Title: [260997] trunk
Revision
260997
Author
[email protected]
Date
2020-05-01 07:35:12 -0700 (Fri, 01 May 2020)

Log Message

Specific dom node order of Shadow DOM (re)projection causes crash
https://bugs.webkit.org/show_bug.cgi?id=211159
<rdar://problem/62626920>

Reviewed by Zalan Bujtas.

Source/WebCore:

ComposedTreeIterator may traverse to nodes outside its root element if it is constructed
with a starting node that has no next sibling inside a slot.

This leads to miscomputing RenderTreePosition::nextSibling() and eventual nullptr crash in
RenderTreeBuilder when adding a renderer (due to beforeChild renderer being outside the parent renderer).

Test case by Elliott Marquez.

Test: fast/shadow-dom/composed-tree-iterator-escape.html

* dom/ComposedTreeIterator.cpp:
(WebCore::ComposedTreeIterator::Context::Context):

When finding the end iterator for a tree context we need to look for a sibling in ancestors if
the current node has no siblings.

LayoutTests:

* fast/shadow-dom/composed-tree-iterator-escape-expected.html: Added.
* fast/shadow-dom/composed-tree-iterator-escape.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (260996 => 260997)


--- trunk/LayoutTests/ChangeLog	2020-05-01 12:23:54 UTC (rev 260996)
+++ trunk/LayoutTests/ChangeLog	2020-05-01 14:35:12 UTC (rev 260997)
@@ -1,3 +1,14 @@
+2020-05-01  Antti Koivisto  <[email protected]>
+
+        Specific dom node order of Shadow DOM (re)projection causes crash
+        https://bugs.webkit.org/show_bug.cgi?id=211159
+        <rdar://problem/62626920>
+
+        Reviewed by Zalan Bujtas.
+
+        * fast/shadow-dom/composed-tree-iterator-escape-expected.html: Added.
+        * fast/shadow-dom/composed-tree-iterator-escape.html: Added.
+ 
 2020-05-01  Alexey Shvayka  <[email protected]>
 
         [WebIDL] Interface prototype objects should define @@toStringTag
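Review bot: the separator line after the two `* fast/shadow-dom/...: Added.` entries carries trailing whitespace (`+ ` instead of an empty `+`); trim it so the ChangeLog diff stays whitespace-clean.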

Added: trunk/LayoutTests/fast/shadow-dom/composed-tree-iterator-escape-expected.html (0 => 260997)


--- trunk/LayoutTests/fast/shadow-dom/composed-tree-iterator-escape-expected.html	                        (rev 0)
+++ trunk/LayoutTests/fast/shadow-dom/composed-tree-iterator-escape-expected.html	2020-05-01 14:35:12 UTC (rev 260997)
@@ -0,0 +1,2 @@
+<div>named slot</div>
+<div>default</div>

Added: trunk/LayoutTests/fast/shadow-dom/composed-tree-iterator-escape.html (0 => 260997)


--- trunk/LayoutTests/fast/shadow-dom/composed-tree-iterator-escape.html	                        (rev 0)
+++ trunk/LayoutTests/fast/shadow-dom/composed-tree-iterator-escape.html	2020-05-01 14:35:12 UTC (rev 260997)
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<html>
+<body>
+  <my-element-outer></my-element-outer>
+  <script>
+    class MyElementInner extends HTMLElement {
+      connectedCallback() {
+        const sr = this.attachShadow({mode: 'open'})
+        sr.innerHTML = `
+          <slot name="named"></slot>
+          <div>
+            <slot></slot>
+          </div>
+          `;
+      }
+    }
+
+    customElements.define('my-element-inner', MyElementInner);
+
+    class MyElementOuter extends HTMLElement {
+      connectedCallback() {
+        const sr = this.attachShadow({mode: 'open'})
+        sr.innerHTML = `
+          <my-element-inner>
+            <slot>default</slot>
+            <div slot="named">named slot<div>
+          </my-element-inner>
+        `;
+      }
+    }
+
+    customElements.define('my-element-outer', MyElementOuter);
+  </script>
+</body>
+</html>
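Review bot: the named-slot child is never closed: `<div slot="named">named slot<div>` has `<div>` where `</div>` is intended, so the parser nests an extra empty div inside the slotted one and auto-closes both at `</my-element-inner>`. If the stray open tag is part of the reproduction, say so in a comment; otherwise close it with `</div>` so the test exercises exactly the tree the ChangeLog describes (a slotted node with no next sibling). The file also has no comment stating what it tests; a one-line note pointing at bug 211159 and saying the test must not crash would help future readers.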

Modified: trunk/Source/WebCore/ChangeLog (260996 => 260997)


--- trunk/Source/WebCore/ChangeLog	2020-05-01 12:23:54 UTC (rev 260996)
+++ trunk/Source/WebCore/ChangeLog	2020-05-01 14:35:12 UTC (rev 260997)
@@ -1,3 +1,27 @@
+2020-05-01  Antti Koivisto  <[email protected]>
+
+        Specific dom node order of Shadow DOM (re)projection causes crash
+        https://bugs.webkit.org/show_bug.cgi?id=211159
+        <rdar://problem/62626920>
+
+        Reviewed by Zalan Bujtas.
+
+        ComposedTreeIterator may traverse to nodes outside its root element if it is constructed
+        with a starting node that has no next sibling inside a slot.
+
+        This leads to miscomputing RenderTreePosition::nextSibling() and eventual nullptr crash in
+        RenderTreeBuilder when adding a renderer (due to beforeChild renderer being outside the parent renderer).
+
+        Test case by Elliott Marquez.
+
+        Test: fast/shadow-dom/composed-tree-iterator-escape.html
+
+        * dom/ComposedTreeIterator.cpp:
+        (WebCore::ComposedTreeIterator::Context::Context):
+
+        When findind the end iterator for a tree context we need to look for a sibling in ancestors if
+        the current node has no siblings.
+
 2020-05-01  Alexey Shvayka  <[email protected]>
 
         [WebIDL] Interface prototype objects should define @@toStringTag
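Review bot: typo in the final paragraph of the entry: `When findind the end iterator` should read `When finding the end iterator`.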

Modified: trunk/Source/WebCore/dom/ComposedTreeIterator.cpp (260996 => 260997)


--- trunk/Source/WebCore/dom/ComposedTreeIterator.cpp	2020-05-01 12:23:54 UTC (rev 260996)
+++ trunk/Source/WebCore/dom/ComposedTreeIterator.cpp	2020-05-01 14:35:12 UTC (rev 260997)
@@ -49,7 +49,7 @@
     : iterator(root, &node)
     , end(iterator)
 {
-    end.traverseNextSibling();
+    end.traverseNextSkippingChildren();
 }
 
 ComposedTreeIterator::ComposedTreeIterator(ContainerNode& root, FirstChildTag)
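Review bot: the one-line change in `Context::Context` has no explanatory comment; since the ChangeLog says the end iterator must look for a sibling in ancestors when the current node has none, a comment such as `// Walk up to an ancestor's sibling when the node has none, so end stays inside root.` above `end.traverseNextSkippingChildren();` would keep that reasoning next to the code. It is also worth confirming in review that `traverseNextSkippingChildren()` is bounded by the context's root, because the hunk does not show the traversal itself, and an ancestor sibling outside the root would reintroduce the escape the ChangeLog describes.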