[webkit-changes] [214599] trunk

[rniwa]

Title: [214599] trunk








Revision 214599
Author rn...@webkit.org
Date 2017-03-29 22:38:59 -0700 (Wed, 29 Mar 2017)


Log Message
Disconnecting a HTMLObjectElement does not always unload its content document
https://bugs.webkit.org/show_bug.cgi?id=169606

Reviewed by Andy Estes.

Source/WebCore:

When removing a node, we first disconnect all subframes then update the focused element as we remove each child.
However, when the removed element is a focused object element with a content document, removeFocusedNodeOfSubtree
can update the style tree synchronously inside Document::setFocusedElement, and reload the document.

Avoid this by instantiating a SubframeLoadingDisabler on the parent of the focused element.

Test: fast/dom/removing-focused-object-element.html

* dom/Document.cpp:
(WebCore::Document::removeFocusedNodeOfSubtree):

LayoutTests:

Add a regression test.

* fast/dom/removing-focused-object-element-expected.txt: Added.
* fast/dom/removing-focused-object-element.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/dom/Document.cpp


Added Paths

trunk/LayoutTests/fast/dom/removing-focused-object-element-expected.txt
trunk/LayoutTests/fast/dom/removing-focused-object-element.html




Diff

Modified: trunk/LayoutTests/ChangeLog (214598 => 214599)

--- trunk/LayoutTests/ChangeLog	2017-03-30 05:02:30 UTC (rev 214598)
+++ trunk/LayoutTests/ChangeLog	2017-03-30 05:38:59 UTC (rev 214599)
@@ -1,3 +1,15 @@
+2017-03-29  Ryosuke Niwa  
+
+Disconnecting a HTMLObjectElement does not always unload its content document
+https://bugs.webkit.org/show_bug.cgi?id=169606
+
+Reviewed by Andy Estes.
+
+Add a regression test.
+
+* fast/dom/removing-focused-object-element-expected.txt: Added.
+* fast/dom/removing-focused-object-element.html: Added.
+
 2017-03-29  Simon Fraser  
 
 Add some tests that dump the touch event regions with various content configurations


Added: trunk/LayoutTests/fast/dom/removing-focused-object-element-expected.txt (0 => 214599)

--- trunk/LayoutTests/fast/dom/removing-focused-object-element-expected.txt	(rev 0)
+++ trunk/LayoutTests/fast/dom/removing-focused-object-element-expected.txt	2017-03-30 05:38:59 UTC (rev 214599)
@@ -0,0 +1 @@
+This tests removing a focused object element. WebKit must not crash.


Added: trunk/LayoutTests/fast/dom/removing-focused-object-element.html (0 => 214599)

--- trunk/LayoutTests/fast/dom/removing-focused-object-element.html	(rev 0)
+++ trunk/LayoutTests/fast/dom/removing-focused-object-element.html	2017-03-30 05:38:59 UTC (rev 214599)
@@ -0,0 +1,27 @@
+
+
+
+
+
+if (window.testRunner) {
+testRunner.dumpAsText();
+testRunner.waitUntilDone();
+}
+
+function startTest()
+{
+const target = document.getElementById('target');
+const object = document.createElement('object');
+document.getElementById('container').appendChild(object);
+object.data = ""
+object.focus();
+object.appendChild(document.createElement('div'));
+target.appendChild(object);
+
+location.href = ''
++ '