summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorwolfbeast <mcwerewolf@wolfbeast.com>2019-12-06 14:07:01 +0100
committerwolfbeast <mcwerewolf@wolfbeast.com>2019-12-06 14:07:01 +0100
commit830818b6858d2dba93e971d7c77e41f4bc6a8bbd (patch)
tree7fe3b0f2005fa4070f0066544f7da39f9d9bf316
parentede803a81fb595e32cfe856077e1aec4cd163ce3 (diff)
downloaduxp-830818b6858d2dba93e971d7c77e41f4bc6a8bbd.tar.gz
Update identifier map entries and notify if they get removed.
This can happen through DestroyElementMaps() Based on work by Markus Stange and Edgar Chen.
-rw-r--r--dom/base/nsDocument.cpp35
-rw-r--r--dom/base/nsDocument.h5
-rw-r--r--dom/canvas/test/reftest/filters/liveness-document-open.html46
-rw-r--r--dom/canvas/test/reftest/filters/reftest.list1
4 files changed, 81 insertions, 6 deletions
diff --git a/dom/base/nsDocument.cpp b/dom/base/nsDocument.cpp
index 6b8e11db05..e2be6b6645 100644
--- a/dom/base/nsDocument.cpp
+++ b/dom/base/nsDocument.cpp
@@ -395,6 +395,21 @@ nsIdentifierMapEntry::FireChangeCallbacks(Element* aOldElement,
}
}
+void
+nsIdentifierMapEntry::ClearAndNotify()
+{
+ Element* currentElement = mIdContentList.SafeElementAt(0);
+ mIdContentList.Clear();
+ if (currentElement) {
+ FireChangeCallbacks(currentElement, nullptr);
+ }
+ mNameContentList = nullptr;
+ if (mImageElement) {
+ SetImageElement(nullptr);
+ }
+ mChangeCallbacks = nullptr;
+}
+
namespace {
struct PositionComparator
@@ -1422,12 +1437,12 @@ nsDocument::~nsDocument()
delete mSubDocuments;
mSubDocuments = nullptr;
+ nsAutoScriptBlocker scriptBlocker;
+
// Destroy link map now so we don't waste time removing
// links one by one
DestroyElementMaps();
- nsAutoScriptBlocker scriptBlocker;
-
for (uint32_t indx = mChildren.ChildCount(); indx-- != 0; ) {
mChildren.ChildAt(indx)->UnbindFromTree();
mChildren.RemoveChildAt(indx);
@@ -1972,15 +1987,16 @@ nsDocument::ResetToURI(nsIURI *aURI, nsILoadGroup *aLoadGroup,
delete mSubDocuments;
mSubDocuments = nullptr;
- // Destroy link map now so we don't waste time removing
- // links one by one
- DestroyElementMaps();
-
bool oldVal = mInUnlinkOrDeletion;
mInUnlinkOrDeletion = true;
uint32_t count = mChildren.ChildCount();
{ // Scope for update
MOZ_AUTO_DOC_UPDATE(this, UPDATE_CONTENT_MODEL, true);
+
+ // Destroy link map now so we don't waste time removing
+ // links one by one
+ DestroyElementMaps();
+
for (int32_t i = int32_t(count) - 1; i >= 0; i--) {
nsCOMPtr<nsIContent> content = mChildren.ChildAt(i);
@@ -8955,7 +8971,14 @@ nsDocument::DestroyElementMaps()
mStyledLinksCleared = true;
#endif
mStyledLinks.Clear();
+
+ // Notify ID change listeners before clearing the identifier map.
+ for (auto iter = mIdentifierMap.Iter(); !iter.Done(); iter.Next()) {
+ iter.Get()->ClearAndNotify();
+ }
+
mIdentifierMap.Clear();
+
++mExpandoAndGeneration.generation;
}
diff --git a/dom/base/nsDocument.h b/dom/base/nsDocument.h
index 2b29b98fa5..ac600eb433 100644
--- a/dom/base/nsDocument.h
+++ b/dom/base/nsDocument.h
@@ -216,6 +216,11 @@ public:
void RemoveContentChangeCallback(nsIDocument::IDTargetObserver aCallback,
void* aData, bool aForImage);
+ /**
+ * Remove all elements and notify change listeners.
+ */
+ void ClearAndNotify();
+
void Traverse(nsCycleCollectionTraversalCallback* aCallback);
struct ChangeCallback {
diff --git a/dom/canvas/test/reftest/filters/liveness-document-open.html b/dom/canvas/test/reftest/filters/liveness-document-open.html
new file mode 100644
index 0000000000..b3d76e550a
--- /dev/null
+++ b/dom/canvas/test/reftest/filters/liveness-document-open.html
@@ -0,0 +1,46 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<title>canvas filters: remove referenced filter element through document.open()</title>
+
+<body onload="loaded()">
+
+<canvas id="canvas" width="10" height="10"></canvas>
+
+<svg height="0">
+ <filter id="filter">
+ <feFlood flood-color="red"/>
+ </filter>
+</svg>
+
+<script>
+
+function loaded() {
+ var ctx = document.getElementById('canvas').getContext('2d');
+
+ ctx.filter = 'url(#filter)';
+ ctx.fillRect(0, 0, 10, 10); // do a draw first to work around bug 1287316
+
+ document.open();
+
+ // The document.open() call removed #filter from the document. So the filter
+ // reference should now be invalid, and the rect should be drawn without a
+ // filter applied, resulting in black.
+ ctx.fillRect(0, 0, 10, 10);
+
+ try {
+ var data = ctx.getImageData(0, 0, 1, 1).data;
+ if (data[0] == 0 && data[1] == 0 && data[2] == 0 && data[3] == 255) {
+ // Successfully painted black.
+ document.write('PASS');
+ } else {
+ // Painted something else, like red.
+ document.write('FAIL');
+ }
+ } catch (e) {
+ document.write('getImageData failed');
+ }
+ document.close();
+}
+
+</script>
diff --git a/dom/canvas/test/reftest/filters/reftest.list b/dom/canvas/test/reftest/filters/reftest.list
index 9830307159..f5d671e4dc 100644
--- a/dom/canvas/test/reftest/filters/reftest.list
+++ b/dom/canvas/test/reftest/filters/reftest.list
@@ -6,6 +6,7 @@ default-preferences pref(canvas.filters.enabled,true)
fuzzy-if(azureSkia,1,1500) == global-alpha.html global-alpha-ref.html
== global-composite-operation.html global-composite-operation-ref.html
== liveness.html ref.html
+== liveness-document-open.html data:text/html,PASS
== multiple-drop-shadows.html shadow-ref.html
== shadow.html shadow-ref.html
== subregion-fill-paint.html subregion-ref.html