Changeset 275543 in webkit

Timestamp:

Apr 6, 2021 12:51:49 PM (3 years ago)

Author:

rniwa@webkit.org

Message:

Assert failure in isCloneInShadowTreeOfSVGUseElement
​https://bugs.webkit.org/show_bug.cgi?id=224174

Reviewed by Darin Adler and Antti Koivisto.

Source/WebCore:

The bug was caused by two related but distinct issues:

1. An element can have an instance that had been removed from a use element's shadow tree but not yet deleted. Because SVGElement clears its correspondingElement in its destructor, when addEventListener is called on such an element, it can try to add an event listener on this instance which is in the process of getting disposed.
2. DOM mutation events can be fired on the corresponding element of an instance inside a use element’s shadow tree with EventQueueScope in the stack when the event is schedueld via Node::dispatchScopedEvent, e.g. because use element's shadow tree was updated during a style update at the beginning of document.execComand. Because SVGUseElement::cloneTarget constructs the shadow tree by cloning the original tree while it's disconnected from the document, Node::dispatchSubtreeModifiedEvent sees isInShadowTree() to be false and happily tries to dispach DOMSubtreeModified event using Node::dispatchScopedEvent. This works fine when the event is dispatched synchronously since these elements had never been exposed to any scripts yet and they are still disconnected so no scripts have had an opportunity to attach an event listener. But when EventQueueScope in the stack, Node::dispatchScopedEvent will queue up the event and fire it later when those instance elements had been inserted into use element's shadow tree.

This patch addresses (1) by severing correspondingElement relationship as soon as an instance
is removed from its use element's shadow tree, and (2) by not dispatching a scheduled mutation
event if the target is inside a shadow tree. Note that this patch also addresses (2) for
a regular shadow tree attached by author scripts.

Tests: fast/shadow-dom/mutation-event-in-shadow-tree.html

svg/dom/mutate-symbol-subtree-referenced-by-use-during-execCommand.html
svg/dom/update-svg-use-shadow-tree-with-execCommand.html

• dom/ScopedEventQueue.cpp:

(WebCore::ScopedEventQueue::dispatchEvent const):

• svg/SVGElement.cpp:

(WebCore::SVGElement::~SVGElement):
(WebCore::SVGElement::removedFromAncestor):
(WebCore::SVGElement::addEventListener):
(WebCore::SVGElement::removeEventListener):

LayoutTests:

Added tests for mutating nodes which is later inserted into a shadow tree during execCommand
as well as forcing a SVG use element to update its shadow tree by mutating the corresponding
element tree during execCommand.

• fast/shadow-dom/mutation-event-in-shadow-tree-expected.txt: Added.
• fast/shadow-dom/mutation-event-in-shadow-tree.html: Added.
• svg/dom/mutate-symbol-subtree-referenced-by-use-during-execCommand-expected.txt: Added.
• svg/dom/mutate-symbol-subtree-referenced-by-use-during-execCommand.html: Added.
• svg/dom/update-svg-use-shadow-tree-with-execCommand-expected.txt: Added.
• svg/dom/update-svg-use-shadow-tree-with-execCommand.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/shadow-dom/mutation-event-in-shadow-tree-expected.txt (added)
• LayoutTests/fast/shadow-dom/mutation-event-in-shadow-tree.html (added)
• LayoutTests/svg/dom/mutate-symbol-subtree-referenced-by-use-during-execCommand-expected.txt (added)
• LayoutTests/svg/dom/mutate-symbol-subtree-referenced-by-use-during-execCommand.html (added)
• LayoutTests/svg/dom/update-svg-use-shadow-tree-with-execCommand-expected.txt (added)
• LayoutTests/svg/dom/update-svg-use-shadow-tree-with-execCommand.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/dom/Node.h (modified) (3 diffs)
• Source/WebCore/dom/ScopedEventQueue.cpp (modified) (1 diff)
• Source/WebCore/dom/ShadowRoot.h (modified) (1 diff)
• Source/WebCore/svg/SVGElement.cpp (modified) (4 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2021-04-06  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Assert failure in isCloneInShadowTreeOfSVGUseElement
+        https://bugs.webkit.org/show_bug.cgi?id=224174
+
+        Reviewed by Darin Adler and Antti Koivisto.
+
+        Added tests for mutating nodes which is later inserted into a shadow tree during execCommand
+        as well as forcing a SVG use element to update its shadow tree by mutating the corresponding
+        element tree during execCommand.
+
+        * fast/shadow-dom/mutation-event-in-shadow-tree-expected.txt: Added.
+        * fast/shadow-dom/mutation-event-in-shadow-tree.html: Added.
+        * svg/dom/mutate-symbol-subtree-referenced-by-use-during-execCommand-expected.txt: Added.
+        * svg/dom/mutate-symbol-subtree-referenced-by-use-during-execCommand.html: Added.
+        * svg/dom/update-svg-use-shadow-tree-with-execCommand-expected.txt: Added.
+        * svg/dom/update-svg-use-shadow-tree-with-execCommand.html: Added.
+
 2021-04-06  Jiewen Tan  <jiewen_tan@apple.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2021-04-06  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Assert failure in isCloneInShadowTreeOfSVGUseElement
+        https://bugs.webkit.org/show_bug.cgi?id=224174
+
+        Reviewed by Darin Adler and Antti Koivisto.
+
+        The bug was caused by two related but distinct issues:
+        1. An element can have an instance that had been removed from a use element's shadow tree
+           but not yet deleted. Because SVGElement clears its correspondingElement in its destructor,
+           when addEventListener is called on such an element, it can try to add an event listener
+           on this instance which is in the process of getting disposed.
+        2. DOM mutation events can be fired on the corresponding element of an instance inside
+           a use element’s shadow tree with EventQueueScope in the stack when the event is schedueld
+           via Node::dispatchScopedEvent, e.g. because use element's shadow tree was updated during
+           a style update at the beginning of document.execComand. Because SVGUseElement::cloneTarget
+           constructs the shadow tree by cloning the original tree while it's disconnected from the
+           document, Node::dispatchSubtreeModifiedEvent sees isInShadowTree() to be false and happily
+           tries to dispach DOMSubtreeModified event using Node::dispatchScopedEvent. This works fine
+           when the event is dispatched synchronously since these elements had never been exposed to
+           any scripts yet and they are still disconnected so no scripts have had an opportunity to
+           attach an event listener. But when EventQueueScope in the stack, Node::dispatchScopedEvent
+           will queue up the event and fire it later when those instance elements had been inserted
+           into use element's shadow tree.
+
+        This patch addresses (1) by severing correspondingElement relationship as soon as an instance
+        is removed from its use element's shadow tree, and (2) by not dispatching a scheduled mutation
+        event if the target is inside a shadow tree. Note that this patch also addresses (2) for
+        a regular shadow tree attached by author scripts.
+
+        Tests: fast/shadow-dom/mutation-event-in-shadow-tree.html
+               svg/dom/mutate-symbol-subtree-referenced-by-use-during-execCommand.html
+               svg/dom/update-svg-use-shadow-tree-with-execCommand.html
+
+        * dom/ScopedEventQueue.cpp:
+        (WebCore::ScopedEventQueue::dispatchEvent const):
+        * svg/SVGElement.cpp:
+        (WebCore::SVGElement::~SVGElement):
+        (WebCore::SVGElement::removedFromAncestor):
+        (WebCore::SVGElement::addEventListener):
+        (WebCore::SVGElement::removeEventListener):
+
 2021-04-06  Eric Carlson  <eric.carlson@apple.com>
 

