Changeset 212647 in webkit


Ignore:
Timestamp:
Feb 20, 2017 9:29:20 AM (7 years ago)
Author:
matthew_hanson@apple.com
Message:

Merge r212621. rdar://problem/30563318

Location:
branches/safari-603-branch
Files:
6 added
6 edited

Legend:

Unmodified
Added
Removed

  • branches/safari-603-branch/LayoutTests/ChangeLog

    r212645 r212647  
     12017-02-20  Matthew Hanson  <matthew_hanson@apple.com>
     2
     3        Merge r212621. rdar://problem/30563318
     4
     5    2017-02-18  Ryosuke Niwa  <rniwa@webkit.org>
     6
     7            REGRESSION(r212218): Assertion failures in and after parserRemoveChild
     8            https://bugs.webkit.org/show_bug.cgi?id=168458
     9
     10            Reviewed by Antti Koivisto.
     11
     12            Add tests to make sure parserAppendChild aren't called when a node removed by parserRemoveChild
     13            had already been been inserted elsewhere by scripts.
     14
     15            * fast/parser/adoption-agency-unload-iframe-3-expected.txt: Added.
     16            * fast/parser/adoption-agency-unload-iframe-3.html: Added.
     17            * fast/parser/adoption-agency-unload-iframe-4-expected.txt: Added.
     18            * fast/parser/adoption-agency-unload-iframe-4.html: Added.
     19            * fast/parser/xml-error-unload-iframe-expected.txt: Added.
     20            * fast/parser/xml-error-unload-iframe.html: Added.
     21
    1222017-02-20  Matthew Hanson  <matthew_hanson@apple.com>
    223

  • branches/safari-603-branch/Source/WebCore/ChangeLog

    r212645 r212647  
     12017-02-20  Matthew Hanson  <matthew_hanson@apple.com>
     2
     3        Merge r212621. rdar://problem/30563318
     4
     5    2017-02-18  Ryosuke Niwa  <rniwa@webkit.org>
     6
     7            REGRESSION(r212218): Assertion failures in and after parserRemoveChild
     8            https://bugs.webkit.org/show_bug.cgi?id=168458
     9
     10            Reviewed by Antti Koivisto.
     11
     12            The bug was caused by parserRemoveChild not preceeding to remove oldChild even when
     13            oldChild had been inserted elsewhere during unload evnets of the disconnected frames.
     14            Fixed the bug by checking this condition and exiting early.
     15
     16            Also fixed various callers of parserRemoveChild to not call parserAppendChild when
     17            the removed node had already been inserted elsewhere by scripts.
     18
     19            Tests: fast/parser/adoption-agency-unload-iframe-3.html
     20                   fast/parser/adoption-agency-unload-iframe-4.html
     21                   fast/parser/xml-error-unload-iframe.html
     22
     23            * dom/ContainerNode.cpp:
     24            (WebCore::ContainerNode::parserRemoveChild): Exit early when the node had been
     25            inserted elsewhere while firing unload events. Also moved the call to
     26            notifyRemovePendingSheetIfNeeded outside NoEventDispatchAssertion since it can
     27            synchrnously fire a focus event.
     28            (WebCore::ContainerNode::parserAppendChild): Moved adoptNode call to inside
     29            NoEventDispatchAssertion since adoptNode call here should never mutate DOM.
     30            * html/parser/HTMLConstructionSite.cpp:
     31            (WebCore::executeReparentTask): Added an early exit when the node had already been
     32            inserted elsewhere.
     33            (WebCore::executeInsertAlreadyParsedChildTask): Ditto.
     34            * xml/XMLErrors.cpp:
     35            (WebCore::XMLErrors::insertErrorMessageBlock): Ditto.
     36            * xml/parser/XMLDocumentParser.cpp:
     37            (WebCore::XMLDocumentParser::end): Fixed a crash unveiled by one of the test cases.
     38            Exit early when insertErrorMessageBlock detached the parser (by author scripts).
     39            (WebCore::XMLDocumentParser::finish): Keep the parser alive until we exit.
     40
    1412017-02-20  Matthew Hanson  <matthew_hanson@apple.com>
    242

