[Webkit-unassigned] [Bug 107223] ASSERTION FAILED: parent->inDocument() loading playboy.com
bugzilla-daemon at webkit.org
Fri Jan 18 02:55:02 PST 2013
https://bugs.webkit.org/show_bug.cgi?id=107223
--- Comment #3 from Elliott Sprehn <esprehn at chromium.org> 2013-01-18 02:56:49 PST ---
I believe I've figured this out:
When you appendChild a node with a <style> in it we recursively notify all the children with Node::insertedInto which hits the HTMLStyleElement::insertedInto which then calls StyleElement::insertedIntoDocument if the insertionPoint is inDocument. This kicks off a bunch of style machinery and we end up in Document::styleResolverChanged where we do a recalcStyle(Forced) on the Document which may cause a reattach() which would then recursively walk the tree creating renderers.
At this point we're still inside the HTMLStyleElement::insertedInto so none of the siblings of that style element know they're inDocument yet, even though they're going through recalcStyle, being attached, and creating renderers.
Something like:
var div = document.createElement('div');
var style = document.createElement('style');
style.textContent = 'body { display: inline; } span:before { content: "x"; }';
div.appendChild(style);
div.appendChild(document.createElement('span'));
document.body.appendChild(div);
Here we end up reattach()'ing <body> because now it's inline, which then attach()'s the <span>, which creates a PseudoElement, but the <span> still hasn't been notified it's inDocument since this all was triggered inside HTMLStyleElement::insertedInto.
This feels really wrong, but it's always been this way so the fix is to just remove that assertion and then make Element::insertedInto call insertedInto on the PseudoElements.
Eventually we should fix this though since it appears if you appendChild a <div> that contains three <style> elements, each of which changes the display of the <body>, we'll destroy and recreate the entire document three times even though we really only needed to do it once!
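Added example, not part of the original comment and not WebKit code: a simplified JavaScript model of the notification order described in Comment #3, in which a style node's insertion callback forces a recalc while its later siblings have not yet been notified. ModelNode, recalcForced, notifyEager, notifyDeferred and insertSubtree are hypothetical names. The model assumes every style node forces a full reattach, and notifyDeferred is only one assumed way to batch the work, not the fix the comment proposes.

```javascript
// Simplified model, constructed for illustration; none of this is WebKit code.
class ModelNode {
  constructor(tag, triggersRecalc = false) {
    // triggersRecalc stands in for a <style> element.
    Object.assign(this, { tag, triggersRecalc, parent: null, children: [] });
    this.inDocument = false; // set only when the node is notified
  }
  append(child) { child.parent = this; this.children.push(child); return child; }
}
const rootOf = (n) => { while (n.parent) n = n.parent; return n; };

// Forced recalc: attach everything, recording nodes attached before notification.
function recalcForced(doc, log) {
  log.recalcs++;
  const attach = (n) => {
    if (!n.inDocument) log.attachedBeforeNotified.push(n.tag);
    n.children.forEach(attach);
  };
  doc.children.forEach(attach);
}

// Order described in the comment: notify pre-order, recalc inside the callback.
function notifyEager(node, log) {
  node.inDocument = true;
  if (node.triggersRecalc) recalcForced(rootOf(node), log);
  node.children.forEach((c) => notifyEager(c, log));
}

// Assumed alternative: notify the whole subtree first, then recalc once.
function notifyDeferred(node, log) {
  let dirty = false;
  const mark = (n) => {
    n.inDocument = true;
    dirty = dirty || n.triggersRecalc;
    n.children.forEach(mark);
  };
  mark(node);
  if (dirty) recalcForced(rootOf(node), log);
}

// Builds <div><style>*N<span></div>, appends it to <body>, then runs `notify`.
function insertSubtree(notify, styleCount) {
  const doc = new ModelNode('#document');
  const body = doc.append(new ModelNode('body'));
  doc.inDocument = body.inDocument = true;
  const div = body.append(new ModelNode('div'));
  for (let i = 0; i < styleCount; i++) div.append(new ModelNode('style', true));
  div.append(new ModelNode('span'));
  const log = { recalcs: 0, attachedBeforeNotified: [] };
  notify(div, log);
  return log;
}
```

Calling insertSubtree(notifyEager, 3) and insertSubtree(notifyDeferred, 3) and comparing the two logs shows the repeated recalcs and the nodes attached before notification in the eager order.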