[Webkit-unassigned] [Bug 165073] REGRESSION(r203047): [GTK][Stable] "notify::title" signal unreliably triggered multiple times

bugzilla-daemon at webkit.org
Sun Jan 15 07:58:33 PST 2017


https://bugs.webkit.org/show_bug.cgi?id=165073

--- Comment #15 from Michael Catanzaro <mcatanzaro at igalia.com> ---
Actually I just noticed that the signal is being triggered *three* times per title change in 2.14, and *twice* per title change in trunk. I think this does not make sense. The problem is here in Document::setTitle:

    downcast<HTMLTitleElement>(*m_titleElement).setTextContent(title);

HTMLTitleElement subclasses HTMLElement, which subclasses StyledElement, which subclasses Element, which subclasses ContainerNode, which subclasses Node. Inside Node::setTextContent, we have this code:

    case DOCUMENT_FRAGMENT_NODE: {
        auto container = makeRef(downcast<ContainerNode>(*this));
        ChildListMutationScope mutation(container);
        container->removeChildren();
        if (text.isEmpty())
            return { };
        return container->appendChild(document().createTextNode(text));
    }

The problem is inside the call to container->removeChildren(). ContainerNode::removeChildren calls HTMLTitleElement::childrenChanged, which calls Document::titleElementTextChanged, which calls Document::updateTitleFromTitleElement, which calls Document::updateTitle. So the title gets unset (set to nullptr). Then HTMLTitleElement::childrenChanged gets called again inside ContainerNode::createTextNode. So each call to Document::setTitle still results in two calls to Document::updateTitle inside HTMLTitleElement::setTextContent.

This is not as serious, since it's (presumably) the behavior we've had for ages. It also makes perfect sense when performing a new page load, since surely we don't want the old page's title to remain after starting a new load.

But I think it doesn't make sense in a case like this:

<script>
    document.title = 'one';
    document.title = 'two';
    document.title = 'three';
</script>

In trunk, this changes the title six times: first to null, then to 'one', then to null again, then to 'two', then to null yet again, then to 'three'. (In 2.14, it changes the title nine times.)

Darin, do you want me to file a new bug report for this, or do you think it's OK as-is?

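The update sequence described in the comment above can be reproduced with a small stand-alone model. This is an added example, not WebKit code and not part of the original message: the class and method names mirror those in the comment, the bodies are simplified assumptions, and the `coalesce` flag is a hypothetical single-notification variant included only for comparison.

```cpp
// Simplified model of the call chain described in the comment above.
// Names mirror the comment; the bodies are assumptions, not WebKit source.
#include <iostream>
#include <string>
#include <vector>

struct TitleUpdate { bool isNull; std::string text; };  // isNull models the null title
struct Document {
    std::vector<TitleUpdate> updates;  // one entry per updateTitle call
    void updateTitle(const TitleUpdate& u) { updates.push_back(u); }
};
struct TitleElement {
    Document& document;
    std::vector<std::string> children;  // text node contents
    bool coalesce;                      // hypothetical: one notification per set
    bool suppress = false;
    TitleElement(Document& d, bool c) : document(d), coalesce(c) {}
    void childrenChanged() {
        if (suppress) return;
        if (children.empty()) document.updateTitle({true, ""});
        else document.updateTitle({false, children.back()});
    }
    void removeChildren() { children.clear(); childrenChanged(); }
    void appendChild(const std::string& t) { children.push_back(t); childrenChanged(); }
    void setTextContent(const std::string& text) {
        suppress = coalesce;   // default path: the removal notifies on its own
        removeChildren();
        suppress = false;
        if (text.empty()) { if (coalesce) childrenChanged(); return; }
        appendChild(text);
    }
};

// Models the three document.title assignments from the script in the comment.
std::vector<TitleUpdate> runScript(bool coalesce) {
    Document doc;
    TitleElement title(doc, coalesce);
    for (const char* t : {"one", "two", "three"}) title.setTextContent(t);
    return doc.updates;
}

int main() {
    for (bool coalesce : {false, true}) {
        std::cout << (coalesce ? "coalesced:" : "as described:");
        for (const TitleUpdate& u : runScript(coalesce))
            std::cout << ' ' << (u.isNull ? std::string("(null)") : u.text);
        std::cout << '\n';
    }
}
```

An embedder listening for title changes sees every entry in `updates`, so in the default path each script assignment surfaces as a transient null title followed by the real one.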