REGRESSION (r190840): crash inside details element's slotNameFunction
author rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 14 Mar 2016 01:57:17 +0000 (01:57 +0000)
committer rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 14 Mar 2016 01:57:17 +0000 (01:57 +0000)
commit 9e70323589b706a96e2eb4b1e331d955e7aaa9b7
tree d0dd6bff0ec89dec08b2a77cb01f85adb11141cf
parent 20d56ac5b16dd7f2412b3f1adb6050745cf66197
REGRESSION (r190840): crash inside details element's slotNameFunction
https://bugs.webkit.org/show_bug.cgi?id=155388

Reviewed by Antti Koivisto.

Source/WebCore:

The bug was caused by HTMLDetailsElement::isActiveSummary calling findAssignedSlot with a summary element
inside the shadow tree of the details element. Fixed it by exiting early when the summary element passed
to isActiveSummary is not a direct child of the details element.

Test: fast/html/details-summary-tabindex-crash.html

* dom/ShadowRoot.cpp:
(WebCore::ShadowRoot::findAssignedSlot): Added an assertion for regression testing.
* dom/SlotAssignment.cpp:
(WebCore::SlotAssignment::findAssignedSlot): Removed the superfluous call to assignSlots added in r190840.
There is no need to update the slot assignments here (entries in m_slots are added or removed by
addSlotElementByName or removeSlotElementByName and assignSlots only updates assignedNodes in each SlotInfo
which is never used in this function or findFirstSlotElement).
* html/HTMLDetailsElement.cpp:
(WebCore::HTMLDetailsElement::isActiveSummary): Fixed the bug.

LayoutTests:

Added a regression test.

* fast/html/details-summary-tabindex-crash-expected.txt: Added.
* fast/html/details-summary-tabindex-crash.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@198090 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/html/details-summary-tabindex-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/html/details-summary-tabindex-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/ShadowRoot.cpp
Source/WebCore/dom/SlotAssignment.cpp
Source/WebCore/html/HTMLDetailsElement.cpp