trunk/Source/WebCore/dom/Node.h

@@ -217 +217 @@
     bool isDocumentFragment() const { return hasNodeFlag(NodeFlag::IsDocumentFragment); }
     bool isShadowRoot() const { return hasNodeFlag(NodeFlag::IsShadowRoot); }
+    bool isUserAgentShadowRoot() const; // Defined in ShadowRoot.h
 
     bool hasCustomStyleResolveCallbacks() const { return hasNodeFlag(NodeFlag::HasCustomStyleResolveCallbacks); }
@@ -226 +227 @@
     WEBCORE_EXPORT Element* shadowHost() const;
     ShadowRoot* containingShadowRoot() const;
-    ShadowRoot* shadowRoot() const;
+    ShadowRoot* shadowRoot() const; // Defined in ShadowRoot.h
     bool isClosedShadowHidden(const Node&) const;
 
@@ -241 +242 @@
 
     // Node's parent or shadow tree host.
-    ContainerNode* parentOrShadowHostNode() const;
+    ContainerNode* parentOrShadowHostNode() const; // Defined in ShadowRoot.h
     ContainerNode* parentInComposedTree() const;
     Element* parentElementInComposedTree() const;

trunk/Source/WebCore/dom/ScopedEventQueue.cpp

@@ -57 +57 @@
 void ScopedEventQueue::dispatchEvent(const ScopedEvent& event) const
 {
+    if (event.event->eventInterface() == MutationEventInterfaceType && event.target->isInShadowTree())
+        return;
     event.target->dispatchEvent(event.event);
 }

trunk/Source/WebCore/dom/ShadowRoot.h

@@ -154 +154 @@
 }
 
+inline bool Node::isUserAgentShadowRoot() const
+{
+    return isShadowRoot() && downcast<ShadowRoot>(*this).mode() == ShadowRootMode::UserAgent;
+}
+
 inline ContainerNode* Node::parentOrShadowHostNode() const
 {

trunk/Source/WebCore/svg/SVGElement.cpp

@@ -172 +172 @@
         for (SVGElement* instance : m_svgRareData->instances())
             instance->m_svgRareData->setCorrespondingElement(nullptr);
-        if (auto correspondingElement = makeRefPtr(m_svgRareData->correspondingElement()))
-            correspondingElement->m_svgRareData->instances().remove(this);
-
+        RELEASE_ASSERT(!m_svgRareData->correspondingElement());
         m_svgRareData = nullptr;
     }
@@ -254 +252 @@
     }
     invalidateInstances();
+
+    if (removalType.treeScopeChanged && oldParentOfRemovedTree.isUserAgentShadowRoot())
+        setCorrespondingElement(nullptr);
 }
 
@@ -376 +377 @@
     for (auto* instance : instances()) {
         ASSERT(instance->correspondingElement() == this);
+        ASSERT(instance->isInUserAgentShadowTree());
         bool result = instance->Node::addEventListener(eventType, listener.copyRef(), options);
         ASSERT_UNUSED(result, result);
@@ -403 +405 @@
     for (auto& instance : instances()) {
         ASSERT(instance->correspondingElement() == this);
+        ASSERT(instance->isInUserAgentShadowTree());
 
         if (instance->Node::removeEventListener(eventType, listener, options))