author | hayato <hayato@chromium.org> | 2016-01-18 23:56:56 -0800 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2016-01-19 07:58:23 +0000 |
commit | 6c4a3343ce23b8c6d73b3de11c361435ee20c81a (patch) | |
tree | d100b13d5efd017a66570abf82de4b42f749a80b | |
parent | 1e43e0e845776971d80e264073f936f33532d0e3 (diff) | |
Fix the crash caused by touching a removed shadow host
The root cause is similar to http://crbug.com/507413.
See also the comment of ShadowRoot:host() for details.
BUG=568470
Review URL: https://codereview.chromium.org/1600323003
Cr-Commit-Position: refs/heads/master@{#370080}
-rw-r--r-- | third_party/WebKit/LayoutTests/fast/dom/shadow/content-element-change-select-attribute-after-deleted-crash.html | 23 | ||||
-rw-r--r-- | third_party/WebKit/Source/core/html/HTMLContentElement.cpp | 6 |
2 files changed, 27 insertions, 2 deletions
diff --git a/third_party/WebKit/LayoutTests/fast/dom/shadow/content-element-change-select-attribute-after-deleted-crash.html b/third_party/WebKit/LayoutTests/fast/dom/shadow/content-element-change-select-attribute-after-deleted-crash.html
new file mode 100644
index 0000000..f7ed27e
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/fast/dom/shadow/content-element-change-select-attribute-after-deleted-crash.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<script src='../../../resources/testharness.js'></script>
+<script src='../../../resources/testharnessreport.js'></script>
+<div id=host1></div>
+<script>
+'use strict';
+const sr = host1.createShadowRoot();
+sr.innerHTML = '<div id="host2"></div>';
+const sr2 = sr.getElementById('host2').createShadowRoot();
+sr.innerHTML = null;
+// TODO(hayato): Find a more reliable way to reproduce the crash. This is the only reliable way as of now.
+// Using GCController.collect() does not reproduce the crash.
+for (var i = 1; i < 20000; i++) {
+ "abc" + i;
+}
+const selectTest = async_test("Testing select attribute change");
+setTimeout(() => {
+ selectTest.step(() => {
+ sr2.appendChild(document.createElement('content')).select = 'foo';
+ });
+ selectTest.done();
+}, 0);
+</script>
diff --git a/third_party/WebKit/Source/core/html/HTMLContentElement.cpp b/third_party/WebKit/Source/core/html/HTMLContentElement.cpp
index 36d42a5..77e434d 100644
--- a/third_party/WebKit/Source/core/html/HTMLContentElement.cpp
+++ b/third_party/WebKit/Source/core/html/HTMLContentElement.cpp
@@ -75,8 +75,10 @@ void HTMLContentElement::parseSelect()
 void HTMLContentElement::parseAttribute(const QualifiedName& name, const AtomicString& oldValue, const AtomicString& value)
 {
 if (name == selectAttr) {
- if (ShadowRoot* root = containingShadowRoot())
- root->owner()->willAffectSelector();
+ if (ShadowRoot* root = containingShadowRoot()) {
+ if (root->owner())
+ root->owner()->willAffectSelector();
+ }
 m_shouldParseSelect = true;
 m_select = value;
 } else {
 |
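Review bot: Nothing in the new test file says which bug it guards, and it cannot tell whether the removed host was ever collected, so it can pass without reaching the fixed path. The allocation loop before `async_test` is the only trigger, and its bound of 20000 depends on current GC behaviour, as the TODO already concedes. A header comment such as `<!-- Regression test for crbug.com/568470: setting select on a content element in a shadow root whose host was removed must not crash. -->` would tie the file to the bug and explain the loop to whoever later finds it flaky.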
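Review bot: The new guard in `parseAttribute` calls `root->owner()` twice and does not say why the result can be null. Binding it once, as the outer `if` already does for `root`, keeps the check and the use on the same value: `if (auto* owner = root->owner()) owner->willAffectSelector();`. A short comment such as `// owner() can be null after the shadow host is removed; see crbug.com/568470.` (presumably the case the title describes) would stop a later cleanup from dropping the check. The commit message says the root cause resembles an earlier bug, so other unguarded `owner()` dereferences on a shadow root that may have lost its host deserve an audit. The function body continues past the end of the hunk.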