Changeset 201471 in webkit

Timestamp:

May 27, 2016 3:31:43 PM (8 years ago)

Author:

rniwa@webkit.org

Message:

Crash in TreeScope::focusedElement
​https://bugs.webkit.org/show_bug.cgi?id=158108

Reviewed by Enrica Casucci.

Source/WebCore:

The bug was caused by a flawed sequence of steps we took to remove an element. When an element is removed,
willRemoveChild and willRemoveChildren fire blur events on removed focused element and its ancestors and
unload event on any removed iframes. However, it was possible to focus an element on which we had fired blur
during an unload event, leaving m_focusedElement point to an element that's not in the document anymore.

Changing the order doesn't help because that would make it possible to insert the removed iframes back into
the document inside a event listener of the blur event, which was specifically fixed by r127534 four years ago.

Instead, fix the bug by not firing blur and change events on removed nodes. New behavior matches Firefox and HTML5
specification: ​https://html.spec.whatwg.org/multipage/interaction.html#focus-fixup-rule-one

Test: fast/shadow-dom/shadow-root-active-element-crash.html

• dom/ContainerNode.cpp:

(WebCore::willRemoveChild): Made this function static local since it didn't need to have access to any private
member variables. Call Document::nodeWillBeRemoved after disconnecting iframes since unload event handler could
allocate new Ranges just like mutation events.
(WebCore::willRemoveChildren): Ditto.
(WebCore::ContainerNode::removeChild): Removed the calls to removeFullScreenElementOfSubtree and
removeFocusedNodeOfSubtree as they're now called in Document::nodeWillBeRemoved.
(WebCore::ContainerNode::removeChildren): Ditto.

• dom/ContainerNode.h:
• dom/Document.cpp:

(WebCore::Document::removeFocusedNodeOfSubtree): Don't dispatch blur and change events when a node is removed.
(WebCore::Document::setFocusedElement): Added FocusRemovalEventsMode as the third argument. Avoid dispatching blur
and change events when FocusRemovalEventsMode::Dispatch is set.
(WebCore::Document::nodeChildrenWillBeRemoved): Added calls to removeFullScreenElementOfSubtree and
removeFocusedNodeOfSubtree. Also assert that no events are fired within this function. If we ever fire an event here,
"unloaded" iframes can be inserted back into a document before ContainerNode::removeChild actually removes them.
(WebCore::Document::nodeWillBeRemoved): Ditto.

• dom/Document.h:
• dom/TreeScope.cpp:

(WebCore::TreeScope::focusedElement): Added a release assertion to make sure the focused element is in the document
of the tree scope, and added an explicit type check just in case.

LayoutTests:

Added a regression test for accessing shadowRoot.activeElement after re-focusing an element
inside DOMNodeRemovedFromDocument event and unload events.

This patch also restores the expected result of fast/events/onblur-remove.html to that of when
the test was in r15720 and updated in r19014. The expected result was changed in r85495 as it was
converted to a eventSender test.

• fast/dom/Range/range-created-during-remove-children-expected.txt:
• fast/dom/Range/range-created-during-remove-children.html: Update the test to use unload event

of an iframe since we no longer fire blur event when removing a focused element.

