- Revision: 199097
- Author: [email protected]
- Date: 2016-04-06 02:27:22 -0700 (Wed, 06 Apr 2016)
Log Message
ComposedTreeIterator may crash when first child of shadow root is a comment node
https://bugs.webkit.org/show_bug.cgi?id=156281
Reviewed by Andreas Kling.
Source/WebCore:
It should not use plain firstChild() and assume it is Element or Text.
* dom/ComposedTreeIterator.cpp:
(WebCore::ComposedTreeIterator::Context::Context):
Add FirstChildTag to various iterator constructors to make clear that they search for the first child.
(WebCore::ComposedTreeIterator::ComposedTreeIterator):
(WebCore::ComposedTreeIterator::traverseShadowRoot):
Fix by using ElementAndTextDescendantIterator to find the first child.
* dom/ComposedTreeIterator.h:
(WebCore::ComposedTreeIterator::operator*):
(WebCore::ComposedTreeDescendantAdapter::ComposedTreeDescendantAdapter):
(WebCore::ComposedTreeDescendantAdapter::begin):
(WebCore::ComposedTreeDescendantAdapter::end):
(WebCore::ComposedTreeDescendantAdapter::at):
(WebCore::ComposedTreeChildAdapter::Iterator::Iterator):
* dom/ElementAndTextDescendantIterator.h:
(WebCore::ElementAndTextDescendantIterator::operator++):
(WebCore::ElementAndTextDescendantIterator::ElementAndTextDescendantIterator):
(WebCore::ElementAndTextDescendantIteratorAdapter::begin):
(WebCore::ElementAndTextDescendantIteratorAdapter::end):
LayoutTests:
* fast/shadow-dom/composed-tree-shadow-subtree-expected.txt:
* fast/shadow-dom/composed-tree-shadow-subtree.html:
Diff
Modified: trunk/LayoutTests/ChangeLog (199096 => 199097)
--- trunk/LayoutTests/ChangeLog 2016-04-06 06:10:32 UTC (rev 199096)
+++ trunk/LayoutTests/ChangeLog 2016-04-06 09:27:22 UTC (rev 199097)
@@ -1,3 +1,13 @@
+2016-04-06 Antti Koivisto <[email protected]>
+
+ ComposedTreeIterator may crash when first child of shadow root is a comment node
+ https://bugs.webkit.org/show_bug.cgi?id=156281
+
+ Reviewed by Andreas Kling.
+
+ * fast/shadow-dom/composed-tree-shadow-subtree-expected.txt:
+ * fast/shadow-dom/composed-tree-shadow-subtree.html:
+
2016-04-05 Chris Dumez <[email protected]>
MessageEvent.source window is incorrect once window has been reified
Modified: trunk/LayoutTests/fast/shadow-dom/composed-tree-shadow-subtree-expected.txt (199096 => 199097)
--- trunk/LayoutTests/fast/shadow-dom/composed-tree-shadow-subtree-expected.txt 2016-04-06 06:10:32 UTC (rev 199096)
+++ trunk/LayoutTests/fast/shadow-dom/composed-tree-shadow-subtree-expected.txt 2016-04-06 09:27:22 UTC (rev 199097)
@@ -1,16 +1,21 @@
-Test 1
+Test 1.1
div (shadow root)
Shadow host subtree
-Test 2
+Test 1.2
div (shadow root)
Shadow host subtree
-Test 3
+Test 1.3
div (shadow root)
+
+Shadow host subtree
+
+Test 2.1
+ div (shadow root)
slot
div
@@ -21,7 +26,7 @@
Slot subtree
div
-Test 4
+Test 2.2
div (shadow root)
slot
#text
@@ -33,3 +38,51 @@
Slot subtree
#text
+Test 2.3
+ div (shadow root)
+ slot
+ #text
+
+Shadow host subtree
+ slot
+ #text
+
+Slot subtree
+ #text
+
+Test 3.1
+ div (shadow root)
+ slot
+ div
+
+Shadow host subtree
+ slot
+ div
+
+Slot subtree
+ div
+
+Test 3.2
+ div (shadow root)
+ slot
+ #text
+
+Shadow host subtree
+ slot
+ #text
+
+Slot subtree
+ #text
+
+Test 3.3
+ div (shadow root)
+ slot
+ #text
+
+Shadow host subtree
+ slot
+ #text
+
+Slot subtree
+ #text
+
Modified: trunk/LayoutTests/fast/shadow-dom/composed-tree-shadow-subtree.html (199096 => 199097)
--- trunk/LayoutTests/fast/shadow-dom/composed-tree-shadow-subtree.html 2016-04-06 06:10:32 UTC (rev 199096)
+++ trunk/LayoutTests/fast/shadow-dom/composed-tree-shadow-subtree.html 2016-04-06 09:27:22 UTC (rev 199097)
@@ -6,12 +6,20 @@
<template id=shadow1></template>
<template id=shadow2><slot><div></div></slot></template>
+<template id=shadow3><!--comment--><slot><div></div></slot></template>
-<template test=1><div shadow=shadow1></div></template>
-<template test=2><div shadow=shadow1>text</div></template>
-<template test=3><div shadow=shadow2></div></template>
-<template test=4><div shadow=shadow2>text</div></template>
+<template test=1.1><div shadow=shadow1></div></template>
+<template test=1.2><div shadow=shadow1>text</div></template>
+<template test=1.3><div shadow=shadow1><!--comment-->text</div></template>
+<template test=2.1><div shadow=shadow2></div></template>
+<template test=2.2><div shadow=shadow2>text</div></template>
+<template test=2.3><div shadow=shadow2><!--comment-->text</div></template>
+
+<template test=3.1><div shadow=shadow3></div></template>
+<template test=3.2><div shadow=shadow3>text</div></template>
+<template test=3.3><div shadow=shadow3><!--comment-->text</div></template>
+
<body>
<pre id=console></pre>
<script>
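Review bot: The added cases only cover a shadow root whose comment is followed by a slot (shadow3); no template has a shadow root that contains nothing but a comment. That input is the one that reaches the "firstChild ? *firstChild : root" fallback in the ComposedTreeIterator constructor and the "!shadowContext.iterator" branch in traverseShadowRoot, so a comment-only template (for example a shadow4 holding just <!--comment-->) with matching 4.1 to 4.3 cases would pin down both paths.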
Modified: trunk/Source/WebCore/ChangeLog (199096 => 199097)
--- trunk/Source/WebCore/ChangeLog 2016-04-06 06:10:32 UTC (rev 199096)
+++ trunk/Source/WebCore/ChangeLog 2016-04-06 09:27:22 UTC (rev 199097)
@@ -1,3 +1,35 @@
+2016-04-06 Antti Koivisto <[email protected]>
+
+ ComposedTreeIterator may crash when first child of shadow root is a comment node
+ https://bugs.webkit.org/show_bug.cgi?id=156281
+
+ Reviewed by Andreas Kling.
+
+ It should not use plain firstChild() and assume it is Element or Text.
+
+ * dom/ComposedTreeIterator.cpp:
+ (WebCore::ComposedTreeIterator::Context::Context):
+
+ Add FirstChildTag to various iterator constructors to make clear that they search for the first child.
+
+ (WebCore::ComposedTreeIterator::ComposedTreeIterator):
+ (WebCore::ComposedTreeIterator::traverseShadowRoot):
+
+ Fix by using ElementAndTextDescendantIterator to find the first child.
+
+ * dom/ComposedTreeIterator.h:
+ (WebCore::ComposedTreeIterator::operator*):
+ (WebCore::ComposedTreeDescendantAdapter::ComposedTreeDescendantAdapter):
+ (WebCore::ComposedTreeDescendantAdapter::begin):
+ (WebCore::ComposedTreeDescendantAdapter::end):
+ (WebCore::ComposedTreeDescendantAdapter::at):
+ (WebCore::ComposedTreeChildAdapter::Iterator::Iterator):
+ * dom/ElementAndTextDescendantIterator.h:
+ (WebCore::ElementAndTextDescendantIterator::operator++):
+ (WebCore::ElementAndTextDescendantIterator::ElementAndTextDescendantIterator):
+ (WebCore::ElementAndTextDescendantIteratorAdapter::begin):
+ (WebCore::ElementAndTextDescendantIteratorAdapter::end):
+
2016-04-05 Chris Dumez <[email protected]>
Add support for [EnabledAtRuntime] operations on DOMWindow
Modified: trunk/Source/WebCore/dom/ComposedTreeIterator.cpp (199096 => 199097)
--- trunk/Source/WebCore/dom/ComposedTreeIterator.cpp 2016-04-06 06:10:32 UTC (rev 199096)
+++ trunk/Source/WebCore/dom/ComposedTreeIterator.cpp 2016-04-06 09:27:22 UTC (rev 199097)
@@ -35,8 +35,8 @@
{
}
-ComposedTreeIterator::Context::Context(ContainerNode& root)
- : iterator(root)
+ComposedTreeIterator::Context::Context(ContainerNode& root, FirstChildTag)
+ : iterator(root, ElementAndTextDescendantIterator::FirstChild)
{
}
@@ -54,7 +54,7 @@
}
#endif
-ComposedTreeIterator::ComposedTreeIterator(ContainerNode& root)
+ComposedTreeIterator::ComposedTreeIterator(ContainerNode& root, FirstChildTag)
{
ASSERT(!is<ShadowRoot>(root));
@@ -68,12 +68,12 @@
}
#endif
if (auto* shadowRoot = root.shadowRoot()) {
- auto* firstChild = shadowRoot->firstChild();
+ ElementAndTextDescendantIterator firstChild(*shadowRoot, ElementAndTextDescendantIterator::FirstChild);
initializeContextStack(root, firstChild ? *firstChild : root);
return;
}
- m_contextStack.uncheckedAppend(Context(root));
+ m_contextStack.uncheckedAppend(Context(root, FirstChild));
}
ComposedTreeIterator::ComposedTreeIterator(ContainerNode& root, Node& current)
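Review bot: The unchanged line "initializeContextStack(root, firstChild ? *firstChild : root);" still reads like a null check on a pointer, but firstChild is now an ElementAndTextDescendantIterator, so it depends on the iterator's bool conversion and operator*. A name such as firstChildIterator would make that visible, and a one-line comment should say that the fallback to root is now also taken when the shadow root holds only comment nodes, not just when it is empty.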
@@ -148,7 +148,7 @@
void ComposedTreeIterator::traverseShadowRoot(ShadowRoot& shadowRoot)
{
- Context shadowContext(shadowRoot);
+ Context shadowContext(shadowRoot, FirstChild);
if (!shadowContext.iterator) {
// Empty shadow root.
traverseNextSkippingChildren();
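Review bot: The "// Empty shadow root." comment under "if (!shadowContext.iterator)" is imprecise for the case this change is about: the iterator is also empty when the shadow root has children but none of them is an Element or Text node, such as a lone comment. Rewording it to something like "No element or text children in shadow root" would match what the condition tests.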
Modified: trunk/Source/WebCore/dom/ComposedTreeIterator.h (199096 => 199097)
--- trunk/Source/WebCore/dom/ComposedTreeIterator.h 2016-04-06 06:10:32 UTC (rev 199096)
+++ trunk/Source/WebCore/dom/ComposedTreeIterator.h 2016-04-06 09:27:22 UTC (rev 199097)
@@ -36,7 +36,8 @@
class ComposedTreeIterator {
public:
ComposedTreeIterator();
- ComposedTreeIterator(ContainerNode& root);
+ enum FirstChildTag { FirstChild };
+ ComposedTreeIterator(ContainerNode& root, FirstChildTag);
ComposedTreeIterator(ContainerNode& root, Node& current);
Node& operator*() { return current(); }
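Review bot: The new "enum FirstChildTag { FirstChild };" is declared between two constructors with no comment, and the same enum is added again in ElementAndTextDescendantIterator.h, with Context's constructor translating one into the other. A short comment on the declaration stating that the tag selects "start at the first Element or Text child" would help readers of the header, and it is worth considering whether one shared tag type could serve both classes instead of two parallel ones.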
@@ -68,7 +69,7 @@
struct Context {
Context();
- explicit Context(ContainerNode& root);
+ Context(ContainerNode& root, FirstChildTag);
Context(ContainerNode& root, Node& node);
#if ENABLE(SHADOW_DOM) || ENABLE(DETAILS_ELEMENT)
@@ -156,7 +157,7 @@
: m_parent(parent)
{ }
- ComposedTreeIterator begin() { return ComposedTreeIterator(m_parent); }
+ ComposedTreeIterator begin() { return ComposedTreeIterator(m_parent, ComposedTreeIterator::FirstChild); }
ComposedTreeIterator end() { return { }; }
ComposedTreeIterator at(const Node& child) { return ComposedTreeIterator(m_parent, const_cast<Node&>(child)); }
@@ -170,7 +171,7 @@
public:
Iterator() = default;
explicit Iterator(ContainerNode& root)
- : ComposedTreeIterator(root)
+ : ComposedTreeIterator(root, ComposedTreeIterator::FirstChild)
{ }
Iterator(ContainerNode& root, Node& current)
: ComposedTreeIterator(root, current)
Modified: trunk/Source/WebCore/dom/ElementAndTextDescendantIterator.h (199096 => 199097)
--- trunk/Source/WebCore/dom/ElementAndTextDescendantIterator.h 2016-04-06 06:10:32 UTC (rev 199096)
+++ trunk/Source/WebCore/dom/ElementAndTextDescendantIterator.h 2016-04-06 09:27:22 UTC (rev 199097)
@@ -36,7 +36,8 @@
class ElementAndTextDescendantIterator {
public:
ElementAndTextDescendantIterator();
- explicit ElementAndTextDescendantIterator(ContainerNode& root);
+ enum FirstChildTag { FirstChild };
+ ElementAndTextDescendantIterator(ContainerNode& root, FirstChildTag);
ElementAndTextDescendantIterator(ContainerNode& root, Node* current);
ElementAndTextDescendantIterator& operator++() { return traverseNext(); }
@@ -101,7 +102,7 @@
{
}
-inline ElementAndTextDescendantIterator::ElementAndTextDescendantIterator(ContainerNode& root)
+inline ElementAndTextDescendantIterator::ElementAndTextDescendantIterator(ContainerNode& root, FirstChildTag)
: m_current(firstChild(root))
#if !ASSERT_DISABLED
, m_assertions(m_current)
@@ -301,7 +302,7 @@
inline ElementAndTextDescendantIterator ElementAndTextDescendantIteratorAdapter::begin()
{
- return ElementAndTextDescendantIterator(m_root);
+ return ElementAndTextDescendantIterator(m_root, ElementAndTextDescendantIterator::FirstChild);
}
inline ElementAndTextDescendantIterator ElementAndTextDescendantIteratorAdapter::end()