Reparenting during a mutation event inside appendChild could result in a circular...
author rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 19 Mar 2019 22:25:44 +0000 (22:25 +0000)
committer rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 19 Mar 2019 22:25:44 +0000 (22:25 +0000)
commit 41c84ac546848f2461840f70ff4d5951bc7786e8
tree b478fb0947f481461727976a27825eed07e05130
parent 663f62300c5f68674980fa8462eded6733828336
Reparenting during a mutation event inside appendChild could result in a circular DOM tree
https://bugs.webkit.org/show_bug.cgi?id=192825

Reviewed by Zalan Bujtas.

Source/WebCore:

The bug was caused by appendChildWithoutPreInsertionValidityCheck, insertBefore and replaceChild
checking the circular dependency against newChild instead of targets even though when newChild
is a document fragment, appendChildWithoutPreInsertionValidityCheck inserts the children of
the document fragment. Fixed the bug by checking the circular dependency against each target child.

Also fixed the bug that checkAcceptChildGuaranteedNodeTypes was not considering shadow inclusive
ancestors or template host elements.

Tests: fast/dom/append-child-with-mutation-event-removal-and-circular-insertion.html
       fast/dom/append-child-with-mutation-event-removal-and-circular-shadow-insertion.html
       fast/dom/append-child-with-mutation-event-removal-and-circular-template-insertion.html
       fast/dom/insert-child-with-mutation-event-removal-and-circular-insertion.html
       fast/dom/insert-child-with-mutation-event-removal-and-circular-shadow-insertion.html
       fast/dom/insert-child-with-mutation-event-removal-and-circular-template-insertion.html
       fast/dom/replace-child-with-mutation-event-removal-and-circular-insertion.html
       fast/dom/replace-child-with-mutation-event-removal-and-circular-shadow-insertion.html
       fast/dom/replace-child-with-mutation-event-removal-and-circular-template-insertion.html

* dom/ContainerNode.cpp:
(WebCore::checkAcceptChildGuaranteedNodeTypes):
(WebCore::ContainerNode::insertBefore):
(WebCore::ContainerNode::replaceChild):
(WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck):

LayoutTests:

Added regression tests.

* fast/dom/append-child-with-mutation-event-removal-and-circular-insertion-expected.txt: Added.
* fast/dom/append-child-with-mutation-event-removal-and-circular-insertion.html: Added.
* fast/dom/append-child-with-mutation-event-removal-and-circular-shadow-insertion-expected.txt: Added.
* fast/dom/append-child-with-mutation-event-removal-and-circular-shadow-insertion.html: Added.
* fast/dom/append-child-with-mutation-event-removal-and-circular-template-insertion-expected.txt: Added.
* fast/dom/append-child-with-mutation-event-removal-and-circular-template-insertion.html: Added.
* fast/dom/insert-child-with-mutation-event-removal-and-circular-insertion-expected.txt: Added.
* fast/dom/insert-child-with-mutation-event-removal-and-circular-insertion.html: Added.
* fast/dom/insert-child-with-mutation-event-removal-and-circular-shadow-insertion-expected.txt: Added.
* fast/dom/insert-child-with-mutation-event-removal-and-circular-shadow-insertion.html: Added.
* fast/dom/insert-child-with-mutation-event-removal-and-circular-template-insertion-expected.txt: Added.
* fast/dom/insert-child-with-mutation-event-removal-and-circular-template-insertion.html: Added.
* fast/dom/replace-child-with-mutation-event-removal-and-circular-insertion-expected.txt: Added.
* fast/dom/replace-child-with-mutation-event-removal-and-circular-insertion.html: Added.
* fast/dom/replace-child-with-mutation-event-removal-and-circular-shadow-insertion-expected.txt: Added.
* fast/dom/replace-child-with-mutation-event-removal-and-circular-shadow-insertion.html: Added.
* fast/dom/replace-child-with-mutation-event-removal-and-circular-template-insertion-expected.txt: Added.
* fast/dom/replace-child-with-mutation-event-removal-and-circular-template-insertion.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243175 268f45cc-cd09-0410-ab3c-d52691b4dbfc
21 files changed:
LayoutTests/ChangeLog
LayoutTests/fast/dom/append-child-with-mutation-event-removal-and-circular-insertion-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/append-child-with-mutation-event-removal-and-circular-insertion.html [new file with mode: 0644]
LayoutTests/fast/dom/append-child-with-mutation-event-removal-and-circular-shadow-insertion-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/append-child-with-mutation-event-removal-and-circular-shadow-insertion.html [new file with mode: 0644]
LayoutTests/fast/dom/append-child-with-mutation-event-removal-and-circular-template-insertion-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/append-child-with-mutation-event-removal-and-circular-template-insertion.html [new file with mode: 0644]
LayoutTests/fast/dom/insert-child-with-mutation-event-removal-and-circular-insertion-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/insert-child-with-mutation-event-removal-and-circular-insertion.html [new file with mode: 0644]
LayoutTests/fast/dom/insert-child-with-mutation-event-removal-and-circular-shadow-insertion-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/insert-child-with-mutation-event-removal-and-circular-shadow-insertion.html [new file with mode: 0644]
LayoutTests/fast/dom/insert-child-with-mutation-event-removal-and-circular-template-insertion-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/insert-child-with-mutation-event-removal-and-circular-template-insertion.html [new file with mode: 0644]
LayoutTests/fast/dom/replace-child-with-mutation-event-removal-and-circular-insertion-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/replace-child-with-mutation-event-removal-and-circular-insertion.html [new file with mode: 0644]
LayoutTests/fast/dom/replace-child-with-mutation-event-removal-and-circular-shadow-insertion-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/replace-child-with-mutation-event-removal-and-circular-shadow-insertion.html [new file with mode: 0644]
LayoutTests/fast/dom/replace-child-with-mutation-event-removal-and-circular-template-insertion-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/replace-child-with-mutation-event-removal-and-circular-template-insertion.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/ContainerNode.cpp
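
The failure mode the commit message describes, reduced to a toy tree model as an added example (not WebCore code and not part of the original commit). `Node`, `Check`, `appendChild`, `hasCycle` and `scenarioCreatesCycle` are hypothetical names, and `onRemoved` stands in for a mutation event handler; the point is that re-validating against the fragment after removal handlers run misses a cycle that re-validating against each target child catches.

```cpp
// Toy tree model constructed for illustration; not WebCore code.
#include <algorithm>
#include <functional>
#include <vector>

struct Node {
    Node* parent = nullptr;
    std::vector<Node*> children;
    bool isFragment = false;
    std::function<void(Node&)> onRemoved; // stands in for a mutation event handler
    bool contains(const Node* n) const { // is *this an inclusive ancestor of n?
        for (; n; n = n->parent) if (n == this) return true;
        return false;
    }
    void detach() {
        if (!parent) return;
        auto& s = parent->children;
        s.erase(std::remove(s.begin(), s.end(), this), s.end());
        parent = nullptr;
        if (onRemoved) onRemoved(*this); // handler may reparent any node
    }
    void attach(Node& c) { c.detach(); c.parent = this; children.push_back(&c); }
};
enum class Check { NewChildOnly, EachTarget };

bool appendChild(Node& parent, Node& newChild, Check mode) {
    if (newChild.contains(&parent)) return false; // pre-insertion validity check
    std::vector<Node*> targets{&newChild};
    if (newChild.isFragment) targets = newChild.children; // a fragment inserts its children
    for (Node* t : targets) t->detach(); // handlers run here
    for (Node* t : targets) // re-validate after handlers ran
        if ((mode == Check::NewChildOnly ? &newChild : t)->contains(&parent)) return false;
    for (Node* t : targets)
        if (!t->parent) { t->parent = &parent; parent.children.push_back(t); }
    return true;
}
bool hasCycle(const Node* n) { // Floyd's check over the parent chain
    for (const Node* fast = n; fast && fast->parent;) {
        n = n->parent; fast = fast->parent->parent;
        if (n == fast) return true;
    }
    return false;
}
bool scenarioCreatesCycle(Check mode) {
    Node container, fragment, target;
    fragment.isFragment = true; fragment.attach(target);
    target.onRemoved = [&](Node& self) { self.attach(container); };
    appendChild(container, fragment, mode);
    return hasCycle(&container);
}
```

In the `NewChildOnly` run the fragment is already empty when it is re-checked, so the check passes and the target is inserted under a container that the handler has just made its own descendant.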