• fast/dom/adopt-node-prevented-expected.txt:
• fast/dom/adopt-node-prevented.html: Ditto.
• fast/dom/remove-body-during-body-replacement2.html: Ditto. Use DOMNodeRemoved instead.
• fast/events/nested-event-remove-node-crash.html: Ditto. Use DOMNodeRemovedFromDocument instead.
• fast/events/onblur-remove-expected.txt:
• fast/events/onblur-remove.html: See above.
• fast/shadow-dom/shadow-root-active-element-crash-expected.txt: Added.
• fast/shadow-dom/shadow-root-active-element-crash.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/dom/Range/range-created-during-remove-children-expected.txt (modified) (1 diff)
• LayoutTests/fast/dom/Range/range-created-during-remove-children.html (modified) (3 diffs)
• LayoutTests/fast/dom/adopt-node-prevented-expected.txt (modified) (1 diff)
• LayoutTests/fast/dom/adopt-node-prevented.html (modified) (2 diffs)
• LayoutTests/fast/dom/remove-body-during-body-replacement2.html (modified) (1 diff)
• LayoutTests/fast/events/nested-event-remove-node-crash.html (modified) (1 diff)
• LayoutTests/fast/events/onblur-remove-expected.txt (modified) (1 diff)
• LayoutTests/fast/events/onblur-remove.html (modified) (3 diffs)
• LayoutTests/fast/shadow-dom/shadow-root-active-element-crash-expected.txt (added)
• LayoutTests/fast/shadow-dom/shadow-root-active-element-crash.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/dom/ContainerNode.cpp (modified) (6 diffs)
• Source/WebCore/dom/ContainerNode.h (modified) (1 diff)
• Source/WebCore/dom/Document.cpp (modified) (5 diffs)
• Source/WebCore/dom/Document.h (modified) (1 diff)
• Source/WebCore/dom/TreeScope.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-05-26  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Crash in TreeScope::focusedElement
+        https://bugs.webkit.org/show_bug.cgi?id=158108
+
+        Reviewed by Enrica Casucci.
+
+        Added a regression test for accessing shadowRoot.activeElement after re-focusing an element
+        inside DOMNodeRemovedFromDocument event and unload events.
+
+        This patch also restores the expected result of fast/events/onblur-remove.html to that of when
+        the test was in r15720 and updated in r19014. The expected result was changed in r85495 as it was
+        converted to a eventSender test.
+
+        * fast/dom/Range/range-created-during-remove-children-expected.txt:
+        * fast/dom/Range/range-created-during-remove-children.html: Update the test to use unload event
+        of an iframe since we no longer fire blur event when removing a focused element.
+        * fast/dom/adopt-node-prevented-expected.txt:
+        * fast/dom/adopt-node-prevented.html: Ditto.
+        * fast/dom/remove-body-during-body-replacement2.html: Ditto. Use DOMNodeRemoved instead.
+        * fast/events/nested-event-remove-node-crash.html: Ditto. Use DOMNodeRemovedFromDocument instead.
+        * fast/events/onblur-remove-expected.txt:
+        * fast/events/onblur-remove.html: See above.
+        * fast/shadow-dom/shadow-root-active-element-crash-expected.txt: Added.
+        * fast/shadow-dom/shadow-root-active-element-crash.html: Added.
+
 2016-05-27  Brent Fulgham  <bfulgham@apple.com>
 

trunk/LayoutTests/fast/dom/Range/range-created-during-remove-children-expected.txt

@@ -1 @@
-PASS ranges["blur"].startContainer is sample
-PASS ranges["blur"].endContainer is sample
-PASS ranges["blur"].startOffset is 0
-PASS ranges["blur"].endOffset is 0
+PASS ranges["unload"].startContainer is sample
+PASS ranges["unload"].endContainer is sample
+PASS ranges["unload"].startOffset is 0
+PASS ranges["unload"].endOffset is 0
 PASS ranges["DOMNodeRemovedFromDocument"].startContainer is sample
 PASS ranges["DOMNodeRemovedFromDocument"].endContainer is sample

trunk/LayoutTests/fast/dom/Range/range-created-during-remove-children.html

@@ -1 +1 @@
 <div id="container">
 <p id="description"></p>
-<div id="sample"><span contenteditable="true">foobar</span></div>
+<div id="sample"><span contenteditable="true">foobar<iframe id="target"></iframe></span></div>
 </div>
 <div id="console"></div>
@@ -17 +17 @@
 }
 
-document.addEventListener('blur', eventHandler, true);
+document.querySelector('iframe').contentWindow.addEventListener('unload', eventHandler, true);
 document.addEventListener('DOMNodeRemovedFromDocument', eventHandler, true);
 
@@ -23 +23 @@
 sample.innerHTML = '';
 
-shouldBe('ranges["blur"].startContainer', 'sample');
-shouldBe('ranges["blur"].endContainer', 'sample');
-shouldBe('ranges["blur"].startOffset', '0');
-shouldBe('ranges["blur"].endOffset', '0');
+shouldBe('ranges["unload"].startContainer', 'sample');
+shouldBe('ranges["unload"].endContainer', 'sample');
+shouldBe('ranges["unload"].startOffset', '0');
+shouldBe('ranges["unload"].endOffset', '0');
 shouldBe('ranges["DOMNodeRemovedFromDocument"].startContainer', 'sample');
 shouldBe('ranges["DOMNodeRemovedFromDocument"].endContainer', 'sample');

trunk/LayoutTests/fast/dom/adopt-node-prevented-expected.txt

@@ -9 +9 @@
 PASS target.ownerDocument.location is document.location
 
+

trunk/LayoutTests/fast/dom/adopt-node-prevented.html

@@ -6 +6 @@
 <body>
   <div id="newParent"></div>
-  <a href="#" id="target"></a>
+  <iframe href="#" id="target"></iframe>
 <script>
 description("Test that adoptNode fails safely if prevented by a DOM mutation.");
@@ -13 +13 @@
     newParent = document.getElementById("newParent");
     target = document.getElementById("target");
-    target.addEventListener("blur", function () { newParent.appendChild(target); }, false);
+    target.contentWindow.addEventListener("unload", function () { newParent.appendChild(target); }, false);
     target.focus();
     var anotherDocument = document.implementation.createDocument("", "", null);

