Diff
Modified: trunk/LayoutTests/ChangeLog (146852 => 146853)
--- trunk/LayoutTests/ChangeLog 2013-03-26 06:35:49 UTC (rev 146852)
+++ trunk/LayoutTests/ChangeLog 2013-03-26 06:39:12 UTC (rev 146853)
@@ -1,3 +1,13 @@
+2013-03-22 Hajime Morrita <morr...@google.com>
+
+ Listening touch events on ShadowRoot can crash.
+ https://bugs.webkit.org/show_bug.cgi?id=113035
+
+ Reviewed by Kentaro Hara.
+
+ * fast/dom/shadow/shadow-root-touch-listener-crash-expected.txt: Added.
+ * fast/dom/shadow/shadow-root-touch-listener-crash.html: Added.
+
2013-03-25 James Robinson <jam...@chromium.org>
Update a few more chromium compositor baselines.
Added: trunk/LayoutTests/fast/dom/shadow/shadow-root-touch-listener-crash-expected.txt (0 => 146853)
--- trunk/LayoutTests/fast/dom/shadow/shadow-root-touch-listener-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/dom/shadow/shadow-root-touch-listener-crash-expected.txt 2013-03-26 06:39:12 UTC (rev 146853)
@@ -0,0 +1,10 @@
+Tests to ensure that event dispatching behaves as the Shadow DOM spec describes.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS unless crash
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/fast/dom/shadow/shadow-root-touch-listener-crash.html (0 => 146853)
--- trunk/LayoutTests/fast/dom/shadow/shadow-root-touch-listener-crash.html (rev 0)
+++ trunk/LayoutTests/fast/dom/shadow/shadow-root-touch-listener-crash.html 2013-03-26 06:39:12 UTC (rev 146853)
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script src=""
+<script src=""
+<script src=""
+<div id=target></div>
+<script>
+jsTestIsAsync = true;
+
+function addTouchEventListeners(name)
+{
+ var node = getNodeInShadowTreeStack(name);
+ node.addEventListener('touchstart', recordEvent, false);
+}
+
+target.appendChild(
+ createDOM('div', {'id': 'A'},
+ createShadowRoot()));
+addTouchEventListeners('A/');
+
+setTimeout(function() {
+ target.parentNode.removeChild(target);
+ gc();
+ debug("PASS unless crash");
+ finishJSTest();
+}, 0);
+</script>
+<script src=""
+</body>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (146852 => 146853)
--- trunk/Source/WebCore/ChangeLog 2013-03-26 06:35:49 UTC (rev 146852)
+++ trunk/Source/WebCore/ChangeLog 2013-03-26 06:39:12 UTC (rev 146853)
@@ -1,3 +1,29 @@
+2013-03-22 Hajime Morrita <morr...@google.com>
+
+ Listening touch events on ShadowRoot can crash.
+ https://bugs.webkit.org/show_bug.cgi?id=113035
+
+ Reviewed by Kentaro Hara.
+
+ TreeScope destructor clears a document reference on ShadowRoot but
+ destructors of ContainerNode and Node assumed it being available
+ and tried to access it for some cleanup purposes.
+
+ This change extracts such cleanup to Node::willBeDeletedFrom() and
+ calls it from ShadowRoot dtor before the document reference gets cleared.
+
+ Test: fast/dom/shadow/shadow-root-touch-listener-crash.html
+
+ * dom/ContainerNode.cpp:
+ (WebCore::ContainerNode::~ContainerNode): Adopted willBeDeletedFrom()
+ * dom/Node.cpp:
+ (WebCore::Node::~Node): Adopted willBeDeletedFrom()
+ (WebCore::Node::willBeDeletedFrom): Extracted from Node and ContainerNode
+ (WebCore):
+ * dom/Node.h:
+ * dom/ShadowRoot.cpp:
+ (WebCore::ShadowRoot::~ShadowRoot): Adopted willBeDeletedFrom()
+
2013-03-25 Hajime Morrita <morr...@google.com>
Custom Elements Refactoring: The name V8CustomElement is confusing.
