Modified: branches/safari-536.26-branch/LayoutTests/ChangeLog (124129 => 124130)
--- branches/safari-536.26-branch/LayoutTests/ChangeLog 2012-07-31 00:53:20 UTC (rev 124129)
+++ branches/safari-536.26-branch/LayoutTests/ChangeLog 2012-07-31 00:58:19 UTC (rev 124130)
@@ -1,5 +1,19 @@
2012-07-30 Lucas Forschler <[email protected]>
+ Merge 122082
+
+ 2012-07-05 MORITA Hajime <[email protected]>
+
+ Heap-use-after-free in WebCore::RenderObject::destroyAndCleanupAnonymousWrappers
+ https://bugs.webkit.org/show_bug.cgi?id=90480
+
+ Reviewed by Kent Tamura.
+
+ * fast/dom/shadow/insertion-point-list-menu-crash-expected.txt: Added.
+ * fast/dom/shadow/insertion-point-list-menu-crash.html: Added.
+
+2012-07-30 Lucas Forschler <[email protected]>
+
Merge 121912
2012-07-05 Nate Chapin <[email protected]>
Copied: branches/safari-536.26-branch/LayoutTests/fast/dom/shadow/insertion-point-list-menu-crash-expected.txt (from rev 122082, trunk/LayoutTests/fast/dom/shadow/insertion-point-list-menu-crash-expected.txt) (0 => 124130)
--- branches/safari-536.26-branch/LayoutTests/fast/dom/shadow/insertion-point-list-menu-crash-expected.txt (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/fast/dom/shadow/insertion-point-list-menu-crash-expected.txt 2012-07-31 00:58:19 UTC (rev 124130)
@@ -0,0 +1,2 @@
+PASS unless crash
+
Copied: branches/safari-536.26-branch/LayoutTests/fast/dom/shadow/insertion-point-list-menu-crash.html (from rev 122082, trunk/LayoutTests/fast/dom/shadow/insertion-point-list-menu-crash.html) (0 => 124130)
--- branches/safari-536.26-branch/LayoutTests/fast/dom/shadow/insertion-point-list-menu-crash.html (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/fast/dom/shadow/insertion-point-list-menu-crash.html 2012-07-31 00:58:19 UTC (rev 124130)
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script>
+jsTestIsAsync = true;
+function boom() {
+ var div = document.createElement('div');
+
+ var older = new WebKitShadowRoot(div);
+ older.appendChild(document.createElement('div'));
+ document.documentElement.appendChild(div);
+
+ var younger = new WebKitShadowRoot(div);
+ var select = document.createElement('select');
+ var shadow = document.createElement('shadow');
+ select.appendChild(shadow);
+ younger.appendChild(select);
+
+ testPassed("unless crash");
+ finishJSTest();
+}
+window._onload_ = boom;
+</script>
+</body>
+</html>
Modified: branches/safari-536.26-branch/Source/WebCore/ChangeLog (124129 => 124130)
--- branches/safari-536.26-branch/Source/WebCore/ChangeLog 2012-07-31 00:53:20 UTC (rev 124129)
+++ branches/safari-536.26-branch/Source/WebCore/ChangeLog 2012-07-31 00:58:19 UTC (rev 124130)
@@ -1,5 +1,45 @@
2012-07-30 Lucas Forschler <[email protected]>
+ Merge 122082
+
+ 2012-07-05 MORITA Hajime <[email protected]>
+
+ Heap-use-after-free in WebCore::RenderObject::destroyAndCleanupAnonymousWrappers
+ https://bugs.webkit.org/show_bug.cgi?id=90480
+
+ Reviewed by Kent Tamura.
+
+ If <select> has any insertion point, the attachment phase
+ unpextedly creates a renderer for distributed node and added to
+ the renderer of the <select>, which breaks an assumption and
+ results the crash.
+
+ This change tighten the childShouldCreateRenderer() to forbid
+ child renderers even from distributed nodes.
+
+ There is an exception as always: ValidationMessage can create a
+ ShadowRoot to <select>, which generates usually-forbidden child
+ renderers. This change introduces HTMLFormControlElement::validationMessageContains()
+ to let these renderers in.
+
+ Test: fast/dom/shadow/insertion-point-list-menu-crash.html
+
+ * html/HTMLFormControlElement.cpp:
+ (WebCore::HTMLFormControlElement::validationMessageContains):
+ (WebCore):
+ * html/HTMLFormControlElement.h:
+ (HTMLFormControlElement):
+ * html/HTMLSelectElement.cpp:
+ (WebCore::HTMLSelectElement::childShouldCreateRenderer):
+ * html/ValidationMessage.cpp:
+ (WebCore::ValidationMessage::contains):
+ (WebCore):
+ * html/ValidationMessage.h:
+ (WebCore):
+ (ValidationMessage):
+
+2012-07-30 Lucas Forschler <[email protected]>
+
Merge 121912
2012-07-05 Nate Chapin <[email protected]>
Modified: branches/safari-536.26-branch/Source/WebCore/html/HTMLFormControlElement.cpp (124129 => 124130)
--- branches/safari-536.26-branch/Source/WebCore/html/HTMLFormControlElement.cpp 2012-07-31 00:53:20 UTC (rev 124129)
+++ branches/safari-536.26-branch/Source/WebCore/html/HTMLFormControlElement.cpp 2012-07-31 00:58:19 UTC (rev 124130)
@@ -487,6 +487,11 @@
validity()->setCustomErrorMessage(error);
}
+bool HTMLFormControlElement::validationMessageShadowTreeContains(Node* node) const
+{
+ return m_validationMessage && m_validationMessage->shadowTreeContains(node);
+}
+
void HTMLFormControlElement::dispatchBlurEvent(PassRefPtr<Node> newFocusedNode)
{
HTMLElement::dispatchBlurEvent(newFocusedNode);
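Review bot: The new `validationMessageShadowTreeContains` is added without any comment, and the ChangeLog in this same commit lists it under the name `validationMessageContains`, so a reader coming from the ChangeLog will not find the method by grep; either the ChangeLog entry or the header declaration in HTMLFormControlElement.h should be brought in line. A one-line comment on the header declaration would also document the contract the body shows: `// True when |node| is inside the validation-message bubble's shadow tree; false when no bubble exists.` The body itself only guards `m_validationMessage`; whether a null `node` is acceptable is delegated to ValidationMessage::shadowTreeContains, which is worth stating since the only caller in this commit passes `childContext.node()` through unchecked. dispatchBlurEvent continues past the end of the hunk.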
Modified: branches/safari-536.26-branch/Source/WebCore/html/HTMLFormControlElement.h (124129 => 124130)
--- branches/safari-536.26-branch/Source/WebCore/html/HTMLFormControlElement.h 2012-07-31 00:53:20 UTC (rev 124129)
+++ branches/safari-536.26-branch/Source/WebCore/html/HTMLFormControlElement.h 2012-07-31 00:58:19 UTC (rev 124130)
@@ -137,6 +137,8 @@
void setNeedsWillValidateCheck();
virtual bool recalcWillValidate() const;
+ bool validationMessageShadowTreeContains(Node*) const;
+
private:
virtual void refFormAssociatedElement() { ref(); }
virtual void derefFormAssociatedElement() { deref(); }
Modified: branches/safari-536.26-branch/Source/WebCore/html/HTMLSelectElement.cpp (124129 => 124130)
--- branches/safari-536.26-branch/Source/WebCore/html/HTMLSelectElement.cpp 2012-07-31 00:53:20 UTC (rev 124129)
+++ branches/safari-536.26-branch/Source/WebCore/html/HTMLSelectElement.cpp 2012-07-31 00:58:19 UTC (rev 124130)
@@ -331,7 +331,11 @@
bool HTMLSelectElement::childShouldCreateRenderer(const NodeRenderingContext& childContext) const
{
- return childContext.isOnUpperEncapsulationBoundary() && HTMLFormControlElementWithState::childShouldCreateRenderer(childContext);
+ if (!HTMLFormControlElementWithState::childShouldCreateRenderer(childContext))
+ return false;
+ if (!usesMenuList())
+ return true;
+ return validationMessageShadowTreeContains(childContext.node());
}
HTMLCollection* HTMLSelectElement::selectedOptions()
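Review bot: The rewritten childShouldCreateRenderer carries no comment explaining why a menu-list select refuses child renderers, even though that rule is the entire fix; the rationale currently lives only in the ChangeLog. Suggest above the `if (!usesMenuList())` line: `// A menu-list select must not get child renderers, even for nodes distributed through an insertion point; the only permitted exception is the validation-message bubble's shadow tree (bug 90480).` Note also that the removed `isOnUpperEncapsulationBoundary()` condition is no longer applied to non-menu-list selects, which now defer entirely to the base-class decision; if that widening is intended it deserves a sentence in the same comment, since the ChangeLog does not call it out.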
Modified: branches/safari-536.26-branch/Source/WebCore/html/ValidationMessage.cpp (124129 => 124130)
--- branches/safari-536.26-branch/Source/WebCore/html/ValidationMessage.cpp 2012-07-31 00:53:20 UTC (rev 124129)
+++ branches/safari-536.26-branch/Source/WebCore/html/ValidationMessage.cpp 2012-07-31 00:58:19 UTC (rev 124130)
@@ -180,6 +180,13 @@
m_timer->startOneShot(0);
}
+bool ValidationMessage::shadowTreeContains(Node* node) const
+{
+ if (!m_bubble)
+ return false;
+ return m_bubble->treeScope() == node->treeScope();
+}
+
void ValidationMessage::deleteBubbleTree(Timer<ValidationMessage>*)
{
if (m_bubble) {
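Review bot: `shadowTreeContains` dereferences `node` on the `return m_bubble->treeScope() == node->treeScope();` line without a null check, while its only caller passes `childContext.node()` straight through; `return node && m_bubble->treeScope() == node->treeScope();` would make the predicate total at no cost. The name also promises more than the body delivers: it reports true for any node sharing the bubble's TreeScope, not only the bubble's descendants, which is presumably fine if the bubble is the root of its own shadow tree but should be stated, e.g. `// Same TreeScope as the bubble element, i.e. inside the validation-message shadow root.` deleteBubbleTree continues past the end of the hunk.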
Modified: branches/safari-536.26-branch/Source/WebCore/html/ValidationMessage.h (124129 => 124130)
--- branches/safari-536.26-branch/Source/WebCore/html/ValidationMessage.h 2012-07-31 00:53:20 UTC (rev 124129)
+++ branches/safari-536.26-branch/Source/WebCore/html/ValidationMessage.h 2012-07-31 00:58:19 UTC (rev 124130)
@@ -41,6 +41,7 @@
class FormAssociatedElement;
class HTMLElement;
+class Node;
class ValidationMessage {
WTF_MAKE_NONCOPYABLE(ValidationMessage);
@@ -50,6 +51,7 @@
String message() const { return m_message; }
void setMessage(const String&);
void requestToHideMessage();
+ bool shadowTreeContains(Node*) const;
private:
ValidationMessage(FormAssociatedElement*);