Commit 3cf260a2 authored by antti@apple.com's avatar antti@apple.com

<https://webkit.org/b/119969> REGRESSION (r154232): Crash on the japantimes.co.jp

Source/WebCore: 

Reviewed by Andreas Kling.
        
PseudoElement no longer has a parent and calling Element::insertedInto for them crashes as it tries to access it.

Normally there are no pseudo elements when Element::insertedInto() is invoked as they get detached and attached
along with rendering. However in this case the page inserts a <style> that uses ::before along with an element
that it applies to. Stylesheet insertion triggers synchronous style recalc that attaches rendering to all newly
inserted elements. Later Element::insertedInto gets called for the element that has pseudo element and we crash.

Test: fast/css-generated-content/insert-stylesheet-and-pseudo-crash.html

* dom/Element.cpp:
(WebCore::Element::insertedInto):
(WebCore::Element::removedFrom):
        
    Remove calls to insertedInto/removedFrom for pseudo elements. They are not considered to be in document.
    When they are added normally during rende...
parent d0e29b01
2013-08-20 Antti Koivisto <antti@apple.com>
<https://webkit.org/b/119969> REGRESSION (r154232): Crash on the japantimes.co.jp
Reviewed by Andreas Kling.
* fast/css-generated-content/insert-stylesheet-and-pseudo-crash-expected.txt: Added.
* fast/css-generated-content/insert-stylesheet-and-pseudo-crash.html: Added.
2013-08-20 Simon Pena <simon.pena@samsung.com>
 
<https://webkit.org/b/117584> [GTK][WK1] http/tests/loading/unfinished-load-back-to-cached-page-callbacks.html is failing
<script src="../js/resources/js-test-pre.js"></script>
<body>
<script>
var style = document.createElement("style");
style.innerText = '#test:before { content: "before"; } #test:after { content: "after"; }';
var span = document.createElement("span");
span.id = "test";
var div = document.createElement("div");
div.appendChild(style);
div.appendChild(span);
document.body.appendChild(div);
</script>
<script src="../js/resources/js-test-post.js"></script>
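Review bot: the new test page states nowhere what it is checking; it passes by simply not crashing, so the expected output does not convey the intent. Add a `description(...)` call (js-test-pre.js provides one) or an HTML comment saying that inserting a `<style>` carrying `#test:before`/`#test:after` rules together with the `#test` element it targets must not crash. Setting the sheet text via `textContent` rather than `innerText` would also be the more conventional choice for a `<style>` element.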
2013-08-20 Antti Koivisto <antti@apple.com>
<https://webkit.org/b/119969> REGRESSION (r154232): Crash on the japantimes.co.jp
Reviewed by Andreas Kling.
PseudoElement no longer has parent and calling Element::insertedInto for them crashes as it tries to access it.
Normally there are no pseudo elements when Element::insertedInto() is invoked as they get detached and attached
along with rendering. However in this case the page inserts a <style> that uses ::before along with an element
that it applies to. Stylesheet insertion triggers synchronous style recalc that attaches rendering to all newly
insered elements. Later Element::insertedInto gets called for the element that has pseudo element and we crash.
Test: fast/css-generated-content/insert-stylesheet-and-pseudo-crash.html
* dom/Element.cpp:
(WebCore::Element::insertedInto):
(WebCore::Element::removedFrom):
Remove calls to insertedInto/removedFrom for pseudo elements. They are not considered to be in document.
When they are added normally during render tree attach these calls don't happen either.
2013-08-20 Ryosuke Niwa <rniwa@webkit.org>
 
Windows build fix after r154314.
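Review bot: typo in the added ChangeLog text: "insered elements" should read "inserted elements".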
......@@ -1284,12 +1284,6 @@ Node::InsertionNotificationRequest Element::insertedInto(ContainerNode* insertio
setContainsFullScreenElementOnAncestorsCrossingFrameBoundaries(true);
#endif
if (Element* before = pseudoElement(BEFORE))
before->insertedInto(insertionPoint);
if (Element* after = pseudoElement(AFTER))
after->insertedInto(insertionPoint);
if (!insertionPoint->isInTreeScope())
return InsertionDone;
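Review bot: dropping the `before->insertedInto(insertionPoint)` and `after->insertedInto(insertionPoint)` calls is the right fix given that a PseudoElement has no parent, but nothing in the change enforces that invariant; a debug assertion that pseudo elements never reach `Element::insertedInto` would turn a future regression into an assertion failure instead of a crash. Note also that the deleted lines ran before the `if (!insertionPoint->isInTreeScope()) return InsertionDone;` early return, so the crash was reachable even for insertions outside a tree scope.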
......@@ -1331,12 +1325,6 @@ void Element::removedFrom(ContainerNode* insertionPoint)
bool wasInDocument = insertionPoint->document();
#endif
if (Element* before = pseudoElement(BEFORE))
before->removedFrom(insertionPoint);
if (Element* after = pseudoElement(AFTER))
after->removedFrom(insertionPoint);
#if ENABLE(DIALOG_ELEMENT)
document()->removeFromTopLayer(this);
#endif
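Review bot: this mirrors the insertedInto hunk, so pseudo elements now receive neither notification. That is consistent with the ChangeLog statement that pseudo elements created during render-tree attach never got these calls, but it is worth confirming that nothing done in `PseudoElement::insertedInto`/`removedFrom` (not visible here) registered document-level state that now goes uncleaned on detach; the layout test only covers the crash, not stale state after removal.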