Many textarea tests leak documents because Document::removeFocusNavigationNodeOfSubtr...
author simon.fraser@apple.com <simon.fraser@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 10 Sep 2018 21:42:45 +0000 (21:42 +0000)
committer simon.fraser@apple.com <simon.fraser@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 10 Sep 2018 21:42:45 +0000 (21:42 +0000)
commit c037933edb987fd4b3f3bc5d76790c2939e16cca
tree b2dd23d206d75e07d0155e5bce569217ed12f74c
parent f6ef52033f98b73ef3a8cdcda769d84054df8296
Many textarea tests leak documents because Document::removeFocusNavigationNodeOfSubtree() can trigger a Document retain cycle
https://bugs.webkit.org/show_bug.cgi?id=188722

Reviewed by Ryosuke Niwa.

Fix a retain cycle created when Document::adjustFocusNavigationNodeOnNodeRemoval() sets
m_focusNavigationStartingNode to itself. m_focusNavigationStartingNode is a Node* (not sure why it's not an Element*),
making it possible to assign the Document to it, which creates a reference to the document which prevents
Document::removedLastRef() ever running and doing the necessary cleanup.

Fix by setting m_focusNavigationStartingNode to null if code tries to set it to the Document. This can happen
when an element is focused and the page calls document.write(), which removes all children.

Will be tested by future leak testing. Fixes the document leak in at least the following tests:
  fast/forms/append-children-during-form-submission.html
  fast/forms/empty-textarea-toggle-disabled.html
  fast/forms/textarea-paste-newline.html
  fast/forms/textarea-trailing-newline.html

* dom/Document.cpp:
(WebCore::Document::setFocusNavigationStartingNode):
(WebCore::Document::adjustFocusNavigationNodeOnNodeRemoval):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235863 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/WebCore/ChangeLog
Source/WebCore/dom/Document.cpp
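
The retain cycle described in the commit message above, as an added illustration that is not WebKit code: `ToyNode`, `ToyDocument`, `rejectSelf` and `documentOutlivesOwners` are hypothetical names, and `std::shared_ptr` stands in for WebKit's reference counting. It shows a document that stores a strong reference to itself surviving its last external owner, and the same sequence with a setter that stores null instead.

```cpp
#include <cstdio>
#include <memory>
#include <utility>

// Simplified model, not WebKit code: std::shared_ptr stands in for RefPtr<Node>.
struct ToyNode : std::enable_shared_from_this<ToyNode> {
    virtual ~ToyNode() = default;
};

struct ToyDocument : ToyNode {
    bool rejectSelf; // hypothetical switch: true models the fixed setter
    std::shared_ptr<ToyNode> focusNavigationStartingNode; // strong reference

    explicit ToyDocument(bool reject) : rejectSelf(reject) {}

    void setFocusNavigationStartingNode(std::shared_ptr<ToyNode> node) {
        // The fix from the commit message: store null rather than the document.
        if (rejectSelf && node.get() == this)
            node = nullptr;
        focusNavigationStartingNode = std::move(node);
    }

    // Assumption: removing every child leaves the document as the fallback node.
    void adjustAfterAllChildrenRemoved() {
        setFocusNavigationStartingNode(shared_from_this());
    }
};

// True if the document is still alive after its last external owner is gone.
bool documentOutlivesOwners(bool rejectSelf) {
    std::weak_ptr<ToyDocument> observer;
    {
        auto doc = std::make_shared<ToyDocument>(rejectSelf);
        observer = doc;
        doc->setFocusNavigationStartingNode(std::make_shared<ToyNode>()); // focused element
        doc->adjustAfterAllChildrenRemoved();
    } // last external reference dropped here
    bool leaked = !observer.expired();
    if (auto d = observer.lock())
        d->focusNavigationStartingNode = nullptr; // break the cycle so the demo cleans up
    return leaked;
}

int main() {
    std::printf("unguarded setter leaks document: %d\n", documentOutlivesOwners(false));
    std::printf("guarded setter leaks document:   %d\n", documentOutlivesOwners(true));
}
```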