Changeset 121162 in webkit

Timestamp:

Jun 25, 2012 9:59:25 AM (12 years ago)

Author:

shinyak@chromium.org

Message:

[Shadow] Executing Italic and InsertUnorderedList in Shadow DOM causes a crash
​https://bugs.webkit.org/show_bug.cgi?id=88495

Reviewed by Ryosuke Niwa.

Source/WebCore:

InsertionPoint::removedFrom(insertionPoint) tries to find its owner ElementShadow from
parentNode or insertionPoint. If the parent node exsits but we cannot reach ElementShadow from
the parent node, InsertionPoint::removedFrom does not try to find ElementShadow anymore.

It's OK if the ElementShadow is being destructed, but there is a case ElementShadow is not being
destructed in editing. In this case, we should try to find ElementShadow from insertionPoint.
Otherwise it will bring inconsistency to Shadow DOM, and causes a crash.

Actually checking the existence of parentNode() does not make any sense. We should get
shadowRoot() directly.

Test: editing/shadow/insertorderedlist-crash.html

• html/shadow/InsertionPoint.cpp:

(WebCore::InsertionPoint::removedFrom):

LayoutTests:

• editing/shadow/insertorderedlist-crash-expected.txt: Added.
• editing/shadow/insertorderedlist-crash.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/editing/shadow/insertorderedlist-crash-expected.txt (added)
• LayoutTests/editing/shadow/insertorderedlist-crash.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/html/shadow/InsertionPoint.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-06-25  Shinya Kawanaka  <shinyak@chromium.org>
+
+        [Shadow] Executing Italic and InsertUnorderedList in Shadow DOM causes a crash
+        https://bugs.webkit.org/show_bug.cgi?id=88495
+
+        Reviewed by Ryosuke Niwa.
+
+        * editing/shadow/insertorderedlist-crash-expected.txt: Added.
+        * editing/shadow/insertorderedlist-crash.html: Added.
+
 2012-06-25  Allan Sandfeld Jensen  <allan.jensen@nokia.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-06-25  Shinya Kawanaka  <shinyak@chromium.org>
+
+        [Shadow] Executing Italic and InsertUnorderedList in Shadow DOM causes a crash
+        https://bugs.webkit.org/show_bug.cgi?id=88495
+
+        Reviewed by Ryosuke Niwa.
+
+        InsertionPoint::removedFrom(insertionPoint) tries to find its owner ElementShadow from
+        parentNode or insertionPoint. If the parent node exsits but we cannot reach ElementShadow from
+        the parent node, InsertionPoint::removedFrom does not try to find ElementShadow anymore.
+
+        It's OK if the ElementShadow is being destructed, but there is a case ElementShadow is not being
+        destructed in editing. In this case, we should try to find ElementShadow from insertionPoint.
+        Otherwise it will bring inconsistency to Shadow DOM, and causes a crash.
+
+        Actually checking the existence of parentNode() does not make any sense. We should get
+        shadowRoot() directly.
+
+        Test: editing/shadow/insertorderedlist-crash.html
+
+        * html/shadow/InsertionPoint.cpp:
+        (WebCore::InsertionPoint::removedFrom):
+
 2012-06-25  Kinuko Yasuda  <kinuko@chromium.org>
 

trunk/Source/WebCore/html/shadow/InsertionPoint.cpp

@@ -129 +129 @@
 {
     if (insertionPoint->inDocument()) {
-        Node* parent = parentNode();
-        if (!parent)
-            parent = insertionPoint;
-        if (ShadowRoot* root = parent->shadowRoot()) {
-            // host can be null when removedFrom() is called from ElementShadow destructor.
-            if (root->host())
-                root->owner()->invalidateDistribution();
-        }
+        ShadowRoot* root = shadowRoot();
+        if (!root)
+            root = insertionPoint->shadowRoot();
+
+        // host can be null when removedFrom() is called from ElementShadow destructor.
+        if (root && root->host())
+            root->owner()->invalidateDistribution();
 
         // Since this insertion point is no longer visible from the shadow subtree, it need to clean itself up.