Title: [195727] trunk
Revision: 195727
Author: [email protected]
Date: 2016-01-27 20:42:36 -0800 (Wed, 27 Jan 2016)

Log Message

REGRESSION(r190430): Assertion failure in Text::~Text()
https://bugs.webkit.org/show_bug.cgi?id=153577

Reviewed by Antti Koivisto.

Source/WebCore:

The bug was caused by destroyRenderTreeIfNeeded exiting early on all HTMLSlotElement as it lacks a render object.
Fixed it by explicitly avoiding the early return when child is a HTMLSlotElement.

Test: fast/shadow-dom/slot-removal-crash-2.html

* dom/ContainerNode.cpp:
(WebCore::destroyRenderTreeIfNeeded):

LayoutTests:

Added a regression test. The test hits an assertion in debug build without the fix.

* fast/shadow-dom/slot-removal-crash-2-expected.txt: Added.
* fast/shadow-dom/slot-removal-crash-2.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (195726 => 195727)


--- trunk/LayoutTests/ChangeLog	2016-01-28 03:33:27 UTC (rev 195726)
+++ trunk/LayoutTests/ChangeLog	2016-01-28 04:42:36 UTC (rev 195727)
@@ -1,3 +1,15 @@
+2016-01-27  Ryosuke Niwa  <[email protected]>
+
+        REGRESSION(r190430): Assertion failure in Text::~Text()
+        https://bugs.webkit.org/show_bug.cgi?id=153577
+
+        Reviewed by Antti Koivisto.
+
+        Added a regression test. The test hits an assertion in debug build without the fix.
+
+        * fast/shadow-dom/slot-removal-crash-2-expected.txt: Added.
+        * fast/shadow-dom/slot-removal-crash-2.html: Added.
+
 2016-01-27  Said Abou-Hallawa  <[email protected]>
 
         Garbage is displayed when root svg element has mix-blend-mode set

Added: trunk/LayoutTests/fast/shadow-dom/slot-removal-crash-2-expected.txt (0 => 195727)


--- trunk/LayoutTests/fast/shadow-dom/slot-removal-crash-2-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/shadow-dom/slot-removal-crash-2-expected.txt	2016-01-28 04:42:36 UTC (rev 195727)
@@ -0,0 +1,5 @@
+Test that removing a slot element with text node does not result in an assertion failure.
+The test passes if WebKit does not hit an assertion.
+PASS.
+
+

Added: trunk/LayoutTests/fast/shadow-dom/slot-removal-crash-2.html (0 => 195727)


--- trunk/LayoutTests/fast/shadow-dom/slot-removal-crash-2.html	                        (rev 0)
+++ trunk/LayoutTests/fast/shadow-dom/slot-removal-crash-2.html	2016-01-28 04:42:36 UTC (rev 195727)
@@ -0,0 +1,50 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>Test that removing a slot element with text node does not result in an assertion failure.<br>
+The test passes if WebKit does not hit an assertion.</p>
+<script>
+
+if (window.testRunner) {
+    testRunner.waitUntilDone();
+    testRunner.dumpAsText();
+}
+
+var iframe = document.createElement('iframe');
+document.body.appendChild(iframe);
+
+var x;
+
+function runTest() {
+    var doc = iframe.contentDocument;
+
+    var host = doc.createElement('div');
+    var shadowRoot = host.attachShadow({mode: 'open'});
+    var slot = doc.createElement('slot');
+    slot.textContent = 'hello';
+    shadowRoot.appendChild(slot);
+    doc.body.appendChild(host);
+
+    setTimeout(function () {
+        x = slot.offsetTop;
+        shadowRoot.removeChild(slot);
+    }, 0);
+}
+
+runTest();
+
+setTimeout(function () {
+    iframe.src = '';
+    x = document.body.offsetTop;
+    if (window.GCController)
+        GCController.collect();
+
+    document.querySelector('p').innerHTML += '<br>PASS.';
+
+    if (window.testRunner)
+        testRunner.notifyDone();
+}, 0);
+
+</script>
+</body>
+</html>
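
Review bot: The two layout reads in the script, `x = slot.offsetTop` inside runTest's timer and `x = document.body.offsetTop` in the second timer, carry no comment saying why they are there, and the otherwise unused global `x` looks like dead code that a later cleanup could delete. Add a short comment at each read stating its purpose (presumably forcing layout before `shadowRoot.removeChild(slot)` and again before the collection). Separately, `testRunner.notifyDone()` is called in the same timer callback as `iframe.src = ''` and `GCController.collect()`; if the text node is only destroyed after that callback returns, the assertion would fire after the test has been reported done, so it is worth confirming that a debug-build failure is attributed to this test.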

Modified: trunk/Source/WebCore/ChangeLog (195726 => 195727)


--- trunk/Source/WebCore/ChangeLog	2016-01-28 03:33:27 UTC (rev 195726)
+++ trunk/Source/WebCore/ChangeLog	2016-01-28 04:42:36 UTC (rev 195727)
@@ -1,3 +1,18 @@
+2016-01-27  Ryosuke Niwa  <[email protected]>
+
+        REGRESSION(r190430): Assertion failure in Text::~Text()
+        https://bugs.webkit.org/show_bug.cgi?id=153577
+
+        Reviewed by Antti Koivisto.
+
+        The bug was caused by destroyRenderTreeIfNeeded exiting early on all HTMLSlotElement as it lacks a render object.
+        Fixed it by explicitly avoiding the early return when child is a HTMLSlotElement.
+
+        Test: fast/shadow-dom/slot-removal-crash-2.html
+
+        * dom/ContainerNode.cpp:
+        (WebCore::destroyRenderTreeIfNeeded):
+
 2016-01-27  Said Abou-Hallawa  <[email protected]>
 
         Garbage is displayed when root svg element has mix-blend-mode set

Modified: trunk/Source/WebCore/dom/ContainerNode.cpp (195726 => 195727)


--- trunk/Source/WebCore/dom/ContainerNode.cpp	2016-01-28 03:33:27 UTC (rev 195726)
+++ trunk/Source/WebCore/dom/ContainerNode.cpp	2016-01-28 04:42:36 UTC (rev 195727)
@@ -35,6 +35,7 @@
 #include "GenericCachedHTMLCollection.h"
 #include "HTMLFormControlsCollection.h"
 #include "HTMLOptionsCollection.h"
+#include "HTMLSlotElement.h"
 #include "HTMLTableRowsCollection.h"
 #include "InlineTextBox.h"
 #include "JSLazyEventListener.h"
@@ -99,7 +100,7 @@
 static inline void destroyRenderTreeIfNeeded(Node& child)
 {
     // FIXME: Get rid of the named flow test.
-    if (!child.renderer() && !child.isNamedFlowContentNode())
+    if (!child.renderer() && !child.isNamedFlowContentNode() && !is<HTMLSlotElement>(child))
         return;
     if (is<Element>(child))
         Style::detachRenderTree(downcast<Element>(child));
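
Review bot: The new `!is<HTMLSlotElement>(child)` term in the early-return condition of destroyRenderTreeIfNeeded is unexplained in the code; the FIXME above it still mentions only the named flow test. Add a comment saying that a slot element has no renderer of its own, so the `!child.renderer()` check alone would return before `Style::detachRenderTree` runs for it, which is the cause the ChangeLog entry gives. Since the condition now lists exceptions one by one, the comment should also say whether any other renderer-less element can need the same treatment.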