<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[186516] branches/safari-600.1.4.17-branch</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/186516">186516</a></dd>
<dt>Author</dt> <dd>cdumez@apple.com</dd>
<dt>Date</dt> <dd>2015-07-08 11:34:52 -0700 (Wed, 08 Jul 2015)</dd>
</dl>
<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/185435">r185435</a>. rdar://problem/21708253</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#branchessafari6001417branchLayoutTestsChangeLog">branches/safari-600.1.4.17-branch/LayoutTests/ChangeLog</a></li>
<li><a href="#branchessafari6001417branchSourceWebCoreChangeLog">branches/safari-600.1.4.17-branch/Source/WebCore/ChangeLog</a></li>
<li><a href="#branchessafari6001417branchSourceWebCoredomContainerNodecpp">branches/safari-600.1.4.17-branch/Source/WebCore/dom/ContainerNode.cpp</a></li>
<li><a href="#branchessafari6001417branchSourceWebCoredomContainerNodeAlgorithmscpp">branches/safari-600.1.4.17-branch/Source/WebCore/dom/ContainerNodeAlgorithms.cpp</a></li>
<li><a href="#branchessafari6001417branchSourceWebCoredomContainerNodeAlgorithmsh">branches/safari-600.1.4.17-branch/Source/WebCore/dom/ContainerNodeAlgorithms.h</a></li>
<li><a href="#branchessafari6001417branchSourceWebCoredomElementcpp">branches/safari-600.1.4.17-branch/Source/WebCore/dom/Element.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#branchessafari6001417branchLayoutTestsfastdomscriptgetElementByIdduringinsertionexpectedtxt">branches/safari-600.1.4.17-branch/LayoutTests/fast/dom/script-getElementById-during-insertion-expected.txt</a></li>
<li><a href="#branchessafari6001417branchLayoutTestsfastdomscriptgetElementByIdduringinsertionhtml">branches/safari-600.1.4.17-branch/LayoutTests/fast/dom/script-getElementById-during-insertion.html</a></li>
<li><a href="#branchessafari6001417branchLayoutTestsfastdomscriptremovechildidmapexpectedtxt">branches/safari-600.1.4.17-branch/LayoutTests/fast/dom/script-remove-child-id-map-expected.txt</a></li>
<li><a href="#branchessafari6001417branchLayoutTestsfastdomscriptremovechildidmaphtml">branches/safari-600.1.4.17-branch/LayoutTests/fast/dom/script-remove-child-id-map.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="branchessafari6001417branchLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: branches/safari-600.1.4.17-branch/LayoutTests/ChangeLog (186515 => 186516)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-600.1.4.17-branch/LayoutTests/ChangeLog 2015-07-08 17:58:35 UTC (rev 186515)
+++ branches/safari-600.1.4.17-branch/LayoutTests/ChangeLog 2015-07-08 18:34:52 UTC (rev 186516)
</span><span class="lines">@@ -1,3 +1,23 @@
</span><ins>+2015-06-10 Chris Dumez <cdumez@apple.com>
+
+ ASSERT_WITH_SECURITY_IMPLICATION in WebCore::DocumentOrderedMap::getElementById
+ https://bugs.webkit.org/show_bug.cgi?id=145857
+ <rdar://problem/16798440>
+
+ Reviewed by Darin Adler.
+
+ Add layout tests covering different crashes caused by the same bug.
+
+ * fast/dom/script-getElementById-during-insertion-expected.txt: Added.
+ * fast/dom/script-getElementById-during-insertion.html: Added.
+
+ Reduction test case for <rdar://problem/16798440>.
+
+ * fast/dom/script-remove-child-id-map-expected.txt: Added.
+ * fast/dom/script-remove-child-id-map.html: Added.
+
+ Test imported from Blink r178976.
