[webkit-changes] [236214] branches/safari-606-branch

Wed, 19 Sep 2018 12:15:00 -0700

Title: [236214] branches/safari-606-branch
Revision
236214
Author
[email protected]
Date
2018-09-19 12:13:32 -0700 (Wed, 19 Sep 2018)

Log Message

Cherry-pick r235956. rdar://problem/44576825

    imported/w3c/web-platform-tests/shadow-dom/form-control-form-attribute.html hits assertion
    https://bugs.webkit.org/show_bug.cgi?id=189493

    Reviewed by Alex Christensen.

    Source/WebCore:

    The debug assertion was caused by RefPtr in FormAssociatedElement::formOwnerRemovedFromTree introduced
    by r224390 and r223644 ref'ing ShadowRoot while calling removeDetachedChildren inside ~ShadowRoot.
    When a form (or any other) element has more than one ref inside removeDetachedChildren,
    addChildNodesToDeletionQueue calls notifyChildNodeRemoved in the tree oreder.

    However, when a form associated element of this form element appears later in the tree order,
    FormAssociatedElement::formOwnerRemovedFromTree can traverse up ancestors including the ShadowRoot.

    Fixed the bug by using raw pointers instead. Luckily, there is no DOM mutations or other non-trivial
    operations happening in this function so this should be safe.

    Test: imported/w3c/web-platform-tests/shadow-dom/form-control-form-attribute.html

    * html/FormAssociatedElement.cpp:
    (WebCore::FormAssociatedElement::formOwnerRemovedFromTree): Fixed the bug.

    LayoutTests:

    Unskip the test now that it doesn't hit a debug assertion.

    * TestExpectations:

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235956 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

Diff

Modified: branches/safari-606-branch/LayoutTests/ChangeLog (236213 => 236214)


--- branches/safari-606-branch/LayoutTests/ChangeLog	2018-09-19 18:54:32 UTC (rev 236213)
+++ branches/safari-606-branch/LayoutTests/ChangeLog	2018-09-19 19:13:32 UTC (rev 236214)
@@ -1,3 +1,49 @@
+2018-09-19  Kocsen Chung  <[email protected]>
+
+        Cherry-pick r235956. rdar://problem/44576825
+
+    imported/w3c/web-platform-tests/shadow-dom/form-control-form-attribute.html hits assertion
+    https://bugs.webkit.org/show_bug.cgi?id=189493
+    
+    Reviewed by Alex Christensen.
+    
+    Source/WebCore:
+    
+    The debug assertion was caused by RefPtr in FormAssociatedElement::formOwnerRemovedFromTree introduced
+    by r224390 and r223644 ref'ing ShadowRoot while calling removeDetachedChildren inside ~ShadowRoot.
+    When a form (or any other) element has more than one ref inside removeDetachedChildren,
+    addChildNodesToDeletionQueue calls notifyChildNodeRemoved in the tree oreder.
+    
+    However, when a form associated element of this form element appears later in the tree order,
+    FormAssociatedElement::formOwnerRemovedFromTree can traverse up ancestors including the ShadowRoot.
+    
+    Fixed the bug by using raw pointers instead. Luckily, there is no DOM mutations or other non-trivial
+    operations happening in this function so this should be safe.
+    
+    Test: imported/w3c/web-platform-tests/shadow-dom/form-control-form-attribute.html
+    
+    * html/FormAssociatedElement.cpp:
+    (WebCore::FormAssociatedElement::formOwnerRemovedFromTree): Fixed the bug.
+    
+    LayoutTests:
+    
+    Unskip the test now that it doesn't hit a debug assertion.
+    
+    * TestExpectations:
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235956 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2018-09-11  Ryosuke Niwa  <[email protected]>
+
+            imported/w3c/web-platform-tests/shadow-dom/form-control-form-attribute.html hits assertion
+            https://bugs.webkit.org/show_bug.cgi?id=189493
+
+            Reviewed by Alex Christensen.
+
+            Unskip the test now that it doesn't hit a debug assertion.
+
+            * TestExpectations:
+
 2018-09-18  Ryan Haddad  <[email protected]>
 
         Unreviewed test gardening, rebaseline http/tests/ssl/applepay/ApplePayButton.html.

Modified: branches/safari-606-branch/LayoutTests/TestExpectations (236213 => 236214)


--- branches/safari-606-branch/LayoutTests/TestExpectations	2018-09-19 18:54:32 UTC (rev 236213)
+++ branches/safari-606-branch/LayoutTests/TestExpectations	2018-09-19 19:13:32 UTC (rev 236214)
@@ -2206,3 +2206,19 @@
 webkit.org/b/187183 http/tests/security/pasteboard-file-url.html [ Skip ]
 
 [ Debug ] fast/multicol/crash-in-vertical-writing-mode.html [ Skip ]
+
+webkit.org/b/187762 http/tests/websocket/tests/hybi/websocket-allowed-setting-cookie-as-third-party.html [ Failure ]
+webkit.org/b/187762 http/tests/websocket/tests/hybi/websocket-cookie-overwrite-behavior.html [ Failure ]
+
+webkit.org/b/187269 [ Debug ] imported/w3c/web-platform-tests/FileAPI/reading-data-section/filereader_abort.html [ Skip ]
+
+webkit.org/b/185308 legacy-animation-engine/animations/combo-transform-translate+scale.html [ Pass Failure ]
+
+fast/gradients/conic-repeating.html [ Skip ]
+fast/gradients/conic.html [ Skip ]
+fast/gradients/conic-off-center.html [ Skip ]
+fast/gradients/conic-center-outside-box.html [ Skip ]
+fast/gradients/conic-extended-stops.html [ Skip ]
+fast/gradients/conic-from-angle.html [ Skip ]
+
+webkit.org/b/187773 http/tests/webAPIStatistics [ Skip ]

Modified: branches/safari-606-branch/Source/WebCore/ChangeLog (236213 => 236214)


--- branches/safari-606-branch/Source/WebCore/ChangeLog	2018-09-19 18:54:32 UTC (rev 236213)
+++ branches/safari-606-branch/Source/WebCore/ChangeLog	2018-09-19 19:13:32 UTC (rev 236214)
@@ -1,3 +1,61 @@
+2018-09-19  Kocsen Chung  <[email protected]>
+
+        Cherry-pick r235956. rdar://problem/44576825
+
+    imported/w3c/web-platform-tests/shadow-dom/form-control-form-attribute.html hits assertion
+    https://bugs.webkit.org/show_bug.cgi?id=189493
+    
+    Reviewed by Alex Christensen.
+    
+    Source/WebCore:
+    
+    The debug assertion was caused by RefPtr in FormAssociatedElement::formOwnerRemovedFromTree introduced
+    by r224390 and r223644 ref'ing ShadowRoot while calling removeDetachedChildren inside ~ShadowRoot.
+    When a form (or any other) element has more than one ref inside removeDetachedChildren,
+    addChildNodesToDeletionQueue calls notifyChildNodeRemoved in the tree oreder.
+    
+    However, when a form associated element of this form element appears later in the tree order,
+    FormAssociatedElement::formOwnerRemovedFromTree can traverse up ancestors including the ShadowRoot.
+    
+    Fixed the bug by using raw pointers instead. Luckily, there is no DOM mutations or other non-trivial
+    operations happening in this function so this should be safe.
+    
+    Test: imported/w3c/web-platform-tests/shadow-dom/form-control-form-attribute.html
+    
+    * html/FormAssociatedElement.cpp:
+    (WebCore::FormAssociatedElement::formOwnerRemovedFromTree): Fixed the bug.
+    
+    LayoutTests:
+    
+    Unskip the test now that it doesn't hit a debug assertion.
+    
+    * TestExpectations:
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235956 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2018-09-11  Ryosuke Niwa  <[email protected]>
+
+            imported/w3c/web-platform-tests/shadow-dom/form-control-form-attribute.html hits assertion
+            https://bugs.webkit.org/show_bug.cgi?id=189493
+
+            Reviewed by Alex Christensen.
+
+            The debug assertion was caused by RefPtr in FormAssociatedElement::formOwnerRemovedFromTree introduced
+            by r224390 and r223644 ref'ing ShadowRoot while calling removeDetachedChildren inside ~ShadowRoot.
+            When a form (or any other) element has more than one ref inside removeDetachedChildren,
+            addChildNodesToDeletionQueue calls notifyChildNodeRemoved in the tree oreder.
+
+            However, when a form associated element of this form element appears later in the tree order,
+            FormAssociatedElement::formOwnerRemovedFromTree can traverse up ancestors including the ShadowRoot.
+
+            Fixed the bug by using raw pointers instead. Luckily, there is no DOM mutations or other non-trivial
+            operations happening in this function so this should be safe.
+
+            Test: imported/w3c/web-platform-tests/shadow-dom/form-control-form-attribute.html
+
+            * html/FormAssociatedElement.cpp:
+            (WebCore::FormAssociatedElement::formOwnerRemovedFromTree): Fixed the bug.
+
 2018-09-06  Babak Shafiei  <[email protected]>
 
         Cherry-pick r235754. rdar://problem/44210305

Modified: branches/safari-606-branch/Source/WebCore/html/FormAssociatedElement.cpp (236213 => 236214)


--- branches/safari-606-branch/Source/WebCore/html/FormAssociatedElement.cpp	2018-09-19 18:54:32 UTC (rev 236213)
+++ branches/safari-606-branch/Source/WebCore/html/FormAssociatedElement.cpp	2018-09-19 19:13:32 UTC (rev 236214)
@@ -122,8 +122,9 @@
 void FormAssociatedElement::formOwnerRemovedFromTree(const Node& formRoot)
 {
     ASSERT(m_form);
-    RefPtr<Node> rootNode = &asHTMLElement();
-    for (auto ancestor = makeRefPtr(asHTMLElement().parentNode()); ancestor; ancestor = ancestor->parentNode()) {
+    // Can't use RefPtr here beacuse this function might be called inside ~ShadowRoot via addChildNodesToDeletionQueue. See webkit.org/b/189493.
+    Node* rootNode = &asHTMLElement();
+    for (auto* ancestor = asHTMLElement().parentNode(); ancestor; ancestor = ancestor->parentNode()) {
         if (ancestor == m_form) {
             // Form is our ancestor so we don't need to reset our owner, we also no longer
             // need an id observer since we are no longer connected.

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to