Title: [122432] trunk
Revision
122432
Author
[email protected]
Date
2012-07-12 02:11:17 -0700 (Thu, 12 Jul 2012)

Log Message

[Shadow DOM] <video> with <shadow> crashes
https://bugs.webkit.org/show_bug.cgi?id=91055

Reviewed by Kent Tamura.

Source/WebCore:

This is similar to Bug 90480, where an undesired renderer is created by
locating an insertion point on the shadow boundary.

This change adds a guard for such a case by checking whether the
source node of each to-be-created renderer comes from the UA shadow
tree, which is allowed to have a renderer.

Test: fast/dom/shadow/insertion-point-video-crash.html

* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::childShouldCreateRenderer): Added a check.
(WebCore::HTMLMediaElement::mediaControls): Added const.
(WebCore::HTMLMediaElement::hasMediaControls): Added const.
* html/HTMLMediaElement.h:
(HTMLMediaElement):

LayoutTests:

* fast/dom/shadow/insertion-point-video-crash-expected.txt: Added.
* fast/dom/shadow/insertion-point-video-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (122431 => 122432)


--- trunk/LayoutTests/ChangeLog	2012-07-12 09:07:24 UTC (rev 122431)
+++ trunk/LayoutTests/ChangeLog	2012-07-12 09:11:17 UTC (rev 122432)
@@ -1,3 +1,13 @@
+2012-07-12  MORITA Hajime  <[email protected]>
+
+        [Shadow DOM] <video> with <shadow> crashes
+        https://bugs.webkit.org/show_bug.cgi?id=91055
+
+        Reviewed by Kent Tamura.
+
+        * fast/dom/shadow/insertion-point-video-crash-expected.txt: Added.
+        * fast/dom/shadow/insertion-point-video-crash.html: Added.
+
 2012-07-12  Kristóf Kosztyó  <[email protected]>
 
         [Qt] Unreviewed gardening. Skip new failing test introduced in r122399

Added: trunk/LayoutTests/fast/dom/shadow/insertion-point-video-crash-expected.txt (0 => 122432)


--- trunk/LayoutTests/fast/dom/shadow/insertion-point-video-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/shadow/insertion-point-video-crash-expected.txt	2012-07-12 09:11:17 UTC (rev 122432)
@@ -0,0 +1,2 @@
+PASS unless crash
+

Added: trunk/LayoutTests/fast/dom/shadow/insertion-point-video-crash.html (0 => 122432)


--- trunk/LayoutTests/fast/dom/shadow/insertion-point-video-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/shadow/insertion-point-video-crash.html	2012-07-12 09:11:17 UTC (rev 122432)
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script>
+jsTestIsAsync = true;
+function boom() {
+    divNode = document.createElement('div');
+    document.documentElement.appendChild(divNode);
+    divShadow1 = new WebKitShadowRoot(divNode);
+    divShadow2 = new WebKitShadowRoot(divNode);
+    
+    videoNode = document.createElement('video');
+    divShadow2.appendChild(videoNode);
+    
+    shadowNode = document.createElement('shadow');
+    videoNode.appendChild(shadowNode);
+    
+    text = document.createTextNode('Hello');
+    divShadow1.appendChild(text);
+
+    testPassed("unless crash");
+    finishJSTest();    
+}
+
+window._onload_ = boom;
+</script>
+</body>
+</html>
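Review bot: The test appears to exercise only the new early return in `childShouldCreateRenderer`, because `videoNode` is created without a `controls` attribute, so `hasMediaControls()` is presumably false and the tree-scope comparison never runs. A second case that enables controls before the `<shadow>` child is appended, e.g. `videoNode.controls = true;` right after `createElement('video')`, would cover the branch where a node distributed from the older author shadow root has to be told apart from the UA controls subtree. The expectation file records only "PASS unless crash", so neither case would verify that the distributed text node stays unrendered; a render-tree dump or a layout check would pin that down.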

Modified: trunk/Source/WebCore/ChangeLog (122431 => 122432)


--- trunk/Source/WebCore/ChangeLog	2012-07-12 09:07:24 UTC (rev 122431)
+++ trunk/Source/WebCore/ChangeLog	2012-07-12 09:11:17 UTC (rev 122432)
@@ -1,3 +1,26 @@
+2012-07-12  MORITA Hajime  <[email protected]>
+
+        [Shadow DOM] <video> with <shadow> crashes
+        https://bugs.webkit.org/show_bug.cgi?id=91055
+
+        Reviewed by Kent Tamura.
+
+        This is similar to Bug 90480, where an undesired renderer is created by
+        locating an insertion point on the shadow boundary.
+
+        This change adds a guard for such case by cheking whether the
+        source node of each to-be-created renderer comes from the UA shadow
+        tree, which is allowed to have a renderer.
+
+        Test: fast/dom/shadow/insertion-point-video-crash.html
+
+        * html/HTMLMediaElement.cpp:
+        (WebCore::HTMLMediaElement::childShouldCreateRenderer): Added a check.
+        (WebCore::HTMLMediaElement::mediaControls): Added const.
+        (WebCore::HTMLMediaElement::hasMediaControls): Added const.
+        * html/HTMLMediaElement.h:
+        (HTMLMediaElement):
+
 2012-07-12  Yoshifumi Inoue  <[email protected]>
 
         REGRESSION(r122184): LocaleMac::currentLocale should use current locale rather than newly create locale object. 

Modified: trunk/Source/WebCore/html/HTMLMediaElement.cpp (122431 => 122432)


--- trunk/Source/WebCore/html/HTMLMediaElement.cpp	2012-07-12 09:07:24 UTC (rev 122431)
+++ trunk/Source/WebCore/html/HTMLMediaElement.cpp	2012-07-12 09:11:17 UTC (rev 122432)
@@ -488,7 +488,11 @@
 
 bool HTMLMediaElement::childShouldCreateRenderer(const NodeRenderingContext& childContext) const
 {
-    return childContext.isOnUpperEncapsulationBoundary() && HTMLElement::childShouldCreateRenderer(childContext);
+    if (!hasMediaControls())
+        return false;
+    // Only allows nodes from the controls shadow subtree.
+    return (mediaControls()->treeScope() == childContext.node()->treeScope()
+            && childContext.isOnUpperEncapsulationBoundary() && HTMLElement::childShouldCreateRenderer(childContext));
 }
 
 Node::InsertionNotificationRequest HTMLMediaElement::insertedInto(ContainerNode* insertionPoint)
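Review bot: The comment `// Only allows nodes from the controls shadow subtree.` does not explain why the check exists, and it describes something narrower than the code tests. `mediaControls()->treeScope() == childContext.node()->treeScope()` admits any node in the same tree scope as the controls, not only descendants of the controls element. Since this comparison is what keeps author nodes distributed through a `<shadow>` insertion point from getting a renderer under the media element, I would spell that out, for example `// Only nodes in the UA shadow tree that holds the media controls may create a renderer; author nodes distributed via an insertion point must not.` `childContext.node()` is dereferenced without a null check; NodeRenderingContext presumably guarantees it is non-null, but that is not visible in this hunk.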
@@ -4142,12 +4146,12 @@
     m_player->setPrivateBrowsingMode(privateMode);
 }
 
-MediaControls* HTMLMediaElement::mediaControls()
+MediaControls* HTMLMediaElement::mediaControls() const
 {
     return toMediaControls(shadow()->oldestShadowRoot()->firstChild());
 }
 
-bool HTMLMediaElement::hasMediaControls()
+bool HTMLMediaElement::hasMediaControls() const
 {
     ElementShadow* elementShadow = shadow();
     if (!elementShadow)
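Review bot: `mediaControls()` dereferences the results of `shadow()` and `oldestShadowRoot()` unchecked and casts whatever `firstChild()` returns, and with this change it is called from `childShouldCreateRenderer()` on the renderer-creation path. It is only safe after `hasMediaControls()` has returned true, which the new caller does, but nothing in the function states or enforces that precondition. Adding `ASSERT(hasMediaControls());` as the first line of `mediaControls()` would document it and catch, in debug builds, a future caller that skips the guard. The body of `hasMediaControls()` continues outside the hunk, so it cannot be confirmed here that it verifies the oldest shadow root's first child really is the controls element.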

Modified: trunk/Source/WebCore/html/HTMLMediaElement.h (122431 => 122432)


--- trunk/Source/WebCore/html/HTMLMediaElement.h	2012-07-12 09:07:24 UTC (rev 122431)
+++ trunk/Source/WebCore/html/HTMLMediaElement.h	2012-07-12 09:11:17 UTC (rev 122432)
@@ -291,7 +291,7 @@
     bool closedCaptionsVisible() const;
     void setClosedCaptionsVisible(bool);
 
-    MediaControls* mediaControls();
+    MediaControls* mediaControls() const;
 
     void sourceWasRemoved(HTMLSourceElement*);
     void sourceWasAdded(HTMLSourceElement*);
@@ -508,7 +508,7 @@
     void invalidateCachedTime();
     void refreshCachedTime() const;
 
-    bool hasMediaControls();
+    bool hasMediaControls() const;
     bool createMediaControls();
     void configureMediaControls();
 