Crash inside moveOutOfAllShadowRoots
author rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 7 Jun 2016 02:40:10 +0000 (02:40 +0000)
committer rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 7 Jun 2016 02:40:10 +0000 (02:40 +0000)
commit b454265d4f97b891c57bf31c0e1b60cc1f631988
tree 891e86beeb842fb2164d75e6689e2c34a8ad6dec
parent 51fc1cee8a18e913dc2425295d62bc649bdca3ec
Crash inside moveOutOfAllShadowRoots
https://bugs.webkit.org/show_bug.cgi?id=158378

Reviewed by Antti Koivisto.

Source/WebCore:

The bug was caused by InShadowTreeFlag not being cleared when a shadow host or its ancestor was removed
due to addChildNodesToDeletionQueue not invoking notifyChildNodeRemoved when a node was in a shadow tree
but not in a document.

Fixed the bug by invoking notifyChildNodeRemoved when the removed node is either in a shadow tree
or it's in a shadow tree. Also fixed a bug in VTTCue::~VTTCue that it was trying to remove the display
tree even when the owner document was being destroyed. This results in various assertions being hit.

Test: fast/shadow-dom/shadow-host-removal-crash.html

* dom/ContainerNodeAlgorithms.cpp:
(WebCore::addChildNodesToDeletionQueue):
* html/track/VTTCue.cpp:
(WebCore::VTTCue::~VTTCue):

LayoutTests:

Added a regression test that reproduced the crash reliably at least on my machine.

* fast/shadow-dom/shadow-host-removal-crash-expected.txt: Added.
* fast/shadow-dom/shadow-host-removal-crash.html: Added.
* platform/ios-simulator/TestExpectations:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@201736 268f45cc-cd09-0410-ab3c-d52691b4dbfc
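The bookkeeping failure the commit message describes, as an added example that is not WebCore's code and not part of this commit: a small model in which every node carries an "in document" and an "in shadow tree" flag, a host is first detached from its document and then destroyed, and the deletion-queue walk either clears the flags only for nodes still in a document (the pre-patch condition) or also for nodes that are merely in a shadow tree (the condition the patch describes). A final walk that trusts the in-shadow-tree flag and climbs parents expecting a shadow root stands in for what moveOutOfAllShadowRoots relied on. The `Node` struct, its `inDocument`/`inShadowTree` fields, the `Fixture` builder and the function bodies are assumptions of this model; only the function names are taken from the commit.

```cpp
// Added example, not WebCore's code: a model of the flag bookkeeping in the commit message.
#include <cassert>
#include <cstdio>
#include <vector>

struct Node {
    bool inDocument = false;      // assumption: models Node's "in document" state
    bool inShadowTree = false;    // assumption: models InShadowTreeFlag
    bool isShadowRoot = false;
    Node* parent = nullptr;
    std::vector<Node*> children;  // light children
    Node* shadowRoot = nullptr;   // non-null when this node is a shadow host
};

// When a host leaves (or joins) a document, the change propagates through its
// light children and into its shadow tree, but the shadow-tree flag is untouched.
static void setInDocument(Node& n, bool value) {
    n.inDocument = value;
    for (Node* c : n.children) setInDocument(*c, value);
    if (n.shadowRoot) setInDocument(*n.shadowRoot, value);
}

// Model of notifyChildNodeRemoved: a removed node is neither in a document nor
// in a shadow tree any more, so both flags are cleared.
static void notifyChildNodeRemoved(Node& n) {
    n.inDocument = false;
    n.inShadowTree = false;
}

// Queues a subtree for deletion. With fixed == false only nodes in a document are
// notified (pre-patch); with fixed == true nodes in a shadow tree are notified too.
// Detaching the pointers afterwards stands in for the nodes being destroyed.
static void queueSubtreeForDeletion(Node& n, bool fixed, std::vector<Node*>& queue) {
    bool shouldNotify = fixed ? (n.inDocument || n.inShadowTree) : n.inDocument;
    if (shouldNotify)
        notifyChildNodeRemoved(n);
    queue.push_back(&n);
    for (Node* c : n.children) queueSubtreeForDeletion(*c, fixed, queue);
    if (n.shadowRoot) queueSubtreeForDeletion(*n.shadowRoot, fixed, queue);
    n.children.clear();
    n.shadowRoot = nullptr;
    n.parent = nullptr;
}

// Model of addChildNodesToDeletionQueue: walks everything below `root`.
static void addChildNodesToDeletionQueue(Node& root, bool fixed, std::vector<Node*>& queue) {
    for (Node* c : root.children) queueSubtreeForDeletion(*c, fixed, queue);
    if (root.shadowRoot) queueSubtreeForDeletion(*root.shadowRoot, fixed, queue);
}

// Model of the consumer that crashed: trusts the in-shadow-tree flag and climbs
// parents expecting to reach a shadow root. Returns true when the flag promises
// an ancestor that no longer exists, i.e. the stale-flag condition behind the crash.
static bool flagPromisesMissingShadowRoot(const Node& n) {
    if (!n.inShadowTree) return false;
    for (const Node* p = n.parent; p; p = p->parent)
        if (p->isShadowRoot) return false;
    return true;
}

// Constructed scenario: document -> host -> shadow root -> span.
struct Fixture {
    Node document, host, shadowRoot, span;
    Fixture() {
        host.parent = &document;       document.children.push_back(&host);
        shadowRoot.isShadowRoot = true; shadowRoot.parent = &host; host.shadowRoot = &shadowRoot;
        span.parent = &shadowRoot;     shadowRoot.children.push_back(&span);
        setInDocument(document, true);
        span.inShadowTree = true;
    }
};

// While everything is attached the walk finds the shadow root (returns true).
bool attachedWalkFindsShadowRoot() {
    Fixture f;
    return !flagPromisesMissingShadowRoot(f.span);
}

// Detach the host from the document, then destroy it. Returns true when the span's
// shadow-tree flag is left stale, which is what the pre-patch logic does.
bool shadowChildFlagStaleAfterTeardown(bool fixed) {
    Fixture f;
    f.document.children.clear();
    f.host.parent = nullptr;
    setInDocument(f.host, false);          // now "in shadow tree but not in a document"
    std::vector<Node*> deletionQueue;
    addChildNodesToDeletionQueue(f.host, fixed, deletionQueue);
    return flagPromisesMissingShadowRoot(f.span);
}

int main() {
    std::printf("attached walk finds shadow root: %d\n", attachedWalkFindsShadowRoot());
    std::printf("stale flag, pre-patch logic:     %d\n", shadowChildFlagStaleAfterTeardown(false));
    std::printf("stale flag, patched logic:       %d\n", shadowChildFlagStaleAfterTeardown(true));
    return 0;
}
```

The model shows why the detach-then-destroy order matters: after `setInDocument(host, false)` the span is in a shadow tree but no longer in a document, so a notify condition keyed only on the document flag skips it and leaves `inShadowTree` set on a node whose ancestors are gone.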
LayoutTests/ChangeLog
LayoutTests/fast/shadow-dom/shadow-host-removal-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/shadow-dom/shadow-host-removal-crash.html [new file with mode: 0644]
LayoutTests/platform/ios-simulator/TestExpectations
Source/WebCore/ChangeLog
Source/WebCore/dom/ContainerNodeAlgorithms.cpp
Source/WebCore/html/track/VTTCue.cpp