Title: [186421] releases/WebKitGTK/webkit-2.8
Revision
186421
Author
[email protected]
Date
2015-07-07 02:02:35 -0700 (Tue, 07 Jul 2015)

Log Message

Merge r185769 - Various assertion failures occur when executing script in the midst of DOM insertion
https://bugs.webkit.org/show_bug.cgi?id=132482

Reviewed by Darin Adler.

Source/WebCore:

Prior to this change, when an element containing a <script> child was inserted into a document, the script was
executed in ScriptElement::insertedInto(). That script can access nodes that follow it in the newly-inserted
hierarchy but are not yet fully inserted, leading to at least the following problems:

    - The script could remove a node that is not yet marked as in the document.
    - The script could remove a named <map> that has yet to be added to TreeScope::m_imageMapsByName.
    - The script could remove a form control that has yet to be added to FormController::m_formElementsWithState.

These scenarios all result in assertion failures. This change ensures that each node in the newly-inserted
hierarchy is fully inserted before executing any scripts.

Tests: fast/dom/element-removed-while-inserting-parent-crash.html
       fast/dom/named-map-removed-while-inserting-parent-crash.html
       fast/forms/form-control-removed-while-inserting-parent-crash.html
       svg/dom/element-removed-while-inserting-parent-crash.html

* dom/ScriptElement.cpp:
(WebCore::ScriptElement::shouldNotifySubtreeInsertions): Renamed from insertedInto().
Returned true in the case where insertedInto() would've called prepareScript().
(WebCore::ScriptElement::didNotifySubtreeInsertions): Called prepareScript().
(WebCore::ScriptElement::insertedInto): Renamed to shouldNotifySubtreeInsertions().
* dom/ScriptElement.h:
* html/HTMLScriptElement.cpp:
(WebCore::HTMLScriptElement::insertedInto): If shouldNotifySubtreeInsertions() is true, returned InsertionShouldCallDidNotifySubtreeInsertions.
Otherwise, returned InsertionDone.
(WebCore::HTMLScriptElement::didNotifySubtreeInsertions): Called ScriptElement::didNotifySubtreeInsertions().
* html/HTMLScriptElement.h:
* svg/SVGScriptElement.cpp:
(WebCore::SVGScriptElement::insertedInto): Did the same as HTMLScriptElement::insertedInto().
(WebCore::SVGScriptElement::didNotifySubtreeInsertions): Called ScriptElement::didNotifySubtreeInsertions().
* svg/SVGScriptElement.h:

LayoutTests:

Wrote named-map-removed-while-inserting-parent-crash.html by reducing the test case attached to bug 132482.
The remaining tests were taken from blink r132482.

* fast/dom/element-removed-while-inserting-parent-crash-expected.txt: Added.
* fast/dom/element-removed-while-inserting-parent-crash.html: Added.
* fast/dom/named-map-removed-while-inserting-parent-crash-expected.txt: Added.
* fast/dom/named-map-removed-while-inserting-parent-crash.html: Added.
* fast/forms/form-control-removed-while-inserting-parent-crash-expected.txt: Added.
* fast/forms/form-control-removed-while-inserting-parent-crash.html: Added.
* svg/dom/element-removed-while-inserting-parent-crash-expected.txt: Added.
* svg/dom/element-removed-while-inserting-parent-crash.html: Added.

Diff

Modified: releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog (186420 => 186421)


--- releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog	2015-07-07 08:59:48 UTC (rev 186420)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog	2015-07-07 09:02:35 UTC (rev 186421)
@@ -1,3 +1,22 @@
+2015-06-19  Andy Estes  <[email protected]>
+
+        Various assertion failures occur when executing script in the midst of DOM insertion
+        https://bugs.webkit.org/show_bug.cgi?id=132482
+
+        Reviewed by Darin Adler.
+
+        Wrote named-map-removed-while-inserting-parent-crash.html by reducing the test case attached to bug 132482.
+        The remaining tests were taken from blink r132482.
+
+        * fast/dom/element-removed-while-inserting-parent-crash-expected.txt: Added.
+        * fast/dom/element-removed-while-inserting-parent-crash.html: Added.
+        * fast/dom/named-map-removed-while-inserting-parent-crash-expected.txt: Added.
+        * fast/dom/named-map-removed-while-inserting-parent-crash.html: Added.
+        * fast/forms/form-control-removed-while-inserting-parent-crash-expected.txt: Added.
+        * fast/forms/form-control-removed-while-inserting-parent-crash.html: Added.
+        * svg/dom/element-removed-while-inserting-parent-crash-expected.txt: Added.
+        * svg/dom/element-removed-while-inserting-parent-crash.html: Added.
+
 2015-06-17  Simon Fraser  <[email protected]>
 
         REGRESSION (r173283-r173296): Amazon.com front page has no caret in the search field
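Review bot: the Blink revision cited on the line `+        The remaining tests were taken from blink r132482.` carries the same number as the WebKit bug id on the line `+        https://bugs.webkit.org/show_bug.cgi?id=132482` a few lines above; confirm that r132482 is the Blink revision the tests were imported from rather than a copy of the bug number, since this ChangeLog entry is the only record of where those tests came from.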

Added: releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/element-removed-while-inserting-parent-crash-expected.txt (0 => 186421)


--- releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/element-removed-while-inserting-parent-crash-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/element-removed-while-inserting-parent-crash-expected.txt	2015-07-07 09:02:35 UTC (rev 186421)
@@ -0,0 +1 @@
+PASS

Added: releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/element-removed-while-inserting-parent-crash.html (0 => 186421)


--- releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/element-removed-while-inserting-parent-crash.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/element-removed-while-inserting-parent-crash.html	2015-07-07 09:02:35 UTC (rev 186421)
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+var element = document.createElement();
+
+var script = document.createElement('script');
+script.textContent = 'document.currentScript.nextSibling.remove()';
+
+var container = document.createElement('div');
+container.appendChild(script);
+container.appendChild(element);
+
+document.body.appendChild(container);
+document.body.innerHTML = 'PASS';
+</script>
+</body>
+</html>
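Review bot: `var element = document.createElement();` passes no tag name, so the test depends on the missing argument being stringified and an element named "undefined" being created. The test only needs some node to follow the script inside `container`; writing `document.createElement('div')` states that intent and keeps the test valid if argument handling ever becomes stricter.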

Added: releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/named-map-removed-while-inserting-parent-crash-expected.txt (0 => 186421)


--- releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/named-map-removed-while-inserting-parent-crash-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/named-map-removed-while-inserting-parent-crash-expected.txt	2015-07-07 09:02:35 UTC (rev 186421)
@@ -0,0 +1 @@
+PASS

Added: releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/named-map-removed-while-inserting-parent-crash.html (0 => 186421)


--- releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/named-map-removed-while-inserting-parent-crash.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/named-map-removed-while-inserting-parent-crash.html	2015-07-07 09:02:35 UTC (rev 186421)
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+<body>
+
+<!-- Ensures that TreeScope::m_imageMapsByName is created -->
+<map name></map>
+
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+var map = document.createElement('map');
+map.name = 'map';
+
+var script = document.createElement('script');
+script.textContent = 'document.currentScript.parentNode.remove()';
+
+var container = document.createElement('div');
+container.appendChild(script);
+container.appendChild(map);
+
+document.body.appendChild(container);
+document.body.innerHTML = 'PASS';
+</script>
+</body>
+</html>
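Review bot: this script removes its whole container (`script.textContent = 'document.currentScript.parentNode.remove()'`), whereas fast/dom/element-removed-while-inserting-parent-crash.html removes only `nextSibling`. Both reach the ChangeLog's "named <map> that has yet to be added to TreeScope::m_imageMapsByName" case, but a one-line comment saying the parent is removed deliberately, in the style of the existing `<!-- Ensures that TreeScope::m_imageMapsByName is created -->` comment, would stop the two tests from looking inconsistent.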

Added: releases/WebKitGTK/webkit-2.8/LayoutTests/fast/forms/form-control-removed-while-inserting-parent-crash-expected.txt (0 => 186421)


--- releases/WebKitGTK/webkit-2.8/LayoutTests/fast/forms/form-control-removed-while-inserting-parent-crash-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/fast/forms/form-control-removed-while-inserting-parent-crash-expected.txt	2015-07-07 09:02:35 UTC (rev 186421)
@@ -0,0 +1 @@
+PASS

Added: releases/WebKitGTK/webkit-2.8/LayoutTests/fast/forms/form-control-removed-while-inserting-parent-crash.html (0 => 186421)


--- releases/WebKitGTK/webkit-2.8/LayoutTests/fast/forms/form-control-removed-while-inserting-parent-crash.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/fast/forms/form-control-removed-while-inserting-parent-crash.html	2015-07-07 09:02:35 UTC (rev 186421)
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+var input = document.createElement('input');
+
+var script = document.createElement('script');
+script.textContent = 'document.currentScript.parentNode.remove()';
+
+var container = document.createElement('div');
+container.appendChild(script);
+container.appendChild(input);
+
+document.body.appendChild(container);
+document.body.innerHTML = 'PASS';
+</script>
+</body>
+</html>
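Review bot: `var input = document.createElement('input');` sets no `type`, so the test relies on the default (text) input being one whose state FormController tracks, which is the `m_formElementsWithState` case this test is listed against in the ChangeLog. A short comment stating that dependency would keep a later edit from switching the control to a type that registers no state and silently turning the test into a no-op.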

Added: releases/WebKitGTK/webkit-2.8/LayoutTests/svg/dom/element-removed-while-inserting-parent-crash-expected.txt (0 => 186421)


--- releases/WebKitGTK/webkit-2.8/LayoutTests/svg/dom/element-removed-while-inserting-parent-crash-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/svg/dom/element-removed-while-inserting-parent-crash-expected.txt	2015-07-07 09:02:35 UTC (rev 186421)
@@ -0,0 +1 @@
+PASS

Added: releases/WebKitGTK/webkit-2.8/LayoutTests/svg/dom/element-removed-while-inserting-parent-crash.html (0 => 186421)


--- releases/WebKitGTK/webkit-2.8/LayoutTests/svg/dom/element-removed-while-inserting-parent-crash.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/svg/dom/element-removed-while-inserting-parent-crash.html	2015-07-07 09:02:35 UTC (rev 186421)
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+var element = document.createElementNS('http://www.w3.org/2000/svg');
+
+var script = document.createElementNS('http://www.w3.org/2000/svg', 'script');
+script.id = 'script';
+script.textContent = 'document.getElementById(\'script\').nextSibling.remove()'; // document.currentScript doesn't work for SVGScriptElement.
+
+var container = document.createElementNS('http://www.w3.org/2000/svg', 'svg');
+container.appendChild(script);
+container.appendChild(element);
+
+document.body.appendChild(container);
+document.body.innerHTML = 'PASS';
+</script>
+</body>
+</html>
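Review bot: `var element = document.createElementNS('http://www.w3.org/2000/svg');` omits the qualified name, so as in the fast/dom variant the element's local name becomes the stringified missing argument. Passing an explicit name such as `'g'` makes the test's intent clear (any SVG node after the `<script>` will do) and does not depend on that conversion. The `document.currentScript doesn't work for SVGScriptElement` comment on the next line is exactly the kind of note the other tests could use as well.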

Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog (186420 => 186421)


--- releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog	2015-07-07 08:59:48 UTC (rev 186420)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog	2015-07-07 09:02:35 UTC (rev 186421)
@@ -1,3 +1,42 @@
+2015-06-19  Andy Estes  <[email protected]>
+
+        Various assertion failures occur when executing script in the midst of DOM insertion
+        https://bugs.webkit.org/show_bug.cgi?id=132482
+
+        Reviewed by Darin Adler.
+
+        Prior to this change, when an element containing a <script> child was inserted into a document, the script was
+        executed in ScriptElement::insertedInto(). That script can access nodes that follow it in the newly-inserted
+        hierarchy but are not yet fully inserted, leading to at least the following problems:
+
+            - The script could remove a node that is not yet marked as in the document.
+            - The script could remove a named <map> that has yet to be added to TreeScope::m_imageMapsByName.
+            - The script could remove a form control that has yet to be added to FormController::m_formElementsWithState.
+
+        These scenarios all result in assertion failures. This change ensures that each node in the newly-inserted
+        hierarchy is fully inserted before executing any scripts.
+
+        Tests: fast/dom/element-removed-while-inserting-parent-crash.html
+               fast/dom/named-map-removed-while-inserting-parent-crash.html
+               fast/forms/form-control-removed-while-inserting-parent-crash.html
+               svg/dom/element-removed-while-inserting-parent-crash.html
+
+        * dom/ScriptElement.cpp:
+        (WebCore::ScriptElement::shouldNotifySubtreeInsertions): Renamed from insertedInto().
+        Returned true in the case where insertedInto() would've called prepareScript().
+        (WebCore::ScriptElement::didNotifySubtreeInsertions): Called prepareScript().
+        (WebCore::ScriptElement::insertedInto): Renamed to shouldNotifySubtreeInsertions().
+        * dom/ScriptElement.h:
+        * html/HTMLScriptElement.cpp:
+        (WebCore::HTMLScriptElement::insertedInto): If shouldNotifySubtreeInsertions() is true, returned InsertionShouldCallDidNotifySubtreeInsertions.
+        Otherwise, returned InsertionDone.
+        (WebCore::HTMLScriptElement::didNotifySubtreeInsertions): Called ScriptElement::didNotifySubtreeInsertions().
+        * html/HTMLScriptElement.h:
+        * svg/SVGScriptElement.cpp:
+        (WebCore::SVGScriptElement::insertedInto): Did the same as HTMLScriptElement::insertedInto().
+        (WebCore::SVGScriptElement::didNotifySubtreeInsertions): Called ScriptElement::didNotifySubtreeInsertions().
+        * svg/SVGScriptElement.h:
+
 2015-06-19  Brent Fulgham  <[email protected]>
 
         Follow-up fix to r185766.
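Review bot: the entry explains why `prepareScript()` moves from `insertedInto()` to `didNotifySubtreeInsertions()` but does not say what happens when the notified `<script>` element has itself left the document before that later callback runs (for example because an earlier script in the same inserted subtree removed their common parent, which is exactly what the new named-map and form-control tests do). One sentence describing how that case is handled, under `(WebCore::ScriptElement::didNotifySubtreeInsertions): Called prepareScript().`, would close the obvious question a reader of this ChangeLog will have.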

Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/dom/ScriptElement.cpp (186420 => 186421)


--- releases/WebKitGTK/webkit-2.8/Source/WebCore/dom/ScriptElement.cpp	2015-07-07 08:59:48 UTC (rev 186420)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/dom/ScriptElement.cpp	2015-07-07 09:02:35 UTC (rev 186421)
@@ -79,12 +79,17 @@
     stopLoadRequest();
 }
 
-void ScriptElement::insertedInto(ContainerNode& insertionPoint)
+bool ScriptElement::shouldNotifySubtreeInsertions(ContainerNode& insertionPoint)
 {
-    if (insertionPoint.inDocument() && !m_parserInserted)
-        prepareScript(); // FIXME: Provide a real starting line number here.
+    return insertionPoint.inDocument() && !m_parserInserted;
 }
 
+void ScriptElement::didNotifySubtreeInsertions()
+{
+    ASSERT(!m_parserInserted);
+    prepareScript(); // FIXME: Provide a real starting line number here.
+}
+
 void ScriptElement::childrenChanged()
 {
     if (!m_parserInserted && m_element.inDocument())
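Review bot: `didNotifySubtreeInsertions()` asserts `!m_parserInserted` but drops the `inDocument()` condition that guarded `prepareScript()` in the removed `insertedInto()`. That condition now runs earlier, in `shouldNotifySubtreeInsertions()`, and because the notification is deferred until the whole subtree is inserted, a script earlier in the same subtree can remove this element from the document in between. Either re-check `m_element.inDocument()` here before calling `prepareScript()`, mirroring the check in `childrenChanged()` just below, or add a comment stating that `prepareScript()` is expected to handle an element that is no longer in the document.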

Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/dom/ScriptElement.h (186420 => 186421)


--- releases/WebKitGTK/webkit-2.8/Source/WebCore/dom/ScriptElement.h	2015-07-07 08:59:48 UTC (rev 186420)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/dom/ScriptElement.h	2015-07-07 09:02:35 UTC (rev 186421)
@@ -69,7 +69,8 @@
     bool forceAsync() const { return m_forceAsync; }
 
     // Helper functions used by our parent classes.
-    void insertedInto(ContainerNode&);
+    bool shouldNotifySubtreeInsertions(ContainerNode&);
+    void didNotifySubtreeInsertions();
     void childrenChanged();
     void handleSourceAttribute(const String& sourceUrl);
     void handleAsyncAttribute();
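Review bot: the pre-existing comment `// Helper functions used by our parent classes.` now heads the two new entry points and reads backwards, since HTMLScriptElement and SVGScriptElement derive from ScriptElement and are the callers. While touching this block, change it to "derived classes" and add a line saying that `shouldNotifySubtreeInsertions()` is to be called from the subclass's `insertedInto()` to choose the InsertionNotificationRequest, and that `didNotifySubtreeInsertions()` is where the script is actually prepared; the split is not obvious from the declarations alone.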

Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/html/HTMLScriptElement.cpp (186420 => 186421)


--- releases/WebKitGTK/webkit-2.8/Source/WebCore/html/HTMLScriptElement.cpp	2015-07-07 08:59:48 UTC (rev 186420)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/html/HTMLScriptElement.cpp	2015-07-07 09:02:35 UTC (rev 186421)
@@ -73,10 +73,14 @@
 Node::InsertionNotificationRequest HTMLScriptElement::insertedInto(ContainerNode& insertionPoint)
 {
     HTMLElement::insertedInto(insertionPoint);
-    ScriptElement::insertedInto(insertionPoint);
-    return InsertionDone;
+    return shouldNotifySubtreeInsertions(insertionPoint) ? InsertionShouldCallDidNotifySubtreeInsertions : InsertionDone;
 }
 
+void HTMLScriptElement::didNotifySubtreeInsertions()
+{
+    ScriptElement::didNotifySubtreeInsertions();
+}
+
 void HTMLScriptElement::setText(const String &value)
 {
     Ref<HTMLScriptElement> protectFromMutationEvents(*this);
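Review bot: `HTMLScriptElement::didNotifySubtreeInsertions()` forwards only to `ScriptElement::didNotifySubtreeInsertions()` and, unlike `insertedInto()` a few lines above, which calls `HTMLElement::insertedInto(insertionPoint)` first, does not chain to the HTMLElement implementation of the same virtual. If skipping the base is intentional because it does nothing, a comment saying so prevents a later reader from "fixing" the asymmetry; otherwise add the call for consistency with `insertedInto()`.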

Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/html/HTMLScriptElement.h (186420 => 186421)


--- releases/WebKitGTK/webkit-2.8/Source/WebCore/html/HTMLScriptElement.h	2015-07-07 08:59:48 UTC (rev 186420)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/html/HTMLScriptElement.h	2015-07-07 09:02:35 UTC (rev 186421)
@@ -46,6 +46,7 @@
 
     virtual void parseAttribute(const QualifiedName&, const AtomicString&) override;
     virtual InsertionNotificationRequest insertedInto(ContainerNode&) override;
+    virtual void didNotifySubtreeInsertions() override;
     virtual void childrenChanged(const ChildChange&) override;
 
     virtual bool isURLAttribute(const Attribute&) const override;

Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/svg/SVGScriptElement.cpp (186420 => 186421)


--- releases/WebKitGTK/webkit-2.8/Source/WebCore/svg/SVGScriptElement.cpp	2015-07-07 08:59:48 UTC (rev 186420)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/svg/SVGScriptElement.cpp	2015-07-07 09:02:35 UTC (rev 186421)
@@ -116,12 +116,16 @@
 Node::InsertionNotificationRequest SVGScriptElement::insertedInto(ContainerNode& rootParent)
 {
     SVGElement::insertedInto(rootParent);
-    ScriptElement::insertedInto(rootParent);
     if (rootParent.inDocument())
         SVGExternalResourcesRequired::insertedIntoDocument(this);
-    return InsertionDone;
+    return shouldNotifySubtreeInsertions(rootParent) ? InsertionShouldCallDidNotifySubtreeInsertions : InsertionDone;
 }
 
+void SVGScriptElement::didNotifySubtreeInsertions()
+{
+    ScriptElement::didNotifySubtreeInsertions();
+}
+
 void SVGScriptElement::childrenChanged(const ChildChange& change)
 {
     SVGElement::childrenChanged(change);
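Review bot: removing `ScriptElement::insertedInto(rootParent);` from before the `SVGExternalResourcesRequired::insertedIntoDocument(this)` call changes relative order: the script used to be prepared before the external-resources bookkeeping ran, and now runs after it (and after the rest of the subtree is inserted). That is the intended effect of the patch, but the ChangeLog entry for this function only says "Did the same as HTMLScriptElement::insertedInto()"; a sentence noting the reordering would help anyone later bisecting an SVG externalResourcesRequired regression to this revision.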

Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/svg/SVGScriptElement.h (186420 => 186421)


--- releases/WebKitGTK/webkit-2.8/Source/WebCore/svg/SVGScriptElement.h	2015-07-07 08:59:48 UTC (rev 186420)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/svg/SVGScriptElement.h	2015-07-07 09:02:35 UTC (rev 186421)
@@ -43,6 +43,7 @@
     bool isSupportedAttribute(const QualifiedName&);
     virtual void parseAttribute(const QualifiedName&, const AtomicString&) override;
     virtual InsertionNotificationRequest insertedInto(ContainerNode&) override;
+    virtual void didNotifySubtreeInsertions() override;
     virtual void childrenChanged(const ChildChange&) override;
 
     virtual void svgAttributeChanged(const QualifiedName&) override;
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
