An assertion failure inside removeChildren
author rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 15 Feb 2017 09:57:28 +0000 (09:57 +0000)
committer rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 15 Feb 2017 09:57:28 +0000 (09:57 +0000)
commit 5a35f7e3bff6b0cc447d0c7e25e0c3ee3c911f6a
tree 6ec8a9283cb3ef400e6ed6c258c7655bccb7e096
parent ecc71e88db401656688f79fb438283db0c860944
An assertion failure inside removeChildren
https://bugs.webkit.org/show_bug.cgi?id=168069

Reviewed by Brent Fulgham.

Source/WebCore:

The bug was caused by notifyRemovePendingSheet executing scripts synchronously where it shouldn't.

Removed the call to notifyRemovePendingSheetIfNeeded in notifyChildNodeRemoved. Instead, invoke it
in its call sites when they're safe.

Test: http/tests/security/move-iframe-within-focus-handler-inside-removal.html

* dom/ContainerNode.cpp:
(WebCore::ContainerNode::takeAllChildrenFrom):
(WebCore::ContainerNode::notifyChildInserted):
(WebCore::ContainerNode::removeChild):
(WebCore::ContainerNode::parserRemoveChild):
(WebCore::ContainerNode::replaceAllChildren):
(WebCore::ContainerNode::removeChildren):
* dom/ContainerNodeAlgorithms.cpp:
(WebCore::notifyChildNodeRemoved):

LayoutTests:

* http/tests/security/move-iframe-within-focus-handler-inside-removal-expected.txt: Added.
* http/tests/security/move-iframe-within-focus-handler-inside-removal.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@212354 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/http/tests/security/move-iframe-within-focus-handler-inside-removal-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/move-iframe-within-focus-handler-inside-removal.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/ContainerNode.cpp
Source/WebCore/dom/ContainerNodeAlgorithms.cpp
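
The pattern the commit message describes, as an added toy model that is not WebKit code: a removal notification that can run script is fired from inside the child-removal loop (before), versus from the call site once the mutation has finished (after). `Container`, `onChildRemoved`, `removeChildrenUnsafe`, `removeChildrenSafe` and `scriptRanDuringMutation` are hypothetical names, and the `reentered` flag stands in for the condition a debug assertion would check.

```cpp
#include <cstddef>
#include <functional>
#include <vector>

// Toy model with hypothetical names (not WebKit code): a container whose
// removal notification may run arbitrary script supplied by the page.
struct Container {
    std::vector<int> children;                       // stand-in for DOM child nodes
    std::function<void(Container&)> onChildRemoved;  // notification that may run script
    bool mutating = false;   // true while the child list is mid-update
    bool reentered = false;  // set if script ran while mutating was true

    void notify() {
        if (mutating) reentered = true;  // the condition an assertion would catch
        if (onChildRemoved) onChildRemoved(*this);
    }

    // Before: the notification fires inside the removal loop.
    void removeChildrenUnsafe() {
        mutating = true;
        while (!children.empty()) {
            children.pop_back();
            notify();  // script observes and can change a half-removed list
        }
        mutating = false;
    }

    // After: finish the mutation first, then notify from the call site.
    void removeChildrenSafe() {
        mutating = true;
        std::size_t removed = children.size();
        children.clear();
        mutating = false;
        for (std::size_t i = 0; i < removed; ++i) notify();
    }
};

// Runs one variant on constructed input with a script that re-inserts a node
// once; returns whether script executed while the child list was mid-update.
bool scriptRanDuringMutation(bool safe) {
    Container c;
    c.children = {1, 2, 3};
    bool inserted = false;
    c.onChildRemoved = [&](Container& self) {
        if (!inserted) { inserted = true; self.children.push_back(99); }
    };
    if (safe) c.removeChildrenSafe(); else c.removeChildrenUnsafe();
    return c.reentered;
}
```
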