<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[215015] releases/WebKitGTK/webkit-2.14</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/215015">215015</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2017-04-06 03:42:30 -0700 (Thu, 06 Apr 2017)</dd>
</dl>
<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/212621">r212621</a> - REGRESSION(<a href="http://trac.webkit.org/projects/webkit/changeset/212218">r212218</a>): Assertion failures in and after parserRemoveChild
https://bugs.webkit.org/show_bug.cgi?id=168458
Reviewed by Antti Koivisto.
Source/WebCore:
The bug was caused by parserRemoveChild not preceeding to remove oldChild even when
oldChild had been inserted elsewhere during unload evnets of the disconnected frames.
Fixed the bug by checking this condition and exiting early.
Also fixed various callers of parserRemoveChild to not call parserAppendChild when
the removed node had already been inserted elsewhere by scripts.
Tests: fast/parser/adoption-agency-unload-iframe-3.html
fast/parser/adoption-agency-unload-iframe-4.html
fast/parser/xml-error-unload-iframe.html
* dom/ContainerNode.cpp:
(WebCore::ContainerNode::parserRemoveChild): Exit early when the node had been
inserted elsewhere while firing unload events. Also moved the call to
notifyRemovePendingSheetIfNeeded outside NoEventDispatchAssertion since it can
synchrnously fire a focus event.
(WebCore::ContainerNode::parserAppendChild): Moved adoptNode call to inside
NoEventDispatchAssertion since adoptNode call here should never mutate DOM.
* html/parser/HTMLConstructionSite.cpp:
(WebCore::executeReparentTask): Added an early exit when the node had already been
inserted elsewhere.
(WebCore::executeInsertAlreadyParsedChildTask): Ditto.
* xml/XMLErrors.cpp:
(WebCore::XMLErrors::insertErrorMessageBlock): Ditto.
* xml/parser/XMLDocumentParser.cpp:
(WebCore::XMLDocumentParser::end): Fixed a crash unveiled by one of the test cases.
Exit early when insertErrorMessageBlock detached the parser (by author scripts).
(WebCore::XMLDocumentParser::finish): Keep the parser alive until we exit.
LayoutTests:
Add tests to make sure parserAppendChild aren't called when a node removed by parserRemoveChild
had already been been inserted elsewhere by scripts.
* fast/parser/adoption-agency-unload-iframe-3-expected.txt: Added.
* fast/parser/adoption-agency-unload-iframe-3.html: Added.
* fast/parser/adoption-agency-unload-iframe-4-expected.txt: Added.
* fast/parser/adoption-agency-unload-iframe-4.html: Added.
* fast/parser/xml-error-unload-iframe-expected.txt: Added.
* fast/parser/xml-error-unload-iframe.html: Added.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestsChangeLog">releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebCoreChangeLog">releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebCoredomContainerNodecpp">releases/WebKitGTK/webkit-2.14/Source/WebCore/dom/ContainerNode.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebCorehtmlparserHTMLConstructionSitecpp">releases/WebKitGTK/webkit-2.14/Source/WebCore/html/parser/HTMLConstructionSite.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebCorexmlXMLErrorscpp">releases/WebKitGTK/webkit-2.14/Source/WebCore/xml/XMLErrors.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebCorexmlparserXMLDocumentParsercpp">releases/WebKitGTK/webkit-2.14/Source/WebCore/xml/parser/XMLDocumentParser.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestsfastparseradoptionagencyunloadiframe3expectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/fast/parser/adoption-agency-unload-iframe-3-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestsfastparseradoptionagencyunloadiframe3html">releases/WebKitGTK/webkit-2.14/LayoutTests/fast/parser/adoption-agency-unload-iframe-3.html</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestsfastparseradoptionagencyunloadiframe4expectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/fast/parser/adoption-agency-unload-iframe-4-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestsfastparseradoptionagencyunloadiframe4html">releases/WebKitGTK/webkit-2.14/LayoutTests/fast/parser/adoption-agency-unload-iframe-4.html</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestsfastparserxmlerrorunloadiframeexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/fast/parser/xml-error-unload-iframe-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestsfastparserxmlerrorunloadiframehtml">releases/WebKitGTK/webkit-2.14/LayoutTests/fast/parser/xml-error-unload-iframe.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit214LayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog (215014 => 215015)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog 2017-04-06 10:42:16 UTC (rev 215014)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog 2017-04-06 10:42:30 UTC (rev 215015)
</span><span class="lines">@@ -1,3 +1,20 @@
</span><ins>+2017-02-18 Ryosuke Niwa <rniwa@webkit.org>
+
+ REGRESSION(r212218): Assertion failures in and after parserRemoveChild
+ https://bugs.webkit.org/show_bug.cgi?id=168458
+
+ Reviewed by Antti Koivisto.
+
+ Add tests to make sure parserAppendChild aren't called when a node removed by parserRemoveChild
+ had already been been inserted elsewhere by scripts.
+
+ * fast/parser/adoption-agency-unload-iframe-3-expected.txt: Added.
+ * fast/parser/adoption-agency-unload-iframe-3.html: Added.
+ * fast/parser/adoption-agency-unload-iframe-4-expected.txt: Added.
+ * fast/parser/adoption-agency-unload-iframe-4.html: Added.
+ * fast/parser/xml-error-unload-iframe-expected.txt: Added.
+ * fast/parser/xml-error-unload-iframe.html: Added.
+
</ins><span class="cx"> 2017-02-12 Ryosuke Niwa <rniwa@webkit.org>
</span><span class="cx">
</span><span class="cx"> parserRemoveChild should unload subframes
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestsfastparseradoptionagencyunloadiframe3expectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.14/LayoutTests/fast/parser/adoption-agency-unload-iframe-3-expected.txt (0 => 215015)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/fast/parser/adoption-agency-unload-iframe-3-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/fast/parser/adoption-agency-unload-iframe-3-expected.txt 2017-04-06 10:42:30 UTC (rev 215015)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+
+PASS An element removed by the adoption agency algorithm must not be inserted if it had been inserted elsewhere
+
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestsfastparseradoptionagencyunloadiframe3html"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.14/LayoutTests/fast/parser/adoption-agency-unload-iframe-3.html (0 => 215015)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/fast/parser/adoption-agency-unload-iframe-3.html (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/fast/parser/adoption-agency-unload-iframe-3.html 2017-04-06 10:42:30 UTC (rev 215015)
</span><span class="lines">@@ -0,0 +1,41 @@
</span><ins>+<!DOCTYPE html>
+<head>
+<script src="../../resources/testharness.js"></script>
+<script src="../../resources/testharnessreport.js"></script>
+<script>
+
+function runTest() {
+ const section = document.querySelector('section');
+ const container = document.querySelector('div');
+ const p = document.querySelector('p');
+ const iframe = document.createElement('iframe');
+ document.querySelector('b').appendChild(iframe);
+ /* div
+ + b
+ + p
+ + script
+ + iframe */
+ iframe.contentWindow.onunload = () => {
+ section.appendChild(p);
+ container.remove();
+ /* body
+ + p
+ + script
+ + iframe */
+ }
+
+ window.onload = () => {
+ let test = async_test('An element removed by the adoption agency algorithm must not be inserted if it had been inserted elsewhere');
+ test.step(() => {
+ assert_not_equals(p.parentNode, container);
+ assert_equals(p.parentNode, section);
+ });
+ test.done();
+ }
+}
+
+</script>
+</head>
+<body>
+<section><div><b><p><script>runTest();</script></b></p></div></section>
+</body>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestsfastparseradoptionagencyunloadiframe4expectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.14/LayoutTests/fast/parser/adoption-agency-unload-iframe-4-expected.txt (0 => 215015)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/fast/parser/adoption-agency-unload-iframe-4-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/fast/parser/adoption-agency-unload-iframe-4-expected.txt 2017-04-06 10:42:30 UTC (rev 215015)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+
+PASS An element removed by the adoption agency algorithm must not be inserted if it had been inserted elsewhere
+
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestsfastparseradoptionagencyunloadiframe4html"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.14/LayoutTests/fast/parser/adoption-agency-unload-iframe-4.html (0 => 215015)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/fast/parser/adoption-agency-unload-iframe-4.html (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/fast/parser/adoption-agency-unload-iframe-4.html 2017-04-06 10:42:30 UTC (rev 215015)
</span><span class="lines">@@ -0,0 +1,47 @@
</span><ins>+<html>
+<head>
+<script src="../../resources/testharness.js"></script>
