Changeset 138923 in webkit


Ignore:
Timestamp:
Jan 6, 2013 10:10:27 PM (11 years ago)
Author:
tasak@google.com
Message:

[Shadow DOM]: crash in WebCore::ElementShadow::setValidityUndetermined
https://bugs.webkit.org/show_bug.cgi?id=106203

Reviewed by Hajime Morita.

InsertionPoint should check whether ElementShadow is available or not
before invoking its methods.

No new tests. Webcomponents_fuzzer reported this bug. Would like to
use the fuzzer to check this issue.

  • html/shadow/InsertionPoint.cpp:

(WebCore::InsertionPoint::getDistributedNodes):
(WebCore::InsertionPoint::childrenChanged):
(WebCore::InsertionPoint::insertedInto):
Added ifs to check whether ElementShadow is available or not before
invoking ElementShadow's methods, i.e. setValidityUndetermined,
invalidateDistribution, and ensureDistributionDocument.

Location:
trunk/Source/WebCore
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/WebCore/ChangeLog

    r138922 r138923  
     12013-01-06  Takashi Sakamoto  <tasak@google.com>
     2
     3        [Shadow DOM]: crash in WebCore::ElementShadow::setValidityUndetermined
     4        https://bugs.webkit.org/show_bug.cgi?id=106203
     5
     6        Reviewed by Hajime Morita.
     7
     8        InsertionPoint should check whether ElementShadow is available or not
     9        before invoking its methods.
     10
     11        No new tests. Webcomponents_fuzzer reported this bug. Would like to
     12        use the fuzzer to check this issue.
     13
     14        * html/shadow/InsertionPoint.cpp:
     15        (WebCore::InsertionPoint::getDistributedNodes):
     16        (WebCore::InsertionPoint::childrenChanged):
     17        (WebCore::InsertionPoint::insertedInto):
     18        Added ifs to check whether ElementShadow is available or not before
     19        invoking ElementShadow's methods, i.e. setValidityUndetermined,
     20        invalidateDistribution, and ensureDistributionDocument.
     21
    1222013-01-06  Shinya Kawanaka  <shinyak@chromium.org>
    223

  • trunk/Source/WebCore/html/shadow/InsertionPoint.cpp

    r137552 r138923  
    100100PassRefPtr<NodeList> InsertionPoint::getDistributedNodes() const
    101101{
    102     if (treeScope()->rootNode()->isShadowRoot())
    103         toShadowRoot(treeScope()->rootNode())->owner()->ensureDistributionFromDocument();
     102    ContainerNode* rootNode = treeScope()->rootNode();
     103    if (rootNode->isShadowRoot())
     104        if (ElementShadow* rootOwner = toShadowRoot(rootNode)->owner())
     105            rootOwner->ensureDistributionFromDocument();
    104106
    105107    Vector<RefPtr<Node> > nodes;
     
    120122    HTMLElement::childrenChanged(changedByParser, beforeChange, afterChange, childCountDelta);
    121123    if (ShadowRoot* root = containingShadowRoot())
    122         root->owner()->invalidateDistribution();
     124        if (ElementShadow* rootOwner = root->owner())
     125            rootOwner->invalidateDistribution();
    123126}
    124127
     
    128131
    129132    if (ShadowRoot* root = containingShadowRoot()) {
    130         root->owner()->setValidityUndetermined();
    131         root->owner()->invalidateDistribution();
    132         if (isActive() && !m_registeredWithShadowRoot && insertionPoint->treeScope()->rootNode() == root) {
    133             m_registeredWithShadowRoot = true;
    134             root->registerInsertionPoint(this);
     133        if (ElementShadow* rootOwner = root->owner()) {
     134            rootOwner->setValidityUndetermined();
     135            rootOwner->invalidateDistribution();
     136            if (isActive() && !m_registeredWithShadowRoot && insertionPoint->treeScope()->rootNode() == root) {
     137                m_registeredWithShadowRoot = true;
     138                root->registerInsertionPoint(this);
     139            }
    135140        }
    136141    }
    137 
    138142
    139143    return InsertionDone;
Note: See TracChangeset for help on using the changeset viewer.