trunk/LayoutTests/fast/dom/remove-body-during-body-replacement2.html

@@ -18 +18 @@
 
     setTimeout(function () {
-        document.addEventListener('DOMFocusOut', function () { crash(); }, true);
+        document.addEventListener('DOMNodeRemoved', function () { crash(); }, true);
         document.addEventListener('DOMSubtreeModified', function () { /* noop */ }, false);
         document.designMode = "on";

trunk/LayoutTests/fast/events/nested-event-remove-node-crash.html

@@ -35 +35 @@
     4. the onblur event handler will send off an XHR who's handler will remove the node
 */
-    document.getElementById("theSelect").focus();
+    var select = document.getElementById("theSelect");
+    select.addEventListener('DOMNodeRemovedFromDocument', function () { sendXHR();GC(); });
+    select.focus();
     sendXHR();
     

trunk/LayoutTests/fast/events/onblur-remove-expected.txt

@@ -1 @@
-This tests that elements shouldn't emit any onblur events when they are being removed from the document. 
-Note, this test is expected to fail as of 04/25/2011. See bug #59379.
+This tests that elements shouldn't emit any onblur events when they are being removed from the document.
 
 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
 
 
-FAIL Onblur handler called.
+PASS blurEventCount is 0
 
 TEST COMPLETE

trunk/LayoutTests/fast/events/onblur-remove.html

@@ -6 +6 @@
             testRunner.waitUntilDone();
 
-        var numBlurs = 0;
+        var blurEventCount = 0;
 
         window.onload = function() { document.getElementById("input").focus(); }
@@ -15 +15 @@
             f.innerHTML = '';
 
-            if (numBlurs)
-                testFailed('Onblur handler called.');
-            else
-                testPassed('Onblur handler not called.');
+            shouldBe("blurEventCount", "0");
 
             debug('<br /><span class="pass">TEST COMPLETE</span>');
@@ -29 +26 @@
     <p id="description"></p>
     <form id='f'>
-      <input id="input" onblur="numBlurs++" onfocus="setTimeout('finish()', 0)">
+      <input id="input" onblur="blurEventCount++" onfocus="setTimeout('finish()', 0)">
     </form>
     <div id="console"></div>
     <script>
-        description("This tests that elements shouldn't emit any onblur events when they are being removed from the document. <br>" +
-                    "Note, this test is expected to fail as of 04/25/2011. See bug #59379.");
+        description("This tests that elements shouldn't emit any onblur events when they are being removed from the document.");
     </script>
   </body>

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-05-26  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Crash in TreeScope::focusedElement
+        https://bugs.webkit.org/show_bug.cgi?id=158108
+
+        Reviewed by Enrica Casucci.
+
+        The bug was caused by a flawed sequence of steps we took to remove an element. When an element is removed,
+        willRemoveChild and willRemoveChildren fire blur events on removed focused element and its ancestors and
+        unload event on any removed iframes. However, it was possible to focus an element on which we had fired blur
+        during an unload event, leaving m_focusedElement point to an element that's not in the document anymore.
+
+        Changing the order doesn't help because that would make it possible to insert the removed iframes back into
+        the document inside a event listener of the blur event, which was specifically fixed by r127534 four years ago.
+
+        Instead, fix the bug by not firing blur and change events on removed nodes. New behavior matches Firefox and HTML5
+        specification: https://html.spec.whatwg.org/multipage/interaction.html#focus-fixup-rule-one
+
+        Test: fast/shadow-dom/shadow-root-active-element-crash.html
+
+        * dom/ContainerNode.cpp:
+        (WebCore::willRemoveChild): Made this function static local since it didn't need to have access to any private
+        member variables. Call Document::nodeWillBeRemoved after disconnecting iframes since unload event handler could
+        allocate new Ranges just like mutation events.
+        (WebCore::willRemoveChildren): Ditto.
+        (WebCore::ContainerNode::removeChild): Removed the calls to removeFullScreenElementOfSubtree and
+        removeFocusedNodeOfSubtree as they're now called in Document::nodeWillBeRemoved.
+        (WebCore::ContainerNode::removeChildren): Ditto.
+        * dom/ContainerNode.h:
+        * dom/Document.cpp:
+        (WebCore::Document::removeFocusedNodeOfSubtree): Don't dispatch blur and change events when a node is removed.
+        (WebCore::Document::setFocusedElement): Added FocusRemovalEventsMode as the third argument. Avoid dispatching blur
+        and change events when FocusRemovalEventsMode::Dispatch is set.
+        (WebCore::Document::nodeChildrenWillBeRemoved): Added calls to removeFullScreenElementOfSubtree and
+        removeFocusedNodeOfSubtree. Also assert that no events are fired within this function. If we ever fire an event here,
+        "unloaded" iframes can be inserted back into a document before ContainerNode::removeChild actually removes them.
+        (WebCore::Document::nodeWillBeRemoved): Ditto.
+        * dom/Document.h:
+        * dom/TreeScope.cpp:
+        (WebCore::TreeScope::focusedElement): Added a release assertion to make sure the focused element is in the document
+        of the tree scope, and added an explicit type check just in case.
+
 2016-05-27  Brent Fulgham  <bfulgham@apple.com>
 

