REGRESSION(r150187): updateIdForTreeScope may not be called inside shadow trees
authorrniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 19 Sep 2015 02:53:54 +0000 (02:53 +0000)
committerrniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 19 Sep 2015 02:53:54 +0000 (02:53 +0000)
commitf3a44f6deeec03f92025fd30fd9f6bd51e552687
tree72346286a65d25f91284ae93f0ef57fff743903a
parentccd997ecfa4f21a51bfd163def7f4ab0b0b8695e
REGRESSION(r150187): updateIdForTreeScope may not be called inside shadow trees
https://bugs.webkit.org/show_bug.cgi?id=149364

Reviewed by Antti Koivisto.

Since the tree scope is set to that of Document's inside removeBetween when a node is removed from a shadow tree,
oldScope != &treeScope() was already true inside Element::removedFrom. This can introduce an inconsistency in
DocumentOrderedMap which could result in a crash. Fixed the bug by checking it against document(), which is the
behavior we had prior to r150187.

Also added a consistency check in DocumentOrderedMap to catch bugs like this.

No new tests. New assertions fail in existing tests without this fix.

* dom/DocumentOrderedMap.cpp:
(WebCore::DocumentOrderedMap::add):
(WebCore::DocumentOrderedMap::remove):
(WebCore::DocumentOrderedMap::get):
* dom/DocumentOrderedMap.h:
* dom/Element.cpp:
(WebCore::Element::removedFrom):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@190007 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/WebCore/ChangeLog
Source/WebCore/dom/DocumentOrderedMap.cpp
Source/WebCore/dom/DocumentOrderedMap.h
Source/WebCore/dom/Element.cpp