Using image map inside a shadow tree results hits a release assert in DocumentOrdered...
authorrniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 3 May 2018 21:34:10 +0000 (21:34 +0000)
committerrniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 3 May 2018 21:34:10 +0000 (21:34 +0000)
commit107dade5e8301428d02a4ab6cf2344207dbee612
treec92ccb8db2d864352d3e6d99e44cca66ae2260e5
parente139d37f497409288994f920ce177964cb54788f
Using image map inside a shadow tree results hits a release assert in DocumentOrderedMap::add
https://bugs.webkit.org/show_bug.cgi?id=185238

Reviewed by Antti Koivisto.

Source/WebCore:

The bug was caused by DocumentOrderedMap for the image elements with usemap being stored in Document
even if those image elements were in a shadow tree. Fixed the bug by moving the map to TreeScope.

Test: fast/images/imagemap-in-nested-shadow-tree.html
      fast/images/imagemap-in-shadow-tree.html

* dom/Document.cpp:
(WebCore::Document::addImageElementByUsemap): Moved to TreeScope.
(WebCore::Document::removeImageElementByUsemap): Ditto.
(WebCore::Document::imageElementByUsemap const): Ditto.
* dom/Document.h:
* dom/TreeScope.cpp:
(WebCore::TreeScope::destroyTreeScopeData): Clear m_imagesByUsemap as well as m_elementsByName.
(WebCore::TreeScope::getImageMap const): Removed the code to parse usemap. RenderImage::imageMap()
which used to call this function with the raw value of the usemap content attribute now calls it
via HTMLImageElement::associatedMapElement(), which uses the parsed usemap.
(WebCore::TreeScope::addImageElementByUsemap): Moved from Document.
(WebCore::TreeScope::removeImageElementByUsemap): Ditto.
(WebCore::TreeScope::imageElementByUsemap const): Ditto.
* dom/TreeScope.h:
* html/HTMLImageElement.cpp:
(WebCore::HTMLImageElement::parseAttribute):
(WebCore::HTMLImageElement::insertedIntoAncestor): This image element can be associated with a map element
if it's connected to a document.
(WebCore::HTMLImageElement::removedFromAncestor):
(WebCore::HTMLImageElement::associatedMapElement const):
* html/HTMLImageElement.h:
* html/HTMLMapElement.cpp:
(WebCore::HTMLMapElement::imageElement):
* rendering/RenderImage.cpp:
(WebCore::RenderImage::imageMap const):

LayoutTests:

* fast/images/imagemap-in-nested-shadow-tree-expected.txt: Added.
* fast/images/imagemap-in-nested-shadow-tree.html: Added.
* fast/images/imagemap-in-shadow-tree-expected.txt: Added.
* fast/images/imagemap-in-shadow-tree.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@231329 268f45cc-cd09-0410-ab3c-d52691b4dbfc
14 files changed:
LayoutTests/ChangeLog
LayoutTests/fast/images/imagemap-in-shadow-tree-expected.txt [new file with mode: 0644]
LayoutTests/fast/images/imagemap-in-shadow-tree.html [new file with mode: 0644]
LayoutTests/http/tests/media/video-play-stall.html
LayoutTests/platform/mac/TestExpectations
Source/WebCore/ChangeLog
Source/WebCore/dom/Document.cpp
Source/WebCore/dom/Document.h
Source/WebCore/dom/TreeScope.cpp
Source/WebCore/dom/TreeScope.h
Source/WebCore/html/HTMLImageElement.cpp
Source/WebCore/html/HTMLImageElement.h
Source/WebCore/html/HTMLMapElement.cpp
Source/WebCore/rendering/RenderImage.cpp