Skip to content
Blame Permalink
  • antti@apple.com's avatar
    3cf260a2
    <https://webkit.org/b/119969> REGRESSION (r154232): Crash on the japantimes.co.jp · 3cf260a2
    antti@apple.com authored 
    Source/WebCore: 

Reviewed by Andreas Kling.
        
PseudoElement no longer has parent and calling Element::insertedInto for them crashes as it tries to access it.

Normally there are no pseudo elements when Element::insertedInto() is invoked as they get detached and attached
along with rendering. However in this case the page inserts a <style> that uses ::before along with an element
that it applies to. Stylesheet insertion triggers synchronous style recalc that attaches rendering to all newly
insered elements. Later Element::insertedInto gets called for the element that has pseudo element and we crash.

Test: fast/css-generated-content/insert-stylesheet-and-pseudo-crash.html

* dom/Element.cpp:
(WebCore::Element::insertedInto):
(WebCore::Element::removedFrom):
        
    Remove calls to insertedInto/removedFrom for pseudo elements. They are not considered to be in document.
    When they are added normally during render tree attach these calls don't happen either.

LayoutTests: 

Reviewed by Andreas Kling.

* fast/css-generated-content/insert-stylesheet-and-pseudo-crash-expected.txt: Added.
* fast/css-generated-content/insert-stylesheet-and-pseudo-crash.html: Added.



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154320 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    3cf260a2
    <https://webkit.org/b/119969> REGRESSION (r154232): Crash on the japantimes.co.jp
    antti@apple.com authored 
    Source/WebCore: 

Reviewed by Andreas Kling.
        
PseudoElement no longer has parent and calling Element::insertedInto for them crashes as it tries to access it.

Normally there are no pseudo elements when Element::insertedInto() is invoked as they get detached and attached
along with rendering. However in this case the page inserts a <style> that uses ::before along with an element
that it applies to. Stylesheet insertion triggers synchronous style recalc that attaches rendering to all newly
insered elements. Later Element::insertedInto gets called for the element that has pseudo element and we crash.

Test: fast/css-generated-content/insert-stylesheet-and-pseudo-crash.html

* dom/Element.cpp:
(WebCore::Element::insertedInto):
(WebCore::Element::removedFrom):
        
    Remove calls to insertedInto/removedFrom for pseudo elements. They are not considered to be in document.
    When they are added normally during render tree attach these calls don't happen either.

LayoutTests: 

Reviewed by Andreas Kling.

* fast/css-generated-content/insert-stylesheet-and-pseudo-crash-expected.txt: Added.
* fast/css-generated-content/insert-stylesheet-and-pseudo-crash.html: Added.



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154320 268f45cc-cd09-0410-ab3c-d52691b4dbfc