RESOLVED FIXED Bug 63607
Crash if ShadowRoot has a text node.
https://bugs.webkit.org/show_bug.cgi?id=63607
Summary Crash if ShadowRoot has a text node.
Hajime Morrita
Reported 2011-06-28 22:11:07 PDT
Reproduction is coming. Note that this happens only if you use the internals testing API. There is no shadow tree which has a text node as its immediate child.
Attachments
Patch (11.84 KB, patch)
2011-06-29 00:59 PDT, Hajime Morrita
no flags
patch for landing (11.85 KB, patch)
2011-06-29 23:47 PDT, Hajime Morrita
no flags
patch for landing (11.80 KB, patch)
2011-06-29 23:50 PDT, Hajime Morrita
no flags
Hajime Morrita
Comment 1 2011-06-29 00:59:11 PDT
Dimitri Glazkov (Google)
Comment 2 2011-06-29 07:23:36 PDT
Comment on attachment 99052 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=99052&action=review

> Source/WebCore/dom/Element.cpp:1109
> +        RefPtr<RenderStyle> newStyle = styleForRenderer(NodeRenderingContext(this, 0));

Using the NodeRenderingContext(this, 0) constructor as a way to avoid running initialization code in NodeRenderingContext(Node*) seems inelegant. It seems we are having an abstraction problem here. It's not obvious what (this, 0) means in the context of this call.
Dimitri Glazkov (Google)
Comment 3 2011-06-29 09:18:38 PDT
Comment on attachment 99052 [details]
Patch

It seems like styleForRenderer is begging to be devirtualized and folded into NodeRenderingContext ... or something...
Hajime Morrita
Comment 4 2011-06-29 22:12:27 PDT
(In reply to comment #2)
> (From update of attachment 99052 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=99052&action=review
>
> > Source/WebCore/dom/Element.cpp:1109
> > +        RefPtr<RenderStyle> newStyle = styleForRenderer(NodeRenderingContext(this, 0));
>
> Using NodeRenderingContext(this, 0) constructor as a way to avoid running initialization code in NodeRenderingContext(Node*) seems inelegant. It seems we are having an abstraction problem here. It's not obvious what (this, 0) means in the context of this call.

Well, I'll introduce a tag type to make it clear.

(In reply to comment #3)
> (From update of attachment 99052 [details])
> It seems like styleForRenderer is begging to be devirtualized and folded into NodeRenderingContext ... or something...

Yes. That's what I tried to do at first... or it might be a part of CSSSelector because it knows the parent node.
WebKit Review Bot
Comment 5 2011-06-29 22:54:55 PDT
Comment on attachment 99052 [details]
Patch

Rejecting attachment 99052 [details] from commit-queue.

Failed to run "['./Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '--bot-id=ec2-cq-02', '--port..." exit_code: 2

Last 500 characters of output:
57086529701d950b16c617d4401733e5f55b8e22
r90088 = 03758942d934755c9c03bc963fb16a1d5258ea7d
Done rebuilding .git/svn/refs/remotes/origin/master/.rev_map.268f45cc-cd09-0410-ab3c-d52691b4dbfc
First, rewinding head to replay your work on top of it...
Fast-forwarded master to refs/remotes/origin/master.
Updating chromium port dependencies using gclient...
________ running '/usr/bin/python gyp_webkit' in '/mnt/git/webkit-commit-queue/Source/WebKit/chromium'
Updating webkit projects from gyp files...

Full output: http://queues.webkit.org/results/8966336
Hajime Morrita
Comment 6 2011-06-29 23:47:00 PDT
Created attachment 99243 [details] patch for landing
Hajime Morrita
Comment 7 2011-06-29 23:50:14 PDT
Created attachment 99244 [details] patch for landing
WebKit Review Bot
Comment 8 2011-06-30 00:43:53 PDT
Comment on attachment 99244 [details]
patch for landing

Clearing flags on attachment: 99244

Committed r90094: <http://trac.webkit.org/changeset/90094>
WebKit Review Bot
Comment 9 2011-06-30 00:43:57 PDT
All reviewed patches have been landed. Closing bug.