Regression(r129406): Fix the scope of the WidgetHierarchyUpdateSuspensionScope in...
authortsepez@chromium.org <tsepez@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 27 Nov 2012 21:50:15 +0000 (21:50 +0000)
committertsepez@chromium.org <tsepez@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 27 Nov 2012 21:50:15 +0000 (21:50 +0000)
https://bugs.webkit.org/show_bug.cgi?id=100803

Reviewed by Abhishek Arya.

Source/WebCore:

Ensures that the suspension scope has gone out of scope before calling into
resumePostAttachCallbacks().

Test: fast/dom/adopt-node-crash-2.html

* dom/Element.cpp:
(WebCore::Element::attach):

LayoutTests:

* fast/dom/adopt-node-crash-2-expected.txt: Added.
* fast/dom/adopt-node-crash-2.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@135914 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/dom/adopt-node-crash-2-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/adopt-node-crash-2.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/Element.cpp

index 6fa323f..88836d5 100644 (file)
@@ -1,3 +1,13 @@
+2012-11-27  Tom Sepez  <tsepez@chromium.org>
+
+        Regression(r129406): Fix the scope of the WidgetHierarchyUpdateSuspensionScope in Element::Attach().
+        https://bugs.webkit.org/show_bug.cgi?id=100803
+
+        Reviewed by Abhishek Arya.
+
+        * fast/dom/adopt-node-crash-2-expected.txt: Added.
+        * fast/dom/adopt-node-crash-2.html: Added.
+
 2012-11-27  Tony Chang  <tony@chromium.org>
 
         Remove hidden limiter div in the input slider shadow DOM
diff --git a/LayoutTests/fast/dom/adopt-node-crash-2-expected.txt b/LayoutTests/fast/dom/adopt-node-crash-2-expected.txt
new file mode 100644 (file)
index 0000000..ec981ea
--- /dev/null
@@ -0,0 +1,2 @@
+Tests for a crash due to adopting a DOM node during DOMFocusOut event. Test passes if it doesn't crash.
+
diff --git a/LayoutTests/fast/dom/adopt-node-crash-2.html b/LayoutTests/fast/dom/adopt-node-crash-2.html
new file mode 100644 (file)
index 0000000..1c1566a
--- /dev/null
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+<div>Tests for a crash due to adopting a DOM node during DOMFocusOut event. Test passes if it doesn't crash.</div>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+</script>
+<div id="div1"></div>
+<div id="div2">
+  <applet>
+    <iframe srcdoc="<iframe srcdoc=''>">
+    </iframe>
+  </applet>
+  <header id="header1">
+    <keygen autofocus>
+  </header>
+</div>
+<script>
+function doit()
+{
+    div2.addEventListener("DOMFocusOut", function () { document.implementation.createDocument("", "", null).adoptNode(div2); }, false);
+    div1.outerHTML = header1.outerHTML;
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+document.addEventListener("DOMContentLoaded", setTimeout("doit()", 1), false);
+</script>
+</html>
index 0747a7d..6eac19b 100644 (file)
@@ -1,3 +1,18 @@
+2012-11-27  Tom Sepez  <tsepez@chromium.org>
+
+        Regression(r129406): Fix the scope of the WidgetHierarchyUpdateSuspensionScope in Element::Attach().
+        https://bugs.webkit.org/show_bug.cgi?id=100803
+
+        Reviewed by Abhishek Arya.
+
+        Ensures that the suspension scope has gone out of scope before calling into
+        resumePostAttachCallbacks().
+        
+        Test: fast/dom/adopt-node-crash-2.html
+
+        * dom/Element.cpp:
+        (WebCore::Element::attach):
+
 2012-11-27  Tony Chang  <tony@chromium.org>
 
         Remove hidden limiter div in the input slider shadow DOM
index 8f2fb7e..146c2bf 100644 (file)
@@ -1198,34 +1198,34 @@ void Element::createRendererIfNeeded()
 void Element::attach()
 {
     suspendPostAttachCallbacks();
-    WidgetHierarchyUpdatesSuspensionScope suspendWidgetHierarchyUpdates;
-
-    createRendererIfNeeded();
+    {
+        WidgetHierarchyUpdatesSuspensionScope suspendWidgetHierarchyUpdates;
+        createRendererIfNeeded();
 
-    StyleResolverParentPusher parentPusher(this);
+        StyleResolverParentPusher parentPusher(this);
 
-    if (parentElement() && parentElement()->isInCanvasSubtree())
-        setIsInCanvasSubtree(true);
+        if (parentElement() && parentElement()->isInCanvasSubtree())
+            setIsInCanvasSubtree(true);
 
-    // When a shadow root exists, it does the work of attaching the children.
-    if (ElementShadow* shadow = this->shadow()) {
-        parentPusher.push();
-        shadow->attach();
-    } else {
-        if (firstChild())
+        // When a shadow root exists, it does the work of attaching the children.
+        if (ElementShadow* shadow = this->shadow()) {
             parentPusher.push();
-    }
-    ContainerNode::attach();
+            shadow->attach();
+        } else {
+            if (firstChild())
+                parentPusher.push();
+        }
+        ContainerNode::attach();
 
-    if (hasRareData()) {   
-        ElementRareData* data = elementRareData();
-        if (data->needsFocusAppearanceUpdateSoonAfterAttach()) {
-            if (isFocusable() && document()->focusedNode() == this)
-                document()->updateFocusAppearanceSoon(false /* don't restore selection */);
-            data->setNeedsFocusAppearanceUpdateSoonAfterAttach(false);
+        if (hasRareData()) {   
+            ElementRareData* data = elementRareData();
+            if (data->needsFocusAppearanceUpdateSoonAfterAttach()) {
+                if (isFocusable() && document()->focusedNode() == this)
+                    document()->updateFocusAppearanceSoon(false /* don't restore selection */);
+                data->setNeedsFocusAppearanceUpdateSoonAfterAttach(false);
+            }
         }
     }
-
     resumePostAttachCallbacks();
 }