Title: [135456] trunk
- Revision: 135456
- Author: morr...@google.com
- Date: 2012-11-21 16:44:58 -0800 (Wed, 21 Nov 2012)
Log Message
[Shadow DOM][V8] Assertion failure when shadow host is reclaimed before ShadowRoot
https://bugs.webkit.org/show_bug.cgi?id=102893
Reviewed by Kentaro Hara.
Source/WebCore:
Due to bug 88834, shadow hosts can be reclaimed before
corresponding ShadowRoots are. This breaks an invariant, that is,
the host is always available for any ShadowRoot. This change adds
guards for the possibly broken invariant.
Since bug 88834 is planned to be fixed shortly, this change
doesn't aim to fix this problem by making it work correctly, but
just lays a safety net which is needed until the root cause is
gone.
Test: fast/dom/shadow/host-wrapper-reclaimed.html
* dom/ShadowRoot.cpp:
(WebCore::ShadowRoot::setInnerHTML):
(WebCore::ShadowRoot::setApplyAuthorStyles):
(WebCore::ShadowRoot::setResetStyleInheritance):
(WebCore::ShadowRoot::childrenChanged):
LayoutTests:
* fast/dom/shadow/host-wrapper-reclaimed-expected.txt: Added.
* fast/dom/shadow/host-wrapper-reclaimed.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (135455 => 135456)
--- trunk/LayoutTests/ChangeLog 2012-11-22 00:28:05 UTC (rev 135455)
+++ trunk/LayoutTests/ChangeLog 2012-11-22 00:44:58 UTC (rev 135456)
@@ -1,3 +1,13 @@
+2012-11-21 Hajime Morrita <morr...@google.com>
+
+ [Shadow DOM][V8] Assertion failure when shadow host is reclaimed before ShadowRoot
+ https://bugs.webkit.org/show_bug.cgi?id=102893
+
+ Reviewed by Kentaro Hara.
+
+ * fast/dom/shadow/host-wrapper-reclaimed-expected.txt: Added.
+ * fast/dom/shadow/host-wrapper-reclaimed.html: Added.
+
2012-11-21 Daniel Bates <dba...@webkit.org>
_javascript_ fails to concatenate large strings
Added: trunk/LayoutTests/fast/dom/shadow/host-wrapper-reclaimed-expected.txt (0 => 135456)
--- trunk/LayoutTests/fast/dom/shadow/host-wrapper-reclaimed-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/dom/shadow/host-wrapper-reclaimed-expected.txt 2012-11-22 00:44:58 UTC (rev 135456)
@@ -0,0 +1 @@
+PASS unless crash.
Added: trunk/LayoutTests/fast/dom/shadow/host-wrapper-reclaimed.html (0 => 135456)
--- trunk/LayoutTests/fast/dom/shadow/host-wrapper-reclaimed.html (rev 0)
+++ trunk/LayoutTests/fast/dom/shadow/host-wrapper-reclaimed.html 2012-11-22 00:44:58 UTC (rev 135456)
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+<head>
+</head>
+<body>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+function makeOrphanShadow() {
+ var host = document.createElement("div");
+ var shadow = new WebKitShadowRoot(host);
+ return shadow;
+};
+
+var shadow = makeOrphanShadow();
+gc(true);
+
+try { shadow.innerHTML = "Hello"; } catch(e) { }
+shadow.appendChild(document.createElement("span"));
+shadow.resetStyleInheritance = true;
+shadow.applyAuthorStyles = false;
+
+document.body.innerHTML = "PASS unless crash.";
+</script>
+</body>
+</html>
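Review bot: `gc(true)` is called unconditionally, while `testRunner` at the top of the script is checked with `if (window.testRunner)`. Nothing in this file defines `gc`, so where it is not exposed the script throws before any of the guarded setters run and the test never exercises the fix. Guard the call, for example `if (window.gc) gc(true);`, or pull in a shared helper. The empty `catch(e) { }` around `shadow.innerHTML = "Hello"` also discards whatever was thrown, so the test cannot distinguish the INVALID_ACCESS_ERR that setInnerHTML now sets from an unrelated exception; inspecting the caught exception would pin the expected behaviour down.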
Modified: trunk/Source/WebCore/ChangeLog (135455 => 135456)
--- trunk/Source/WebCore/ChangeLog 2012-11-22 00:28:05 UTC (rev 135455)
+++ trunk/Source/WebCore/ChangeLog 2012-11-22 00:44:58 UTC (rev 135456)
@@ -1,3 +1,28 @@
+2012-11-21 Hajime Morrita <morr...@google.com>
+
+ [Shadow DOM][V8] Assertion failure when shadow host is reclaimed before ShadowRoot
+ https://bugs.webkit.org/show_bug.cgi?id=102893
+
+ Reviewed by Kentaro Hara.
+
+ Due to bug 88834, shadow hosts can be reclaimed before
+ corresponding ShadowRoots are. This breaks an invariant, that is,
+ the host is always available for any ShadowRoot. This change adds
+ guards for the possibly broken invariant.
+
+ Since bug 88834 is planned to be fixed shortly, this change
+ doesn't aim to fix this problem by make it work correctly, but
+ just lays a safety net which is needed until the root cause is
+ gone.
+
+ Test: fast/dom/shadow/host-wrapper-reclaimed.html
+
+ * dom/ShadowRoot.cpp:
+ (WebCore::ShadowRoot::setInnerHTML):
+ (WebCore::ShadowRoot::setApplyAuthorStyles):
+ (WebCore::ShadowRoot::setResetStyleInheritance):
+ (WebCore::ShadowRoot::childrenChanged):
+
2012-11-21 Dirk Schulze <k...@webkit.org>
Make CachedSVGDocumentReference independent of FilterOperation
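Review bot: the entry says the change "adds guards" but does not record what script now observes on an orphan ShadowRoot. Per the ShadowRoot.cpp hunks, setInnerHTML sets INVALID_ACCESS_ERR while setApplyAuthorStyles, setResetStyleInheritance and childrenChanged return silently. One sentence stating that difference would tell whoever removes the safety net after bug 88834 which behaviours were temporary.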
Modified: trunk/Source/WebCore/dom/ShadowRoot.cpp (135455 => 135456)
--- trunk/Source/WebCore/dom/ShadowRoot.cpp 2012-11-22 00:28:05 UTC (rev 135455)
+++ trunk/Source/WebCore/dom/ShadowRoot.cpp 2012-11-22 00:44:58 UTC (rev 135456)
@@ -46,6 +46,13 @@
#include "StyleResolver.h"
#include "markup.h"
+// FIXME: This shouldn't happen. https://bugs.webkit.org/show_bug.cgi?id=88834
+#define GuardOrphanShadowRoot(rejectStatement) \
+ if (!this->host()) { \
+ rejectStatement; \
+ return; \
+ }
+
namespace WebCore {
ShadowRoot::ShadowRoot(Document* document)
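Review bot: `GuardOrphanShadowRoot` hides a `return` inside a macro that expands to a bare `if` block, so every function that uses it can exit early with nothing at the call site showing that, and the `;` written after each use leaves a stray empty statement. An explicit `if (!host()) return;` in each function, or a small inline predicate such as a bool-returning helper that the caller tests, keeps the control flow visible and is just as easy to delete once bug 88834 is fixed. If the macro stays, wrapping the body in `do { ... } while (0)` would at least make it behave as a single statement.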
@@ -171,6 +178,8 @@
void ShadowRoot::setInnerHTML(const String& markup, ExceptionCode& ec)
{
+ GuardOrphanShadowRoot(ec = INVALID_ACCESS_ERR);
+
if (RefPtr<DocumentFragment> fragment = createFragmentForInnerOuterHTML(markup, host(), AllowScriptingContent, ec))
replaceChildrenWithFragment(this, fragment.release(), ec);
}
@@ -209,6 +218,8 @@
void ShadowRoot::setApplyAuthorStyles(bool value)
{
+ GuardOrphanShadowRoot({ });
+
if (m_applyAuthorStyles != value) {
m_applyAuthorStyles = value;
host()->setNeedsStyleRecalc();
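Review bot: the guard returns before `m_applyAuthorStyles = value;`, so on an orphan ShadowRoot the setter silently drops the assignment and a later read returns the old value. Only `host()->setNeedsStyleRecalc();` needs a host. Consider storing the value first and guarding just the `host()` dereference, so the flag stays consistent with what script wrote.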
@@ -222,6 +233,8 @@
void ShadowRoot::setResetStyleInheritance(bool value)
{
+ GuardOrphanShadowRoot({ });
+
if (value != m_resetStyleInheritance) {
m_resetStyleInheritance = value;
if (attached() && owner())
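Review bot: in the lines shown, nothing dereferences `host()`; the body updates `m_resetStyleInheritance` and then already checks `attached() && owner()` before going further. The early return therefore mainly suppresses the state update, as in setApplyAuthorStyles. If a `host()` use further down is what needs protecting, place the guard next to that use and let the member assignment proceed.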
@@ -275,6 +288,8 @@
void ShadowRoot::childrenChanged(bool changedByParser, Node* beforeChange, Node* afterChange, int childCountDelta)
{
+ GuardOrphanShadowRoot({ });
+
ContainerNode::childrenChanged(changedByParser, beforeChange, afterChange, childCountDelta);
owner()->invalidateDistribution();
}
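Review bot: the guard tests `host()`, but the dereference in this function is `owner()->invalidateDistribution();`, and the early return also skips `ContainerNode::childrenChanged(...)`. The new layout test appends a span to the orphan root, so the child list does change while the base-class notification is dropped. Calling the base implementation first and then checking the pointer that is actually used, for example `if (!owner()) return;` before `invalidateDistribution()`, would keep the container bookkeeping intact and make the check match the crash site.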
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes