<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[213822] releases/WebKitGTK/webkit-2.16</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/213822">213822</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2017-03-13 04:07:53 -0700 (Mon, 13 Mar 2017)</dd>
</dl>
<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/213501">r213501</a> - Validate DOM after potentially destructive actions during parser insert operations
https://bugs.webkit.org/show_bug.cgi?id=169222
<rdar://problem/30689729>
Reviewed by Ryosuke Niwa.
Source/WebCore:
Do not perform an insert operation if the next child's parent is no longer
part of the tree. This can happen if JavaScript runs during node removal
events and modifies the contents of the document.
This patch was inspired by a similar Blink change by Marius Mlynski:
<https://src.chromium.org/viewvc/blink?view=revision&revision=200690>
Tests: fast/parser/scriptexec-during-parserInsertBefore.html
* html/parser/HTMLConstructionSite.cpp:
(WebCore::executeReparentTask):
(WebCore::executeInsertAlreadyParsedChildTask):
LayoutTests:
This change merges a Blink test case from:
<https://src.chromium.org/viewvc/blink?view=revision&revision=200690>
* fast/parser/scriptexec-during-parserInsertBefore-expected.txt: Added.
* fast/parser/scriptexec-during-parserInsertBefore.html: Added.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit216LayoutTestsChangeLog">releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit216SourceWebCoreChangeLog">releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit216SourceWebCorehtmlparserHTMLConstructionSitecpp">releases/WebKitGTK/webkit-2.16/Source/WebCore/html/parser/HTMLConstructionSite.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit216LayoutTestsfastparserscriptexecduringparserInsertBeforeexpectedtxt">releases/WebKitGTK/webkit-2.16/LayoutTests/fast/parser/scriptexec-during-parserInsertBefore-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit216LayoutTestsfastparserscriptexecduringparserInsertBeforehtml">releases/WebKitGTK/webkit-2.16/LayoutTests/fast/parser/scriptexec-during-parserInsertBefore.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit216LayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog (213821 => 213822)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog 2017-03-13 11:04:04 UTC (rev 213821)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog 2017-03-13 11:07:53 UTC (rev 213822)
</span><span class="lines">@@ -1,3 +1,17 @@
</span><ins>+2017-03-06 Brent Fulgham <bfulgham@apple.com>
+
+ Validate DOM after potentially destructive actions during parser insert operations
+ https://bugs.webkit.org/show_bug.cgi?id=169222
+ <rdar://problem/30689729>
+
+ Reviewed by Ryosuke Niwa.
+
+ This change merges a Blink test case from:
+ <https://src.chromium.org/viewvc/blink?view=revision&revision=200690>
+
+ * fast/parser/scriptexec-during-parserInsertBefore-expected.txt: Added.
+ * fast/parser/scriptexec-during-parserInsertBefore.html: Added.
+
</ins><span class="cx"> 2017-03-06 Alex Christensen <achristensen@webkit.org>
</span><span class="cx">
</span><span class="cx"> Fix URLs relative to file URLs with paths beginning with Windows drive letters
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit216LayoutTestsfastparserscriptexecduringparserInsertBeforeexpectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.16/LayoutTests/fast/parser/scriptexec-during-parserInsertBefore-expected.txt (0 => 213822)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.16/LayoutTests/fast/parser/scriptexec-during-parserInsertBefore-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/fast/parser/scriptexec-during-parserInsertBefore-expected.txt 2017-03-13 11:07:53 UTC (rev 213822)
</span><span class="lines">@@ -0,0 +1,11 @@
</span><ins>+Ensure that DOM is consistent after a specific child has been removed during reparenting.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS containerNode.firstChild is firstChild
+PASS nextChild.previousSibling is null
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit216LayoutTestsfastparserscriptexecduringparserInsertBeforehtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.16/LayoutTests/fast/parser/scriptexec-during-parserInsertBefore.html (0 => 213822)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.16/LayoutTests/fast/parser/scriptexec-during-parserInsertBefore.html (rev 0)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/fast/parser/scriptexec-during-parserInsertBefore.html 2017-03-13 11:07:53 UTC (rev 213822)
</span><span class="lines">@@ -0,0 +1,26 @@
</span><ins>+<!DOCTYPE html>
+<script src="../../resources/js-test.js"></script>
+<body>
+<div><i></i><table><b><p><iframe></iframe><script>
+/*
+The adoption agency algorithm, step 10, will end up calling
+ContainerNode::parserInsertBefore with the following arguments:
+|this| == <div>
+|newChild| == <p>
+|nextChild| == <table>
+parserInsertBefore calls parserRemoveChild(newChild), which
+triggers the unload event in the contained iframe.
