Title: [222514] branches/safari-604-branch

Diff

Modified: branches/safari-604-branch/LayoutTests/ChangeLog (222513 => 222514)


--- branches/safari-604-branch/LayoutTests/ChangeLog	2017-09-26 19:14:04 UTC (rev 222513)
+++ branches/safari-604-branch/LayoutTests/ChangeLog	2017-09-26 19:14:08 UTC (rev 222514)
@@ -1,3 +1,17 @@
+2017-09-26  Jason Marcell  <[email protected]>
+
+        Cherry-pick r222474. rdar://problem/34646376
+
+    2017-09-25  Per Arne Vollan  <[email protected]>
+
+            Crash in WebCore::TreeScope::documentScope
+            https://bugs.webkit.org/show_bug.cgi?id=176159
+
+            Reviewed by Ryosuke Niwa.
+
+            * fast/dom/crash-moving-subtree-between-documents-expected.txt: Added.
+            * fast/dom/crash-moving-subtree-between-documents.html: Added.
+
 2017-09-25  Jason Marcell  <[email protected]>
 
         Cherry-pick r222304. rdar://problem/34646370

Added: branches/safari-604-branch/LayoutTests/fast/dom/crash-moving-subtree-between-documents-expected.txt (0 => 222514)


--- branches/safari-604-branch/LayoutTests/fast/dom/crash-moving-subtree-between-documents-expected.txt	                        (rev 0)
+++ branches/safari-604-branch/LayoutTests/fast/dom/crash-moving-subtree-between-documents-expected.txt	2017-09-26 19:14:08 UTC (rev 222514)
@@ -0,0 +1,2 @@
+This test passes if it does not assert or crash. 
+

Added: branches/safari-604-branch/LayoutTests/fast/dom/crash-moving-subtree-between-documents.html (0 => 222514)


--- branches/safari-604-branch/LayoutTests/fast/dom/crash-moving-subtree-between-documents.html	                        (rev 0)
+++ branches/safari-604-branch/LayoutTests/fast/dom/crash-moving-subtree-between-documents.html	2017-09-26 19:14:08 UTC (rev 222514)
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+function go()
+{
+    var v = document.getElementById("v");
+    o.defaultValue = "x";
+    a.appendChild(v);
+}
+function eventhandler2()
+{
+    var d = document.implementation.createHTMLDocument("doc");
+    var s = d.createElement("script");
+    s.prepend(v);
+}
+function eventhandler1()
+{
+    v.appendChild(o);
+    o.addEventListener("DOMNodeRemoved", eventhandler2);
+}
+</script>
+<body _onload_=go()>
+This test passes if it does not assert or crash.
+<a id="a"></a>
+<output id="o">foo</output>
+<video id="v"></video>
+<svg>
+<text _onload_="eventhandler1()" />
+</body>
+</html>
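Review bot: The handlers in crash-moving-subtree-between-documents.html are written as `_onload_=go()` on the body and `_onload_="eventhandler1()"` on the SVG text element. Taken literally, neither is an event handler attribute, so go() and eventhandler1() would never run and the test would pass without reaching replaceAllChildren. If this is only how the list archive renders the attribute, confirm the committed file uses `onload`. The expected output is only the static sentence, so nothing shows that eventhandler2 actually ran, and a later change in event ordering could make the test pass vacuously. A short comment describing the intended sequence would help: setting o.defaultValue replaces o's children, DOMNodeRemoved fires, and the handler moves v, which now contains o, under a script element in a new document. go() also looks up v with getElementById but relies on named globals for o and a; use one style.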

Modified: branches/safari-604-branch/Source/WebCore/ChangeLog (222513 => 222514)


--- branches/safari-604-branch/Source/WebCore/ChangeLog	2017-09-26 19:14:04 UTC (rev 222513)
+++ branches/safari-604-branch/Source/WebCore/ChangeLog	2017-09-26 19:14:08 UTC (rev 222514)
@@ -1,3 +1,24 @@
+2017-09-26  Jason Marcell  <[email protected]>
+
+        Cherry-pick r222474. rdar://problem/34646376
+
+    2017-09-25  Per Arne Vollan  <[email protected]>
+
+            Crash in WebCore::TreeScope::documentScope
+            https://bugs.webkit.org/show_bug.cgi?id=176159
+
+            Reviewed by Ryosuke Niwa.
+
+            When all children are replaced with a new node in ContainerNode::replaceAllChildren,
+            the treescope of the new node should be set after the call to willRemoveChildren,
+            since this call can fire events, and execute JS code, which might change the treescope
+            of the container node.
+
+            Test: fast/dom/crash-moving-subtree-between-documents.html
+
+            * dom/ContainerNode.cpp:
+            (WebCore::ContainerNode::replaceAllChildren):
+
 2017-09-25  Jason Marcell  <[email protected]>
 
         Cherry-pick r222304. rdar://problem/34646370

Modified: branches/safari-604-branch/Source/WebCore/dom/ContainerNode.cpp (222513 => 222514)


--- branches/safari-604-branch/Source/WebCore/dom/ContainerNode.cpp	2017-09-26 19:14:04 UTC (rev 222513)
+++ branches/safari-604-branch/Source/WebCore/dom/ContainerNode.cpp	2017-09-26 19:14:08 UTC (rev 222514)
@@ -640,12 +640,10 @@
     Ref<ContainerNode> protectedThis(*this);
     ChildListMutationScope mutation(*this);
 
-    // If node is not null, adopt node into parent's node document.
+    willRemoveChildren(*this);
+
     node->setTreeScopeRecursively(treeScope());
 
-    // Remove all parent's children, in tree order.
-    willRemoveChildren(*this);
-
     {
         WidgetHierarchyUpdatesSuspensionScope suspendWidgetHierarchyUpdates;
         {
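Review bot: Both explanatory comments are dropped at the top of this hunk and nothing replaces them, so the reason `willRemoveChildren(*this)` must now come before `node->setTreeScopeRecursively(treeScope())` is recorded only in the ChangeLog. Add a comment above the call saying that it can dispatch events and run script that moves this container to another tree scope, so treeScope() has to be read afterwards; without it a later cleanup could restore the old order. Since script can run at that point, it is also worth asking whether `node` needs re-checking before its tree scope is set, for example that a handler has not given it a parent. No such check is visible in these lines.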
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
