Bug 149365

Summary: Inserting or removing slot elements can cause a crash
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: DOMAssignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED    
Severity: Normal CC: cmarcelo, commit-queue, esprehn+autocc, gyuyoung.kim, kangil.han, koivisto
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 149330    
Attachments:
Description Flags
Fixes the bug
none
Patch for landing
none
Patch for landing none

Ryosuke Niwa
Reported 2015-09-18 19:24:44 PDT
HTMLSlotElement::insertedInto and HTMLSlotElement::removedFrom are completely wrong.
Attachments
Fixes the bug (8.78 KB, patch)
2015-09-18 19:46 PDT, Ryosuke Niwa 		no flags
DetailsFormatted DiffDiff
Patch for landing (11.05 KB, patch)
2015-09-18 20:30 PDT, Ryosuke Niwa 		no flags
DetailsFormatted DiffDiff
Patch for landing (11.27 KB, patch)
2015-09-18 20:33 PDT, Ryosuke Niwa 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Ryosuke Niwa
Comment 1 2015-09-18 19:46:30 PDT
Created attachment 261561 [details] Fixes the bug
Antti Koivisto
Comment 2 2015-09-18 20:08:46 PDT
Comment on attachment 261561 [details] Fixes the bug View in context: https://bugs.webkit.org/attachment.cgi?id=261561&action=review > Source/WebCore/html/HTMLSlotElement.cpp:52 > + if (insertionPoint.isInShadowTree() && isInShadowTree() && &insertionPoint.treeScope() == &treeScope()) { This could use a comment. > Source/WebCore/html/HTMLSlotElement.cpp:53 > + if (auto shadowRoot = containingShadowRoot()) auto* > Source/WebCore/html/HTMLSlotElement.cpp:63 > // Can't call containingShadowRoot() here since this node has already been disconnected from the parent. > - if (isInShadowTree()) { > - auto& oldShadowRoot = downcast<ShadowRoot>(insertionPoint.treeScope().rootNode()); > - oldShadowRoot.removeSlotElementByName(fastGetAttribute(nameAttr), *this); > + if (insertionPoint.isInShadowTree() && isInShadowTree() && &treeScope() == &document()) { This could use a bit more comprehensive comment.
Ryosuke Niwa
Comment 3 2015-09-18 20:30:16 PDT
Created attachment 261563 [details] Patch for landing
WebKit Commit Bot
Comment 4 2015-09-18 20:32:04 PDT
Comment on attachment 261563 [details] Patch for landing Rejecting attachment 261563 [details] from commit-queue. Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-02', 'validate-changelog', '--check-oops', '--non-interactive', 261563, '--port=mac']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit ChangeLog entry in LayoutTests/ChangeLog contains OOPS!. Full output: http://webkit-queues.webkit.org/results/185244
Ryosuke Niwa
Comment 5 2015-09-18 20:33:21 PDT
Created attachment 261564 [details] Patch for landing
WebKit Commit Bot
Comment 6 2015-09-18 21:18:44 PDT
Comment on attachment 261564 [details] Patch for landing Clearing flags on attachment: 261564 Committed r190008: <http://trac.webkit.org/changeset/190008>
WebKit Commit Bot
Comment 7 2015-09-18 21:18:49 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.