+
</ins><span class="cx"> 2015-07-08 Matthew Hanson <matthew_hanson@apple.com>
</span><span class="cx">
</span><span class="cx"> Merge r185848. rdar://problem/21708274
</span></span></pre></div>
<a id="branchessafari6001417branchLayoutTestsfastdomscriptgetElementByIdduringinsertionexpectedtxt"></a>
<div class="addfile"><h4>Added: branches/safari-600.1.4.17-branch/LayoutTests/fast/dom/script-getElementById-during-insertion-expected.txt (0 => 186516)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-600.1.4.17-branch/LayoutTests/fast/dom/script-getElementById-during-insertion-expected.txt (rev 0)
+++ branches/safari-600.1.4.17-branch/LayoutTests/fast/dom/script-getElementById-during-insertion-expected.txt 2015-07-08 18:34:52 UTC (rev 186516)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+PASS
+
</ins></span></pre></div>
<a id="branchessafari6001417branchLayoutTestsfastdomscriptgetElementByIdduringinsertionhtml"></a>
<div class="addfile"><h4>Added: branches/safari-600.1.4.17-branch/LayoutTests/fast/dom/script-getElementById-during-insertion.html (0 => 186516)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-600.1.4.17-branch/LayoutTests/fast/dom/script-getElementById-during-insertion.html (rev 0)
+++ branches/safari-600.1.4.17-branch/LayoutTests/fast/dom/script-getElementById-during-insertion.html 2015-07-08 18:34:52 UTC (rev 186516)
</span><span class="lines">@@ -0,0 +1,31 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<script>
+// Tests that we don't crash if a script is being executed as a result of appending a child to it.</p>
+executedScript = false;
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+</head>
+<body>
+<div id="test"></div>
+<script>
+var elem = document.getElementById("test");
+if (!executedScript) {
+ executedScript = true;
+
+ document.documentElement.appendChild(elem.cloneNode(true));
+
+ var range = document.createRange();
+ range.setStartBefore(document.body);
+ range.setEndAfter(document.body);
+ range.surroundContents(document.head.appendChild(document.createElement("script")));
+} else {
+ var span = document.createElement("span");
+ document.documentElement.appendChild(span);
+ span.innerHTML = 'PASS<br/>';
+}
+</script>
+</body>
+</html>
</ins></span></pre></div>
<a id="branchessafari6001417branchLayoutTestsfastdomscriptremovechildidmapexpectedtxt"></a>
<div class="addfile"><h4>Added: branches/safari-600.1.4.17-branch/LayoutTests/fast/dom/script-remove-child-id-map-expected.txt (0 => 186516)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-600.1.4.17-branch/LayoutTests/fast/dom/script-remove-child-id-map-expected.txt (rev 0)
+++ branches/safari-600.1.4.17-branch/LayoutTests/fast/dom/script-remove-child-id-map-expected.txt 2015-07-08 18:34:52 UTC (rev 186516)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+Passes if it doesn't crash and the child is not in the id map
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS document.getElementById('child') is null
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="branchessafari6001417branchLayoutTestsfastdomscriptremovechildidmaphtml"></a>
<div class="addfile"><h4>Added: branches/safari-600.1.4.17-branch/LayoutTests/fast/dom/script-remove-child-id-map.html (0 => 186516)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-600.1.4.17-branch/LayoutTests/fast/dom/script-remove-child-id-map.html (rev 0)
+++ branches/safari-600.1.4.17-branch/LayoutTests/fast/dom/script-remove-child-id-map.html 2015-07-08 18:34:52 UTC (rev 186516)
</span><span class="lines">@@ -0,0 +1,30 @@
</span><ins>+<!DOCTYPE html>
+
+<script src="../../resources/js-test.js"></script>
+
+<script>
+description("Passes if it doesn't crash and the child is not in the id map");
+
+var script = document.createElement("script");
+script.type = "dont-execute";
+script.textContent = "script.remove()";
+child = document.createElement("div");
+child.id = "child";
+script.appendChild(child);
+
+// The script won't execute here because the type is invalid, but it also won't
+// get marked as being already run, so changing the children later will run it.
+document.documentElement.appendChild(script);
+
+// Per the spec setting the type has no effect
+script.type = "";
+
+// but changing the children *will* execute the script now that the type is
+// is valid.
