RESOLVED FIXED 62116
REGRESSION(r87980): Crash in RenderTextControl::setInnerText() / ieForbidsInsertHTML 
https://bugs.webkit.org/show_bug.cgi?id=62116
Summary REGRESSION(r87980): Crash in RenderTextControl::setInnerText() / ieForbidsIns...
Kent Tamura
Reported 2011-06-06 03:07:35 PDT
TextFieldInputElement::innerTextElement() return 0 though it specifies the ID value of a shadow element which was appended to the <input> in the <input> factory method. We can't assume attach() is called after insertedIntoDocument().
Attachments
Patch (8.94 KB, patch)
2011-06-06 03:28 PDT, Kent Tamura 		dglazkov: review-
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Kent Tamura
Comment 2 2011-06-06 03:28:08 PDT
Created attachment 96072 [details] Patch
Dimitri Glazkov (Google)
Comment 3 2011-06-06 09:36:47 PDT
Comment on attachment 96072 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=96072&action=review I think this approach is wrong. We should not be special-casing id handling inside shadow DOM. Or maybe I just don't understand why we would want to do that? > Source/WebCore/dom/Element.cpp:961 > + if (hasID() && m_attributeMap && treeScope() == document()) { Why do we have to have a special way of handling shadow DOM nodes here? Other than working around the bug you're fixing? I don't think this is right.
Dimitri Glazkov (Google)
Comment 4 2011-06-06 09:45:04 PDT
Comment on attachment 96072 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=96072&action=review > Source/WebCore/ChangeLog:11 > + - insertedIntoDocument() for HTMLInputElement and shadow nodes were This seems like the problem we need to be fixing.
Kent Tamura
Comment 5 2011-06-06 16:55:30 PDT
Comment on attachment 96072 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=96072&action=review >> Source/WebCore/ChangeLog:11 >> + - insertedIntoDocument() for HTMLInputElement and shadow nodes were > > This seems like the problem we need to be fixing. Yeah, probably this behavior is not intended. I'll try to fix it today. >> Source/WebCore/dom/Element.cpp:961 >> + if (hasID() && m_attributeMap && treeScope() == document()) { > > Why do we have to have a special way of handling shadow DOM nodes here? Other than working around the bug you're fixing? I don't think this is right. I think this is a right change though it might be a good way to fix this bug. We had a similar problem in https://bugs.webkit.org/show_bug.cgi?id=61986#c25 . ID registration/unregistration is handled in insertedIntoDocument()/removedFromDocument() because IDs are managed by a document. Now ShadowRoot also manges subordinate IDs. So ID registration/unregistration for ShadowRoot should be handled when an element is inserted into or removed from a ShadowRoot. I think it's very straightforward behavior.
Kent Tamura
Comment 6 2011-06-06 16:56:19 PDT
(In reply to comment #5) > it might be a good way to fix this bug. it might not be a ...
Kent Tamura
Comment 7 2011-06-06 19:00:35 PDT
(In reply to comment #5) > (From update of attachment 96072 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=96072&action=review > > >> Source/WebCore/ChangeLog:11 > >> + - insertedIntoDocument() for HTMLInputElement and shadow nodes were > > > > This seems like the problem we need to be fixing. > > Yeah, probably this behavior is not intended. I'll try to fix it today. It seems to be hard. My simple change to fix the attach-before-insertedIntoDocument issue made another 7 layout test regressions.
Kent Tamura
Comment 8 2011-06-06 19:01:49 PDT
(In reply to comment #5) > >> Source/WebCore/dom/Element.cpp:961 > >> + if (hasID() && m_attributeMap && treeScope() == document()) { > > > > Why do we have to have a special way of handling shadow DOM nodes here? Other than working around the bug you're fixing? I don't think this is right. > > I think this is a right change though it might be a good way to fix this bug. We had a similar problem in https://bugs.webkit.org/show_bug.cgi?id=61986#c25 . > > ID registration/unregistration is handled in insertedIntoDocument()/removedFromDocument() because IDs are managed by a document. Now ShadowRoot also manges subordinate IDs. So ID registration/unregistration for ShadowRoot should be handled when an element is inserted into or removed from a ShadowRoot. I think it's very straightforward behavior. Roland, Morita-san, do you have any comments on ID in ShadowRoot?
Kent Tamura
Comment 9 2011-06-06 19:04:43 PDT
*** Bug 62109 has been marked as a duplicate of this bug. ***
Ryosuke Niwa
Comment 10 2011-06-06 21:48:24 PDT
*** Bug 62030 has been marked as a duplicate of this bug. ***
Kent Tamura
Comment 11 2011-06-06 21:49:40 PDT
It's not good to keep the crash. So I have decided to revert a part of r87980. Let's discuss the ID issue in a separate bug.
Ryosuke Niwa
Comment 12 2011-06-06 21:49:56 PDT
Renaming the bug so that this bug shows up when people search for ieForbidsInsertHTML.
Kent Tamura
Comment 13 2011-06-06 21:53:26 PDT
Landed the revert: http://trac.webkit.org/changeset/88216
Roland Steiner
Comment 14 2011-06-06 22:35:51 PDT
(In reply to comment #8) > (In reply to comment #5) > > ID registration/unregistration is handled in insertedIntoDocument()/removedFromDocument() because IDs are managed by a document. Now ShadowRoot also manges subordinate IDs. So ID registration/unregistration for ShadowRoot should be handled when an element is inserted into or removed from a ShadowRoot. I think it's very straightforward behavior. I also think the above is correct. The cleanest solution IMHO would be that a node ALWAYS registers its ID with its TreeScope when it's inserted into the tree. To this end, we would need another TreeScope sub-class to contain the nodes that are associated with the Document, but !inDocument(). (This specific sub-class could even just do a no-op on ID registration). However, this is a larger refactoring, probably outside the immediate scope of this bug.
Note You need to log in before you can comment on or make changes to this bug.