https://bugs.webkit.org/show_bug.cgi?id=178974
<rdar://problem/35234372>
Reviewed by Brent Fulgham.
Source/WebCore:
The bug was caused by HTMLConstructionSite::insertTextNode constructing an ill-formed tree
when fostering parent under a template element by adjusting HTMLConstructionSiteTask's parent
without clearing nextChild. Fixed the crash by simply removing this code since executeTask
already takes care of fostering the parent in static inline insert(HTMLConstructionSiteTask&).
Test: fast/parser/foster-parent-under-template.html
* html/parser/HTMLConstructionSite.cpp:
(WebCore::HTMLConstructionSite::insertTextNode):
LayoutTests:
Add a regression test.
* fast/parser/foster-parent-inside-template-expected.txt: Added.
* fast/parser/foster-parent-inside-template.html: Added.
* resources/dump-as-markup.js:
(Markup._get): Fixed the bug that this code would always throw an exception inside a browser.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@224199 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+2017-10-27 Ryosuke Niwa <rniwa@webkit.org>
+
+ Crash in addChildNodesToDeletionQueue
+ https://bugs.webkit.org/show_bug.cgi?id=178974
+ <rdar://problem/35234372>
+
+ Reviewed by Brent Fulgham.
+
+ Add a regression test.
+
+ * fast/parser/foster-parent-inside-template-expected.txt: Added.
+ * fast/parser/foster-parent-inside-template.html: Added.
+ * resources/dump-as-markup.js:
+ (Markup._get): Fixed the bug that this code would always throw an exception inside a browser.
+
2017-10-30 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r224078.
--- /dev/null
+This tests running the foster parent algorithm under a template element. WebKit should not hit any debug assertions.
+| "
+"
+| <template>
+| content
+| "
+ hello
+ "
+| <table>
+| "
+ "
+| <script>
+| "
+ document.querySelector('template').appendChild(document.querySelector('table'));
+ "
+| <caption>
+| "hello"
+| "
+ "
+| <tbody>
+| <tr>
+| "
+ "
+| <th>
+| <shadow>
+| "hello"
+| "
+ "
+| "
+ "
+| <tr>
+| "
+"
+| "
+
+
+
+"
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="../../resources/dump-as-markup.js"></script>
+<script>
+document.addEventListener('DOMContentLoaded', () => {
+ Markup.description('This tests running the foster parent algorithm under a template element. WebKit should not hit any debug assertions.');
+ Markup.dump(document.body);
+});
+</script>
+</head>
+<body>
+<template></template>
+<table>
+ <script>
+ document.querySelector('template').appendChild(document.querySelector('table'));
+ </script><caption>hello</caption>
+ <tr>
+ <th><shadow>hello</shadow></th>
+ </tr>
+ <tr>
+ hello
+ </tr>
+</table>
+</body>
+</html>
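Review bot: Markup.description in this test only promises that WebKit should not hit any debug assertions, so on a release build the test can fail only through a difference in the dumped markup. The bug title names a crash in addChildNodesToDeletionQueue, which suggests the failure surfaces when the subtree is torn down; consider also removing the table (or clearing the template) after Markup.dump so that the deletion path runs inside the test itself. A one-line comment next to the bare hello inside the second <tr>, noting that it is the text that gets foster parented, would help future readers see what the test exercises.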
break;
case Node.DOCUMENT_FRAGMENT_NODE:
- if (shadowRootList && internals.address(node) in shadowRootList)
+ if (shadowRootList && window.internals && internals.address(node) in shadowRootList)
str += "<shadow:root>";
else
str += "content";
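Review bot: with the window.internals guard in the DOCUMENT_FRAGMENT_NODE case, every document fragment dumped in a browser falls through to the else branch and is labelled content, so a shadow root and a template's content fragment become indistinguishable outside the test runner. That is probably acceptable for a debugging aid, but a short comment above the condition saying that internals is only available in the test runner, and that the label is best-effort without it, would make the intent clear.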
+2017-10-27 Ryosuke Niwa <rniwa@webkit.org>
+
+ Crash in addChildNodesToDeletionQueue
+ https://bugs.webkit.org/show_bug.cgi?id=178974
+ <rdar://problem/35234372>
+
+ Reviewed by Brent Fulgham.
+
+ The bug was caused by HTMLConstructionSite::insertTextNode constructing an ill-formed tree
+ when fostering parent under a template element by adjusting HTMLConstructionSiteTask's parent
+ without clearing nextChild. Fixed the crash by simply removing this code since executeTask
+ already takes care of fostering the parent in static inline insert(HTMLConstructionSiteTask&).
+
+ Test: fast/parser/foster-parent-under-template.html
+
+ * html/parser/HTMLConstructionSite.cpp:
+ (WebCore::HTMLConstructionSite::insertTextNode):
+
2017-10-30 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r224078.
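Review bot: the Test: line names fast/parser/foster-parent-under-template.html, but the files this commit adds, per the LayoutTests entry, are fast/parser/foster-parent-inside-template.html and its -expected.txt. Update the Test: line to the actual file name so the ChangeLog points at a test that exists.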
if (shouldFosterParent())
findFosterSite(task);
- if (is<HTMLTemplateElement>(*task.parent))
- task.parent = &downcast<HTMLTemplateElement>(*task.parent).content();
-
// Strings composed entirely of whitespace are likely to be repeated.
// Turn them into AtomicString so we share a single string for each.
bool shouldUseAtomicString = whitespaceMode == AllWhitespace || (whitespaceMode == WhitespaceUnknown && isAllWhitespace(characters));
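Review bot: the removed is<HTMLTemplateElement> check sat after the shouldFosterParent() branch, not inside it, so it also redirected task.parent to content() for text inserted directly into a template with no fostering involved. The commit message says insert(HTMLConstructionSiteTask&) already handles this, but that function is not part of this diff; please confirm it covers the non-fostered path as well, and consider adding a plain <template>text</template> case to the new test so both paths are pinned down.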