Title: [223405] releases/WebKitGTK/webkit-2.18
Revision
223405
Author
[email protected]
Date
2017-10-16 06:40:52 -0700 (Mon, 16 Oct 2017)

Log Message

Merge r222474 - Crash in WebCore::TreeScope::documentScope
https://bugs.webkit.org/show_bug.cgi?id=176159

Reviewed by Ryosuke Niwa.

Source/WebCore:

When all children are replaced with a new node in ContainerNode::replaceAllChildren,
the treescope of the new node should be set after the call to willRemoveChildren,
since this call can fire events, and execute JS code, which might change the treescope
of the container node.

Test: fast/dom/crash-moving-subtree-between-documents.html

* dom/ContainerNode.cpp:
(WebCore::ContainerNode::replaceAllChildren):

LayoutTests:

* fast/dom/crash-moving-subtree-between-documents-expected.txt: Added.
* fast/dom/crash-moving-subtree-between-documents.html: Added.
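The ordering hazard the log message describes, as an added illustration that is not WebKit code: a toy container (hypothetical names throughout) whose removal notification runs a user callback, shown with the tree scope assigned before the callback (the order the commit removes) and after it (the order the commit introduces), plus the invariant check a reviewer would want to see hold.

```cpp
// Added illustration of the re-entrancy hazard fixed in this commit. This is
// NOT WebCore code: TreeScope, Node and Container below are a toy model
// (hypothetical names) keeping only what matters -- a container whose scope
// can be changed by a removal callback that runs arbitrary user code.
#include <functional>
#include <string>
#include <vector>

struct TreeScope { std::string name; };

struct Node {
    TreeScope* scope = nullptr;
    std::vector<Node*> children;
};

struct Container : Node {
    // Stand-in for the mutation events (e.g. DOMNodeRemoved) that a
    // willRemoveChildren() step can dispatch; script may run here.
    std::function<void(Container&)> onWillRemoveChildren;

    void willRemoveChildren() {
        if (onWillRemoveChildren)
            onWillRemoveChildren(*this);
    }

    // Order removed by the commit: the new node's scope is derived from the
    // container *before* the callbacks run, so a callback that moves the
    // container elsewhere leaves the new child with a stale scope.
    void replaceAllChildrenBuggy(Node& node) {
        node.scope = scope;
        willRemoveChildren();
        children.clear();
        children.push_back(&node);
    }

    // Order introduced by the commit: run the callbacks first, then derive the
    // new node's scope from whatever the container's scope is afterwards.
    void replaceAllChildrenFixed(Node& node) {
        willRemoveChildren();
        node.scope = scope;
        children.clear();
        children.push_back(&node);
    }
};

// Invariant the fix restores: every child's scope equals the parent's scope.
bool childScopeMatchesParent(const Container& c) {
    for (const Node* child : c.children)
        if (child->scope != c.scope)
            return false;
    return true;
}

// Runs one replacement with a callback that moves the container to another
// scope mid-operation (the analogue of the layout test moving a node into a
// second document from an event handler). Returns whether the invariant held.
bool runScenario(bool useFixedOrder) {
    TreeScope docA{"A"}, docB{"B"};
    Container container;
    container.scope = &docA;
    Node oldChild;
    oldChild.scope = &docA;
    container.children.push_back(&oldChild);

    // "Script" executed from inside willRemoveChildren: adopt the container
    // into a different document.
    container.onWillRemoveChildren = [&](Container& c) { c.scope = &docB; };

    Node newChild;
    if (useFixedOrder)
        container.replaceAllChildrenFixed(newChild);
    else
        container.replaceAllChildrenBuggy(newChild);
    return childScopeMatchesParent(container);
}
```

The general lesson is the same one the ChangeLog states: any value derived from an object's state must be computed after, not before, a call that can re-enter arbitrary script, because that script may have changed the state the value depends on.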

Diff

Modified: releases/WebKitGTK/webkit-2.18/LayoutTests/ChangeLog (223404 => 223405)


--- releases/WebKitGTK/webkit-2.18/LayoutTests/ChangeLog	2017-10-16 13:34:17 UTC (rev 223404)
+++ releases/WebKitGTK/webkit-2.18/LayoutTests/ChangeLog	2017-10-16 13:40:52 UTC (rev 223405)
@@ -1,3 +1,13 @@
+2017-09-25  Per Arne Vollan  <[email protected]>
+
+        Crash in WebCore::TreeScope::documentScope
+        https://bugs.webkit.org/show_bug.cgi?id=176159
+
+        Reviewed by Ryosuke Niwa.
+
+        * fast/dom/crash-moving-subtree-between-documents-expected.txt: Added.
+        * fast/dom/crash-moving-subtree-between-documents.html: Added.
+
 2017-09-25  Manuel Rego Casasnovas  <[email protected]>
 
         [css-grid] fit-content() tracks shouldn't stretch

Added: releases/WebKitGTK/webkit-2.18/LayoutTests/fast/dom/crash-moving-subtree-between-documents-expected.txt (0 => 223405)


--- releases/WebKitGTK/webkit-2.18/LayoutTests/fast/dom/crash-moving-subtree-between-documents-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.18/LayoutTests/fast/dom/crash-moving-subtree-between-documents-expected.txt	2017-10-16 13:40:52 UTC (rev 223405)
@@ -0,0 +1,2 @@
+This test passes if it does not assert or crash. 
+

Added: releases/WebKitGTK/webkit-2.18/LayoutTests/fast/dom/crash-moving-subtree-between-documents.html (0 => 223405)


--- releases/WebKitGTK/webkit-2.18/LayoutTests/fast/dom/crash-moving-subtree-between-documents.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.18/LayoutTests/fast/dom/crash-moving-subtree-between-documents.html	2017-10-16 13:40:52 UTC (rev 223405)
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+function go()
+{
+    var v = document.getElementById("v");
+    o.defaultValue = "x";
+    a.appendChild(v);
+}
+function eventhandler2()
+{
+    var d = document.implementation.createHTMLDocument("doc");
+    var s = d.createElement("script");
+    s.prepend(v);
+}
+function eventhandler1()
+{
+    v.appendChild(o);
+    o.addEventListener("DOMNodeRemoved", eventhandler2);
+}
+</script>
+<body _onload_=go()>
+This test passes if it does not assert or crash.
+<a id="a"></a>
+<output id="o">foo</output>
+<video id="v"></video>
+<svg>
+<text _onload_="eventhandler1()" />
+</body>
+</html>
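Review bot: the `_onload_=go()` on the body and `_onload_="eventhandler1()"` on the SVG text element look like archive mangling of `onload`; confirm the committed file uses `onload`, because with `_onload_` neither go() nor eventhandler1() would ever run and the test would pass without exercising the crash path it was written for. Two smaller points in the same hunk: the `<svg>` element is never closed before `</body>`, and the handlers rely on window named access for `o`, `a` and `v` while go() fetches `v` via getElementById; using getElementById throughout would make the test read consistently.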

Modified: releases/WebKitGTK/webkit-2.18/Source/WebCore/ChangeLog (223404 => 223405)


--- releases/WebKitGTK/webkit-2.18/Source/WebCore/ChangeLog	2017-10-16 13:34:17 UTC (rev 223404)
+++ releases/WebKitGTK/webkit-2.18/Source/WebCore/ChangeLog	2017-10-16 13:40:52 UTC (rev 223405)
@@ -1,3 +1,20 @@
+2017-09-25  Per Arne Vollan  <[email protected]>
+
+        Crash in WebCore::TreeScope::documentScope
+        https://bugs.webkit.org/show_bug.cgi?id=176159
+
+        Reviewed by Ryosuke Niwa.
+
+        When all children are replaced with a new node in ContainerNode::replaceAllChildren,
+        the treescope of the new node should be set after the call to willRemoveChildren,
+        since this call can fire events, and execute JS code, which might change the treescope
+        of the container node.
+
+        Test: fast/dom/crash-moving-subtree-between-documents.html
+
+        * dom/ContainerNode.cpp:
+        (WebCore::ContainerNode::replaceAllChildren):
+
 2017-09-25  Alex Christensen  <[email protected]>
 
         Separate form submission from PolicyChecker infrastructure

Modified: releases/WebKitGTK/webkit-2.18/Source/WebCore/dom/ContainerNode.cpp (223404 => 223405)


--- releases/WebKitGTK/webkit-2.18/Source/WebCore/dom/ContainerNode.cpp	2017-10-16 13:34:17 UTC (rev 223404)
+++ releases/WebKitGTK/webkit-2.18/Source/WebCore/dom/ContainerNode.cpp	2017-10-16 13:40:52 UTC (rev 223405)
@@ -640,12 +640,10 @@
     Ref<ContainerNode> protectedThis(*this);
     ChildListMutationScope mutation(*this);
 
-    // If node is not null, adopt node into parent's node document.
+    willRemoveChildren(*this);
+
     node->setTreeScopeRecursively(treeScope());
 
-    // Remove all parent's children, in tree order.
-    willRemoveChildren(*this);
-
     {
         WidgetHierarchyUpdatesSuspensionScope suspendWidgetHierarchyUpdates;
         {
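Review bot: the reorder drops both comments that explained this block ("If node is not null, adopt node into parent's node document." and "Remove all parent's children, in tree order.") without replacing them, and the fix is entirely the relative order of `willRemoveChildren(*this);` and `node->setTreeScopeRecursively(treeScope());`. Add a comment above the setTreeScopeRecursively call saying it must run after willRemoveChildren because that call can dispatch mutation events and run script that changes this container's tree scope, so a later cleanup does not swap the two lines back; the `Ref<ContainerNode> protectedThis(*this)` in the context above already keeps the container alive across that script, which is worth stating in the same comment.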
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