+child.remove();
+
+child = null;
+gc();
+
+shouldBeNull("document.getElementById('child')");
+</script>
</ins></span></pre></div>
<a id="branchessafari6001417branchSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: branches/safari-600.1.4.17-branch/Source/WebCore/ChangeLog (186515 => 186516)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-600.1.4.17-branch/Source/WebCore/ChangeLog 2015-07-08 17:58:35 UTC (rev 186515)
+++ branches/safari-600.1.4.17-branch/Source/WebCore/ChangeLog 2015-07-08 18:34:52 UTC (rev 186516)
</span><span class="lines">@@ -1,3 +1,56 @@
</span><ins>+2015-06-10 Chris Dumez <cdumez@apple.com>
+
+ ASSERT_WITH_SECURITY_IMPLICATION in WebCore::DocumentOrderedMap::getElementById
+ https://bugs.webkit.org/show_bug.cgi?id=145857
+ <rdar://problem/16798440>
+
+ Reviewed by Darin Adler.
+
+ Make sure Node::insertedInto() gets called on the inserted node and its
+ descendants after its insertion into the tree but *before*
+ ContainerNode::childrenChanged() is called on the parent node. This is
+ needed so that the descendants know they've been inserted into the tree
+ (and their InDocumentFlag flag gets set) before the parent node does
+ anything with them in childrenChanged().
+
+ In the case of <rdar://problem/16798440>, executing HTMLScriptElement's
+ childrenChanged() after appending a child to a script element was causing
+ the script to be executed. The script would call getElementBy() which
+ would traverse the DOM tree and find a matching Element in the newly
+ inserted subtree. However, the matching Element's InDocumentFlag flag was
+ not set yet because the element's insertedInto() method has not been called
+ yet at this point. This would cause us to hit an assertion as
+ DocumentOrderedMap::getElementById() is only supposed to return elements
+ that are in a Document.
+
+ This patch is based on Blink r178976 by <esprehn@chromium.org>:
+ https://src.chromium.org/viewvc/blink?view=rev&revision=178976
+
+ Tests: fast/dom/script-getElementById-during-insertion.html
+ fast/dom/script-remove-child-id-map.html
+
+ * dom/ContainerNode.cpp:
+ (WebCore::ContainerNode::notifyChildInserted):
+ (WebCore::ContainerNode::notifyChildRemoved):
+ (WebCore::ContainerNode::removeChildren):
+ (WebCore::ContainerNode::parserInsertBefore): Deleted.
+ (WebCore::ContainerNode::removeChild): Deleted.
+ (WebCore::ContainerNode::parserRemoveChild): Deleted.
+ (WebCore::ContainerNode::parserAppendChild): Deleted.
+ (WebCore::ContainerNode::childrenChanged): Deleted.
+ (WebCore::ContainerNode::setAttributeEventListener): Deleted.
+ (WebCore::ContainerNode::querySelector): Deleted.
+ * dom/ContainerNodeAlgorithms.cpp:
+ (WebCore::ChildNodeInsertionNotifier::notifyDescendantInsertedIntoDocument):
+ (WebCore::ChildNodeInsertionNotifier::notifyDescendantInsertedIntoTree):
+ * dom/ContainerNodeAlgorithms.h:
+ (WebCore::ChildNodeInsertionNotifier::notifyNodeInsertedIntoDocument):
+ (WebCore::ChildNodeInsertionNotifier::notifyNodeInsertedIntoTree):
+ (WebCore::ChildNodeInsertionNotifier::notify):
+ (WebCore::ChildNodeRemovalNotifier::notifyNodeRemovedFromDocument): Deleted.
