Title: [154320] trunk
Revision
154320
Author
[email protected]
Date
2013-08-20 03:13:00 -0700 (Tue, 20 Aug 2013)

Log Message

<https://webkit.org/b/119969> REGRESSION (r154232): Crash on the japantimes.co.jp

Source/WebCore: 

Reviewed by Andreas Kling.
        
PseudoElement no longer has a parent and calling Element::insertedInto for them crashes as it tries to access it.

Normally there are no pseudo elements when Element::insertedInto() is invoked as they get detached and attached
along with rendering. However, in this case the page inserts a <style> that uses ::before along with an element
that it applies to. Stylesheet insertion triggers synchronous style recalc that attaches rendering to all newly
inserted elements. Later Element::insertedInto gets called for the element that has pseudo element and we crash.

Test: fast/css-generated-content/insert-stylesheet-and-pseudo-crash.html

* dom/Element.cpp:
(WebCore::Element::insertedInto):
(WebCore::Element::removedFrom):
        
    Remove calls to insertedInto/removedFrom for pseudo elements. They are not considered to be in document.
    When they are added normally during render tree attach these calls don't happen either.

LayoutTests: 

Reviewed by Andreas Kling.

* fast/css-generated-content/insert-stylesheet-and-pseudo-crash-expected.txt: Added.
* fast/css-generated-content/insert-stylesheet-and-pseudo-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (154319 => 154320)


--- trunk/LayoutTests/ChangeLog	2013-08-20 09:00:03 UTC (rev 154319)
+++ trunk/LayoutTests/ChangeLog	2013-08-20 10:13:00 UTC (rev 154320)
@@ -1,3 +1,12 @@
+2013-08-20  Antti Koivisto  <[email protected]>
+
+        <https://webkit.org/b/119969> REGRESSION (r154232): Crash on the japantimes.co.jp
+
+        Reviewed by Andreas Kling.
+
+        * fast/css-generated-content/insert-stylesheet-and-pseudo-crash-expected.txt: Added.
+        * fast/css-generated-content/insert-stylesheet-and-pseudo-crash.html: Added.
+
 2013-08-20  Simon Pena  <[email protected]>
 
         <https://webkit.org/b/117584> [GTK][WK1] http/tests/loading/unfinished-load-back-to-cached-page-callbacks.html is failing

Added: trunk/LayoutTests/fast/css-generated-content/insert-stylesheet-and-pseudo-crash-expected.txt (0 => 154320)


--- trunk/LayoutTests/fast/css-generated-content/insert-stylesheet-and-pseudo-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/css-generated-content/insert-stylesheet-and-pseudo-crash-expected.txt	2013-08-20 10:13:00 UTC (rev 154320)
@@ -0,0 +1,4 @@
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/css-generated-content/insert-stylesheet-and-pseudo-crash.html (0 => 154320)


--- trunk/LayoutTests/fast/css-generated-content/insert-stylesheet-and-pseudo-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/css-generated-content/insert-stylesheet-and-pseudo-crash.html	2013-08-20 10:13:00 UTC (rev 154320)
@@ -0,0 +1,13 @@
+<script src=""
+<body>
+<script>
+    var style = document.createElement("style");
+    style.innerText = '#test:before { content: "before"; } #test:after { content: "after"; }';
+    var span = document.createElement("span");
+    span.id = "test";
+    var div = document.createElement("div");
+    div.appendChild(style);
+    div.appendChild(span);
+    document.body.appendChild(div);
+</script>
+<script src=""
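Review bot: the opening and closing `<script src=""` lines of this hunk are incomplete as rendered (no closing `>` and no `</script>`), and the expected output `PASS successfullyParsed is true` / `TEST COMPLETE` is only produced when the js-test pre/post harness scripts actually load; confirm the committed file references them with non-empty `src` attributes. The test body itself matches the ChangeLog description: the `<style>` using `:before`/`:after` is appended to the same `div` as the `#test` span it targets, so the stylesheet insertion forces the synchronous style recalc before `insertedInto` runs for the span. Minor: the ChangeLog says `::before` while the test uses the single-colon `:before`; both select the same pseudo-element, but writing `::before` in the test would match the description.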

Modified: trunk/Source/WebCore/ChangeLog (154319 => 154320)


--- trunk/Source/WebCore/ChangeLog	2013-08-20 09:00:03 UTC (rev 154319)
+++ trunk/Source/WebCore/ChangeLog	2013-08-20 10:13:00 UTC (rev 154320)
@@ -1,3 +1,25 @@
+2013-08-20  Antti Koivisto  <[email protected]>
+
+        <https://webkit.org/b/119969> REGRESSION (r154232): Crash on the japantimes.co.jp
+
+        Reviewed by Andreas Kling.
+        
+        PseudoElement no longer has parent and calling Element::insertedInto for them crashes as it tries to access it.
+
+        Normally there are no pseudo elements when Element::insertedInto() is invoked as they get detached and attached
+        along with rendering. However in this case the page inserts a <style> that uses ::before along with an element
+        that it applies to. Stylesheet insertion triggers synchronous style recalc that attaches rendering to all newly
+        insered elements. Later Element::insertedInto gets called for the element that has pseudo element and we crash.
+
+        Test: fast/css-generated-content/insert-stylesheet-and-pseudo-crash.html
+
+        * dom/Element.cpp:
+        (WebCore::Element::insertedInto):
+        (WebCore::Element::removedFrom):
+        
+            Remove calls to insertedInto/removedFrom for pseudo elements. They are not considered to be in document.
+            When they are added normally during render tree attach these calls don't happen either.
+
 2013-08-20  Ryosuke Niwa  <[email protected]>
 
         Windows build fix after r154314.
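Review bot: typo in the ChangeLog text: `insered elements` should read `inserted elements`, and `no longer has parent` reads better as `no longer has a parent`. The entry otherwise matches the code change in dom/Element.cpp.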

Modified: trunk/Source/WebCore/dom/Element.cpp (154319 => 154320)


--- trunk/Source/WebCore/dom/Element.cpp	2013-08-20 09:00:03 UTC (rev 154319)
+++ trunk/Source/WebCore/dom/Element.cpp	2013-08-20 10:13:00 UTC (rev 154320)
@@ -1284,12 +1284,6 @@
         setContainsFullScreenElementOnAncestorsCrossingFrameBoundaries(true);
 #endif
 
-    if (Element* before = pseudoElement(BEFORE))
-        before->insertedInto(insertionPoint);
-
-    if (Element* after = pseudoElement(AFTER))
-        after->insertedInto(insertionPoint);
-
     if (!insertionPoint->isInTreeScope())
         return InsertionDone;
 
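Review bot: removing the two `pseudoElement(BEFORE)`/`pseudoElement(AFTER)` `insertedInto(insertionPoint)` calls fixes the null-parent dereference the ChangeLog describes, but nothing in the function now records the invariant it relies on (pseudo elements are never considered in-document and must never reach `insertedInto`). Consider adding an assertion along the lines of `ASSERT(!isPseudoElement());` at the top of `Element::insertedInto`, or at least a one-line comment at this spot, so a future caller that does hand a PseudoElement to `insertedInto` fails loudly in debug builds instead of crashing on the missing parent in release.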
@@ -1331,12 +1325,6 @@
     bool wasInDocument = insertionPoint->document();
 #endif
 
-    if (Element* before = pseudoElement(BEFORE))
-        before->removedFrom(insertionPoint);
-
-    if (Element* after = pseudoElement(AFTER))
-        after->removedFrom(insertionPoint);
-
 #if ENABLE(DIALOG_ELEMENT)
     document()->removeFromTopLayer(this);
 #endif
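Review bot: this mirrors the `insertedInto` hunk and keeps the two paths symmetric, which is good. One thing to confirm before landing: with these calls gone, the only remaining teardown path for `::before`/`::after` is the render tree detach the ChangeLog describes, so any work `PseudoElement` did in `removedFrom` for the host's pseudo elements (beyond the base `Element::removedFrom`) must now happen during detach, otherwise removing a host element would leave pseudo-element state behind. Worth a quick check that `PseudoElement` does not override `insertedInto`/`removedFrom` with work this hunk silently skips.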