Modified: trunk/Source/WebCore/dom/ContainerNode.cpp (146852 => 146853)
--- trunk/Source/WebCore/dom/ContainerNode.cpp 2013-03-26 06:35:49 UTC (rev 146852)
+++ trunk/Source/WebCore/dom/ContainerNode.cpp 2013-03-26 06:39:12 UTC (rev 146853)
@@ -138,11 +138,8 @@
ContainerNode::~ContainerNode()
{
- if (documentInternal()) {
- if (AXObjectCache* cache = documentInternal()->existingAXObjectCache())
- cache->remove(this);
- }
-
+ if (Document* document = documentInternal())
+ willBeDeletedFrom(document);
removeDetachedChildren();
}
Modified: trunk/Source/WebCore/dom/Node.cpp (146852 => 146853)
--- trunk/Source/WebCore/dom/Node.cpp 2013-03-26 06:35:49 UTC (rev 146852)
+++ trunk/Source/WebCore/dom/Node.cpp 2013-03-26 06:39:12 UTC (rev 146853)
@@ -418,24 +418,14 @@
if (hasRareData())
clearRareData();
- Document* doc = documentInternal();
-
- if (hasEventTargetData()) {
-#if ENABLE(TOUCH_EVENT_TRACKING)
- if (doc)
- doc->didRemoveEventTargetNode(this);
-#endif
- clearEventTargetData();
- }
-
if (renderer())
detach();
- if (doc && !isContainerNode()) {
- if (AXObjectCache* cache = doc->existingAXObjectCache())
- cache->remove(this);
+ if (!isContainerNode()) {
+ if (Document* document = documentInternal())
+ willBeDeletedFrom(document);
}
-
+
if (m_previous)
m_previous->setNextSibling(0);
if (m_next)
@@ -446,6 +436,22 @@
InspectorCounters::decrementCounter(InspectorCounters::NodeCounter);
}
+void Node::willBeDeletedFrom(Document* document)
+{
+ if (hasEventTargetData()) {
+#if ENABLE(TOUCH_EVENT_TRACKING)
+ if (document)
+ document->didRemoveEventTargetNode(this);
+#endif
+ clearEventTargetData();
+ }
+
+ if (document) {
+ if (AXObjectCache* cache = document->existingAXObjectCache())
+ cache->remove(this);
+ }
+}
+
NodeRareData* Node::rareData() const
{
ASSERT(hasRareData());
Modified: trunk/Source/WebCore/dom/Node.h (146852 => 146853)
--- trunk/Source/WebCore/dom/Node.h 2013-03-26 06:35:49 UTC (rev 146852)
+++ trunk/Source/WebCore/dom/Node.h 2013-03-26 06:39:12 UTC (rev 146853)
@@ -176,6 +176,7 @@
static StyleChange diff(const RenderStyle*, const RenderStyle*, Document*);
virtual ~Node();
+ void willBeDeletedFrom(Document*);
// DOM methods & attributes for Node
Modified: trunk/Source/WebCore/dom/ShadowRoot.cpp (146852 => 146853)
--- trunk/Source/WebCore/dom/ShadowRoot.cpp 2013-03-26 06:35:49 UTC (rev 146852)
+++ trunk/Source/WebCore/dom/ShadowRoot.cpp 2013-03-26 06:39:12 UTC (rev 146853)
@@ -77,6 +77,12 @@
ASSERT(!m_prev);
ASSERT(!m_next);
+ // We cannot let ContainerNode destructor call willBeDeletedFrom()
+ // for this ShadowRoot instance because TreeScope destructor
+ // clears Node::m_treeScope thus ContainerNode is no longer able
+ // to access it Document reference after that.
+ willBeDeletedFrom(documentInternal());
+
// We must remove all of our children first before the TreeScope destructor
// runs so we don't go through TreeScopeAdopter for each child with a
// destructed tree scope in each descendant.
