Title: [214810] releases/WebKitGTK/webkit-2.16
- Revision: 214810
- Author: carlo...@webkit.org
- Date: 2017-04-03 10:12:27 -0700 (Mon, 03 Apr 2017)
Log Message
Merge r214599 - Disconnecting a HTMLObjectElement does not always unload its content document
https://bugs.webkit.org/show_bug.cgi?id=169606
Reviewed by Andy Estes.
Source/WebCore:
When removing a node, we first disconnect all subframes then update the focused element as we remove each child.
However, when the removed element is a focused object element with a content document, removeFocusedNodeOfSubtree
can update the style tree synchronously inside Document::setFocusedElement, and reload the document.
Avoid this by instantiating a SubframeLoadingDisabler on the parent of the focused element.
Test: fast/dom/removing-focused-object-element.html
* dom/Document.cpp:
(WebCore::Document::removeFocusedNodeOfSubtree):
LayoutTests:
Add a regression test.
* fast/dom/removing-focused-object-element-expected.txt: Added.
* fast/dom/removing-focused-object-element.html: Added.
Diff
Modified: releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog (214809 => 214810)
--- releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog 2017-04-03 17:10:14 UTC (rev 214809)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog 2017-04-03 17:12:27 UTC (rev 214810)
@@ -1,3 +1,15 @@
+2017-03-29 Ryosuke Niwa <rn...@webkit.org>
+
+ Disconnecting a HTMLObjectElement does not always unload its content document
+ https://bugs.webkit.org/show_bug.cgi?id=169606
+
+ Reviewed by Andy Estes.
+
+ Add a regression test.
+
+ * fast/dom/removing-focused-object-element-expected.txt: Added.
+ * fast/dom/removing-focused-object-element.html: Added.
+
2017-03-29 Zalan Bujtas <za...@apple.com>
RenderBlockFlow::addFloatsToNewParent should check if float is already added to the object list.
Added: releases/WebKitGTK/webkit-2.16/LayoutTests/fast/dom/removing-focused-object-element-expected.txt (0 => 214810)
--- releases/WebKitGTK/webkit-2.16/LayoutTests/fast/dom/removing-focused-object-element-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/fast/dom/removing-focused-object-element-expected.txt 2017-04-03 17:12:27 UTC (rev 214810)
@@ -0,0 +1 @@
+This tests removing a focused object element. WebKit must not crash.
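Review bot: the single expected line only establishes that the run finished without crashing, while the bug title is about the object's content document not being unloaded. Consider having the test also print an observable result after the object is moved (for example, whether the element still has a content document), so that a regression which reloads the document without crashing still produces a diff against this file.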
Added: releases/WebKitGTK/webkit-2.16/LayoutTests/fast/dom/removing-focused-object-element.html (0 => 214810)
--- releases/WebKitGTK/webkit-2.16/LayoutTests/fast/dom/removing-focused-object-element.html (rev 0)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/fast/dom/removing-focused-object-element.html 2017-04-03 17:12:27 UTC (rev 214810)
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+function startTest()
+{
+ const target = document.getElementById('target');
+ const object = document.createElement('object');
+ document.getElementById('container').appendChild(object);
+ object.data = ""
+ object.focus();
+ object.appendChild(document.createElement('div'));
+ target.appendChild(object);
+
+ location.href = ''
+ + '<script>if (testRunner) testRunner.notifyDone();<\/script>';
+}
+</script>
+</head>
+<body _onload_="startTest()"><div id='container'><div id="target"></div></body>
+</html>
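Review bot: the inline script in the `location.href` string tests `if (testRunner)`, while the guard at the top of the file uses `if (window.testRunner)`; outside the test harness the bare identifier throws a ReferenceError instead of evaluating to false, so the page cannot be opened by hand without an error. Use `window.testRunner` in both places. Minor: `object.data = ""` is missing its semicolon, and `<div id='container'>` is never closed on the body line.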
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog (214809 => 214810)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog 2017-04-03 17:10:14 UTC (rev 214809)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog 2017-04-03 17:12:27 UTC (rev 214810)
@@ -1,3 +1,21 @@
+2017-03-29 Ryosuke Niwa <rn...@webkit.org>
+
+ Disconnecting a HTMLObjectElement does not always unload its content document
+ https://bugs.webkit.org/show_bug.cgi?id=169606
+
+ Reviewed by Andy Estes.
+
+ When removing a node, we first disconnect all subframes then update the focused element as we remove each child.
+ However, when the removed element is a focused object element with a content document, removeFocusedNodeOfSubtree
+ can update the style tree synchronously inside Document::setFocusedElement, and reload the document.
+
+ Avoid this by instantiating a SubframeLoadingDisabler on the parent of the focused element.
+
+ Test: fast/dom/removing-focused-object-element.html
+
+ * dom/Document.cpp:
+ (WebCore::Document::removeFocusedNodeOfSubtree):
+
2017-03-29 Zalan Bujtas <za...@apple.com>
RenderBlockFlow::addFloatsToNewParent should check if float is already added to the object list.
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/dom/Document.cpp (214809 => 214810)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/dom/Document.cpp 2017-04-03 17:10:14 UTC (rev 214809)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/dom/Document.cpp 2017-04-03 17:12:27 UTC (rev 214810)
@@ -3562,6 +3562,9 @@
return;
if (isNodeInSubtree(*focusedElement, node, amongChildrenOnly)) {
+ // FIXME: We should avoid synchronously updating the style inside setFocusedElement.
+ // FIXME: Object elements should avoid loading a frame synchronously in a post style recalc callback.
+ SubframeLoadingDisabler disabler(is<ContainerNode>(node) ? &downcast<ContainerNode>(node) : nullptr);
setFocusedElement(nullptr, FocusDirectionNone, FocusRemovalEventsMode::DoNotDispatch);
// Set the focus navigation starting node to the previous focused element so that
// we can fallback to the siblings or parent node for the next search.
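Review bot: the `SubframeLoadingDisabler` added before `setFocusedElement(nullptr, ...)` is rooted at `node`, the subtree root passed to this function, whereas the log message describes it as being on the parent of the focused element; the two are not obviously the same node for every caller. A short comment stating why `node` is the right root, and what protection remains in the `nullptr` branch of the ternary when `node` is not a `ContainerNode`, would make the intent checkable. The two FIXMEs name the underlying causes this guard works around; each would be easier to follow up with a tracking bug reference.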