ASSERT_WITH_SECURITY_IMPLICATION in WebCore::DocumentOrderedMap::getElementById
authorcdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 10 Jun 2015 23:07:55 +0000 (23:07 +0000)
committercdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 10 Jun 2015 23:07:55 +0000 (23:07 +0000)
commitdc95b9a3b9e99fc95539cc76015950e86e19ea73
tree87890b2b83affd9b962e64e49dbac0068a9287fd
parent58a114e8bfc02c7adf79a0d6d3067956fff21dfb
ASSERT_WITH_SECURITY_IMPLICATION in WebCore::DocumentOrderedMap::getElementById
https://bugs.webkit.org/show_bug.cgi?id=145857
<rdar://problem/16798440>

Reviewed by Darin Adler.

Source/WebCore:

Make sure Node::insertedInto() gets called on the inserted node and its
descendants after its insertion into the tree but *before*
ContainerNode::childrenChanged() is called on the parent node. This is
needed so that the descendants know they've been inserted into the tree
(and their InDocumentFlag flag gets set) before the parent node does
anything with them in childrenChanged().

In the case of <rdar://problem/16798440>, executing HTMLScriptElement's
childrenChanged() after appending a child to a script element was causing
the script to be executed. The script would call getElementBy() which
would traverse the DOM tree and find a matching Element in the newly
inserted subtree. However, the matching Element's InDocumentFlag flag was
not set yet because the element's insertedInto() method has not been called
yet at this point. This would cause us to hit an assertion as
DocumentOrderedMap::getElementById() is only supposed to return elements
that are in a Document.

This patch is based on Blink r178976 by <esprehn@chromium.org>:
https://src.chromium.org/viewvc/blink?view=rev&revision=178976

Tests: fast/dom/script-getElementById-during-insertion.html
       fast/dom/script-remove-child-id-map.html

* dom/ContainerNode.cpp:
(WebCore::ContainerNode::notifyChildInserted):
(WebCore::ContainerNode::notifyChildRemoved):
(WebCore::ContainerNode::removeChildren):
(WebCore::ContainerNode::parserInsertBefore): Deleted.
(WebCore::ContainerNode::removeChild): Deleted.
(WebCore::ContainerNode::parserRemoveChild): Deleted.
(WebCore::ContainerNode::parserAppendChild): Deleted.
(WebCore::ContainerNode::childrenChanged): Deleted.
(WebCore::ContainerNode::setAttributeEventListener): Deleted.
(WebCore::ContainerNode::querySelector): Deleted.
* dom/ContainerNodeAlgorithms.cpp:
(WebCore::ChildNodeInsertionNotifier::notifyDescendantInsertedIntoDocument):
(WebCore::ChildNodeInsertionNotifier::notifyDescendantInsertedIntoTree):
* dom/ContainerNodeAlgorithms.h:
(WebCore::ChildNodeInsertionNotifier::notifyNodeInsertedIntoDocument):
(WebCore::ChildNodeInsertionNotifier::notifyNodeInsertedIntoTree):
(WebCore::ChildNodeInsertionNotifier::notify):
(WebCore::ChildNodeRemovalNotifier::notifyNodeRemovedFromDocument): Deleted.
* dom/Element.cpp:
(WebCore::Element::addShadowRoot):

LayoutTests:

Add layout tests covering different crashes caused by the same bug.

* fast/dom/script-getElementById-during-insertion-expected.txt: Added.
* fast/dom/script-getElementById-during-insertion.html: Added.

Reduction test case for <rdar://problem/16798440>.

* fast/dom/script-remove-child-id-map-expected.txt: Added.
* fast/dom/script-remove-child-id-map.html: Added.

Test imported from Blink r178976.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@185435 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/dom/script-getElementById-during-insertion-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/script-getElementById-during-insertion.html [new file with mode: 0644]
LayoutTests/fast/dom/script-remove-child-id-map-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/script-remove-child-id-map.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/ContainerNode.cpp
Source/WebCore/dom/ContainerNodeAlgorithms.cpp
Source/WebCore/dom/ContainerNodeAlgorithms.h
Source/WebCore/dom/Element.cpp