Changeset 149881 in webkit

Timestamp:

May 10, 2013 9:38:21 AM (11 years ago)

Author:

rniwa@webkit.org

Message:

REGRESSION (r149652): Videos do not play on cnn.com, just black box
​https://bugs.webkit.org/show_bug.cgi?id=115887

Reviewed by Antti Koivisto.

Source/WebCore:

The bug was caused by window and document named item maps counting the same element twice
when it has the same id and name attribute values. Fixed the bug by avoiding to add or remove
an element per id and name attribute updates when it had already been added or removed by
name and id attribute updates respectively.

We do this by checking whether the other attribute affects the element's precense in window
and document named item maps and avoiding to add or remove the attribute when they do and
the other attribute is present in updateId and updateName.

Consider a scenario when an object element has id "foo", and name attribute is about to be also
set to "foo". If the id attribute doesn't affect element's presense in window or document
named item maps, we're done. If it does, then the maps already have this element so we don't
want to add it again. Conversely, if the element already has id and name attributes set to
"foo", and we're moving the id attribute, then we want to remove the element from the maps only
if the id doesn't affect the presence of the element in the maps.

Unfortuntely, this logic doesn't work when we're inserting or removing an element on its entirely
because updateId and updateName are called when both id and name attributes are present so skip
this step (AlwaysUpdateHTMLDocumentNamedItemMaps) for the id attribute to break the symmetry.

Test: fast/dom/HTMLDocument/image-with-same-id-and-name.html

fast/dom/HTMLDocument/object-with-same-id-and-name.html

• dom/Element.cpp:

(WebCore::Element::insertedInto): Call updateId and updateName with
AlwaysUpdateHTMLDocumentNamedItemMaps.
(WebCore::Element::removedFrom): Ditto.
(WebCore::Element::updateName): Don't add or remove this element if the id attribute has already
done so except when we're inserting, removing, or cloning an element.
(WebCore::Element::updateId): Ditto for the name attribute.
(WebCore::Element::cloneAttributesFromElement): Added a comment and assert that we never call this
function when this element is in the document. We can't update window and documemt named item
maps here because image element's id attribute value, for example, is present in the document's
named item map if it has a name attribute. Since this function calls updateId and updateName
before updating attributes, this check is going to fail in DocumentNameCollection's
nodeMatchesIfIdAttributeMatch and bad things will happen.

• dom/Element.h:

• editing/ReplaceNodeWithSpanCommand.cpp:

(WebCore::swapInNodePreservingAttributesAndChildren): Clone children and attributes before
inserting the swapped span to avoid hitting the assertion in cloneAttributesFromElement we added.

• html/HTMLImageElement.cpp:

(WebCore::HTMLImageElement::parseAttribute):

• html/HTMLObjectElement.cpp:

(WebCore::HTMLObjectElement::updateDocNamedItem):

LayoutTests:

Add regression tests.

