Title: [199363] releases/WebKitGTK/webkit-2.12
- Revision
- 199363
- Author
- [email protected]
- Date
- 2016-04-12 09:32:57 -0700 (Tue, 12 Apr 2016)
Log Message
Merge r198090 - REGRESSION (r190840): crash inside details element's slotNameFunction
https://bugs.webkit.org/show_bug.cgi?id=155388
Reviewed by Antti Koivisto.
Source/WebCore:
The bug was caused by HTMLDetailsElement::isActiveSummary calling findAssignedSlot with a summary element
inside the shadow tree of the detials element. Fixed it by existing early when the summary element passed
to isActiveSummary is not a direct child of the details element.
Test: fast/html/details-summary-tabindex-crash.html
* dom/ShadowRoot.cpp:
(WebCore::ShadowRoot::findAssignedSlot): Added an assertion for regression testing.
* dom/SlotAssignment.cpp:
(WebCore::SlotAssignment::findAssignedSlot): Removed the superfluous call to assignSlots added in r190840.
There is no need to update the slot assignments here (entires in m_slots are added or removed by
addSlotElementByName or removeSlotElementByName and assignSlots only updates assignedNodes in each SlotInfo
which is never used in this function or findFirstSlotElement.
* html/HTMLDetailsElement.cpp:
(WebCore::HTMLDetailsElement::isActiveSummary): Fixed the bug.
LayoutTests:
Added a regression test.
* fast/html/details-summary-tabindex-crash-expected.txt: Added.
* fast/html/details-summary-tabindex-crash.html: Added.
Modified Paths
Added Paths
Diff
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog (199362 => 199363)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog 2016-04-12 16:30:50 UTC (rev 199362)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog 2016-04-12 16:32:57 UTC (rev 199363)
@@ -1,3 +1,15 @@
+2016-03-13 Ryosuke Niwa <[email protected]>
+
+ REGRESSION (r190840): crash inside details element's slotNameFunction
+ https://bugs.webkit.org/show_bug.cgi?id=155388
+
+ Reviewed by Antti Koivisto.
+
+ Added a regression test.
+
+ * fast/html/details-summary-tabindex-crash-expected.txt: Added.
+ * fast/html/details-summary-tabindex-crash.html: Added.
+
2016-03-13 Antti Koivisto <[email protected]>
ComposedTreeIterator fails to traverse slots if root is shadow host
Added: releases/WebKitGTK/webkit-2.12/LayoutTests/fast/html/details-summary-tabindex-crash-expected.txt (0 => 199363)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/fast/html/details-summary-tabindex-crash-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/fast/html/details-summary-tabindex-crash-expected.txt 2016-04-12 16:32:57 UTC (rev 199363)
@@ -0,0 +1,4 @@
+This tests calling tabIndex on the summary element inside a details element. WebKit should not hit any assertions.
+
+summary content
+PASS
Added: releases/WebKitGTK/webkit-2.12/LayoutTests/fast/html/details-summary-tabindex-crash.html (0 => 199363)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/fast/html/details-summary-tabindex-crash.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/fast/html/details-summary-tabindex-crash.html 2016-04-12 16:32:57 UTC (rev 199363)
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>This tests calling tabIndex on the summary element inside a details element. WebKit should not hit any assertions.</p>
+<details tabindex=0>
+<summary>summary content</summary>
+summary details
+</details>
+<script>
+
+if (window.internals) {
+ testRunner.dumpAsText();
+
+ var detailsShadow = internals.shadowRoot(document.querySelector('details'));
+ detailsShadow.querySelector('summary').tabIndex;
+
+ document.write('PASS');
+} else
+ document.write('FAIL - This test requires window.internals');
+
+
+</script>
+</body>
+</html>
Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog (199362 => 199363)
--- releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog 2016-04-12 16:30:50 UTC (rev 199362)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog 2016-04-12 16:32:57 UTC (rev 199363)
@@ -1,3 +1,26 @@
+2016-03-13 Ryosuke Niwa <[email protected]>
+
+ REGRESSION (r190840): crash inside details element's slotNameFunction
+ https://bugs.webkit.org/show_bug.cgi?id=155388
+
+ Reviewed by Antti Koivisto.
+
+ The bug was caused by HTMLDetailsElement::isActiveSummary calling findAssignedSlot with a summary element
+ inside the shadow tree of the detials element. Fixed it by existing early when the summary element passed
+ to isActiveSummary is not a direct child of the details element.
+
+ Test: fast/html/details-summary-tabindex-crash.html
+
+ * dom/ShadowRoot.cpp:
+ (WebCore::ShadowRoot::findAssignedSlot): Added an assertion for regression testing.
+ * dom/SlotAssignment.cpp:
+ (WebCore::SlotAssignment::findAssignedSlot): Removed the superfluous call to assignSlots added in r190840.
+ There is no need to update the slot assignments here (entires in m_slots are added or removed by
+ addSlotElementByName or removeSlotElementByName and assignSlots only updates assignedNodes in each SlotInfo
+ which is never used in this function or findFirstSlotElement.
+ * html/HTMLDetailsElement.cpp:
+ (WebCore::HTMLDetailsElement::isActiveSummary): Fixed the bug.
+
2016-03-13 Antti Koivisto <[email protected]>
ComposedTreeIterator fails to traverse slots if root is shadow host
Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/dom/ShadowRoot.cpp (199362 => 199363)
--- releases/WebKitGTK/webkit-2.12/Source/WebCore/dom/ShadowRoot.cpp 2016-04-12 16:30:50 UTC (rev 199362)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/dom/ShadowRoot.cpp 2016-04-12 16:32:57 UTC (rev 199363)
@@ -182,6 +182,7 @@
HTMLSlotElement* ShadowRoot::findAssignedSlot(const Node& node)
{
+ ASSERT(node.parentNode() == host());
if (!m_slotAssignment)
return nullptr;
return m_slotAssignment->findAssignedSlot(node, *this);
Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/dom/SlotAssignment.cpp (199362 => 199363)
--- releases/WebKitGTK/webkit-2.12/Source/WebCore/dom/SlotAssignment.cpp 2016-04-12 16:30:50 UTC (rev 199362)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/dom/SlotAssignment.cpp 2016-04-12 16:32:57 UTC (rev 199363)
@@ -64,9 +64,6 @@
if (!is<Text>(node) && !is<Element>(node))
return nullptr;
- if (!m_slotAssignmentsIsValid)
- assignSlots(shadowRoot);
-
auto slotName = m_slotNameFunction(node);
if (!slotName)
return nullptr;
Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/html/HTMLDetailsElement.cpp (199362 => 199363)
--- releases/WebKitGTK/webkit-2.12/Source/WebCore/html/HTMLDetailsElement.cpp 2016-04-12 16:30:50 UTC (rev 199362)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/html/HTMLDetailsElement.cpp 2016-04-12 16:32:57 UTC (rev 199363)
@@ -103,6 +103,9 @@
if (!m_summarySlot->assignedNodes())
return &summary == m_defaultSummary;
+ if (summary.parentNode() != this)
+ return false;
+
auto* slot = shadowRoot()->findAssignedSlot(summary);
if (!slot)
return false;
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