+ * dom/Element.cpp:
+ (WebCore::Element::addShadowRoot):
+
</ins><span class="cx"> 2015-07-08 Matthew Hanson <matthew_hanson@apple.com>
</span><span class="cx">
</span><span class="cx"> Merge r186389. rdar://problem/21708243
</span></span></pre></div>
<a id="branchessafari6001417branchSourceWebCoredomContainerNodecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-600.1.4.17-branch/Source/WebCore/dom/ContainerNode.cpp (186515 => 186516)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-600.1.4.17-branch/Source/WebCore/dom/ContainerNode.cpp 2015-07-08 17:58:35 UTC (rev 186515)
+++ branches/safari-600.1.4.17-branch/Source/WebCore/dom/ContainerNode.cpp 2015-07-08 18:34:52 UTC (rev 186516)
</span><span class="lines">@@ -335,6 +335,11 @@
</span><span class="cx">
</span><span class="cx"> void ContainerNode::notifyChildInserted(Node& child, ChildChangeSource source)
</span><span class="cx"> {
</span><ins>+ ChildListMutationScope(*this).childAdded(child);
+
+ NodeVector postInsertionNotificationTargets;
+ ChildNodeInsertionNotifier(*this).notify(child, postInsertionNotificationTargets);
+
</ins><span class="cx"> ChildChange change;
</span><span class="cx"> change.type = child.isElementNode() ? ElementInserted : child.isTextNode() ? TextInserted : NonContentsChildChanged;
</span><span class="cx"> change.previousSiblingElement = ElementTraversal::previousSibling(&child);
</span><span class="lines">@@ -342,10 +347,15 @@
</span><span class="cx"> change.source = source;
</span><span class="cx">
</span><span class="cx"> childrenChanged(change);
</span><ins>+
+ for (auto& target : postInsertionNotificationTargets)
+ target->didNotifySubtreeInsertions(this);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void ContainerNode::notifyChildRemoved(Node& child, Node* previousSibling, Node* nextSibling, ChildChangeSource source)
</span><span class="cx"> {
</span><ins>+ ChildNodeRemovalNotifier(*this).notify(child);
+
</ins><span class="cx"> ChildChange change;
</span><span class="cx"> change.type = child.isElementNode() ? ElementRemoved : child.isTextNode() ? TextRemoved : NonContentsChildChanged;
</span><span class="cx"> change.previousSiblingElement = (!previousSibling || previousSibling->isElementNode()) ? toElement(previousSibling) : ElementTraversal::previousSibling(previousSibling);
</span><span class="lines">@@ -375,12 +385,8 @@
</span><span class="cx">
</span><span class="cx"> newChild->updateAncestorConnectedSubframeCountForInsertion();
</span><span class="cx">
</span><del>- ChildListMutationScope(*this).childAdded(*newChild);
-
</del><span class="cx"> notifyChildInserted(*newChild, ChildChangeSourceParser);
</span><span class="cx">
</span><del>- ChildNodeInsertionNotifier(*this).notify(*newChild);
-
</del><span class="cx"> newChild->setNeedsStyleRecalc(ReconstructRenderTree);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -565,8 +571,6 @@
</span><span class="cx"> removeBetween(prev, next, child.get());
</span><span class="cx">
</span><span class="cx"> notifyChildRemoved(child.get(), prev, next, ChildChangeSourceAPI);
</span><del>-
- ChildNodeRemovalNotifier(*this).notify(child.get());
</del><span class="cx"> }
</span><span class="cx">
</span><span class="cx">
</span><span class="lines">@@ -623,8 +627,6 @@
</span><span class="cx"> removeBetween(prev, next, oldChild);
</span><span class="cx">
</span><span class="cx"> notifyChildRemoved(oldChild, prev, next, ChildChangeSourceParser);
</span><del>-
- ChildNodeRemovalNotifier(*this).notify(oldChild);
</del><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> // this differs from other remove functions because it forcibly removes all the children,
</span><span class="lines">@@ -648,23 +650,18 @@
</span><span class="cx"> // and remove... e.g. stop loading frames, fire unload events.
