Title: [217957] trunk
- Revision
- 217957
- Author
- [email protected]
- Date
- 2017-06-08 19:09:39 -0700 (Thu, 08 Jun 2017)
Log Message
The tree scope of an Attr node inside a shadow tree does not updated upon detach.
https://bugs.webkit.org/show_bug.cgi?id=173122
Reviewed by Chris Dumez.
Source/WebCore:
The crash was caused by the tree scope of an Attr detached from an element inside a shadow root
not getting updated.
Test: fast/dom/detaching-attr-node-in-shadow-tree-crash.html
* dom/Attr.cpp:
(WebCore::Attr::~Attr): Added assertions.
(WebCore::Attr::detachFromElementWithValue): Fixed the bug by adopting Attr to Document.
(WebCore::Attr::attachToElement): Moved the adoptIfNeeded call here from attachAttributeNodeIfNeeded.
* dom/Element.cpp:
(WebCore::Element::attachAttributeNodeIfNeeded):
LayoutTests:
Added a regression test which hits the newly added assertion.
* fast/dom/detaching-attr-node-in-shadow-tree-crash-expected.txt: Added.
* fast/dom/detaching-attr-node-in-shadow-tree-crash.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (217956 => 217957)
--- trunk/LayoutTests/ChangeLog 2017-06-09 00:46:38 UTC (rev 217956)
+++ trunk/LayoutTests/ChangeLog 2017-06-09 02:09:39 UTC (rev 217957)
@@ -1,3 +1,15 @@
+2017-06-08 Ryosuke Niwa <[email protected]>
+
+ The tree scope of an Attr node inside a shadow tree does not updated upon detach.
+ https://bugs.webkit.org/show_bug.cgi?id=173122
+
+ Reviewed by Chris Dumez.
+
+ Added a regression test which hits the newly added assertion.
+
+ * fast/dom/detaching-attr-node-in-shadow-tree-crash-expected.txt: Added.
+ * fast/dom/detaching-attr-node-in-shadow-tree-crash.html: Added.
+
2017-06-08 Myles C. Maxfield <[email protected]>
[Cocoa] Expand system-ui to include every item in the Core Text cascade list
Added: trunk/LayoutTests/fast/dom/detaching-attr-node-in-shadow-tree-crash-expected.txt (0 => 217957)
--- trunk/LayoutTests/fast/dom/detaching-attr-node-in-shadow-tree-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/dom/detaching-attr-node-in-shadow-tree-crash-expected.txt 2017-06-09 02:09:39 UTC (rev 217957)
@@ -0,0 +1 @@
+This tests removing a Attr node inside a shadow tree. WebKit should not hit any assertions. PASS
Added: trunk/LayoutTests/fast/dom/detaching-attr-node-in-shadow-tree-crash.html (0 => 217957)
--- trunk/LayoutTests/fast/dom/detaching-attr-node-in-shadow-tree-crash.html (rev 0)
+++ trunk/LayoutTests/fast/dom/detaching-attr-node-in-shadow-tree-crash.html 2017-06-09 02:09:39 UTC (rev 217957)
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+<body>
+This tests removing a Attr node inside a shadow tree. WebKit should not hit any assertions.
+<script>
+
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+function createAttrInShadowTree()
+{
+ const host = document.createElement('div');
+ document.body.appendChild(host);
+ const shadowRoot = host.attachShadow({mode: 'closed'});
+ shadowRoot.innerHTML = '<span title="foo"></span>';
+ const span = shadowRoot.firstChild;
+ const attr = span.attributes[0];
+ span.removeAttribute('title');
+ span.setAttribute('lang', 'en');
+ host.remove();
+ return attr;
+}
+
+(function () { const attr = createAttrInShadowTree(); })();
+if (window.GCController)
+ GCController.collect();
+
+document.write('PASS');
+
+</script>
+</body>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (217956 => 217957)
--- trunk/Source/WebCore/ChangeLog 2017-06-09 00:46:38 UTC (rev 217956)
+++ trunk/Source/WebCore/ChangeLog 2017-06-09 02:09:39 UTC (rev 217957)
@@ -1,3 +1,22 @@
+2017-06-08 Ryosuke Niwa <[email protected]>
+
+ The tree scope of an Attr node inside a shadow tree does not updated upon detach.
+ https://bugs.webkit.org/show_bug.cgi?id=173122
+
+ Reviewed by Chris Dumez.
+
+ The crash was caused by the tree scope of an Attr detached from an element inside a shadow root
+ not getting updated.
+
+ Test: fast/dom/detaching-attr-node-in-shadow-tree-crash.html
+
+ * dom/Attr.cpp:
+ (WebCore::Attr::~Attr): Added assertions.
+ (WebCore::Attr::detachFromElementWithValue): Fixed the bug by adopting Attr to Document.
+ (WebCore::Attr::attachToElement): Moved the adoptIfNeeded call here from attachAttributeNodeIfNeeded.
+ * dom/Element.cpp:
+ (WebCore::Element::attachAttributeNodeIfNeeded):
+
2017-06-08 Myles C. Maxfield <[email protected]>
[Cocoa] Expand system-ui to include every item in the Core Text cascade list
Modified: trunk/Source/WebCore/dom/Attr.cpp (217956 => 217957)
--- trunk/Source/WebCore/dom/Attr.cpp 2017-06-09 00:46:38 UTC (rev 217956)
+++ trunk/Source/WebCore/dom/Attr.cpp 2017-06-09 02:09:39 UTC (rev 217957)
@@ -65,6 +65,8 @@
Attr::~Attr()
{
+ ASSERT_WITH_SECURITY_IMPLICATION(!isInShadowTree());
+ ASSERT_WITH_SECURITY_IMPLICATION(treeScope().rootNode().isDocumentNode());
}
ExceptionOr<void> Attr::setPrefix(const AtomicString& prefix)
@@ -133,6 +135,7 @@
ASSERT(m_standaloneValue.isNull());
m_standaloneValue = value;
m_element = nullptr;
+ document().adoptIfNeeded(*this);
}
void Attr::attachToElement(Element& element)
@@ -140,6 +143,7 @@
ASSERT(!m_element);
m_element = &element;
m_standaloneValue = nullAtom;
+ element.treeScope().adoptIfNeeded(*this);
}
}
Modified: trunk/Source/WebCore/dom/Element.cpp (217956 => 217957)
--- trunk/Source/WebCore/dom/Element.cpp 2017-06-09 00:46:38 UTC (rev 217956)
+++ trunk/Source/WebCore/dom/Element.cpp 2017-06-09 02:09:39 UTC (rev 217957)
@@ -2128,7 +2128,6 @@
NoEventDispatchAssertion assertNoEventDispatch;
attrNode.attachToElement(*this);
- treeScope().adoptIfNeeded(attrNode);
ensureAttrNodeListForElement(*this).append(&attrNode);
}
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
