[webkit-changes] [281700] trunk

Fri, 27 Aug 2021 10:14:11 -0700

Title: [281700] trunk
Revision
281700
Author
[email protected]
Date
2021-08-27 10:12:41 -0700 (Fri, 27 Aug 2021)

Log Message

REGRESSION (r276882): Shadow trees may use stale style information after inline stylesheet is mutated via CSSOM
https://bugs.webkit.org/show_bug.cgi?id=228917
rdar://81483998

Reviewed by Alan Bujtas.

Source/WebCore:

If a stylesheet in a shadow tree is mutated via CSSOM we fail to remove cached style resolver for the mutated sheet
and may end up with stale style.

Test: fast/shadow-dom/shadow-stylesheet-mutation.html

* style/StyleScope.cpp:
(WebCore::Style::Scope::unshareShadowTreeResolverBeforeMutation):

Remove an assert relevant to the previous call site only.

(WebCore::Style::Scope::scheduleUpdate):

Unshare shadow tree resolver immeditaly when stylesheet contents or interpretation changes.

LayoutTests:

Original reduction by Thomas Ladd.

* fast/shadow-dom/shadow-stylesheet-mutation-expected.html: Added.
* fast/shadow-dom/shadow-stylesheet-mutation.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (281699 => 281700)


--- trunk/LayoutTests/ChangeLog	2021-08-27 17:02:23 UTC (rev 281699)
+++ trunk/LayoutTests/ChangeLog	2021-08-27 17:12:41 UTC (rev 281700)
@@ -1,3 +1,16 @@
+2021-08-27  Antti Koivisto  <[email protected]>
+
+        REGRESSION (r276882): Shadow trees may use stale style information after inline stylesheet is mutated via CSSOM
+        https://bugs.webkit.org/show_bug.cgi?id=228917
+        rdar://81483998
+
+        Reviewed by Alan Bujtas.
+
+        Original reduction by Thomas Ladd.
+
+        * fast/shadow-dom/shadow-stylesheet-mutation-expected.html: Added.
+        * fast/shadow-dom/shadow-stylesheet-mutation.html: Added.
+
 2021-08-27  Chris Dumez  <[email protected]>
 
         REGRESSION (r281516): imported/w3c/web-platform-tests/IndexedDB/serialize-sharedarraybuffer-throws.https.html is failing

Added: trunk/LayoutTests/fast/shadow-dom/shadow-stylesheet-mutation-expected.html (0 => 281700)


--- trunk/LayoutTests/fast/shadow-dom/shadow-stylesheet-mutation-expected.html	                        (rev 0)
+++ trunk/LayoutTests/fast/shadow-dom/shadow-stylesheet-mutation-expected.html	2021-08-27 17:12:41 UTC (rev 281700)
@@ -0,0 +1 @@
+<div style="color:green">This should be green</div>

Added: trunk/LayoutTests/fast/shadow-dom/shadow-stylesheet-mutation.html (0 => 281700)


--- trunk/LayoutTests/fast/shadow-dom/shadow-stylesheet-mutation.html	                        (rev 0)
+++ trunk/LayoutTests/fast/shadow-dom/shadow-stylesheet-mutation.html	2021-08-27 17:12:41 UTC (rev 281700)
@@ -0,0 +1,9 @@
+<div id=host></div>
+<script>
+const shadow = host.attachShadow({ mode: "open" });
+shadow.innerHTML = `<style></style><div>This should be green</div>`;
+const style = shadow.querySelector("style");
+style.sheet.addRule("div", "color: red");
+host.offsetWidth;
+style.sheet.addRule("div", "color: green");
+</script>

Modified: trunk/Source/WebCore/ChangeLog (281699 => 281700)


--- trunk/Source/WebCore/ChangeLog	2021-08-27 17:02:23 UTC (rev 281699)
+++ trunk/Source/WebCore/ChangeLog	2021-08-27 17:12:41 UTC (rev 281700)
@@ -1,3 +1,25 @@
+2021-08-27  Antti Koivisto  <[email protected]>
+
+        REGRESSION (r276882): Shadow trees may use stale style information after inline stylesheet is mutated via CSSOM
+        https://bugs.webkit.org/show_bug.cgi?id=228917
+        rdar://81483998
+
+        Reviewed by Alan Bujtas.
+
+        If a stylesheet in a shadow tree is mutated via CSSOM we fail to remove cached style resolver for the mutated sheet
+        and may end up with stale style.
+
+        Test: fast/shadow-dom/shadow-stylesheet-mutation.html
+
+        * style/StyleScope.cpp:
+        (WebCore::Style::Scope::unshareShadowTreeResolverBeforeMutation):
+
+        Remove an assert relevant to the previous call site only.
+
+        (WebCore::Style::Scope::scheduleUpdate):
+
+        Unshare shadow tree resolver immeditaly when stylesheet contents or interpretation changes.
+
 2021-08-27  Emilio Cobos Álvarez  <[email protected]>
 
         Don't forget about the outer selector when matching ::slotted().

Modified: trunk/Source/WebCore/style/StyleScope.cpp (281699 => 281700)


--- trunk/Source/WebCore/style/StyleScope.cpp	2021-08-27 17:02:23 UTC (rev 281699)
+++ trunk/Source/WebCore/style/StyleScope.cpp	2021-08-27 17:12:41 UTC (rev 281700)
@@ -133,7 +133,6 @@
 void Scope::unshareShadowTreeResolverBeforeMutation()
 {
     ASSERT(m_shadowRoot);
-    ASSERT(!m_resolver->isSharedBetweenShadowTrees());
 
     documentScope().m_sharedShadowTreeResolvers.remove(makeResolverSharingKey());
 }
@@ -631,8 +630,10 @@
 {
     if (update == UpdateType::ContentsOrInterpretation) {
         // :host and ::slotted rules might go away.
-        if (m_shadowRoot)
+        if (m_shadowRoot) {
             Invalidator::invalidateHostAndSlottedStyleIfNeeded(*m_shadowRoot);
+            unshareShadowTreeResolverBeforeMutation();
+        }
         // FIXME: Animation code may trigger resource load in middle of style recalc and that can add a rule to a content extension stylesheet.
         //        Fix and remove isResolvingTreeStyle() test below, see https://bugs.webkit.org/show_bug.cgi?id=194335
         // FIXME: The m_isUpdatingStyleResolver test is here because extension stylesheets can get us here from Resolver::appendAuthorStyleSheets.

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to