trunk/Source/WebCore/dom/ContainerNode.cpp

@@ -457 +457 @@
 }
 
-void ContainerNode::willRemoveChild(Node& child)
+static void willRemoveChild(ContainerNode& container, Node& child)
 {
     ASSERT(child.parentNode());
@@ -465 +465 @@
     dispatchChildRemovalEvents(child);
 
-    if (child.parentNode() != this)
+    if (child.parentNode() != &container)
         return;
 
-    child.document().nodeWillBeRemoved(child); // e.g. mutation event listener can create a new range.
     if (is<ContainerNode>(child))
         disconnectSubframesIfNeeded(downcast<ContainerNode>(child), RootAndDescendants);
+
+    if (child.parentNode() != &container)
+        return;
+
+    child.document().nodeWillBeRemoved(child); // e.g. mutation event listener can create a new range.
 }
 
@@ -487 +491 @@
     }
 
+    disconnectSubframesIfNeeded(container, DescendantsOnly);
+
     container.document().nodeChildrenWillBeRemoved(container);
 
-    disconnectSubframesIfNeeded(container, DescendantsOnly);
 }
 
@@ -514 +519 @@
 
     Ref<Node> child(oldChild);
-
-    document().removeFocusedNodeOfSubtree(child.ptr());
-
-#if ENABLE(FULLSCREEN_API)
-    document().removeFullScreenElementOfSubtree(&child.get());
-#endif
 
     // Events fired when blurring currently focused node might have moved this
@@ -528 +527 @@
     }
 
-    willRemoveChild(child);
+    willRemoveChild(*this, child);
 
     // Mutation events might have moved this child into a different parent.
@@ -611 +610 @@
     // The container node can be removed from event handlers.
     Ref<ContainerNode> protectedThis(*this);
-
-    // exclude this node when looking for removed focusedNode since only children will be removed
-    document().removeFocusedNodeOfSubtree(this, true);
-
-#if ENABLE(FULLSCREEN_API)
-    document().removeFullScreenElementOfSubtree(this, true);
-#endif
 
     // Do any prep work needed before actually starting to detach

trunk/Source/WebCore/dom/ContainerNode.h

@@ -131 +131 @@
     bool isContainerNode() const = delete;
 
-    void willRemoveChild(Node& child);
-
     Node* m_firstChild { nullptr };
     Node* m_lastChild { nullptr };

trunk/Source/WebCore/dom/Document.cpp

@@ -3701 +3701 @@
     
     if (nodeInSubtree)
-        setFocusedElement(nullptr);
+        setFocusedElement(nullptr, FocusDirectionNone, FocusRemovalEventsMode::DoNotDispatch);
 }
 
@@ -3739 +3739 @@
 #endif
 
-bool Document::setFocusedElement(Element* element, FocusDirection direction)
+bool Document::setFocusedElement(Element* element, FocusDirection direction, FocusRemovalEventsMode eventsMode)
 {
     RefPtr<Element> newFocusedElement = element;
@@ -3762 +3762 @@
         oldFocusedElement->setFocus(false);
 