• fast/dom/HTMLDocument/image-with-same-id-and-name-expected.txt: Added.
• fast/dom/HTMLDocument/image-with-same-id-and-name.html: Added.
• fast/dom/HTMLDocument/object-with-same-id-and-name-expected.txt: Added.
• fast/dom/HTMLDocument/object-with-same-id-and-name.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/dom/HTMLDocument/object-with-same-id-and-name-expected.txt (added)
• LayoutTests/fast/dom/HTMLDocument/object-with-same-id-and-name.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/dom/Element.cpp (modified) (6 diffs)
• Source/WebCore/dom/Element.h (modified) (1 diff)
• Source/WebCore/editing/ReplaceNodeWithSpanCommand.cpp (modified) (2 diffs)
• Source/WebCore/html/HTMLImageElement.cpp (modified) (1 diff)
• Source/WebCore/html/HTMLObjectElement.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2013-05-10  Ryosuke Niwa  <rniwa@webkit.org>
+
+        REGRESSION (r149652): Videos do not play on cnn.com, just black box
+        https://bugs.webkit.org/show_bug.cgi?id=115887
+
+        Reviewed by Antti Koivisto.
+
+        Add regression tests.
+
+        * fast/dom/HTMLDocument/image-with-same-id-and-name-expected.txt: Added.
+        * fast/dom/HTMLDocument/image-with-same-id-and-name.html: Added.
+        * fast/dom/HTMLDocument/object-with-same-id-and-name-expected.txt: Added.
+        * fast/dom/HTMLDocument/object-with-same-id-and-name.html: Added.
+
 2013-05-10  Christophe Dumez  <ch.dumez@sisa.samsung.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2013-05-10  Ryosuke Niwa  <rniwa@webkit.org>
+
+        REGRESSION (r149652): Videos do not play on cnn.com, just black box
+        https://bugs.webkit.org/show_bug.cgi?id=115887
+
+        Reviewed by Antti Koivisto.
+
+        The bug was caused by window and document named item maps counting the same element twice
+        when it has the same id and name attribute values. Fixed the bug by avoiding to add or remove
+        an element per id and name attribute updates when it had already been added or removed by
+        name and id attribute updates respectively.
+
+        We do this by checking whether the other attribute affects the element's precense in window
+        and document named item maps and avoiding to add or remove the attribute when they do and
+        the other attribute is present in updateId and updateName.
+
+        Consider a scenario when an object element has id "foo", and name attribute is about to be also
+        set to "foo". If the id attribute doesn't affect element's presense in window or document
+        named item maps, we're done. If it does, then the maps already have this element so we don't
+        want to add it again. Conversely, if the element already has id and name attributes set to
+        "foo", and we're moving the id attribute, then we want to remove the element from the maps only
+        if the id doesn't affect the presence of the element in the maps.
+
+        Unfortuntely, this logic doesn't work when we're inserting or removing an element on its entirely
+        because updateId and updateName are called when both id and name attributes are present so skip
+        this step (AlwaysUpdateHTMLDocumentNamedItemMaps) for the id attribute to break the symmetry.
+
+        Test: fast/dom/HTMLDocument/image-with-same-id-and-name.html
+              fast/dom/HTMLDocument/object-with-same-id-and-name.html
+
+        * dom/Element.cpp:
+        (WebCore::Element::insertedInto): Call updateId and updateName with
+        AlwaysUpdateHTMLDocumentNamedItemMaps.
+        (WebCore::Element::removedFrom): Ditto.
+        (WebCore::Element::updateName): Don't add or remove this element if the id attribute has already
+        done so except when we're inserting, removing, or cloning an element.
+        (WebCore::Element::updateId): Ditto for the name attribute.
+        (WebCore::Element::cloneAttributesFromElement): Added a comment and assert that we never call this
+        function when this element is in the document. We can't update window and documemt named item
+        maps here because image element's id attribute value, for example, is present in the document's
+        named item map if it has a name attribute. Since this function calls updateId and updateName
+        before updating attributes, this check is going to fail in DocumentNameCollection's
+        nodeMatchesIfIdAttributeMatch and bad things will happen.
+
+        * dom/Element.h:
+
+        * editing/ReplaceNodeWithSpanCommand.cpp:
+        (WebCore::swapInNodePreservingAttributesAndChildren): Clone children and attributes before
+        inserting the swapped span to avoid hitting the assertion in cloneAttributesFromElement we added.
+
+        * html/HTMLImageElement.cpp:
+        (WebCore::HTMLImageElement::parseAttribute):
+
+        * html/HTMLObjectElement.cpp:
+        (WebCore::HTMLObjectElement::updateDocNamedItem):
+
 2013-05-09  Dean Jackson  <dino@apple.com>
 

trunk/Source/WebCore/dom/Element.cpp

@@ -1178 +1178 @@
     const AtomicString& idValue = getIdAttribute();
     if (!idValue.isNull())
-        updateId(scope, nullAtom, idValue);
+        updateId(scope, nullAtom, idValue, AlwaysUpdateHTMLDocumentNamedItemMaps);
 
     const AtomicString& nameValue = getNameAttribute();
@@ -1221 +1221 @@
         const AtomicString& idValue = getIdAttribute();
         if (!idValue.isNull())
-            updateId(insertionPoint->treeScope(), idValue, nullAtom);
+            updateId(insertionPoint->treeScope(), idValue, nullAtom, AlwaysUpdateHTMLDocumentNamedItemMaps);
 
         const AtomicString& nameValue = getNameAttribute();
@@ -2649 +2649 @@
 
     if (WindowNameCollection::nodeMatchesIfNameAttributeMatch(this)) {
-        if (!oldName.isEmpty())
+        const AtomicString& id = WindowNameCollection::nodeMatchesIfIdAttributeMatch(this) ? getIdAttribute() : nullAtom;
+        if (!oldName.isEmpty() && oldName != id)
             toHTMLDocument(ownerDocument)->windowNamedItemMap().remove(oldName.impl(), this);
-        if (!newName.isEmpty())
+        if (!newName.isEmpty() && newName != id)
             toHTMLDocument(ownerDocument)->windowNamedItemMap().add(newName.impl(), this);
     }
 
     if (DocumentNameCollection::nodeMatchesIfNameAttributeMatch(this)) {
-        if (!oldName.isEmpty())
+        const AtomicString& id = DocumentNameCollection::nodeMatchesIfIdAttributeMatch(this) ? getIdAttribute() : nullAtom;
+        if (!oldName.isEmpty() && oldName != id)
             toHTMLDocument(ownerDocument)->documentNamedItemMap().remove(oldName.impl(), this);
-        if (!newName.isEmpty())
+        if (!newName.isEmpty() && newName != id)
             toHTMLDocument(ownerDocument)->documentNamedItemMap().add(newName.impl(), this);
     }
@@ -2671 +2673 @@
         return;
 