+<script src="../../resources/testharnessreport.js"></script>
+</head>
+<body>
+<script>
+
+let test = async_test('An element removed by the adoption agency algorithm must not be inserted if it had been inserted elsewhere');
+
+var p;
+test.step(() => {
+ const iframe = document.createElement('iframe');
+ document.body.appendChild(iframe);
+
+ let doc = iframe.contentDocument;
+ doc.write(`<body><a id="target" href="#"></a>`);
+
+ const target = doc.querySelector('a');
+ target.onfocus = () => {
+ target.onfocus = null;
+
+ test.step(() => {
+ let container = doc.querySelector('div');
+ container.remove();
+ doc.body.appendChild(p);
+ });
+
+ setTimeout(() => {
+ test.step(() => {
+ assert_equals(p.parentNode, doc.body);
+ });
+ test.done();
+ iframe.remove();
+ }, 0);
+ }
+
+ doc.write(`<div><b><p><script>
+ parent.p = document.querySelector('p');
+ document.write('<link rel="stylesheet" href="data:,a">');
+ location.hash = 'target';
+ <\/script></b></p></div></body>`);
+});
+
+</script>
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestsfastparserxmlerrorunloadiframeexpectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.14/LayoutTests/fast/parser/xml-error-unload-iframe-expected.txt (0 => 215015)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/fast/parser/xml-error-unload-iframe-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/fast/parser/xml-error-unload-iframe-expected.txt 2017-04-06 10:42:30 UTC (rev 215015)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+
+PASS An element removed by the adoption agency algorithm must not be inserted if it had been inserted elsewhere
+
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestsfastparserxmlerrorunloadiframehtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.14/LayoutTests/fast/parser/xml-error-unload-iframe.html (0 => 215015)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/fast/parser/xml-error-unload-iframe.html (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/fast/parser/xml-error-unload-iframe.html 2017-04-06 10:42:30 UTC (rev 215015)
</span><span class="lines">@@ -0,0 +1,36 @@
</span><ins>+<!DOCTYPE html>
+<head>
+<script src="../../resources/testharness.js"></script>
+<script src="../../resources/testharnessreport.js"></script>
+</head>
+<body>
+<script>
+
+let svgElement;
+function moveIframe(svgDoc) {
+ if (svgElement)
+ return;
+ svgElement = svgDoc.documentElement;
+ const iframe = document.createElement('iframe');
+ svgDoc.documentElement.appendChild(iframe);
+ iframe.contentWindow.onunload = () => {
+ document.body.appendChild(svgElement);
+ }
+}
+
+const content = `<svg xmlns="http://www.w3.org/2000/svg"><script>parent.moveIframe(document);<\/script><element a="1" a="2"/></svg>`;
+const iframe = document.createElement('iframe');
+iframe.src = URL.createObjectURL(new Blob([content], {type: 'text/xml'}));
+document.documentElement.appendChild(iframe);
+
+window.onload = () => {
+ let test = async_test('An element removed by the adoption agency algorithm must not be inserted if it had been inserted elsewhere');
+ test.step(() => {
+ assert_equals(svgElement.parentNode, document.body);
+ svgElement.remove();
+ });
+ test.done();
+}
+
+</script>
+</body>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog (215014 => 215015)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog 2017-04-06 10:42:16 UTC (rev 215014)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog 2017-04-06 10:42:30 UTC (rev 215015)
</span><span class="lines">@@ -1,3 +1,39 @@
</span><ins>+2017-02-18 Ryosuke Niwa <rniwa@webkit.org>
+
+ REGRESSION(r212218): Assertion failures in and after parserRemoveChild
+ https://bugs.webkit.org/show_bug.cgi?id=168458
+
+ Reviewed by Antti Koivisto.
+
+ The bug was caused by parserRemoveChild not preceeding to remove oldChild even when
+ oldChild had been inserted elsewhere during unload evnets of the disconnected frames.
+ Fixed the bug by checking this condition and exiting early.
+
+ Also fixed various callers of parserRemoveChild to not call parserAppendChild when
+ the removed node had already been inserted elsewhere by scripts.
