Release assert in TreeScopeOrderedMap::remove via HTMLImageElement::removedFromAncestor
authorrniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 10 May 2018 00:08:40 +0000 (00:08 +0000)
committerrniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 10 May 2018 00:08:40 +0000 (00:08 +0000)
https://bugs.webkit.org/show_bug.cgi?id=185493

Reviewed by Brent Fulgham.

Source/WebCore:

Fixed the bug that HTMLImageElement::removedFromAncestor and HTMLMapElement::removedFromAncestor
were calling removeImageElementByUsemap on the document instead of the shadow tree from which it was removed.

Test: fast/images/imagemap-in-shadow-tree-removed.html

* html/HTMLImageElement.cpp:
(WebCore::HTMLImageElement::removedFromAncestor):
* html/HTMLMapElement.cpp:
(WebCore::HTMLMapElement::removedFromAncestor):

LayoutTests:

Added a regression test.

* fast/images/imagemap-in-shadow-tree-removed-expected.txt: Added.
* fast/images/imagemap-in-shadow-tree-removed.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@231621 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/images/imagemap-in-shadow-tree-removed-expected.txt [new file with mode: 0644]
LayoutTests/fast/images/imagemap-in-shadow-tree-removed.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/html/HTMLImageElement.cpp
Source/WebCore/html/HTMLMapElement.cpp

index b456dc2..d7e0571 100644 (file)
@@ -1,3 +1,15 @@
+2018-05-09  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Release assert in TreeScopeOrderedMap::remove via HTMLImageElement::removedFromAncestor
+        https://bugs.webkit.org/show_bug.cgi?id=185493
+
+        Reviewed by Brent Fulgham.
+
+        Added a regression test.
+
+        * fast/images/imagemap-in-shadow-tree-removed-expected.txt: Added.
+        * fast/images/imagemap-in-shadow-tree-removed.html: Added.
+
 2018-05-09  Joanmarie Diggs  <jdiggs@igalia.com>
 
         AX: Hidden nodes which are not directly referenced should not participate name/description from content
diff --git a/LayoutTests/fast/images/imagemap-in-shadow-tree-removed-expected.txt b/LayoutTests/fast/images/imagemap-in-shadow-tree-removed-expected.txt
new file mode 100644 (file)
index 0000000..ddef245
--- /dev/null
@@ -0,0 +1,4 @@
+This tests removing an image map area inside a shadow tree. WebKit should not hit any assertions.
+
+PASS
+
diff --git a/LayoutTests/fast/images/imagemap-in-shadow-tree-removed.html b/LayoutTests/fast/images/imagemap-in-shadow-tree-removed.html
new file mode 100644 (file)
index 0000000..6d33457
--- /dev/null
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script src="../../resources/ui-helper.js"></script>
+<p>This tests removing an image map area inside a shadow tree. WebKit should not hit any assertions.</p>
+<div id="result"></div>
+<script>
+
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+const host = document.createElement('div');
+document.body.appendChild(host);
+
+const shadowRoot = host.attachShadow({mode: 'closed'});
+shadowRoot.innerHTML = `<div></div>`;
+
+const container = document.createElement('div');
+document.body.appendChild(container);
+container.innerHTML = `<img src="resources/green-400x400.png" width="400" height="400" usemap="#imagemap" onload="startTest()">
+<map name="imagemap">
+    <area id="area" shape="rect" coords="0,0,200,200" href="#" tabindex="0">
+</map>`;
+
+function startTest()
+{
+    shadowRoot.firstChild.appendChild(container);
+    container.remove();
+    document.getElementById('result').textContent = 'PASS';
+}
+
+</script>
+</body>
+</head>
+</html>
index d2f9683..d6ebbf0 100644 (file)
@@ -1,3 +1,20 @@
+2018-05-09  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Release assert in TreeScopeOrderedMap::remove via HTMLImageElement::removedFromAncestor
+        https://bugs.webkit.org/show_bug.cgi?id=185493
+
+        Reviewed by Brent Fulgham.
+
+        Fixed the bug that HTMLImageElement::removedFromAncestor and HTMLMapElement::removedFromAncestor
+        were calling removeImageElementByUsemap on the document instead of the shadow tree from which it was removed.
+
+        Test: fast/images/imagemap-in-shadow-tree-removed.html
+
+        * html/HTMLImageElement.cpp:
+        (WebCore::HTMLImageElement::removedFromAncestor):
+        * html/HTMLMapElement.cpp:
+        (WebCore::HTMLMapElement::removedFromAncestor):
+
 2018-05-09  Joanmarie Diggs  <jdiggs@igalia.com>
 
         AX: Hidden nodes which are not directly referenced should not participate name/description from content
index 92e892e..85f45d1 100644 (file)
@@ -342,7 +342,7 @@ void HTMLImageElement::removedFromAncestor(RemovalType removalType, ContainerNod
         m_form->removeImgElement(this);
 
     if (removalType.disconnectedFromDocument && !m_parsedUsemap.isNull())
-        treeScope().removeImageElementByUsemap(*m_parsedUsemap.impl(), *this);
+        oldParentOfRemovedTree.treeScope().removeImageElementByUsemap(*m_parsedUsemap.impl(), *this);
 
     if (is<HTMLPictureElement>(parentNode()))
         setPictureElement(nullptr);
index 6b13917..c7855e8 100644 (file)
@@ -126,7 +126,7 @@ Node::InsertedIntoAncestorResult HTMLMapElement::insertedIntoAncestor(InsertionT
 void HTMLMapElement::removedFromAncestor(RemovalType removalType, ContainerNode& oldParentOfRemovedTree)
 {
     if (removalType.disconnectedFromDocument)
-        treeScope().removeImageMap(*this);
+        oldParentOfRemovedTree.treeScope().removeImageMap(*this);
     HTMLElement::removedFromAncestor(removalType, oldParentOfRemovedTree);
 }