parent of the focused element.

Test: fast/dom/removing-focused-object-element.html

* dom/Document.cpp:
(WebCore::Document::removeFocusedNodeOfSubtree):

LayoutTests:

Add a regression test.

* fast/dom/removing-focused-object-element-expected.txt: Added.
* fast/dom/removing-focused-object-element.html: Added.
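The mechanism the commit message relies on, a scoped "disabler" that suppresses subframe loading for a subtree while focus is being cleared, can be modelled outside WebKit. The following is an added example, not WebKit's SubframeLoadingDisabler or any code from this commit: a toy tree, a global set of disabled roots, an RAII guard that registers a root for its lifetime (a null root disables nothing, mirroring the `is<ContainerNode>` ternary in the patch), and a `canLoadSubframe` check that walks ancestors. The node names and the simulated focus-clear scenario are constructed for illustration.

```cpp
#include <algorithm>
#include <iterator>
#include <vector>

// Minimal DOM-like tree node (constructed for this example).
struct Node {
    Node* parent = nullptr;
    std::vector<Node*> children;
    void append(Node* child) { child->parent = this; children.push_back(child); }
};

// Roots under which subframe loading is currently suppressed (modelled, not WebKit's).
static std::vector<Node*>& disabledRoots() {
    static std::vector<Node*> roots;
    return roots;
}

// RAII guard: while alive, no node in root's subtree may start loading a frame.
// A null root disables nothing, like the nullptr branch in the patch.
class ScopedSubframeLoadingDisabler {
public:
    explicit ScopedSubframeLoadingDisabler(Node* root) : m_root(root) {
        if (m_root) disabledRoots().push_back(m_root);
    }
    ~ScopedSubframeLoadingDisabler() {
        if (!m_root) return;
        auto& roots = disabledRoots();
        // Remove the most recent registration so nested guards on one root balance.
        auto it = std::find(roots.rbegin(), roots.rend(), m_root);
        if (it != roots.rend()) roots.erase(std::next(it).base());
    }
    ScopedSubframeLoadingDisabler(const ScopedSubframeLoadingDisabler&) = delete;
    ScopedSubframeLoadingDisabler& operator=(const ScopedSubframeLoadingDisabler&) = delete;
private:
    Node* m_root;
};

// A node may load a subframe only if neither it nor any ancestor is a disabled root.
bool canLoadSubframe(const Node* node) {
    const auto& roots = disabledRoots();
    for (const Node* n = node; n; n = n->parent) {
        if (std::find(roots.begin(), roots.end(), n) != roots.end())
            return false;
    }
    return true;
}

// Scenario from the bug: `container` is being removed while `object` inside it is focused.
// Clearing focus triggers work that would synchronously load object's frame; the guard
// rooted at the removed subtree blocks it. Returns whether that load would be allowed.
bool loadAllowedDuringGuardedFocusClear() {
    Node body, container, object;
    body.append(&container);
    container.append(&object);
    bool allowed = true;
    {
        ScopedSubframeLoadingDisabler disabler(&container);
        // ... setFocusedElement(nullptr) would run here and attempt the load:
        allowed = canLoadSubframe(&object);
    }
    return allowed;
}

// Once the guard goes out of scope, loading in that subtree is permitted again.
bool loadAllowedAfterScope() {
    Node body, container, object;
    body.append(&container);
    container.append(&object);
    { ScopedSubframeLoadingDisabler disabler(&container); }
    return canLoadSubframe(&object);
}

// A guard with a null root (the non-ContainerNode case) must not block anyone.
bool nullRootDisablesNothing() {
    Node leaf;
    ScopedSubframeLoadingDisabler disabler(nullptr);
    return canLoadSubframe(&leaf);
}

// Nested guards: an inner guard on an ancestor ending early must not lift the outer one.
bool outerGuardSurvivesInnerScope() {
    Node body, container, object;
    body.append(&container);
    container.append(&object);
    ScopedSubframeLoadingDisabler outer(&container);
    { ScopedSubframeLoadingDisabler inner(&body); }
    return !canLoadSubframe(&object);
}
```

The security-relevant property the guard provides is scoping: a load that would otherwise reenter a half-torn-down tree is suppressed only for the duration of the dangerous call, and the destructor unregisters exactly one registration so that nested guards cannot leave loading disabled (or enabled) out of step.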

Diff

Modified: trunk/LayoutTests/ChangeLog (214598 => 214599)


--- trunk/LayoutTests/ChangeLog	2017-03-30 05:02:30 UTC (rev 214598)
+++ trunk/LayoutTests/ChangeLog	2017-03-30 05:38:59 UTC (rev 214599)
@@ -1,3 +1,15 @@
+2017-03-29  Ryosuke Niwa  <rn...@webkit.org>
+
+        Disconnecting a HTMLObjectElement does not always unload its content document
+        https://bugs.webkit.org/show_bug.cgi?id=169606
+
+        Reviewed by Andy Estes.
+
+        Add a regression test.
+
+        * fast/dom/removing-focused-object-element-expected.txt: Added.
+        * fast/dom/removing-focused-object-element.html: Added.
+
 2017-03-29  Simon Fraser  <simon.fra...@apple.com>
 
         Add some tests that dump the touch event regions with various content configurations

Added: trunk/LayoutTests/fast/dom/removing-focused-object-element-expected.txt (0 => 214599)


--- trunk/LayoutTests/fast/dom/removing-focused-object-element-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/removing-focused-object-element-expected.txt	2017-03-30 05:38:59 UTC (rev 214599)
@@ -0,0 +1 @@
+This tests removing a focused object element. WebKit must not crash.

Added: trunk/LayoutTests/fast/dom/removing-focused-object-element.html (0 => 214599)


--- trunk/LayoutTests/fast/dom/removing-focused-object-element.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/removing-focused-object-element.html	2017-03-30 05:38:59 UTC (rev 214599)
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+function startTest()
+{
+    const target = document.getElementById('target');
+    const object = document.createElement('object');
+    document.getElementById('container').appendChild(object);
+    object.data = ""
+    object.focus();
+    object.appendChild(document.createElement('div'));
+    target.appendChild(object);
+
+    location.href = ''
+        + '<script>if (testRunner) testRunner.notifyDone();<\/script>';
+}
+</script>
+</head>
+<body _onload_="startTest()"><div id='container'><div id="target"></div></body>
+</html>
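Review bot: the injected completion script, `'<script>if (testRunner) testRunner.notifyDone();<\/script>'`, tests a bare `testRunner` while the head script correctly uses `window.testRunner`; outside the harness the bare reference throws a ReferenceError, so use `if (window.testRunner)` there as well. Separately, as listed the hunk has `object.data = ""` and `location.href = ''` with empty string literals, a body attribute spelled `_onload_` that would never invoke `startTest()`, and a `<div id='container'>` that is never closed; if these are mail-archive artifacts rather than the committed file that is fine, but they are worth confirming against the repository, because as shown the test would neither load an object content document nor run `startTest()` at all, and so could not regress-test the described crash.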

Modified: trunk/Source/WebCore/ChangeLog (214598 => 214599)


--- trunk/Source/WebCore/ChangeLog	2017-03-30 05:02:30 UTC (rev 214598)
+++ trunk/Source/WebCore/ChangeLog	2017-03-30 05:38:59 UTC (rev 214599)
@@ -1,3 +1,21 @@
+2017-03-29  Ryosuke Niwa  <rn...@webkit.org>
+
+        Disconnecting a HTMLObjectElement does not always unload its content document
+        https://bugs.webkit.org/show_bug.cgi?id=169606
+
+        Reviewed by Andy Estes.
+
+        When removing a node, we first disconnect all subframes then update the focused element as we remove each child.
+        However, when the removed element is a focused object element with a content document, removeFocusedNodeOfSubtree
+        can update the style tree synchronously inside Document::setFocusedElement, and reload the document.
+
+        Avoid this by instantiating a SubframeLoadingDisabler on the parent of the focused element.
+
+        Test: fast/dom/removing-focused-object-element.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::removeFocusedNodeOfSubtree):
+
 2017-03-29  Myles C. Maxfield  <mmaxfi...@apple.com>
 
         Migrate to kCTFontCSSWidthAttribute

Modified: trunk/Source/WebCore/dom/Document.cpp (214598 => 214599)


--- trunk/Source/WebCore/dom/Document.cpp	2017-03-30 05:02:30 UTC (rev 214598)
+++ trunk/Source/WebCore/dom/Document.cpp	2017-03-30 05:38:59 UTC (rev 214599)
@@ -3496,6 +3496,9 @@
         return;
     
     if (isNodeInSubtree(*focusedElement, node, amongChildrenOnly)) {
+        // FIXME: We should avoid synchronously updating the style inside setFocusedElement.
+        // FIXME: Object elements should avoid loading a frame synchronously in a post style recalc callback.
+        SubframeLoadingDisabler disabler(is<ContainerNode>(node) ? &downcast<ContainerNode>(node) : nullptr);
         setFocusedElement(nullptr, FocusDirectionNone, FocusRemovalEventsMode::DoNotDispatch);
         // Set the focus navigation starting node to the previous focused element so that
         // we can fallback to the siblings or parent node for the next search.
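Review bot: the ChangeLog says the disabler is instantiated "on the parent of the focused element", but the code roots it at `node` (the subtree being removed) when that is a `ContainerNode`, which is an ancestor of the focused element and not necessarily its parent; either the wording or the argument should be brought into agreement. The `nullptr` fallback for a non-container `node` is sound, since a node without children cannot contain a frame-owning element. Note also that `disabler` lives to the end of the `if` block, so it covers not just `setFocusedElement` but the focus-navigation-starting-node update that follows; that is harmless if nothing there can trigger a load, but the two FIXME comments are the right place to record that this guard is a mitigation and that the synchronous style update inside `setFocusedElement` remains the underlying cause.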
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
