Changeset 140452 in webkit

Timestamp:

Jan 22, 2013, 12:57:32 PM (13 years ago)

Author:

esprehn@chromium.org

Message:

Assertion parent->inDocument() failed in WebCore::PseudoElement::PseudoElement
​https://bugs.webkit.org/show_bug.cgi?id=106224

Reviewed by Ojan Vafai.

Appending a node that contains a <style> and also elements that should have
generated content can cause us to create PseudoElements in nodes that are not
yet inDocument because we may recalcStyle in HTMLStyleElement::insertedInto
triggering a reattach() which could then traverse into the siblings of the
<style> attaching them even though they are not yet inDocument.

This means that we should not assert about the parent of a PseudoElement
being inDocument as this is not always the case.

Instead forward Node::insertedInto and removedFrom notifications to
PseudoElements so they will correctly get their inDocument bit set. Nothing
in the code appears to depend on them being inDocument we just make sure to
set it so they're consistent with the rest of the document.

No new tests, there's no way to test that PseudoElements are really inDocument.

• dom/Element.cpp:

(WebCore::Element::insertedInto):
(WebCore::Element::removedFrom):

• dom/PseudoElement.cpp:

(WebCore::PseudoElement::PseudoElement):

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• dom/Element.cpp (modified) (2 diffs)
• dom/PseudoElement.cpp (modified) (1 diff)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2013-01-22  Elliott Sprehn  <esprehn@chromium.org>
+
+        Assertion parent->inDocument() failed in WebCore::PseudoElement::PseudoElement
+        https://bugs.webkit.org/show_bug.cgi?id=106224
+
+        Reviewed by Ojan Vafai.
+
+        Appending a node that contains a <style> and also elements that should have
+        generated content can cause us to create PseudoElements in nodes that are not
+        yet inDocument because we may recalcStyle in HTMLStyleElement::insertedInto
+        triggering a reattach() which could then traverse into the siblings of the
+        <style> attaching them even though they are not yet inDocument.
+
+        This means that we should not assert about the parent of a PseudoElement
+        being inDocument as this is not always the case.
+
+        Instead forward Node::insertedInto and removedFrom notifications to
+        PseudoElements so they will correctly get their inDocument bit set. Nothing
+        in the code appears to depend on them being inDocument we just make sure to
+        set it so they're consistent with the rest of the document.
+
+        No new tests, there's no way to test that PseudoElements are really inDocument.
+
+        * dom/Element.cpp:
+        (WebCore::Element::insertedInto):
+        (WebCore::Element::removedFrom):
+        * dom/PseudoElement.cpp:
+        (WebCore::PseudoElement::PseudoElement):
+
 2013-01-22  Alexis Menard  <alexis@webkit.org>
 

trunk/Source/WebCore/dom/Element.cpp

@@ -1139 +1139 @@
 #endif
 
+    if (Element* before = pseudoElement(BEFORE))
+        before->insertedInto(insertionPoint);
+
+    if (Element* after = pseudoElement(AFTER))
+        after->insertedInto(insertionPoint);
+
     if (!insertionPoint->isInTreeScope())
         return InsertionDone;
@@ -1170 +1176 @@
     bool wasInDocument = insertionPoint->document();
 #endif
+
+    if (Element* before = pseudoElement(BEFORE))
+        before->removedFrom(insertionPoint);
+
+    if (Element* after = pseudoElement(AFTER))
+        after->removedFrom(insertionPoint);
 
 #if ENABLE(DIALOG_ELEMENT)

trunk/Source/WebCore/dom/PseudoElement.cpp

@@ -45 +45 @@
 {
     ASSERT(pseudoId != NOPSEUDO);
-    ASSERT(parent->inDocument());
     setParentOrHostNode(parent);
     setHasCustomCallbacks();