Bug 28864 - Setting document.title reuses <title>'s textnode child
Summary: Setting document.title reuses <title>'s textnode child
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM (show other bugs)
Version: 528+ (Nightly build)
Hardware: Mac (Intel) OS X 10.5
: P2 Normal
Assignee: Chris Dumez
URL:
Keywords: HasReduction, InRadar
Depends on:
Blocks:
 
Reported: 2009-08-31 19:53 PDT by Boris Zbarsky
Modified: 2016-07-10 22:07 PDT (History)
13 users (show)

See Also:

Attachments
Testcase (450 bytes, text/html)
2009-09-01 04:50 PDT, Boris Zbarsky 		no flags Details
Patch (1.44 KB, patch)
2012-04-15 07:45 PDT, Adrien Loison 		tkent: review-
webkit.review.bot: commit-queue-
Details | Formatted Diff | Diff
Archive of layout-test-results from ec2-cr-linux-02 (6.59 MB, application/zip)
2012-04-15 08:15 PDT, WebKit Review Bot 		no flags Details
WIP Patch (7.04 KB, patch)
2016-07-10 18:21 PDT, Chris Dumez 		no flags Details | Formatted Diff | Diff
WIP Patch (8.20 KB, patch)
2016-07-10 18:53 PDT, Chris Dumez 		no flags Details | Formatted Diff | Diff
Patch (14.38 KB, patch)
2016-07-10 19:23 PDT, Chris Dumez 		no flags Details | Formatted Diff | Diff
Patch (16.55 KB, patch)
2016-07-10 21:36 PDT, Chris Dumez 		no flags Details | Formatted Diff | Diff
Show Obsolete (5) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Boris Zbarsky 2009-08-31 19:53:04 PDT 
STEPS TO REPRODUCE:
1)  Load attached testcase
2)  See which alert comes up

EXPECTED RESULTS:
"textnode is not being reused"

ACTUAL RESULTS:
"Reusing textnode on title set"

The relevant spec draft text is at http://www.whatwg.org/specs/web-apps/current-work/multipage/dom.html#document.title step 4 of the "On setting" algorithm.

Opera and Gecko both follow the HTML5 draft here.
Comment 1 Mark Rowe (bdash) 2009-08-31 21:43:24 PDT 
There's no test case attached.  Boris, can you please attach the test case you refer to in your description of the bug?
Comment 2 Boris Zbarsky 2009-09-01 04:50:54 PDT 
Created attachment 38858 [details]
Testcase

Ah, sorry.  Not sure how I failed to attach that.
Comment 3 Mark Rowe (bdash) 2009-09-01 04:54:02 PDT 
<rdar://problem/7186473>
Comment 4 Adam Barth 2010-09-21 04:11:45 PDT 
You're blowing my mind Boris.  Will fix.
Comment 5 Adrien Loison 2012-04-15 07:45:35 PDT 
Created attachment 137235 [details]
Patch
Comment 6 WebKit Review Bot 2012-04-15 08:15:40 PDT 
Comment on attachment 137235 [details]
Patch

Attachment 137235 [details] did not pass chromium-ews (chromium-xvfb):
Output: http://queues.webkit.org/results/12406665

New failing tests:
fast/dom/document-set-title-mutation-crash.html
Comment 7 WebKit Review Bot 2012-04-15 08:15:46 PDT 
Created attachment 137236 [details]
Archive of layout-test-results from ec2-cr-linux-02

The attached test failures were seen while running run-webkit-tests on the chromium-ews.
Bot: ec2-cr-linux-02  Port: <class 'webkitpy.common.config.ports.ChromiumXVFBPort'>  Platform: Linux-2.6.35-28-virtual-x86_64-with-Ubuntu-10.10-maverick
Comment 8 Kent Tamura 2012-04-19 18:04:56 PDT 
Comment on attachment 137235 [details]
Patch

r- because of the EWS failure
Comment 9 Chris Dumez 2016-07-10 10:01:06 PDT 
Looks like this still applies according to the latest specification:
- https://html.spec.whatwg.org/multipage/dom.html#document.title
- https://dom.spec.whatwg.org/#dom-node-textcontent

This is caused by the following "optimization" in HTMLTitleElement::setText():
    if (!value.isEmpty() && hasOneChild() && is<Text>(*firstChild())) {
        downcast<Text>(*firstChild()).setData(value);
        return;
    }
Comment 10 Chris Dumez 2016-07-10 10:07:59 PDT 
Chrome and Firefox seem to agree with the specification.
Comment 11 Chris Dumez 2016-07-10 18:21:37 PDT 
Created attachment 283292 [details]
WIP Patch
Comment 12 Chris Dumez 2016-07-10 18:53:23 PDT 
Created attachment 283293 [details]
WIP Patch
Comment 13 Chris Dumez 2016-07-10 19:23:42 PDT 
Created attachment 283295 [details]
Patch
Comment 14 Benjamin Poulain 2016-07-10 21:20:24 PDT 
Comment on attachment 283295 [details]
Patch

Please also include a test for the SVG title element. We always find fishy bugs with SVG.
Bonus point for a test that raise the exception on setTitle() (I guess messing up with the tree in response to mutation events).
Comment 15 Chris Dumez 2016-07-10 21:36:49 PDT 
Created attachment 283298 [details]
Patch
Comment 16 Chris Dumez 2016-07-10 21:39:00 PDT 
(In reply to comment #14)
> Comment on attachment 283295 [details]
> Patch
> 
> Please also include a test for the SVG title element. We always find fishy
> bugs with SVG.
> Bonus point for a test that raise the exception on setTitle() (I guess
> messing up with the tree in response to mutation events).

I added a test for svn title before landing. I agree we should cover the exception case, I'll look into it tomorrow and we can land the test in a follow-up.
Comment 17 WebKit Commit Bot 2016-07-10 22:07:08 PDT 
Comment on attachment 283298 [details]
Patch

Clearing flags on attachment: 283298

Committed r203047: <http://trac.webkit.org/changeset/203047>
Comment 18 WebKit Commit Bot 2016-07-10 22:07:14 PDT 
All reviewed patches have been landed.  Closing bug.