+
+ Tests: fast/parser/adoption-agency-unload-iframe-3.html
+ fast/parser/adoption-agency-unload-iframe-4.html
+ fast/parser/xml-error-unload-iframe.html
+
+ * dom/ContainerNode.cpp:
+ (WebCore::ContainerNode::parserRemoveChild): Exit early when the node had been
+ inserted elsewhere while firing unload events. Also moved the call to
+ notifyRemovePendingSheetIfNeeded outside NoEventDispatchAssertion since it can
+ synchrnously fire a focus event.
+ (WebCore::ContainerNode::parserAppendChild): Moved adoptNode call to inside
+ NoEventDispatchAssertion since adoptNode call here should never mutate DOM.
+ * html/parser/HTMLConstructionSite.cpp:
+ (WebCore::executeReparentTask): Added an early exit when the node had already been
+ inserted elsewhere.
+ (WebCore::executeInsertAlreadyParsedChildTask): Ditto.
+ * xml/XMLErrors.cpp:
+ (WebCore::XMLErrors::insertErrorMessageBlock): Ditto.
+ * xml/parser/XMLDocumentParser.cpp:
+ (WebCore::XMLDocumentParser::end): Fixed a crash unveiled by one of the test cases.
+ Exit early when insertErrorMessageBlock detached the parser (by author scripts).
+ (WebCore::XMLDocumentParser::finish): Keep the parser alive until we exit.
+
</ins><span class="cx"> 2017-02-12 Ryosuke Niwa <rniwa@webkit.org>
</span><span class="cx">
</span><span class="cx"> parserRemoveChild should unload subframes
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebCoredomContainerNodecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/dom/ContainerNode.cpp (215014 => 215015)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebCore/dom/ContainerNode.cpp 2017-04-06 10:42:16 UTC (rev 215014)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/dom/ContainerNode.cpp 2017-04-06 10:42:30 UTC (rev 215015)
</span><span class="lines">@@ -593,23 +593,27 @@
</span><span class="cx"> void ContainerNode::parserRemoveChild(Node& oldChild)
</span><span class="cx"> {
</span><span class="cx"> disconnectSubframesIfNeeded(*this, DescendantsOnly);
</span><ins>+ if (oldChild.parentNode() != this)
+ return;
</ins><span class="cx">
</span><del>- NoEventDispatchAssertion assertNoEventDispatch;
</del><ins>+ {
+ NoEventDispatchAssertion assertNoEventDispatch;
</ins><span class="cx">
</span><del>- document().nodeChildrenWillBeRemoved(*this);
</del><ins>+ document().nodeChildrenWillBeRemoved(*this);
</ins><span class="cx">
</span><del>- ASSERT(oldChild.parentNode() == this);
- ASSERT(!oldChild.isDocumentFragment());
</del><ins>+ ASSERT(oldChild.parentNode() == this);
+ ASSERT(!oldChild.isDocumentFragment());
</ins><span class="cx">
</span><del>- Node* prev = oldChild.previousSibling();
- Node* next = oldChild.nextSibling();
</del><ins>+ Node* prev = oldChild.previousSibling();
+ Node* next = oldChild.nextSibling();
</ins><span class="cx">
</span><del>- ChildListMutationScope(*this).willRemoveChild(oldChild);
- oldChild.notifyMutationObserversNodeWillDetach();
</del><ins>+ ChildListMutationScope(*this).willRemoveChild(oldChild);
+ oldChild.notifyMutationObserversNodeWillDetach();
</ins><span class="cx">
</span><del>- removeBetween(prev, next, oldChild);
</del><ins>+ removeBetween(prev, next, oldChild);
</ins><span class="cx">
</span><del>- notifyChildRemoved(oldChild, prev, next, ChildChangeSourceParser);
</del><ins>+ notifyChildRemoved(oldChild, prev, next, ChildChangeSourceParser);
+ }
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> // this differs from other remove functions because it forcibly removes all the children,
</span><span class="lines">@@ -712,12 +716,13 @@
</span><span class="cx"> ASSERT(!newChild.isDocumentFragment());
</span><span class="cx"> ASSERT(!hasTagName(HTMLNames::templateTag));
</span><span class="cx">
</span><del>- if (&document() != &newChild.document())
- document().adoptNode(newChild, ASSERT_NO_EXCEPTION);
-
</del><span class="cx"> {
</span><span class="cx"> NoEventDispatchAssertion assertNoEventDispatch;
</span><span class="cx"> // FIXME: This method should take a PassRefPtr.
