Title: [277377] branches/safari-611-branch
- Revision: 277377
- Author: [email protected]
- Date: 2021-05-12 10:54:07 -0700 (Wed, 12 May 2021)
Log Message
Cherry-pick r277373. rdar://problem/77916543
Source/WebCore:
REGRESSION: Release assert in SlotAssignment::assignedNodesForSlot via ComposedTreeIterator::traverseNextInShadowTree
in Element::insertedIntoAncestor
https://bugs.webkit.org/show_bug.cgi?id=225684
Reviewed by Darin Adler.
The release assertion failure was caused by RenderTreeUpdater::tearDownRenderers ending up traversing the parts of the DOM
for which Element::insertedIntoAncestor had not been called yet. Since HTMLSlotElement::insertedIntoAncestor is where
SlotAssignment::Slot is updated for a newly inserted slot, SlotAssignment::Slot may not contain this slot element.
Fixed the bug by returning early in SlotAssignment::assignedNodesForSlot when this condition holds, which is when
the shadow root is connected to a document but HTMLSlotElement isn't since its connected flag has not been updated yet.
Test: fast/shadow-dom/insert-host-child-with-slot-renderer-teardown-crash.html
* dom/SlotAssignment.cpp:
(WebCore::SlotAssignment::assignedNodesForSlot):
LayoutTests:
REGRESSION: Release assert in SlotAssignment::assignedNodesForSlot via ComposedTreeIterator::traverseNextInShadowTree in Element::insertedIntoAncestor
https://bugs.webkit.org/show_bug.cgi?id=225684
Reviewed by Darin Adler.
Added a regression test.
* fast/shadow-dom/insert-host-child-with-slot-renderer-teardown-crash-expected.txt: Added.
* fast/shadow-dom/insert-host-child-with-slot-renderer-teardown-crash.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@277373 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Diff
Modified: branches/safari-611-branch/LayoutTests/ChangeLog (277376 => 277377)
--- branches/safari-611-branch/LayoutTests/ChangeLog 2021-05-12 17:52:38 UTC (rev 277376)
+++ branches/safari-611-branch/LayoutTests/ChangeLog 2021-05-12 17:54:07 UTC (rev 277377)
@@ -1,3 +1,52 @@
+2021-05-12 Russell Epstein <[email protected]>
+
+ Cherry-pick r277373. rdar://problem/77916543
+
+ Source/WebCore:
+ REGRESSION: Release assert in SlotAssignment::assignedNodesForSlot via ComposedTreeIterator::traverseNextInShadowTree
+ in Element::insertedIntoAncestor
+ https://bugs.webkit.org/show_bug.cgi?id=225684
+
+ Reviewed by Darin Adler.
+
+ The release assertion failure was caused by RenderTreeUpdater::tearDownRenderers end up traversing the parts of the DOM
+ for which Element::insertedIntoAncestor had not been called yet. Since HTMLSlotElement::insertedIntoAncestor is where
+ SlotAssignment::Slot is updated for a newly inserted slot, SlotAssignment::Slot may not contain this slot element.
+
+ Fixed the bug by returning early in SlotAssignment::assignedNodesForSlot when this condition holds, which is when
+ the shadow root is connected to a document but HTMLSlotElement isn't since its connected flag has not been updated yet.
+
+ Test: fast/shadow-dom/insert-host-child-with-slot-renderer-teardown-crash.html
+
+ * dom/SlotAssignment.cpp:
+ (WebCore::SlotAssignment::assignedNodesForSlot):
+
+ LayoutTests:
+ REGRESSION: Release assert in SlotAssignment::assignedNodesForSlot via ComposedTreeIterator::traverseNextInShadowTree in Element::insertedIntoAncestor
+ https://bugs.webkit.org/show_bug.cgi?id=225684
+
+ Reviewed by Darin Adler.
+
+ Added a regression test.
+
+ * fast/shadow-dom/insert-host-child-with-slot-renderer-teardown-crash-expected.txt: Added.
+ * fast/shadow-dom/insert-host-child-with-slot-renderer-teardown-crash.html: Added.
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@277373 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-05-12 Ryosuke Niwa <[email protected]>
+
+ REGRESSION: Release assert in SlotAssignment::assignedNodesForSlot via ComposedTreeIterator::traverseNextInShadowTree in Element::insertedIntoAncestor
+ https://bugs.webkit.org/show_bug.cgi?id=225684
+
+ Reviewed by Darin Adler.
+
+ Added a regression test.
+
+ * fast/shadow-dom/insert-host-child-with-slot-renderer-teardown-crash-expected.txt: Added.
+ * fast/shadow-dom/insert-host-child-with-slot-renderer-teardown-crash.html: Added.
+
2021-05-07 Russell Epstein <[email protected]>
Cherry-pick r276739. rdar://problem/77581103
Added: branches/safari-611-branch/LayoutTests/fast/shadow-dom/insert-host-child-with-slot-renderer-teardown-crash-expected.txt (0 => 277377)
--- branches/safari-611-branch/LayoutTests/fast/shadow-dom/insert-host-child-with-slot-renderer-teardown-crash-expected.txt (rev 0)
+++ branches/safari-611-branch/LayoutTests/fast/shadow-dom/insert-host-child-with-slot-renderer-teardown-crash-expected.txt 2021-05-12 17:54:07 UTC (rev 277377)
@@ -0,0 +1,3 @@
+This tests if WebKit does not crash or hit any assertions.
+
+PASS
Added: branches/safari-611-branch/LayoutTests/fast/shadow-dom/insert-host-child-with-slot-renderer-teardown-crash.html (0 => 277377)
--- branches/safari-611-branch/LayoutTests/fast/shadow-dom/insert-host-child-with-slot-renderer-teardown-crash.html (rev 0)
+++ branches/safari-611-branch/LayoutTests/fast/shadow-dom/insert-host-child-with-slot-renderer-teardown-crash.html 2021-05-12 17:54:07 UTC (rev 277377)
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>This tests if WebKit does not crash or hit any assertions.</p>
+<script>
+
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+const host = document.createElement('div');
+document.body.appendChild(host);
+const shadowRoot = host.attachShadow({mode: 'closed'});
+shadowRoot.innerHTML = '<div id="inner"><slot name="some-name"></slot></div>';
+
+const innerHost = shadowRoot.getElementById('inner');
+const innerShadowRoot = innerHost.attachShadow({mode: 'closed'});
+innerShadowRoot.appendChild(document.createElement('slot'));
+innerHost.getBoundingClientRect();
+
+shadowRoot.querySelector('slot').remove();
+const newChild = document.createElement('div');
+newChild.appendChild(document.createElement('slot'));
+innerHost.appendChild(newChild);
+
+document.write('<div>PASS</div>');
+
+</script>
+</body>
+</html>
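Review bot: The test has no comments saying which statements set up the failing state, so a later cleanup could remove `innerHost.getBoundingClientRect();` or the `shadowRoot.querySelector('slot').remove();` step and leave a test that still prints PASS without exercising the renderer teardown path named in the log message. A one-line comment above each of those two statements (forcing layout so renderers exist; removing the named slot before appending `newChild` with its own slot) would keep the reproduction intact. The test also only proves the absence of a crash: nothing after `innerHost.appendChild(newChild);` checks slot state, so an incorrect result from the new early return would go unnoticed here. Consider a follow-up check on the newly inserted slot once insertion has completed.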
Modified: branches/safari-611-branch/Source/WebCore/ChangeLog (277376 => 277377)
--- branches/safari-611-branch/Source/WebCore/ChangeLog 2021-05-12 17:52:38 UTC (rev 277376)
+++ branches/safari-611-branch/Source/WebCore/ChangeLog 2021-05-12 17:54:07 UTC (rev 277377)
@@ -1,3 +1,60 @@
+2021-05-12 Russell Epstein <[email protected]>
+
+ Cherry-pick r277373. rdar://problem/77916543
+
+ Source/WebCore:
+ REGRESSION: Release assert in SlotAssignment::assignedNodesForSlot via ComposedTreeIterator::traverseNextInShadowTree
+ in Element::insertedIntoAncestor
+ https://bugs.webkit.org/show_bug.cgi?id=225684
+
+ Reviewed by Darin Adler.
+
+ The release assertion failure was caused by RenderTreeUpdater::tearDownRenderers end up traversing the parts of the DOM
+ for which Element::insertedIntoAncestor had not been called yet. Since HTMLSlotElement::insertedIntoAncestor is where
+ SlotAssignment::Slot is updated for a newly inserted slot, SlotAssignment::Slot may not contain this slot element.
+
+ Fixed the bug by returning early in SlotAssignment::assignedNodesForSlot when this condition holds, which is when
+ the shadow root is connected to a document but HTMLSlotElement isn't since its connected flag has not been updated yet.
+
+ Test: fast/shadow-dom/insert-host-child-with-slot-renderer-teardown-crash.html
+
+ * dom/SlotAssignment.cpp:
+ (WebCore::SlotAssignment::assignedNodesForSlot):
+
+ LayoutTests:
+ REGRESSION: Release assert in SlotAssignment::assignedNodesForSlot via ComposedTreeIterator::traverseNextInShadowTree in Element::insertedIntoAncestor
+ https://bugs.webkit.org/show_bug.cgi?id=225684
+
+ Reviewed by Darin Adler.
+
+ Added a regression test.
+
+ * fast/shadow-dom/insert-host-child-with-slot-renderer-teardown-crash-expected.txt: Added.
+ * fast/shadow-dom/insert-host-child-with-slot-renderer-teardown-crash.html: Added.
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@277373 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-05-12 Ryosuke Niwa <[email protected]>
+
+ REGRESSION: Release assert in SlotAssignment::assignedNodesForSlot via ComposedTreeIterator::traverseNextInShadowTree
+ in Element::insertedIntoAncestor
+ https://bugs.webkit.org/show_bug.cgi?id=225684
+
+ Reviewed by Darin Adler.
+
+ The release assertion failure was caused by RenderTreeUpdater::tearDownRenderers end up traversing the parts of the DOM
+ for which Element::insertedIntoAncestor had not been called yet. Since HTMLSlotElement::insertedIntoAncestor is where
+ SlotAssignment::Slot is updated for a newly inserted slot, SlotAssignment::Slot may not contain this slot element.
+
+ Fixed the bug by returning early in SlotAssignment::assignedNodesForSlot when this condition holds, which is when
+ the shadow root is connected to a document but HTMLSlotElement isn't since its connected flag has not been updated yet.
+
+ Test: fast/shadow-dom/insert-host-child-with-slot-renderer-teardown-crash.html
+
+ * dom/SlotAssignment.cpp:
+ (WebCore::SlotAssignment::assignedNodesForSlot):
+
2021-05-07 Russell Epstein <[email protected]>
Cherry-pick r276739. rdar://problem/77581103
Modified: branches/safari-611-branch/Source/WebCore/dom/SlotAssignment.cpp (277376 => 277377)
--- branches/safari-611-branch/Source/WebCore/dom/SlotAssignment.cpp 2021-05-12 17:52:38 UTC (rev 277376)
+++ branches/safari-611-branch/Source/WebCore/dom/SlotAssignment.cpp 2021-05-12 17:54:07 UTC (rev 277377)
@@ -332,6 +332,10 @@
ASSERT(slotElement.containingShadowRoot() == &shadowRoot);
const AtomString& slotName = slotNameFromAttributeValue(slotElement.attributeWithoutSynchronization(nameAttr));
auto* slot = m_slots.get(slotName);
+
+ bool hasNotCalledInsertedIntoAncestorOnSlot = shadowRoot.isConnected() && !slotElement.isConnected();
+ if (hasNotCalledInsertedIntoAncestorOnSlot)
+ return nullptr;
RELEASE_ASSERT(slot);
if (!m_slotAssignmentsIsValid)
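Review bot: The new early return sits between `auto* slot = m_slots.get(slotName);` and `RELEASE_ASSERT(slot);` with no comment, and its condition `shadowRoot.isConnected() && !slotElement.isConnected()` is an indirect proxy for "insertedIntoAncestor has not run on this slot yet". The variable name helps, but the reasoning lives only in the ChangeLog: a short comment stating that the connected flag is updated in HTMLSlotElement::insertedIntoAncestor, and that RenderTreeUpdater::tearDownRenderers can reach this slot before then, would stop someone from later "simplifying" the check away. Because the return happens regardless of whether `slot` is null, the release assert is now skipped for every call in that state, so it is worth confirming that no other path can legitimately have a connected shadow root and a disconnected slot element. The check could also move above the `m_slots.get(slotName)` lookup, since the lookup result is unused when it fires. Callers are not visible in this hunk; each one needs to treat the new `nullptr` as "no assigned nodes" rather than dereference it.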