</span><span class="cx"> willRemoveChildren(*this);
</span><span class="cx">
</span><del>- NodeVector removedChildren;
</del><span class="cx"> {
</span><span class="cx"> WidgetHierarchyUpdatesSuspensionScope suspendWidgetHierarchyUpdates;
</span><span class="cx"> {
</span><span class="cx"> NoEventDispatchAssertion assertNoEventDispatch;
</span><del>- removedChildren.reserveInitialCapacity(childNodeCount());
</del><span class="cx"> while (RefPtr<Node> n = m_firstChild) {
</span><del>- removedChildren.append(*m_firstChild);
</del><span class="cx"> removeBetween(0, m_firstChild->nextSibling(), *m_firstChild);
</span><ins>+ ChildNodeRemovalNotifier(*this).notify(*n);
</ins><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> ChildChange change = { AllChildrenRemoved, nullptr, nullptr, ChildChangeSourceAPI };
</span><span class="cx"> childrenChanged(change);
</span><del>-
- for (size_t i = 0; i < removedChildren.size(); ++i)
- ChildNodeRemovalNotifier(*this).notify(removedChildren[i].get());
</del><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if (document().svgExtensions()) {
</span><span class="lines">@@ -754,12 +751,8 @@
</span><span class="cx">
</span><span class="cx"> newChild->updateAncestorConnectedSubframeCountForInsertion();
</span><span class="cx">
</span><del>- ChildListMutationScope(*this).childAdded(*newChild);
-
</del><span class="cx"> notifyChildInserted(*newChild, ChildChangeSourceParser);
</span><span class="cx">
</span><del>- ChildNodeInsertionNotifier(*this).notify(*newChild);
-
</del><span class="cx"> newChild->setNeedsStyleRecalc(ReconstructRenderTree);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -871,12 +864,8 @@
</span><span class="cx"> {
</span><span class="cx"> ASSERT(child.refCount());
</span><span class="cx">
</span><del>- ChildListMutationScope(*this).childAdded(child);
-
</del><span class="cx"> notifyChildInserted(child, ChildChangeSourceAPI);
</span><span class="cx">
</span><del>- ChildNodeInsertionNotifier(*this).notify(child);
-
</del><span class="cx"> child.setNeedsStyleRecalc(ReconstructRenderTree);
</span><span class="cx">
</span><span class="cx"> dispatchChildInsertionEvents(child);
</span></span></pre></div>
<a id="branchessafari6001417branchSourceWebCoredomContainerNodeAlgorithmscpp"></a>
<div class="modfile"><h4>Modified: branches/safari-600.1.4.17-branch/Source/WebCore/dom/ContainerNodeAlgorithms.cpp (186515 => 186516)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-600.1.4.17-branch/Source/WebCore/dom/ContainerNodeAlgorithms.cpp 2015-07-08 17:58:35 UTC (rev 186515)
+++ branches/safari-600.1.4.17-branch/Source/WebCore/dom/ContainerNodeAlgorithms.cpp 2015-07-08 18:34:52 UTC (rev 186516)
</span><span class="lines">@@ -29,7 +29,7 @@
</span><span class="cx">
</span><span class="cx"> namespace WebCore {
</span><span class="cx">
</span><del>-void ChildNodeInsertionNotifier::notifyDescendantInsertedIntoDocument(ContainerNode& node)
</del><ins>+void ChildNodeInsertionNotifier::notifyDescendantInsertedIntoDocument(ContainerNode& node, NodeVector& postInsertionNotificationTargets)
</ins><span class="cx"> {
</span><span class="cx"> ChildNodesLazySnapshot snapshot(node);
</span><span class="cx"> while (RefPtr<Node> child = snapshot.nextNode()) {
</span><span class="lines">@@ -37,7 +37,7 @@
</span><span class="cx"> // we don't want to tell the rest of our children that they've been
</span><span class="cx"> // inserted into the document because they haven't.