-        // Dispatch a change event for form control elements that have been edited.
-        if (is<HTMLFormControlElement>(*oldFocusedElement)) {
-            HTMLFormControlElement& formControlElement = downcast<HTMLFormControlElement>(*oldFocusedElement);
-            if (formControlElement.wasChangedSinceLastFormControlChangeEvent())
-                formControlElement.dispatchFormControlChangeEvent();
-        }
-
-        // Dispatch the blur event and let the node do any other blur related activities (important for text fields)
-        oldFocusedElement->dispatchBlurEvent(newFocusedElement.copyRef());
-
-        if (m_focusedElement) {
-            // handler shifted focus
-            focusChangeBlocked = true;
-            newFocusedElement = nullptr;
-        }
-        
-        oldFocusedElement->dispatchFocusOutEvent(eventNames().focusoutEvent, newFocusedElement.copyRef()); // DOM level 3 name for the bubbling blur event.
-        // FIXME: We should remove firing DOMFocusOutEvent event when we are sure no content depends
-        // on it, probably when <rdar://problem/8503958> is resolved.
-        oldFocusedElement->dispatchFocusOutEvent(eventNames().DOMFocusOutEvent, newFocusedElement.copyRef()); // DOM level 2 name for compatibility.
-
-        if (m_focusedElement) {
-            // handler shifted focus
-            focusChangeBlocked = true;
-            newFocusedElement = nullptr;
-        }
-            
+        if (eventsMode == FocusRemovalEventsMode::Dispatch) {
+            // Dispatch a change event for form control elements that have been edited.
+            if (is<HTMLFormControlElement>(*oldFocusedElement)) {
+                HTMLFormControlElement& formControlElement = downcast<HTMLFormControlElement>(*oldFocusedElement);
+                if (formControlElement.wasChangedSinceLastFormControlChangeEvent())
+                    formControlElement.dispatchFormControlChangeEvent();
+            }
+
+            // Dispatch the blur event and let the node do any other blur related activities (important for text fields)
+            oldFocusedElement->dispatchBlurEvent(newFocusedElement.copyRef());
+
+            if (m_focusedElement) {
+                // handler shifted focus
+                focusChangeBlocked = true;
+                newFocusedElement = nullptr;
+            }
+
+            oldFocusedElement->dispatchFocusOutEvent(eventNames().focusoutEvent, newFocusedElement.copyRef()); // DOM level 3 name for the bubbling blur event.
+            // FIXME: We should remove firing DOMFocusOutEvent event when we are sure no content depends
+            // on it, probably when <rdar://problem/8503958> is resolved.
+            oldFocusedElement->dispatchFocusOutEvent(eventNames().DOMFocusOutEvent, newFocusedElement.copyRef()); // DOM level 2 name for compatibility.
+
+            if (m_focusedElement) {
+                // handler shifted focus
+                focusChangeBlocked = true;
+                newFocusedElement = nullptr;
+            }
+        } else
+            ASSERT(!m_focusedElement);
+
         if (oldFocusedElement->isRootEditableElement())
             frame()->editor().didEndEditing();
@@ -3968 +3971 @@
 void Document::nodeChildrenWillBeRemoved(ContainerNode& container)
 {
+    NoEventDispatchAssertion assertNoEventDispatch;
+
+    removeFocusedNodeOfSubtree(&container, true /* amongChildrenOnly */);
+
+#if ENABLE(FULLSCREEN_API)
+    removeFullScreenElementOfSubtree(&container, true /* amongChildrenOnly */);
+#endif
+
     for (auto* range : m_ranges)
         range->nodeChildrenWillBeRemoved(container);
@@ -3992 +4003 @@
 void Document::nodeWillBeRemoved(Node& n)
 {
+    NoEventDispatchAssertion assertNoEventDispatch;
+
+    removeFocusedNodeOfSubtree(&n);
+
+#if ENABLE(FULLSCREEN_API)
+    removeFullScreenElementOfSubtree(&n);
+#endif
+
     for (auto* it : m_nodeIterators)
         it->nodeWillBeRemoved(n);

trunk/Source/WebCore/dom/Document.h

@@ -723 +723 @@
     void setSelectedStylesheetSet(const String&);
 
-    WEBCORE_EXPORT bool setFocusedElement(Element*, FocusDirection = FocusDirectionNone);
+    enum class FocusRemovalEventsMode { Dispatch, DoNotDispatch };
+    WEBCORE_EXPORT bool setFocusedElement(Element*, FocusDirection = FocusDirectionNone,
+        FocusRemovalEventsMode = FocusRemovalEventsMode::Dispatch);
     Element* focusedElement() const { return m_focusedElement.get(); }
     UserActionElementSet& userActionElements()  { return m_userActionElements; }

trunk/Source/WebCore/dom/TreeScope.cpp

@@ -312 +312 @@
         return nullptr;
     TreeScope* treeScope = &element->treeScope();
+    RELEASE_ASSERT(&document == &treeScope->documentScope());
     while (treeScope != this && treeScope != &document) {
-        element = downcast<ShadowRoot>(treeScope->rootNode()).host();
+        auto& rootNode = treeScope->rootNode();
+        if (is<ShadowRoot>(rootNode))
+            element = downcast<ShadowRoot>(rootNode).host();
+        else
+            return nullptr;
         treeScope = &element->treeScope();
     }