Title: [119790] trunk
Revision
119790
Author
[email protected]
Date
2012-06-07 20:13:24 -0700 (Thu, 07 Jun 2012)

Log Message

A style in an older shadow subtree causes assert when composing with <shadow>
https://bugs.webkit.org/show_bug.cgi?id=88299

Reviewed by Dimitri Glazkov.

Source/WebCore:

InsertionPoint::attach() assumes its distributed content not being attach()-ed.
But this assumption can break. This change added a guard for that.
This can happen for shadow boundaries in general. But ShadowRoot already handles that case.

Test: fast/dom/shadow/insertion-point-shadow-crash.html

* html/shadow/InsertionPoint.cpp:
(WebCore::InsertionPoint::attach):

LayoutTests:

* fast/dom/shadow/insertion-point-shadow-crash-expected.txt: Added.
* fast/dom/shadow/insertion-point-shadow-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (119789 => 119790)


--- trunk/LayoutTests/ChangeLog	2012-06-08 03:06:23 UTC (rev 119789)
+++ trunk/LayoutTests/ChangeLog	2012-06-08 03:13:24 UTC (rev 119790)
@@ -1,3 +1,13 @@
+2012-06-07  MORITA Hajime  <[email protected]>
+
+        A style in an older shadow subtree causes assert when composing with <shadow>
+        https://bugs.webkit.org/show_bug.cgi?id=88299
+
+        Reviewed by Dimitri Glazkov.
+
+        * fast/dom/shadow/insertion-point-shadow-crash-expected.txt: Added.
+        * fast/dom/shadow/insertion-point-shadow-crash.html: Added.
+
 2012-06-07  Joshua Lock  <[email protected]>
 
         [EFL][DRT] Normalize file:///tmp/LayoutTests in LayoutTestController::pathToLocalResource()

Added: trunk/LayoutTests/fast/dom/shadow/insertion-point-shadow-crash-expected.txt (0 => 119790)


--- trunk/LayoutTests/fast/dom/shadow/insertion-point-shadow-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/shadow/insertion-point-shadow-crash-expected.txt	2012-06-08 03:13:24 UTC (rev 119790)
@@ -0,0 +1 @@
+PASS

Added: trunk/LayoutTests/fast/dom/shadow/insertion-point-shadow-crash.html (0 => 119790)


--- trunk/LayoutTests/fast/dom/shadow/insertion-point-shadow-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/shadow/insertion-point-shadow-crash.html	2012-06-08 03:13:24 UTC (rev 119790)
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+function runTests()
+{
+    if (window.layoutTestController)
+        window.layoutTestController.dumpAsText();
+    var div = document.createElement("div");
+    document.body.appendChild(div);
+
+    shadow1 = new WebKitShadowRoot(div);
+    shadow1.innerHTML = "<style>div { color: red; }</style><div>HELLO</div>";
+
+    shadow2 = new WebKitShadowRoot(div);
+    shadow2.innerHTML = "<div><shadow></shadow></div>";
+    document.body.offsetLeft;
+    document.body.innerHTML = "PASS";
+}
+</script>
+</head>
+<body _onload_="runTests()">
+</body>
+</html>
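Review bot: `shadow1` and `shadow2` in runTests() are assigned without `var`, so they become implicit globals; declare them with `var` as is done for `div`. The test writes "PASS" unconditionally after `document.body.offsetLeft`, so it only demonstrates that the forced layout did not crash or assert; a short comment in the file saying so, with the bug number, would make that intent clear. As rendered here the body attribute reads `_onload_`, which would never invoke runTests(); the committed file needs plain `onload`.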

Modified: trunk/Source/WebCore/ChangeLog (119789 => 119790)


--- trunk/Source/WebCore/ChangeLog	2012-06-08 03:06:23 UTC (rev 119789)
+++ trunk/Source/WebCore/ChangeLog	2012-06-08 03:13:24 UTC (rev 119790)
@@ -1,3 +1,19 @@
+2012-06-07  MORITA Hajime  <[email protected]>
+
+        A style in an older shadow subtree causes assert when composing with <shadow>
+        https://bugs.webkit.org/show_bug.cgi?id=88299
+
+        Reviewed by Dimitri Glazkov.
+
+        InsertionPoint::attach() assumes its distributed content not being attach()-ed.
+        But this assumption can break. This change added a guard for that.
+        This can happen for shadow boundaries in general. But ShadowRoot already handles that case.
+
+        Test: fast/dom/shadow/insertion-point-shadow-crash.html
+
+        * html/shadow/InsertionPoint.cpp:
+        (WebCore::InsertionPoint::attach):
+
 2012-06-07  Max Feil  <[email protected]>
 
         [BlackBerry] Show correct fullscreen button image (media controls)
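Review bot: The `(WebCore::InsertionPoint::attach):` entry has no per-function description, and the paragraph above it says the assumption "can break" without saying how. Write after the colon what was added (skip distributed nodes that are already attached) and name the case from the bug title that triggers it, so the entry can be read without opening the bug.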

Modified: trunk/Source/WebCore/html/shadow/InsertionPoint.cpp (119789 => 119790)


--- trunk/Source/WebCore/html/shadow/InsertionPoint.cpp	2012-06-08 03:06:23 UTC (rev 119789)
+++ trunk/Source/WebCore/html/shadow/InsertionPoint.cpp	2012-06-08 03:13:24 UTC (rev 119790)
@@ -49,8 +49,11 @@
 {
     if (ShadowRoot* root = shadowRoot())
         root->owner()->ensureDistribution();
-    for (size_t i = 0; i < m_distribution.size(); ++i)
-        m_distribution.at(i)->attach();
+    for (size_t i = 0; i < m_distribution.size(); ++i) {
+        if (!m_distribution.at(i)->attached())
+            m_distribution.at(i)->attach();
+    }
+
     HTMLElement::attach();
 }
 
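Review bot: The new `attached()` check in the loop of InsertionPoint::attach() has no comment saying when a distributed node can already be attached; the only explanation is in the ChangeLog. A one-line comment above the `if` referencing bug 88299 would keep a later cleanup from removing the guard as redundant. `m_distribution.at(i)` is also evaluated twice per iteration now, and a local pointer for the node would read better.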
@@ -60,6 +63,7 @@
         root->owner()->ensureDistribution();
     for (size_t i = 0; i < m_distribution.size(); ++i)
         m_distribution.at(i)->detach();
+
     HTMLElement::detach();
 }
 
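Review bot: detach() still calls `m_distribution.at(i)->detach()` on every entry unconditionally, while attach() in the previous hunk now skips entries that are already attached. If a node can reach this insertion point already attached by another path, say in a comment whether detaching it here is intended, or guard on `attached()` for symmetry. The only change in this hunk is the blank line added before `HTMLElement::detach()`, which is unrelated whitespace and could be left out of a bug fix.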
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
