Title: [239905] trunk
Revision: 239905
Author: [email protected]
Date: 2019-01-13 05:15:11 -0800 (Sun, 13 Jan 2019)

Log Message

Release assert with <img usemap> in shadow tree
https://bugs.webkit.org/show_bug.cgi?id=193378

Reviewed by Ryosuke Niwa.

Source/WebCore:

When a shadow host that has <img usemap> in the shadow tree is removed from the document, we try
to remove the map from the scope of the host.

* html/HTMLImageElement.cpp:
(WebCore::HTMLImageElement::parseAttribute):
(WebCore::HTMLImageElement::insertedIntoAncestor):
(WebCore::HTMLImageElement::removedFromAncestor):

Tree scope changes are relevant, not the connection to the document.

LayoutTests:

* fast/shadow-dom/image-map-tree-scope.html:

Diff

Modified: trunk/LayoutTests/ChangeLog (239904 => 239905)


--- trunk/LayoutTests/ChangeLog	2019-01-13 05:54:06 UTC (rev 239904)
+++ trunk/LayoutTests/ChangeLog	2019-01-13 13:15:11 UTC (rev 239905)
@@ -1,3 +1,12 @@
+2019-01-13  Antti Koivisto  <[email protected]>
+
+        Release assert with <img usemap> in shadow tree
+        https://bugs.webkit.org/show_bug.cgi?id=193378
+
+        Reviewed by Ryosuke Niwa.
+
+        * fast/shadow-dom/image-map-tree-scope.html:
+
 2019-01-12  Timothy Hatcher  <[email protected]>
 
         Have prefers-color-scheme: light always match on macOS versions before Mojave.

Modified: trunk/LayoutTests/fast/shadow-dom/image-map-tree-scope-expected.txt (239904 => 239905)


--- trunk/LayoutTests/fast/shadow-dom/image-map-tree-scope-expected.txt	2019-01-13 05:54:06 UTC (rev 239904)
+++ trunk/LayoutTests/fast/shadow-dom/image-map-tree-scope-expected.txt	2019-01-13 13:15:11 UTC (rev 239905)
@@ -1 +1 @@
-This test passes if it doesn't crash.
+This test passes if it doesn't crash.  

Modified: trunk/LayoutTests/fast/shadow-dom/image-map-tree-scope.html (239904 => 239905)


--- trunk/LayoutTests/fast/shadow-dom/image-map-tree-scope.html	2019-01-13 05:54:06 UTC (rev 239904)
+++ trunk/LayoutTests/fast/shadow-dom/image-map-tree-scope.html	2019-01-13 13:15:11 UTC (rev 239905)
@@ -6,7 +6,7 @@
 
 function test() {
     var shadow = host.attachShadow({mode: "open"});
-    shadow.innerHTML = '<map name="bar">';
+    shadow.innerHTML = '<map name="bar"></map><img usemap=""
     host.remove();
 }
 </script>
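Review bot: test() only exercises host.remove(), so the usemapAttr branch changed in parseAttribute is not reached after the host is detached. Consider adding a step that changes usemap on the shadow-tree <img> once the host has been removed, and another that re-appends the host, so that an unbalanced addImageElementByUsemap / removeImageElementByUsemap pair would trip the release assert in this test.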
@@ -14,6 +14,7 @@
 <body _onload_="test()">
 This test passes if it doesn't crash.
 <map id="map" name="foo"></map>
+<img usemap=""
 <div id="host"></div>
 </body>
 </html>

Modified: trunk/Source/WebCore/ChangeLog (239904 => 239905)


--- trunk/Source/WebCore/ChangeLog	2019-01-13 05:54:06 UTC (rev 239904)
+++ trunk/Source/WebCore/ChangeLog	2019-01-13 13:15:11 UTC (rev 239905)
@@ -1,3 +1,20 @@
+2019-01-13  Antti Koivisto  <[email protected]>
+
+        Release assert with <img usemap> in shadow tree
+        https://bugs.webkit.org/show_bug.cgi?id=193378
+
+        Reviewed by Ryosuke Niwa.
+
+        When a shadow host that has <img usemap> in the shadow tree is removed from the document, we try
+        to remove the map from the scope of the host.
+
+        * html/HTMLImageElement.cpp:
+        (WebCore::HTMLImageElement::parseAttribute):
+        (WebCore::HTMLImageElement::insertedIntoAncestor):
+        (WebCore::HTMLImageElement::removedFromAncestor):
+
+        Tree scope changes are relevant, not the connection to the document.
+
 2019-01-12  Timothy Hatcher  <[email protected]>
 
         Have prefers-color-scheme: light always match on macOS versions before Mojave.

Modified: trunk/Source/WebCore/html/HTMLImageElement.cpp (239904 => 239905)


--- trunk/Source/WebCore/html/HTMLImageElement.cpp	2019-01-13 05:54:06 UTC (rev 239904)
+++ trunk/Source/WebCore/html/HTMLImageElement.cpp	2019-01-13 13:15:11 UTC (rev 239905)
@@ -227,12 +227,12 @@
     } else if (name == srcAttr || name == srcsetAttr || name == sizesAttr)
         selectImageSource();
     else if (name == usemapAttr) {
-        if (isConnected() && !m_parsedUsemap.isNull())
+        if (isInTreeScope() && !m_parsedUsemap.isNull())
             treeScope().removeImageElementByUsemap(*m_parsedUsemap.impl(), *this);
 
         m_parsedUsemap = parseHTMLHashNameReference(value);
 
-        if (isConnected() && !m_parsedUsemap.isNull())
+        if (isInTreeScope() && !m_parsedUsemap.isNull())
             treeScope().addImageElementByUsemap(*m_parsedUsemap.impl(), *this);
     } else if (name == compositeAttr) {
         // FIXME: images don't support blend modes in their compositing attribute.
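Review bot: in the usemapAttr branch the guard isInTreeScope() && !m_parsedUsemap.isNull() reads the element's current state, while insertedIntoAncestor and removedFromAncestor key off the treeScopeChanged flag of the notification. The three sites have to agree on when the element is registered, otherwise removeImageElementByUsemap runs for an entry that was never added. A one-line comment stating the invariant (registered exactly while in a tree scope with a non-null m_parsedUsemap), or a small helper shared by the two guards here, would make that harder to break in a later change.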
@@ -356,7 +356,7 @@
     if (insertionType.connectedToDocument && hasEditableImageAttribute())
         insertNotificationRequest = InsertedIntoAncestorResult::NeedsPostInsertionCallback;
 
-    if (insertionType.connectedToDocument && !m_parsedUsemap.isNull())
+    if (insertionType.treeScopeChanged && !m_parsedUsemap.isNull())
         treeScope().addImageElementByUsemap(*m_parsedUsemap.impl(), *this);
 
     if (is<HTMLPictureElement>(parentNode())) {
@@ -383,7 +383,7 @@
     if (m_form)
         m_form->removeImgElement(this);
 
-    if (removalType.disconnectedFromDocument && !m_parsedUsemap.isNull())
+    if (removalType.treeScopeChanged && !m_parsedUsemap.isNull())
         oldParentOfRemovedTree.treeScope().removeImageElementByUsemap(*m_parsedUsemap.impl(), *this);
 
     if (is<HTMLPictureElement>(parentNode()))
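Review bot: the removal goes through oldParentOfRemovedTree.treeScope() while the matching registration in insertedIntoAncestor uses the element's own treeScope(). Now that the condition is removalType.treeScopeChanged rather than disconnectedFromDocument, a short comment saying why the old parent's scope is the one that holds the registration at this point would help the next reader keep the add and remove calls paired.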