-    updateId(treeScope(), oldId, newId);
-}
-
-void Element::updateId(TreeScope* scope, const AtomicString& oldId, const AtomicString& newId)
+    updateId(treeScope(), oldId, newId, UpdateHTMLDocumentNamedItemMapsOnlyIfDiffersFromNameAttribute);
+}
+
+void Element::updateId(TreeScope* scope, const AtomicString& oldId, const AtomicString& newId, HTMLDocumentNamedItemMapsUpdatingCondition condition)
 {
     ASSERT(isInTreeScope());
@@ -2692 +2694 @@
 
     if (WindowNameCollection::nodeMatchesIfIdAttributeMatch(this)) {
-        if (!oldId.isEmpty())
+        const AtomicString& name = condition == UpdateHTMLDocumentNamedItemMapsOnlyIfDiffersFromNameAttribute && WindowNameCollection::nodeMatchesIfNameAttributeMatch(this) ? getNameAttribute() : nullAtom;
+        if (!oldId.isEmpty() && oldId != name)
             toHTMLDocument(ownerDocument)->windowNamedItemMap().remove(oldId.impl(), this);
-        if (!newId.isEmpty())
+        if (!newId.isEmpty() && newId != name)
             toHTMLDocument(ownerDocument)->windowNamedItemMap().add(newId.impl(), this);
     }
 
     if (DocumentNameCollection::nodeMatchesIfIdAttributeMatch(this)) {
-        if (!oldId.isEmpty())
+        const AtomicString& name = condition == UpdateHTMLDocumentNamedItemMapsOnlyIfDiffersFromNameAttribute && DocumentNameCollection::nodeMatchesIfNameAttributeMatch(this) ? getNameAttribute() : nullAtom;
+        if (!oldId.isEmpty() && oldId != name)
             toHTMLDocument(ownerDocument)->documentNamedItemMap().remove(oldId.impl(), this);
-        if (!newId.isEmpty())
+        if (!newId.isEmpty() && newId != name)
             toHTMLDocument(ownerDocument)->documentNamedItemMap().add(newId.impl(), this);
     }
@@ -2887 +2891 @@
     }
 
+    // We can't update window and document's named item maps since the presence of image and object elements depend on other attributes and children.
+    // Fortunately, those named item maps are only updated when this element is in the document, which should never be the case.
+    ASSERT(!inDocument());
+
     const AtomicString& oldID = getIdAttribute();
     const AtomicString& newID = other.getIdAttribute();

trunk/Source/WebCore/dom/Element.h

@@ -675 +675 @@
 
     void updateId(const AtomicString& oldId, const AtomicString& newId);
-    void updateId(TreeScope*, const AtomicString& oldId, const AtomicString& newId);
+    enum HTMLDocumentNamedItemMapsUpdatingCondition { AlwaysUpdateHTMLDocumentNamedItemMaps, UpdateHTMLDocumentNamedItemMapsOnlyIfDiffersFromNameAttribute };
+    void updateId(TreeScope*, const AtomicString& oldId, const AtomicString& newId, HTMLDocumentNamedItemMapsUpdatingCondition);
     void updateName(const AtomicString& oldName, const AtomicString& newName);
     void updateName(TreeScope*, const AtomicString& oldName, const AtomicString& newName);

trunk/Source/WebCore/editing/ReplaceNodeWithSpanCommand.cpp

@@ -53 +53 @@
     ASSERT(nodeToReplace->inDocument());
     RefPtr<ContainerNode> parentNode = nodeToReplace->parentNode();
-    parentNode->insertBefore(newNode, nodeToReplace, ASSERT_NO_EXCEPTION);
 
+    // FIXME: Fix this to send the proper MutationRecords when MutationObservers are present.
+    newNode->cloneDataFromElement(*nodeToReplace);
     NodeVector children;
     getChildNodes(nodeToReplace, children);
@@ -60 +61 @@
         newNode->appendChild(children[i], ASSERT_NO_EXCEPTION);
 
-    // FIXME: Fix this to send the proper MutationRecords when MutationObservers are present.
-    newNode->cloneDataFromElement(*nodeToReplace);
-
+    parentNode->insertBefore(newNode, nodeToReplace, ASSERT_NO_EXCEPTION);
     parentNode->removeChild(nodeToReplace, ASSERT_NO_EXCEPTION);
 }

trunk/Source/WebCore/html/HTMLImageElement.cpp

@@ -131 +131 @@
                 HTMLDocument* document = toHTMLDocument(this->document());
                 const AtomicString& id = getIdAttribute();
-                if (!id.isEmpty()) {
+                if (!id.isEmpty() && id != getNameAttribute()) {
                     if (willHaveName)
                         document->documentNamedItemMap().add(id.impl(), this);

trunk/Source/WebCore/html/HTMLObjectElement.cpp

@@ -452 +452 @@
 
         const AtomicString& name = getNameAttribute();
-        if (!name.isEmpty()) {
+        if (!name.isEmpty() && id != name) {
             if (isNamedItem)
                 document->documentNamedItemMap().add(name.impl(), this);