</span><span class="cx"> if (node.inDocument() && child->parentNode() == &node)
</span><del>- notifyNodeInsertedIntoDocument(*child.get());
</del><ins>+ notifyNodeInsertedIntoDocument(*child.get(), postInsertionNotificationTargets);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if (!node.isElementNode())
</span><span class="lines">@@ -45,19 +45,19 @@
</span><span class="cx">
</span><span class="cx"> if (RefPtr<ShadowRoot> root = toElement(node).shadowRoot()) {
</span><span class="cx"> if (node.inDocument() && root->hostElement() == &node)
</span><del>- notifyNodeInsertedIntoDocument(*root.get());
</del><ins>+ notifyNodeInsertedIntoDocument(*root.get(), postInsertionNotificationTargets);
</ins><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void ChildNodeInsertionNotifier::notifyDescendantInsertedIntoTree(ContainerNode& node)
</del><ins>+void ChildNodeInsertionNotifier::notifyDescendantInsertedIntoTree(ContainerNode& node, NodeVector& postInsertionNotificationTargets)
</ins><span class="cx"> {
</span><span class="cx"> for (Node* child = node.firstChild(); child; child = child->nextSibling()) {
</span><span class="cx"> if (child->isContainerNode())
</span><del>- notifyNodeInsertedIntoTree(*toContainerNode(child));
</del><ins>+ notifyNodeInsertedIntoTree(*toContainerNode(child), postInsertionNotificationTargets);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if (ShadowRoot* root = node.shadowRoot())
</span><del>- notifyNodeInsertedIntoTree(*root);
</del><ins>+ notifyNodeInsertedIntoTree(*root, postInsertionNotificationTargets);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void ChildNodeRemovalNotifier::notifyDescendantRemovedFromDocument(ContainerNode& node)
</span></span></pre></div>
<a id="branchessafari6001417branchSourceWebCoredomContainerNodeAlgorithmsh"></a>
<div class="modfile"><h4>Modified: branches/safari-600.1.4.17-branch/Source/WebCore/dom/ContainerNodeAlgorithms.h (186515 => 186516)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-600.1.4.17-branch/Source/WebCore/dom/ContainerNodeAlgorithms.h 2015-07-08 17:58:35 UTC (rev 186515)
+++ branches/safari-600.1.4.17-branch/Source/WebCore/dom/ContainerNodeAlgorithms.h 2015-07-08 18:34:52 UTC (rev 186516)
</span><span class="lines">@@ -41,16 +41,15 @@
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void notify(Node&);
</del><ins>+ void notify(Node&, NodeVector& postInsertionNotificationTargets);
</ins><span class="cx">
</span><span class="cx"> private:
</span><del>- void notifyDescendantInsertedIntoDocument(ContainerNode&);
- void notifyDescendantInsertedIntoTree(ContainerNode&);
- void notifyNodeInsertedIntoDocument(Node&);
- void notifyNodeInsertedIntoTree(ContainerNode&);
</del><ins>+ void notifyDescendantInsertedIntoDocument(ContainerNode&, NodeVector& postInsertionNotificationTargets);
+ void notifyDescendantInsertedIntoTree(ContainerNode&, NodeVector& postInsertionNotificationTargets);
+ void notifyNodeInsertedIntoDocument(Node&, NodeVector& postInsertionNotificationTargets);
+ void notifyNodeInsertedIntoTree(ContainerNode&, NodeVector& postInsertionNotificationTargets);
</ins><span class="cx">
</span><span class="cx"> ContainerNode& m_insertionPoint;
</span><del>- Vector<Ref<Node>> m_postInsertionNotificationTargets;
</del><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> class ChildNodeRemovalNotifier {
</span><span class="lines">@@ -194,26 +193,26 @@
</span><span class="cx">
</span><span class="cx"> } // namespace Private
</span><span class="cx">
</span><del>-inline void ChildNodeInsertionNotifier::notifyNodeInsertedIntoDocument(Node& node)
</del><ins>+inline void ChildNodeInsertionNotifier::notifyNodeInsertedIntoDocument(Node& node, NodeVector& postInsertionNotificationTargets)
</ins><span class="cx"> {
