Skip to site navigation (Press enter)

[webkit-changes] [284969] trunk

commit-queue Wed, 27 Oct 2021 19:21:38 -0700

Title: [284969] trunk

Revision: 284969
Author: [email protected]
Date: 2021-10-27 19:20:47 -0700 (Wed, 27 Oct 2021)

Log Message

Assertions in findFirstSlotElement hit when removing two slots with the same name in a single shadow tree
https://bugs.webkit.org/show_bug.cgi?id=232409


Patch by Gabriel Nava Marino <[email protected]> on 2021-10-27
Reviewed by Ryosuke Niwa.

Source/WebCore:

When resolveSlotsAfterSlotMutation is called during removeAllChildrenWithScriptAssertion,
it can clear slot.element but not slot.elementCount, which is decremented for each
slot element in removeSlotElementByName. When multiple slots elements are removed in
removeAllChildrenWithScriptAssertion, this results in slot.element being null but
slot.elementCount not being zero in findFirstSlotElement called within destroyRenderTreeIfNeeded.

This patch removes assertions in findFirstSlotElement which wrongly asserted this condition to never happen.

Test: fast/shadow-dom/slot-removal-same-name.html

* dom/SlotAssignment.cpp:
(WebCore::SlotAssignment::findFirstSlotElement):

LayoutTests:

* fast/shadow-dom/slot-removal-same-name-expected.txt: Added.
* fast/shadow-dom/slot-removal-same-name.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/dom/SlotAssignment.cpp

Added Paths

trunk/LayoutTests/fast/shadow-dom/slot-removal-same-name-expected.txt
trunk/LayoutTests/fast/shadow-dom/slot-removal-same-name.html

Diff

Modified: trunk/LayoutTests/ChangeLog (284968 => 284969)


--- trunk/LayoutTests/ChangeLog	2021-10-28 01:44:20 UTC (rev 284968)
+++ trunk/LayoutTests/ChangeLog	2021-10-28 02:20:47 UTC (rev 284969)
@@ -1,3 +1,13 @@
+2021-10-27  Gabriel Nava Marino  <[email protected]>
+
+        Assertions in findFirstSlotElement hit when removing two slots with the same name in a single shadow tree
+        https://bugs.webkit.org/show_bug.cgi?id=232409
+
+        Reviewed by Ryosuke Niwa.
+
+        * fast/shadow-dom/slot-removal-same-name-expected.txt: Added.
+        * fast/shadow-dom/slot-removal-same-name.html: Added.
+
 2021-10-27  Ayumi Kojima  <[email protected]>
 
         [ iOS ] imported/blink/compositing/video/video-controls-layer-creation-squashing.html is a flaky crash/timeout.

Added: trunk/LayoutTests/fast/shadow-dom/slot-removal-same-name-expected.txt (0 => 284969)


--- trunk/LayoutTests/fast/shadow-dom/slot-removal-same-name-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/shadow-dom/slot-removal-same-name-expected.txt	2021-10-28 02:20:47 UTC (rev 284969)
@@ -0,0 +1 @@
+PASS if this doesn't crash

Added: trunk/LayoutTests/fast/shadow-dom/slot-removal-same-name.html (0 => 284969)


--- trunk/LayoutTests/fast/shadow-dom/slot-removal-same-name.html	                        (rev 0)
+++ trunk/LayoutTests/fast/shadow-dom/slot-removal-same-name.html	2021-10-28 02:20:47 UTC (rev 284969)
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<script>
+  _onload_ = () => {
+    const shadowRoot = document.body.attachShadow({mode: 'open'});
+    shadowRoot.append(document.createElement('slot'));
+    shadowRoot.append(document.createElement('slot'));
+    document.body.getBoundingClientRect();
+    shadowRoot.replaceChildren();
+    document.write("PASS if this doesn't crash");
+    if (window.testRunner)
+        testRunner.dumpAsText();
+  };
+</script>
+<body></body>
+</html>

Modified: trunk/Source/WebCore/ChangeLog (284968 => 284969)


--- trunk/Source/WebCore/ChangeLog	2021-10-28 01:44:20 UTC (rev 284968)
+++ trunk/Source/WebCore/ChangeLog	2021-10-28 02:20:47 UTC (rev 284969)
@@ -1,3 +1,23 @@
+2021-10-27  Gabriel Nava Marino  <[email protected]>
+
+        Assertions in findFirstSlotElement hit when removing two slots with the same name in a single shadow tree
+        https://bugs.webkit.org/show_bug.cgi?id=232409
+
+        Reviewed by Ryosuke Niwa.
+
+        When resolveSlotsAfterSlotMutation is called during removeAllChildrenWithScriptAssertion,
+        it can clear slot.element but not slot.elementCount, which is decremented for each
+        slot element in removeSlotElementByName. When multiple slots elements are removed in
+        removeAllChildrenWithScriptAssertion, this results in slot.element being null but
+        slot.elementCount not being zero in findFirstSlotElement called within destroyRenderTreeIfNeeded.
+
+        This patch removes assertions in findFirstSlotElement which wrongly asserted this condition to never happen.
+
+        Test: fast/shadow-dom/slot-removal-same-name.html
+
+        * dom/SlotAssignment.cpp:
+        (WebCore::SlotAssignment::findFirstSlotElement):
+
 2021-10-27  Chris Dumez  <[email protected]>
 
         Disable relaxation of BroadcastChannel origin partitioning based on storage access

Modified: trunk/Source/WebCore/dom/SlotAssignment.cpp (284968 => 284969)


--- trunk/Source/WebCore/dom/SlotAssignment.cpp	2021-10-28 01:44:20 UTC (rev 284968)
+++ trunk/Source/WebCore/dom/SlotAssignment.cpp	2021-10-28 02:20:47 UTC (rev 284969)
@@ -343,10 +343,7 @@
 
 HTMLSlotElement* SlotAssignment::findFirstSlotElement(Slot& slot)
 {
-    RELEASE_ASSERT(!slot.shouldResolveSlotElement());
-
     ASSERT(!slot.element || m_slotElementsForConsistencyCheck.contains(slot.element.get()));
-    ASSERT(!!slot.element == !!slot.elementCount);
 
     return slot.element.get();
 }

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes