Modified: branches/safari-600.1.4.17-branch/LayoutTests/ChangeLog (186748 => 186749)
--- branches/safari-600.1.4.17-branch/LayoutTests/ChangeLog 2015-07-13 05:24:09 UTC (rev 186748)
+++ branches/safari-600.1.4.17-branch/LayoutTests/ChangeLog 2015-07-13 06:11:46 UTC (rev 186749)
@@ -1,5 +1,28 @@
2015-07-12 David Kilzer <ddkil...@apple.com>
+ Merge r185769. rdar://problem/21727217
+
+ 2015-06-19 Andy Estes <aes...@apple.com>
+
+ Various assertion failures occur when executing script in the midst of DOM insertion
+ https://bugs.webkit.org/show_bug.cgi?id=132482
+
+ Reviewed by Darin Adler.
+
+ Wrote named-map-removed-while-inserting-parent-crash.html by reducing the test case attached to bug 132482.
+ The remaining tests were taken from blink r132482.
+
+ * fast/dom/element-removed-while-inserting-parent-crash-expected.txt: Added.
+ * fast/dom/element-removed-while-inserting-parent-crash.html: Added.
+ * fast/dom/named-map-removed-while-inserting-parent-crash-expected.txt: Added.
+ * fast/dom/named-map-removed-while-inserting-parent-crash.html: Added.
+ * fast/forms/form-control-removed-while-inserting-parent-crash-expected.txt: Added.
+ * fast/forms/form-control-removed-while-inserting-parent-crash.html: Added.
+ * svg/dom/element-removed-while-inserting-parent-crash-expected.txt: Added.
+ * svg/dom/element-removed-while-inserting-parent-crash.html: Added.
+
+2015-07-12 David Kilzer <ddkil...@apple.com>
+
Merge r186474. rdar://problem/21716537
2015-07-07 Zalan Bujtas <za...@apple.com>
Added: branches/safari-600.1.4.17-branch/LayoutTests/fast/dom/element-removed-while-inserting-parent-crash-expected.txt (0 => 186749)
--- branches/safari-600.1.4.17-branch/LayoutTests/fast/dom/element-removed-while-inserting-parent-crash-expected.txt (rev 0)
+++ branches/safari-600.1.4.17-branch/LayoutTests/fast/dom/element-removed-while-inserting-parent-crash-expected.txt 2015-07-13 06:11:46 UTC (rev 186749)
@@ -0,0 +1 @@
+PASS
Added: branches/safari-600.1.4.17-branch/LayoutTests/fast/dom/element-removed-while-inserting-parent-crash.html (0 => 186749)
--- branches/safari-600.1.4.17-branch/LayoutTests/fast/dom/element-removed-while-inserting-parent-crash.html (rev 0)
+++ branches/safari-600.1.4.17-branch/LayoutTests/fast/dom/element-removed-while-inserting-parent-crash.html 2015-07-13 06:11:46 UTC (rev 186749)
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+var element = document.createElement();
+
+var script = document.createElement('script');
+script.textContent = 'document.currentScript.nextSibling.remove()';
+
+var container = document.createElement('div');
+container.appendChild(script);
+container.appendChild(element);
+
+document.body.appendChild(container);
+document.body.innerHTML = 'PASS';
+</script>
+</body>
+</html>
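Review bot: `document.createElement()` on line 48 is called with no tag name, so the element it creates is named by stringifying the missing argument ("undefined"); that is legal but reads like a mistake to anyone maintaining the test. If the crash does not depend on the tag, `var element = document.createElement('div');` says what is meant. The file also never states its pass criterion; a line such as `<!-- Passes if the page finishes loading without crashing or hitting an assertion. -->` above the script would make the expected PASS output meaningful to a reader.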
Added: branches/safari-600.1.4.17-branch/LayoutTests/fast/dom/named-map-removed-while-inserting-parent-crash-expected.txt (0 => 186749)
--- branches/safari-600.1.4.17-branch/LayoutTests/fast/dom/named-map-removed-while-inserting-parent-crash-expected.txt (rev 0)
+++ branches/safari-600.1.4.17-branch/LayoutTests/fast/dom/named-map-removed-while-inserting-parent-crash-expected.txt 2015-07-13 06:11:46 UTC (rev 186749)
@@ -0,0 +1 @@
+PASS
Added: branches/safari-600.1.4.17-branch/LayoutTests/fast/dom/named-map-removed-while-inserting-parent-crash.html (0 => 186749)
--- branches/safari-600.1.4.17-branch/LayoutTests/fast/dom/named-map-removed-while-inserting-parent-crash.html (rev 0)
+++ branches/safari-600.1.4.17-branch/LayoutTests/fast/dom/named-map-removed-while-inserting-parent-crash.html 2015-07-13 06:11:46 UTC (rev 186749)
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+<body>
+
+<!-- Ensures that TreeScope::m_imageMapsByName is created -->
+<map name></map>
+
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+var map = document.createElement('map');
+map.name = 'map';
+
+var script = document.createElement('script');
+script.textContent = 'document.currentScript.parentNode.remove()';
+
+var container = document.createElement('div');
+container.appendChild(script);
+container.appendChild(map);
+
+document.body.appendChild(container);
+document.body.innerHTML = 'PASS';
+</script>
+</body>
+</html>
Added: branches/safari-600.1.4.17-branch/LayoutTests/fast/forms/form-control-removed-while-inserting-parent-crash-expected.txt (0 => 186749)
--- branches/safari-600.1.4.17-branch/LayoutTests/fast/forms/form-control-removed-while-inserting-parent-crash-expected.txt (rev 0)
+++ branches/safari-600.1.4.17-branch/LayoutTests/fast/forms/form-control-removed-while-inserting-parent-crash-expected.txt 2015-07-13 06:11:46 UTC (rev 186749)
@@ -0,0 +1 @@
+PASS
Added: branches/safari-600.1.4.17-branch/LayoutTests/fast/forms/form-control-removed-while-inserting-parent-crash.html (0 => 186749)
--- branches/safari-600.1.4.17-branch/LayoutTests/fast/forms/form-control-removed-while-inserting-parent-crash.html (rev 0)
+++ branches/safari-600.1.4.17-branch/LayoutTests/fast/forms/form-control-removed-while-inserting-parent-crash.html 2015-07-13 06:11:46 UTC (rev 186749)
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+var input = document.createElement('input');
+
+var script = document.createElement('script');
+script.textContent = 'document.currentScript.parentNode.remove()';
+
+var container = document.createElement('div');
+container.appendChild(script);
+container.appendChild(input);
+
+document.body.appendChild(container);
+document.body.innerHTML = 'PASS';
+</script>
+</body>
+</html>
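Review bot: The test does not say what passing means, and the `PASS` written on line 123 is only reached if the insertion on line 122 survives the script removing its own parent on line 116. A comment above the script, e.g. `<!-- Passes if removing the container while it is being inserted does not crash or assert. -->`, would document that, and a short note that the `input` is deliberately created before the script so it follows the script in document order would explain why the two appendChild calls are in that order.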
Added: branches/safari-600.1.4.17-branch/LayoutTests/svg/dom/element-removed-while-inserting-parent-crash-expected.txt (0 => 186749)
--- branches/safari-600.1.4.17-branch/LayoutTests/svg/dom/element-removed-while-inserting-parent-crash-expected.txt (rev 0)
+++ branches/safari-600.1.4.17-branch/LayoutTests/svg/dom/element-removed-while-inserting-parent-crash-expected.txt 2015-07-13 06:11:46 UTC (rev 186749)
@@ -0,0 +1 @@
+PASS
Added: branches/safari-600.1.4.17-branch/LayoutTests/svg/dom/element-removed-while-inserting-parent-crash.html (0 => 186749)
--- branches/safari-600.1.4.17-branch/LayoutTests/svg/dom/element-removed-while-inserting-parent-crash.html (rev 0)
+++ branches/safari-600.1.4.17-branch/LayoutTests/svg/dom/element-removed-while-inserting-parent-crash.html 2015-07-13 06:11:46 UTC (rev 186749)
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+var element = document.createElementNS('http://www.w3.org/2000/svg');
+
+var script = document.createElementNS('http://www.w3.org/2000/svg', 'script');
+script.id = 'script';
+script.textContent = 'document.getElementById(\'script\').nextSibling.remove()'; // document.currentScript doesn't work for SVGScriptElement.
+
+var container = document.createElementNS('http://www.w3.org/2000/svg', 'svg');
+container.appendChild(script);
+container.appendChild(element);
+
+document.body.appendChild(container);
+document.body.innerHTML = 'PASS';
+</script>
+</body>
+</html>
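Review bot: `document.createElementNS('http://www.w3.org/2000/svg')` on line 143 omits the qualified name, so the element is created with the stringified missing argument as its local name; it works, but an explicit name such as `document.createElementNS('http://www.w3.org/2000/svg', 'rect')` would make the intent clear if the crash does not depend on the element type. The comment on line 147 is useful; a companion line stating the pass criterion, `<!-- Passes if inserting the <svg> subtree does not crash or assert when the script removes its sibling. -->`, would complete it.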
Modified: branches/safari-600.1.4.17-branch/Source/WebCore/ChangeLog (186748 => 186749)
--- branches/safari-600.1.4.17-branch/Source/WebCore/ChangeLog 2015-07-13 05:24:09 UTC (rev 186748)
+++ branches/safari-600.1.4.17-branch/Source/WebCore/ChangeLog 2015-07-13 06:11:46 UTC (rev 186749)
@@ -1,5 +1,48 @@
2015-07-12 David Kilzer <ddkil...@apple.com>
+ Merge r185769. rdar://problem/21727217
+
+ 2015-06-19 Andy Estes <aes...@apple.com>
+
+ Various assertion failures occur when executing script in the midst of DOM insertion
+ https://bugs.webkit.org/show_bug.cgi?id=132482
+
+ Reviewed by Darin Adler.
+
+ Prior to this change, when an element containing a <script> child was inserted into a document, the script was
+ executed in ScriptElement::insertedInto(). That script can access nodes that follow it in the newly-inserted
+ hierarchy but are not yet fully inserted, leading to at least the following problems:
+
+ - The script could remove a node that is not yet marked as in the document.
+ - The script could remove a named <map> that has yet to be added to TreeScope::m_imageMapsByName.
+ - The script could remove a form control that has yet to be added to FormController::m_formElementsWithState.
+
+ These scenarios all result in assertion failures. This change ensures that each node in the newly-inserted
+ hierarchy is fully inserted before executing any scripts.
+
+ Tests: fast/dom/element-removed-while-inserting-parent-crash.html
+ fast/dom/named-map-removed-while-inserting-parent-crash.html
+ fast/forms/form-control-removed-while-inserting-parent-crash.html
+ svg/dom/element-removed-while-inserting-parent-crash.html
+
+ * dom/ScriptElement.cpp:
+ (WebCore::ScriptElement::shouldNotifySubtreeInsertions): Renamed from insertedInto().
+ Returned true in the case where insertedInto() would've called prepareScript().
+ (WebCore::ScriptElement::didNotifySubtreeInsertions): Called prepareScript().
+ (WebCore::ScriptElement::insertedInto): Renamed to shouldNotifySubtreeInsertions().
+ * dom/ScriptElement.h:
+ * html/HTMLScriptElement.cpp:
+ (WebCore::HTMLScriptElement::insertedInto): If shouldNotifySubtreeInsertions() is true, returned InsertionShouldCallDidNotifySubtreeInsertions.
+ Otherwise, returned InsertionDone.
+ (WebCore::HTMLScriptElement::didNotifySubtreeInsertions): Called ScriptElement::didNotifySubtreeInsertions().
+ * html/HTMLScriptElement.h:
+ * svg/SVGScriptElement.cpp:
+ (WebCore::SVGScriptElement::insertedInto): Did the same as HTMLScriptElement::insertedInto().
+ (WebCore::SVGScriptElement::didNotifySubtreeInsertions): Called ScriptElement::didNotifySubtreeInsertions().
+ * svg/SVGScriptElement.h:
+
+2015-07-12 David Kilzer <ddkil...@apple.com>
+
Merge r186474. rdar://problem/21716537
2015-07-07 Zalan Bujtas <za...@apple.com>
Modified: branches/safari-600.1.4.17-branch/Source/WebCore/dom/ScriptElement.cpp (186748 => 186749)
--- branches/safari-600.1.4.17-branch/Source/WebCore/dom/ScriptElement.cpp 2015-07-13 05:24:09 UTC (rev 186748)
+++ branches/safari-600.1.4.17-branch/Source/WebCore/dom/ScriptElement.cpp 2015-07-13 06:11:46 UTC (rev 186749)
@@ -79,12 +79,17 @@
stopLoadRequest();
}
-void ScriptElement::insertedInto(ContainerNode& insertionPoint)
+bool ScriptElement::shouldNotifySubtreeInsertions(ContainerNode& insertionPoint)
{
- if (insertionPoint.inDocument() && !m_parserInserted)
- prepareScript(); // FIXME: Provide a real starting line number here.
+ return insertionPoint.inDocument() && !m_parserInserted;
}
+void ScriptElement::didNotifySubtreeInsertions(ContainerNode*)
+{
+ ASSERT(!m_parserInserted);
+ prepareScript(); // FIXME: Provide a real starting line number here.
+}
+
void ScriptElement::childrenChanged()
{
if (!m_parserInserted && m_element.inDocument())
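Review bot: didNotifySubtreeInsertions() on lines 221-225 fires only after the whole inserted subtree has been notified, so by the time it runs an earlier script in the same subtree may already have detached this element, and the `insertionPoint.inDocument()` condition tested in shouldNotifySubtreeInsertions() on line 219 no longer necessarily holds. prepareScript() is outside this hunk; if it does not itself bail on `!m_element.inDocument()`, a guard `if (!m_element.inDocument()) return;` belongs before the call on line 224. This matters beyond the debug assertions: in release builds the ordering described in the ChangeLog would presumably leave a registry such as TreeScope::m_imageMapsByName holding a node that script has already removed. A comment above shouldNotifySubtreeInsertions() would also help the next reader: `// Script execution is deferred to didNotifySubtreeInsertions() so that every node of the inserted subtree is fully inserted before script can mutate it (webkit.org/b/132482).`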
Modified: branches/safari-600.1.4.17-branch/Source/WebCore/dom/ScriptElement.h (186748 => 186749)
--- branches/safari-600.1.4.17-branch/Source/WebCore/dom/ScriptElement.h 2015-07-13 05:24:09 UTC (rev 186748)
+++ branches/safari-600.1.4.17-branch/Source/WebCore/dom/ScriptElement.h 2015-07-13 06:11:46 UTC (rev 186749)
@@ -69,7 +69,8 @@
bool forceAsync() const { return m_forceAsync; }
// Helper functions used by our parent classes.
- void insertedInto(ContainerNode&);
+ bool shouldNotifySubtreeInsertions(ContainerNode&);
+ void didNotifySubtreeInsertions(ContainerNode*);
void childrenChanged();
void handleSourceAttribute(const String& sourceUrl);
void handleAsyncAttribute();
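Review bot: The new pair on lines 237-238 is undocumented, and their parameter types differ with no visible reason: shouldNotifySubtreeInsertions() takes `ContainerNode&` while didNotifySubtreeInsertions() takes `ContainerNode*` (presumably mirroring the virtual on Node that the subclasses override). A comment above line 237 describing the protocol would save readers a trip through both subclasses: `// Two-step insertion: a subclass's insertedInto() calls shouldNotifySubtreeInsertions() and, if it returns true, returns InsertionShouldCallDidNotifySubtreeInsertions; prepareScript() then runs from didNotifySubtreeInsertions() once the whole inserted subtree is in the document.` Noting that the `ContainerNode*` argument is unused would also explain why the .cpp leaves it unnamed.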
Modified: branches/safari-600.1.4.17-branch/Source/WebCore/html/HTMLScriptElement.cpp (186748 => 186749)
--- branches/safari-600.1.4.17-branch/Source/WebCore/html/HTMLScriptElement.cpp 2015-07-13 05:24:09 UTC (rev 186748)
+++ branches/safari-600.1.4.17-branch/Source/WebCore/html/HTMLScriptElement.cpp 2015-07-13 06:11:46 UTC (rev 186749)
@@ -73,10 +73,14 @@
Node::InsertionNotificationRequest HTMLScriptElement::insertedInto(ContainerNode& insertionPoint)
{
HTMLElement::insertedInto(insertionPoint);
- ScriptElement::insertedInto(insertionPoint);
- return InsertionDone;
+ return shouldNotifySubtreeInsertions(insertionPoint) ? InsertionShouldCallDidNotifySubtreeInsertions : InsertionDone;
}
+void HTMLScriptElement::didNotifySubtreeInsertions(ContainerNode* node)
+{
+ ScriptElement::didNotifySubtreeInsertions(node);
+}
+
void HTMLScriptElement::setText(const String &value)
{
Ref<HTMLScriptElement> protectFromMutationEvents(*this);
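Review bot: On line 251 the return value of `HTMLElement::insertedInto(insertionPoint)` from line 248 is still discarded, so the override's answer is decided by ScriptElement alone; that was harmless while the function always returned InsertionDone, but the return value now carries meaning. If HTMLElement's implementation can ever request the callback, the two results need combining, e.g. `auto request = HTMLElement::insertedInto(insertionPoint);` followed by returning `InsertionShouldCallDidNotifySubtreeInsertions` when either asks for it; if it cannot, a one-line comment saying so would stop the next reader from asking. Likewise didNotifySubtreeInsertions() on lines 253-256 does not chain to HTMLElement's implementation, which is fine only if that base is a no-op, something not visible here. setText() on line 258 continues past the end of the hunk.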
Modified: branches/safari-600.1.4.17-branch/Source/WebCore/html/HTMLScriptElement.h (186748 => 186749)
--- branches/safari-600.1.4.17-branch/Source/WebCore/html/HTMLScriptElement.h 2015-07-13 05:24:09 UTC (rev 186748)
+++ branches/safari-600.1.4.17-branch/Source/WebCore/html/HTMLScriptElement.h 2015-07-13 06:11:46 UTC (rev 186749)
@@ -46,6 +46,7 @@
virtual void parseAttribute(const QualifiedName&, const AtomicString&) override;
virtual InsertionNotificationRequest insertedInto(ContainerNode&) override;
+ virtual void didNotifySubtreeInsertions(ContainerNode*) override;
virtual void childrenChanged(const ChildChange&) override;
virtual bool isURLAttribute(const Attribute&) const override;
Modified: branches/safari-600.1.4.17-branch/Source/WebCore/svg/SVGScriptElement.cpp (186748 => 186749)
--- branches/safari-600.1.4.17-branch/Source/WebCore/svg/SVGScriptElement.cpp 2015-07-13 05:24:09 UTC (rev 186748)
+++ branches/safari-600.1.4.17-branch/Source/WebCore/svg/SVGScriptElement.cpp 2015-07-13 06:11:46 UTC (rev 186749)
@@ -117,12 +117,16 @@
Node::InsertionNotificationRequest SVGScriptElement::insertedInto(ContainerNode& rootParent)
{
SVGElement::insertedInto(rootParent);
- ScriptElement::insertedInto(rootParent);
if (rootParent.inDocument())
SVGExternalResourcesRequired::insertedIntoDocument(this);
- return InsertionDone;
+ return shouldNotifySubtreeInsertions(rootParent) ? InsertionShouldCallDidNotifySubtreeInsertions : InsertionDone;
}
+void SVGScriptElement::didNotifySubtreeInsertions(ContainerNode* node)
+{
+ ScriptElement::didNotifySubtreeInsertions(node);
+}
+
void SVGScriptElement::childrenChanged(const ChildChange& change)
{
SVGElement::childrenChanged(change);
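Review bot: The change on lines 277-281 also reorders work: script preparation, which previously ran before `SVGExternalResourcesRequired::insertedIntoDocument(this)` on line 279, is now deferred until after it and after the rest of the subtree is inserted. That is presumably the intent of the fix, but it is not stated anywhere in the file; a comment above line 281, `// Script runs from didNotifySubtreeInsertions() after the whole subtree is inserted, so external-resource setup above always precedes it.`, would record it. As in the HTML counterpart, the request returned by `SVGElement::insertedInto(rootParent)` on line 276 is discarded while the override now returns a computed value, and `rootParent.inDocument()` is evaluated on line 278 and again inside shouldNotifySubtreeInsertions(); hoisting it into a local would keep the two in step. childrenChanged() on line 288 continues past the end of the hunk.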
Modified: branches/safari-600.1.4.17-branch/Source/WebCore/svg/SVGScriptElement.h (186748 => 186749)
--- branches/safari-600.1.4.17-branch/Source/WebCore/svg/SVGScriptElement.h 2015-07-13 05:24:09 UTC (rev 186748)
+++ branches/safari-600.1.4.17-branch/Source/WebCore/svg/SVGScriptElement.h 2015-07-13 06:11:46 UTC (rev 186749)
@@ -43,6 +43,7 @@
bool isSupportedAttribute(const QualifiedName&);
virtual void parseAttribute(const QualifiedName&, const AtomicString&) override;
virtual InsertionNotificationRequest insertedInto(ContainerNode&) override;
+ virtual void didNotifySubtreeInsertions(ContainerNode*) override;
virtual void childrenChanged(const ChildChange&) override;
virtual void svgAttributeChanged(const QualifiedName&) override;