+*/
+var containerNode = document.querySelector("div");
+var firstChild = document.querySelector("i");
+var nextChild = document.querySelector("table");
+frames[0].onunload = function() {
+ containerNode.removeChild(nextChild);
+}
+</script></b></p><!--This order is intentional to force reparenting--></table></div>
+<script>
+description("Ensure that DOM is consistent after a specific child has been removed during reparenting.")
+shouldBe("containerNode.firstChild", "firstChild");
+shouldBe("nextChild.previousSibling", "null");
+</script>
+</body>
</ins><span class="cx">\ No newline at end of file
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit216SourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog (213821 => 213822)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog 2017-03-13 11:04:04 UTC (rev 213821)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog 2017-03-13 11:07:53 UTC (rev 213822)
</span><span class="lines">@@ -1,3 +1,24 @@
</span><ins>+2017-03-06 Brent Fulgham <bfulgham@apple.com>
+
+ Validate DOM after potentially destructive actions during parser insert operations
+ https://bugs.webkit.org/show_bug.cgi?id=169222
+ <rdar://problem/30689729>
+
+ Reviewed by Ryosuke Niwa.
+
+ Do not perform an insert operation if the next child's parent is no longer
+ part of the tree. This can happen if JavaScript runs during node removal
+ events and modifies the contents of the document.
+
+ This patch was inspired by a similar Blink change by Marius Mlynski:
+ <https://src.chromium.org/viewvc/blink?view=revision&revision=200690>
+
+ Tests: fast/parser/scriptexec-during-parserInsertBefore.html
+
+ * html/parser/HTMLConstructionSite.cpp:
+ (WebCore::executeReparentTask):
+ (WebCore::executeInsertAlreadyParsedChildTask):
+
</ins><span class="cx"> 2017-03-06 Fujii Hironori <Hironori.Fujii@sony.com>
</span><span class="cx">
</span><span class="cx"> [CMake] SN-DBS fails to build: Cannot open include file: 'WebCoreTestSupportPrefix.h'
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit216SourceWebCorehtmlparserHTMLConstructionSitecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/html/parser/HTMLConstructionSite.cpp (213821 => 213822)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.16/Source/WebCore/html/parser/HTMLConstructionSite.cpp 2017-03-13 11:04:04 UTC (rev 213821)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/html/parser/HTMLConstructionSite.cpp 2017-03-13 11:07:53 UTC (rev 213822)
</span><span class="lines">@@ -127,6 +127,7 @@
</span><span class="cx"> static inline void executeReparentTask(HTMLConstructionSiteTask& task)
</span><span class="cx"> {
</span><span class="cx"> ASSERT(task.operation == HTMLConstructionSiteTask::Reparent);
</span><ins>+ ASSERT(!task.nextChild);
</ins><span class="cx">
</span><span class="cx"> if (auto* parent = task.child->parentNode())
</span><span class="cx"> parent->parserRemoveChild(*task.child);
</span><span class="lines">@@ -147,6 +148,9 @@
</span><span class="cx"> if (task.child->parentNode())
</span><span class="cx"> return;
</span><span class="cx">
</span><ins>+ if (task.nextChild && task.nextChild->parentNode() != task.parent)
+ return;
+
</ins><span class="cx"> insert(task);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -153,6 +157,7 @@
</span><span class="cx"> static inline void executeTakeAllChildrenAndReparentTask(HTMLConstructionSiteTask& task)
</span><span class="cx"> {
</span><span class="cx"> ASSERT(task.operation == HTMLConstructionSiteTask::TakeAllChildrenAndReparent);
</span><ins>+ ASSERT(!task.nextChild);
</ins><span class="cx">
</span><span class="cx"> auto* furthestBlock = task.oldParent();
</span><span class="cx"> task.parent->takeAllChildrenFrom(furthestBlock);
</span></span></pre>
</div>
</div>
</body>
</html>