Changeset 154320 in webkit

Timestamp:

Aug 20, 2013, 3:13:00 AM (12 years ago)

Author:

Antti Koivisto

Message:

<​https://webkit.org/b/119969> REGRESSION (r154232): Crash on the japantimes.co.jp

Source/WebCore:

Reviewed by Andreas Kling.

PseudoElement no longer has parent and calling Element::insertedInto for them crashes as it tries to access it.

Normally there are no pseudo elements when Element::insertedInto() is invoked as they get detached and attached
along with rendering. However in this case the page inserts a <style> that uses ::before along with an element
that it applies to. Stylesheet insertion triggers synchronous style recalc that attaches rendering to all newly
insered elements. Later Element::insertedInto gets called for the element that has pseudo element and we crash.

Test: fast/css-generated-content/insert-stylesheet-and-pseudo-crash.html

• dom/Element.cpp:

(WebCore::Element::insertedInto):
(WebCore::Element::removedFrom):

Remove calls to insertedInto/removedFrom for pseudo elements. They are not considered to be in document.
When they are added normally during render tree attach these calls don't happen either.

LayoutTests:

Reviewed by Andreas Kling.

• fast/css-generated-content/insert-stylesheet-and-pseudo-crash-expected.txt: Added.
• fast/css-generated-content/insert-stylesheet-and-pseudo-crash.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/css-generated-content/insert-stylesheet-and-pseudo-crash-expected.txt (added)
• LayoutTests/fast/css-generated-content/insert-stylesheet-and-pseudo-crash.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/dom/Element.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2013-08-20  Antti Koivisto  <antti@apple.com>
+
+        <https://webkit.org/b/119969> REGRESSION (r154232): Crash on the japantimes.co.jp
+
+        Reviewed by Andreas Kling.
+
+        * fast/css-generated-content/insert-stylesheet-and-pseudo-crash-expected.txt: Added.
+        * fast/css-generated-content/insert-stylesheet-and-pseudo-crash.html: Added.
+
 2013-08-20  Simon Pena  <simon.pena@samsung.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2013-08-20  Antti Koivisto  <antti@apple.com>
+
+        <https://webkit.org/b/119969> REGRESSION (r154232): Crash on the japantimes.co.jp
+
+        Reviewed by Andreas Kling.
+        
+        PseudoElement no longer has parent and calling Element::insertedInto for them crashes as it tries to access it.
+
+        Normally there are no pseudo elements when Element::insertedInto() is invoked as they get detached and attached
+        along with rendering. However in this case the page inserts a <style> that uses ::before along with an element
+        that it applies to. Stylesheet insertion triggers synchronous style recalc that attaches rendering to all newly
+        insered elements. Later Element::insertedInto gets called for the element that has pseudo element and we crash.
+
+        Test: fast/css-generated-content/insert-stylesheet-and-pseudo-crash.html
+
+        * dom/Element.cpp:
+        (WebCore::Element::insertedInto):
+        (WebCore::Element::removedFrom):
+        
+            Remove calls to insertedInto/removedFrom for pseudo elements. They are not considered to be in document.
+            When they are added normally during render tree attach these calls don't happen either.
+
 2013-08-20  Ryosuke Niwa  <rniwa@webkit.org>
 

trunk/Source/WebCore/dom/Element.cpp

@@ -1285 +1285 @@
 #endif
 
-    if (Element* before = pseudoElement(BEFORE))
-        before->insertedInto(insertionPoint);
-
-    if (Element* after = pseudoElement(AFTER))
-        after->insertedInto(insertionPoint);
-
     if (!insertionPoint->isInTreeScope())
         return InsertionDone;
@@ -1331 +1325 @@
     bool wasInDocument = insertionPoint->document();
 #endif
-
-    if (Element* before = pseudoElement(BEFORE))
-        before->removedFrom(insertionPoint);
-
-    if (Element* after = pseudoElement(AFTER))
-        after->removedFrom(insertionPoint);
 
 #if ENABLE(DIALOG_ELEMENT)