</span><span class="cx"> ASSERT(m_insertionPoint.inDocument());
</span><span class="cx"> if (Node::InsertionShouldCallDidNotifySubtreeInsertions == node.insertedInto(m_insertionPoint))
</span><del>- m_postInsertionNotificationTargets.append(node);
</del><ins>+ postInsertionNotificationTargets.append(node);
</ins><span class="cx"> if (node.isContainerNode())
</span><del>- notifyDescendantInsertedIntoDocument(toContainerNode(node));
</del><ins>+ notifyDescendantInsertedIntoDocument(toContainerNode(node), postInsertionNotificationTargets);
</ins><span class="cx"> }
</span><span class="cx">
</span><del>-inline void ChildNodeInsertionNotifier::notifyNodeInsertedIntoTree(ContainerNode& node)
</del><ins>+inline void ChildNodeInsertionNotifier::notifyNodeInsertedIntoTree(ContainerNode& node, NodeVector& postInsertionNotificationTargets)
</ins><span class="cx"> {
</span><span class="cx"> NoEventDispatchAssertion assertNoEventDispatch;
</span><span class="cx"> ASSERT(!m_insertionPoint.inDocument());
</span><span class="cx">
</span><span class="cx"> if (Node::InsertionShouldCallDidNotifySubtreeInsertions == node.insertedInto(m_insertionPoint))
</span><del>- m_postInsertionNotificationTargets.append(node);
- notifyDescendantInsertedIntoTree(node);
</del><ins>+ postInsertionNotificationTargets.append(node);
+ notifyDescendantInsertedIntoTree(node, postInsertionNotificationTargets);
</ins><span class="cx"> }
</span><span class="cx">
</span><del>-inline void ChildNodeInsertionNotifier::notify(Node& node)
</del><ins>+inline void ChildNodeInsertionNotifier::notify(Node& node, NodeVector& postInsertionNotificationTargets)
</ins><span class="cx"> {
</span><span class="cx"> ASSERT(!NoEventDispatchAssertion::isEventDispatchForbidden());
</span><span class="cx">
</span><span class="lines">@@ -225,12 +224,9 @@
</span><span class="cx"> Ref<Node> protectNode(node);
</span><span class="cx">
</span><span class="cx"> if (m_insertionPoint.inDocument())
</span><del>- notifyNodeInsertedIntoDocument(node);
</del><ins>+ notifyNodeInsertedIntoDocument(node, postInsertionNotificationTargets);
</ins><span class="cx"> else if (node.isContainerNode())
</span><del>- notifyNodeInsertedIntoTree(toContainerNode(node));
-
- for (size_t i = 0; i < m_postInsertionNotificationTargets.size(); ++i)
- m_postInsertionNotificationTargets[i]->didNotifySubtreeInsertions(&m_insertionPoint);
</del><ins>+ notifyNodeInsertedIntoTree(toContainerNode(node), postInsertionNotificationTargets);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx">
</span></span></pre></div>
<a id="branchessafari6001417branchSourceWebCoredomElementcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-600.1.4.17-branch/Source/WebCore/dom/Element.cpp (186515 => 186516)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-600.1.4.17-branch/Source/WebCore/dom/Element.cpp 2015-07-08 17:58:35 UTC (rev 186515)
+++ branches/safari-600.1.4.17-branch/Source/WebCore/dom/Element.cpp 2015-07-08 18:34:52 UTC (rev 186516)
</span><span class="lines">@@ -1483,8 +1483,12 @@
</span><span class="cx"> shadowRoot->setParentTreeScope(&treeScope());
</span><span class="cx"> shadowRoot->distributor().didShadowBoundaryChange(this);
</span><span class="cx">
</span><del>- ChildNodeInsertionNotifier(*this).notify(*shadowRoot);
</del><ins>+ NodeVector postInsertionNotificationTargets;
+ ChildNodeInsertionNotifier(*this).notify(*shadowRoot, postInsertionNotificationTargets);
</ins><span class="cx">
</span><ins>+ for (auto& target : postInsertionNotificationTargets)
+ target->didNotifySubtreeInsertions(this);
+
</ins><span class="cx"> resetNeedsNodeRenderingTraversalSlowPath();
</span><span class="cx">
</span><span class="cx"> setNeedsStyleRecalc(ReconstructRenderTree);
</span></span></pre>
</div>
</div>
</body>
</html>