</span><ins>+
+ if (&document() != &newChild.document())
+ document().adoptNode(newChild, ASSERT_NO_EXCEPTION);
+
</ins><span class="cx"> appendChildCommon(newChild);
</span><span class="cx"> treeScope().adoptIfNeeded(&newChild);
</span><span class="cx"> }
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebCorehtmlparserHTMLConstructionSitecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/html/parser/HTMLConstructionSite.cpp (215014 => 215015)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebCore/html/parser/HTMLConstructionSite.cpp 2017-04-06 10:42:16 UTC (rev 215014)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/html/parser/HTMLConstructionSite.cpp 2017-04-06 10:42:30 UTC (rev 215015)
</span><span class="lines">@@ -132,6 +132,9 @@
</span><span class="cx"> if (auto* parent = task.child->parentNode())
</span><span class="cx"> parent->parserRemoveChild(*task.child);
</span><span class="cx">
</span><ins>+ if (task.child->parentNode())
+ return;
+
</ins><span class="cx"> task.parent->parserAppendChild(*task.child);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -139,6 +142,12 @@
</span><span class="cx"> {
</span><span class="cx"> ASSERT(task.operation == HTMLConstructionSiteTask::InsertAlreadyParsedChild);
</span><span class="cx">
</span><ins>+ if (ContainerNode* parent = task.child->parentNode())
+ parent->parserRemoveChild(*task.child);
+
+ if (task.child->parentNode())
+ return;
+
</ins><span class="cx"> insert(task);
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebCorexmlXMLErrorscpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/xml/XMLErrors.cpp (215014 => 215015)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebCore/xml/XMLErrors.cpp 2017-04-06 10:42:16 UTC (rev 215014)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/xml/XMLErrors.cpp 2017-04-06 10:42:30 UTC (rev 215015)
</span><span class="lines">@@ -138,8 +138,9 @@
</span><span class="cx"> rootElement->parserAppendChild(body);
</span><span class="cx">
</span><span class="cx"> m_document->parserRemoveChild(*documentElement);
</span><ins>+ if (!documentElement->parentNode())
+ body->parserAppendChild(*documentElement);
</ins><span class="cx">
</span><del>- body->parserAppendChild(*documentElement);
</del><span class="cx"> m_document->parserAppendChild(rootElement);
</span><span class="cx">
</span><span class="cx"> documentElement = WTFMove(body);
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebCorexmlparserXMLDocumentParsercpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/xml/parser/XMLDocumentParser.cpp (215014 => 215015)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebCore/xml/parser/XMLDocumentParser.cpp 2017-04-06 10:42:16 UTC (rev 215014)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/xml/parser/XMLDocumentParser.cpp 2017-04-06 10:42:30 UTC (rev 215015)
</span><span class="lines">@@ -195,9 +195,11 @@
</span><span class="cx"> if (m_parserPaused)
</span><span class="cx"> return;
</span><span class="cx">
</span><del>- if (m_sawError)
</del><ins>+ if (m_sawError) {
</ins><span class="cx"> insertErrorMessageBlock();
</span><del>- else {
</del><ins>+ if (isDetached()) // Inserting an error message may have ran arbitrary scripts.
+ return;
+ } else {
</ins><span class="cx"> updateLeafTextNode();
</span><span class="cx"> document()->styleResolverChanged(RecalcStyleImmediately);
</span><span class="cx"> }
</span><span class="lines">@@ -215,6 +217,8 @@
</span><span class="cx"> // makes sense to call any methods on DocumentParser once it's been stopped.
</span><span class="cx"> // However, FrameLoader::stop calls DocumentParser::finish unconditionally.
</span><span class="cx">
</span><ins>+ Ref<XMLDocumentParser> protectedThis(*this);
+
</ins><span class="cx"> if (m_parserPaused)
</span><span class="cx"> m_finishCalled = true;
</span><span class="cx"> else
</span></span></pre>
</div>
</div>
</body>
</html>