Title: [191091] branches/safari-601.1.46-branch/Source/WebCore

Diff

Modified: branches/safari-601.1.46-branch/Source/WebCore/ChangeLog (191090 => 191091)


--- branches/safari-601.1.46-branch/Source/WebCore/ChangeLog	2015-10-15 06:46:24 UTC (rev 191090)
+++ branches/safari-601.1.46-branch/Source/WebCore/ChangeLog	2015-10-15 06:46:27 UTC (rev 191091)
@@ -1,5 +1,33 @@
 2015-10-14  Matthew Hanson  <matthew_han...@apple.com>
 
+        Merge r190007. rdar://problem/23075843
+
+    2015-09-18  Ryosuke Niwa  <rn...@webkit.org>
+
+            REGRESSION(r150187): updateIdForTreeScope may not be called inside shadow trees
+            https://bugs.webkit.org/show_bug.cgi?id=149364
+
+            Reviewed by Antti Koivisto.
+
+            Since the tree scope is set to that of Document's inside removeBetween when a node is removed from a shadow tree,
+            oldScope != &treeScope() was already true inside Element::removedFrom. This can introduce an inconsistency in
+            DocumentOrderedMap which could result in a crash. Fixed the bug by checking it against document(), which is the
+            behavior we had prior to r150187.
+
+            Also added a consistency check in DocumentOrderedMap to catch bugs like this.
+
+            No new tests. New assertions fail in existing tests without this fix.
+
+            * dom/DocumentOrderedMap.cpp:
+            (WebCore::DocumentOrderedMap::add):
+            (WebCore::DocumentOrderedMap::remove):
+            (WebCore::DocumentOrderedMap::get):
+            * dom/DocumentOrderedMap.h:
+            * dom/Element.cpp:
+            (WebCore::Element::removedFrom):
+
+2015-10-14  Matthew Hanson  <matthew_han...@apple.com>
+
         Merge r188531. rdar://problem/22707497
 
     2015-08-17  Andy Estes  <aes...@apple.com>

Modified: branches/safari-601.1.46-branch/Source/WebCore/dom/DocumentOrderedMap.cpp (191090 => 191091)


--- branches/safari-601.1.46-branch/Source/WebCore/dom/DocumentOrderedMap.cpp	2015-10-15 06:46:24 UTC (rev 191090)
+++ branches/safari-601.1.46-branch/Source/WebCore/dom/DocumentOrderedMap.cpp	2015-10-15 06:46:27 UTC (rev 191091)
@@ -51,13 +51,20 @@
     UNUSED_PARAM(treeScope);
     ASSERT_WITH_SECURITY_IMPLICATION(element.isInTreeScope());
     ASSERT_WITH_SECURITY_IMPLICATION(treeScope.rootNode().containsIncludingShadowDOM(&element));
+
     if (!element.isInTreeScope())
         return;
     Map::AddResult addResult = m_map.add(&key, MapEntry(&element));
+    MapEntry& entry = addResult.iterator->value;
+
+#ifndef NDEBUG
+    ASSERT_WITH_SECURITY_IMPLICATION(!entry.registeredElements.contains(&element));
+    entry.registeredElements.add(&element);
+#endif
+
     if (addResult.isNewEntry)
         return;
 
-    MapEntry& entry = addResult.iterator->value;
     ASSERT_WITH_SECURITY_IMPLICATION(entry.count);
     entry.element = nullptr;
     entry.count++;
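Review bot: The new `registeredElements` bookkeeping here is compiled under `#ifndef NDEBUG` (as is the member added in DocumentOrderedMap.h), but the assertions in remove() and get() that read `entry.registeredElements` are guarded only by whatever condition disables ASSERT_WITH_SECURITY_IMPLICATION itself. If those two conditions always coincide this is fine, but a configuration that defines NDEBUG while keeping assertions enabled would fail to compile on those lines, and the reverse would leave the set present but never populated. Tying the member, this block, and the three assertions to one condition — for example `#if !ASSERT_DISABLED` — makes the consistency check's availability match the macro it depends on. add() begins before this hunk.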
@@ -68,11 +75,13 @@
 {
     m_map.checkConsistency();
     auto it = m_map.find(&key);
+
     ASSERT_WITH_SECURITY_IMPLICATION(it != m_map.end());
     if (it == m_map.end())
         return;
+
     MapEntry& entry = it->value;
-
+    ASSERT_WITH_SECURITY_IMPLICATION(entry.registeredElements.remove(&element));
     ASSERT_WITH_SECURITY_IMPLICATION(entry.count);
     if (entry.count == 1) {
         ASSERT_WITH_SECURITY_IMPLICATION(!entry.element || entry.element == &element);
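Review bot: The added assertion performs the mutation `entry.registeredElements.remove(&element)` inside the assertion macro, so the set is only kept in sync when that assertion is compiled in; any build where the member exists but the macro expands to nothing would accumulate stale pointers and turn the later `contains()` checks in get() into false reassurance. Keep the side effect outside the macro, under the same `#ifndef NDEBUG` guard add() uses: `bool wasRegistered = entry.registeredElements.remove(&element);` followed by `ASSERT_WITH_SECURITY_IMPLICATION(wasRegistered);`. remove() starts before and continues after this hunk.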
@@ -99,6 +108,7 @@
     if (entry.element) {
         ASSERT_WITH_SECURITY_IMPLICATION(entry.element->isInTreeScope());
         ASSERT_WITH_SECURITY_IMPLICATION(&entry.element->treeScope() == &scope);
+        ASSERT_WITH_SECURITY_IMPLICATION(entry.registeredElements.contains(entry.element));
         return entry.element;
     }
 
@@ -109,6 +119,7 @@
         entry.element = &element;
         ASSERT_WITH_SECURITY_IMPLICATION(element.isInTreeScope());
         ASSERT_WITH_SECURITY_IMPLICATION(&element.treeScope() == &scope);
+        ASSERT_WITH_SECURITY_IMPLICATION(entry.registeredElements.contains(entry.element));
         return &element;
     }
     ASSERT_NOT_REACHED();

Modified: branches/safari-601.1.46-branch/Source/WebCore/dom/DocumentOrderedMap.h (191090 => 191091)


--- branches/safari-601.1.46-branch/Source/WebCore/dom/DocumentOrderedMap.h	2015-10-15 06:46:24 UTC (rev 191090)
+++ branches/safari-601.1.46-branch/Source/WebCore/dom/DocumentOrderedMap.h	2015-10-15 06:46:27 UTC (rev 191091)
@@ -33,6 +33,7 @@
 
 #include <wtf/HashCountedSet.h>
 #include <wtf/HashMap.h>
+#include <wtf/HashSet.h>
 #include <wtf/Vector.h>
 #include <wtf/text/AtomicStringImpl.h>
 
@@ -84,6 +85,9 @@
         Element* element;
         unsigned count;
         Vector<Element*> orderedList;
+#ifndef NDEBUG
+        HashSet<Element*> registeredElements;
+#endif
     };
 
     typedef HashMap<const AtomicStringImpl*, MapEntry> Map;

Modified: branches/safari-601.1.46-branch/Source/WebCore/dom/Element.cpp (191090 => 191091)


--- branches/safari-601.1.46-branch/Source/WebCore/dom/Element.cpp	2015-10-15 06:46:24 UTC (rev 191090)
+++ branches/safari-601.1.46-branch/Source/WebCore/dom/Element.cpp	2015-10-15 06:46:27 UTC (rev 191091)
@@ -1562,7 +1562,7 @@
     if (insertionPoint.isInTreeScope()) {
         TreeScope* oldScope = &insertionPoint.treeScope();
         HTMLDocument* oldDocument = inDocument() && is<HTMLDocument>(oldScope->documentScope()) ? &downcast<HTMLDocument>(oldScope->documentScope()) : nullptr;
-        if (oldScope != &treeScope() || !isInTreeScope())
+        if (!isInTreeScope() || &treeScope() != &document())
             oldScope = nullptr;
 
         const AtomicString& idValue = getIdAttribute();
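Review bot: The rewritten condition above compares `&treeScope()` with `&document()` instead of with `oldScope`, and nothing in the code says why, so the reasoning from the ChangeLog is lost to the next reader. A comment directly above the `if` would preserve it, e.g. `// removeBetween has already reset our tree scope to the document's, so oldScope != &treeScope() is always true here; compare against document() instead (pre-r150187 behavior).` The remainder of removedFrom, including how `oldScope` is used after this point, lies outside the hunk.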