  • branches/safari-603-branch/Source/WebCore/dom/ContainerNode.cpp

    r212600 r212647  
    599599{
    600600    disconnectSubframesIfNeeded(*this, DescendantsOnly);
    601 
    602     NoEventDispatchAssertion assertNoEventDispatch;
    603 
    604     document().nodeChildrenWillBeRemoved(*this);
    605 
    606     ASSERT(oldChild.parentNode() == this);
    607     ASSERT(!oldChild.isDocumentFragment());
    608 
    609     Node* prev = oldChild.previousSibling();
    610     Node* next = oldChild.nextSibling();
    611 
    612     ChildListMutationScope(*this).willRemoveChild(oldChild);
    613     oldChild.notifyMutationObserversNodeWillDetach();
    614 
    615     removeBetween(prev, next, oldChild);
    616 
    617     notifyChildRemoved(oldChild, prev, next, ChildChangeSourceParser);
    618     document().notifyRemovePendingSheetIfNeeded();
     601    if (oldChild.parentNode() != this)
     602        return;
     603
     604    {
     605        NoEventDispatchAssertion assertNoEventDispatch;
     606
     607        document().nodeChildrenWillBeRemoved(*this);
     608
     609        ASSERT(oldChild.parentNode() == this);
     610        ASSERT(!oldChild.isDocumentFragment());
     611
     612        Node* prev = oldChild.previousSibling();
     613        Node* next = oldChild.nextSibling();
     614
     615        ChildListMutationScope(*this).willRemoveChild(oldChild);
     616        oldChild.notifyMutationObserversNodeWillDetach();
     617
     618        removeBetween(prev, next, oldChild);
     619
     620        notifyChildRemoved(oldChild, prev, next, ChildChangeSourceParser);
     621        document().notifyRemovePendingSheetIfNeeded();
     622    }
    619623}
    620624
     
    720724    ASSERT(!hasTagName(HTMLNames::templateTag));
    721725
    722     if (&document() != &newChild.document())
    723         document().adoptNode(newChild);
    724 
    725726    {
    726727        NoEventDispatchAssertion assertNoEventDispatch;
     728
     729        if (&document() != &newChild.document())
     730            document().adoptNode(newChild);
     731
    727732        appendChildCommon(newChild);
    728733        treeScope().adoptIfNeeded(newChild);

  • branches/safari-603-branch/Source/WebCore/html/parser/HTMLConstructionSite.cpp

    r212598 r212647  
    134134        parent->parserRemoveChild(*task.child);
    135135
     136    if (task.child->parentNode())
     137        return;
     138
    136139    task.parent->parserAppendChild(*task.child);
    137140}
     
    140143{
    141144    ASSERT(task.operation == HTMLConstructionSiteTask::InsertAlreadyParsedChild);
     145
     146    if (task.child->parentNode())
     147        return;
    142148
    143149    insert(task);

  • branches/safari-603-branch/Source/WebCore/xml/XMLErrors.cpp

    r209627 r212647  
    141141
    142142        m_document.parserRemoveChild(*documentElement);
     143        if (!documentElement->parentNode())
     144            body->parserAppendChild(*documentElement);
    143145
    144         body->parserAppendChild(*documentElement);
    145146        m_document.parserAppendChild(rootElement);
    146147

  • branches/safari-603-branch/Source/WebCore/xml/parser/XMLDocumentParser.cpp

    r209129 r212647  
    196196        return;
    197197
    198     if (m_sawError)
     198    if (m_sawError) {
    199199        insertErrorMessageBlock();
    200     else {
     200        if (isDetached()) // Inserting an error message may have ran arbitrary scripts.
     201            return;
     202    } else {
    201203        updateLeafTextNode();
    202204        document()->styleScope().didChangeStyleSheetEnvironment();
     
    215217    // makes sense to call any methods on DocumentParser once it's been stopped.
    216218    // However, FrameLoader::stop calls DocumentParser::finish unconditionally.
     219
     220    Ref<XMLDocumentParser> protectedThis(*this);
    217221
    218222    if (m_parserPaused)
Note: See TracChangeset for help on using the changeset viewer.