Backed out 4 changesets (bug 1505887, bug 1509989) for failing crashtests on tests/layout/style/crashtests/1509989.html on a CLOSED TREE.
authorRazvan Maries <rmaries@mozilla.com>
Tue, 27 Nov 2018 14:10:30 +0200
changeset 507504 dc298299ebadd4b20eb58ea1ee6404b416eed422
parent 507503 6c94d53b486c1140051607b71bf66c0e014c605c
child 507505 8221df0f4e50bbdebe7cd65c1b3adf799a1aa6a6
push id1905
push userffxbld-merge
push dateMon, 21 Jan 2019 12:33:13 +0000
bugs1505887, 1509989
milestone65.0a1
backs outdc6c022e9fe127bd0d32e25e3206f79e3d0d954c
490a99122a7fc04ad0ec6bf9e32036c36b92d631
7b9afff4ff11f683d9a5e46ae92d80d6e9e7add3
15da6e919d804d770219f720fb93b7c2d42e5f10
Backed out 4 changesets (bug 1505887, bug 1509989) for failing crashtests on tests/layout/style/crashtests/1509989.html on a CLOSED TREE. Backed out changeset dc6c022e9fe1 (bug 1509989) Backed out changeset 490a99122a7f (bug 1505887) Backed out changeset 7b9afff4ff11 (bug 1505887) Backed out changeset 15da6e919d80 (bug 1505887)
dom/base/FragmentOrElement.cpp
dom/base/ShadowRoot.h
dom/base/nsContentUtils.cpp
dom/base/nsContentUtils.h
dom/base/nsIContent.h
dom/base/nsINode.h
layout/style/crashtests/1509989.html
layout/style/crashtests/crashtests.list
--- a/dom/base/FragmentOrElement.cpp
+++ b/dom/base/FragmentOrElement.cpp
@@ -878,39 +878,42 @@ FragmentOrElement::GetChildren(uint32_t 
   AllChildrenIterator iter(this, aFilter);
   while (nsIContent* kid = iter.GetNextChild()) {
     list->AppendElement(kid);
   }
 
   return list.forget();
 }
 
-static nsINode*
-FindChromeAccessOnlySubtreeOwner(nsINode* aNode)
+static nsIContent*
+FindChromeAccessOnlySubtreeOwner(nsIContent* aContent)
 {
-  if (!aNode->ChromeOnlyAccess()) {
-    return aNode;
+  if (aContent->ChromeOnlyAccess()) {
+    bool chromeAccessOnly = false;
+    while (aContent && !chromeAccessOnly) {
+      chromeAccessOnly = aContent->IsRootOfChromeAccessOnlySubtree();
+      aContent = aContent->GetParent();
+    }
   }
-
-  while (aNode && !aNode->IsRootOfChromeAccessOnlySubtree()) {
-    aNode = aNode->GetParentNode();
-  }
-
-  return aNode ? aNode->GetParentOrHostNode() : nullptr;
+  return aContent;
 }
 
 already_AddRefed<nsINode>
 FindChromeAccessOnlySubtreeOwner(EventTarget* aTarget)
 {
   nsCOMPtr<nsINode> node = do_QueryInterface(aTarget);
   if (!node || !node->ChromeOnlyAccess()) {
     return node.forget();
   }
 
-  node = FindChromeAccessOnlySubtreeOwner(node);
+  if (!node->IsContent()) {
+    return nullptr;
+  }
+
+  node = FindChromeAccessOnlySubtreeOwner(node->AsContent());
   return node.forget();
 }
 
 void
 nsIContent::GetEventTargetParent(EventChainPreVisitor& aVisitor)
 {
   //FIXME! Document how this event retargeting works, Bug 329124.
   aVisitor.mCanHandle = true;
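Review bot: The restored `FindChromeAccessOnlySubtreeOwner(nsIContent*)` has no comment, and its loop is easy to misread: it advances `aContent` once more after `IsRootOfChromeAccessOnlySubtree()` turns true, so the value returned is the parent of the subtree root, and nullptr covers both "the root has no content parent" and "no root was found". `GetEventTargetParent` uses this result when retargeting events around chrome-only content, so the contract should be written down, for example `// Returns aContent itself when it is not chrome-only; otherwise the parent of the nearest chrome-only subtree root, or nullptr.` The removed lines finished with `GetParentOrHostNode()` while the restored walk uses only `GetParent()`, so it presumably does not step from a shadow root to its host; that is worth confirming and stating in the same comment, since the `EventTarget*` overload below passes the nullptr straight to its caller.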
@@ -943,19 +946,19 @@ nsIContent::GetEventTargetParent(EventCh
       // target is descendant of an element which is anonymous for events,
       // we may want to stop event propagation.
       // If this is the original target, aVisitor.mRelatedTargetIsInAnon
       // must be updated.
       if (isAnonForEvents || aVisitor.mRelatedTargetIsInAnon ||
           (aVisitor.mEvent->mOriginalTarget == this &&
            (aVisitor.mRelatedTargetIsInAnon =
             relatedTarget->ChromeOnlyAccess()))) {
-        nsINode* anonOwner = FindChromeAccessOnlySubtreeOwner(this);
+        nsIContent* anonOwner = FindChromeAccessOnlySubtreeOwner(this);
         if (anonOwner) {
-          nsINode* anonOwnerRelated =
+          nsIContent* anonOwnerRelated =
             FindChromeAccessOnlySubtreeOwner(relatedTarget);
           if (anonOwnerRelated) {
             // Note, anonOwnerRelated may still be inside some other
             // native anonymous subtree. The case where anonOwner is still
             // inside native anonymous subtree will be handled when event
             // propagates up in the DOM tree.
             while (anonOwner != anonOwnerRelated &&
                    anonOwnerRelated->ChromeOnlyAccess()) {
--- a/dom/base/ShadowRoot.h
+++ b/dom/base/ShadowRoot.h
@@ -206,18 +206,16 @@ public:
 
   bool IsUAWidget() const
   {
     return mIsUAWidget;
   }
 
   void SetIsUAWidget()
   {
-    MOZ_ASSERT(!HasChildren());
-    SetFlags(NODE_IS_ROOT_OF_CHROME_ONLY_ACCESS | NODE_CHROME_ONLY_ACCESS);
     mIsUAWidget = true;
   }
 
   void GetEventTargetParent(EventChainPreVisitor& aVisitor) override;
 
   // nsIRadioGroupContainer
   NS_IMETHOD WalkRadioGroup(const nsAString& aName,
                             nsIRadioVisitor* aVisitor,
--- a/dom/base/nsContentUtils.cpp
+++ b/dom/base/nsContentUtils.cpp
@@ -2088,28 +2088,19 @@ nsContentUtils::CanCallerAccess(nsIPrinc
 
   // The subject doesn't subsume aPrincipal. Allow access only if the subject
   // is chrome.
   return IsCallerChrome();
 }
 
 // static
 bool
-nsContentUtils::CanCallerAccess(const nsINode* aNode)
-{
-  nsIPrincipal* subject = SubjectPrincipal();
-  if (IsSystemPrincipal(subject)) {
-    return true;
-  }
-
-  if (aNode->ChromeOnlyAccess()) {
-    return false;
-  }
-
-  return CanCallerAccess(subject, aNode->NodePrincipal());
+nsContentUtils::CanCallerAccess(nsINode* aNode)
+{
+  return CanCallerAccess(SubjectPrincipal(), aNode->NodePrincipal());
 }
 
 // static
 bool
 nsContentUtils::CanCallerAccess(nsPIDOMWindowInner* aWindow)
 {
   nsCOMPtr<nsIScriptObjectPrincipal> scriptObject = do_QueryInterface(aWindow);
   NS_ENSURE_TRUE(scriptObject, false);
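Review bot: `nsContentUtils::CanCallerAccess(nsINode*)` on the new side decides on principals alone and never looks at `aNode->ChromeOnlyAccess()`, so it cannot serve as the gate that keeps content script away from chrome-only anonymous nodes if those nodes share their document's principal. The one-line comment on the declaration in dom/base/nsContentUtils.h ("Check if the (JS) caller can access aNode.") reads as if it were that gate; I would extend it to `// Principal check only; does not consider aNode->ChromeOnlyAccess(), callers must test that separately.` The ShadowRoot.h hunk points the same way: `SetIsUAWidget()` no longer sets `NODE_CHROME_ONLY_ACCESS`, so UA-widget content is identified only through `IsUAWidget()` and deserves a matching comment there. The parameter could also stay `const nsINode*`, since the removed version already called `NodePrincipal()` through a const pointer.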
--- a/dom/base/nsContentUtils.h
+++ b/dom/base/nsContentUtils.h
@@ -629,17 +629,17 @@ public:
 
   /**
    * Checks whether two nodes come from the same origin.
    */
   static nsresult CheckSameOrigin(const nsINode* aTrustedNode,
                                   const nsINode* unTrustedNode);
 
   // Check if the (JS) caller can access aNode.
-  static bool CanCallerAccess(const nsINode* aNode);
+  static bool CanCallerAccess(nsINode* aNode);
 
   // Check if the (JS) caller can access aWindow.
   // aWindow can be either outer or inner window.
   static bool CanCallerAccess(nsPIDOMWindowInner* aWindow);
 
   // Check if the principal is chrome or an addon with the permission.
   static bool PrincipalHasPermission(nsIPrincipal* aPrincipal, const nsAtom* aPerm);
 
--- a/dom/base/nsIContent.h
+++ b/dom/base/nsIContent.h
@@ -174,16 +174,36 @@ public:
    * @note calling this method with eAllButXBL will return children that are
    *  also in the eAllButXBL and eAllChildren child lists of other descendants
    *  of this node in the tree, but those other nodes cannot be reached from the
    *  eAllButXBL child list.
    */
   virtual already_AddRefed<nsINodeList> GetChildren(uint32_t aFilter) = 0;
 
   /**
+   * Get whether this content is C++-generated anonymous content
+   * @see nsIAnonymousContentCreator
+   * @return whether this content is anonymous
+   */
+  bool IsRootOfNativeAnonymousSubtree() const
+  {
+    NS_ASSERTION(!HasFlag(NODE_IS_NATIVE_ANONYMOUS_ROOT) ||
+                 (HasFlag(NODE_IS_ANONYMOUS_ROOT) &&
+                  HasFlag(NODE_IS_IN_NATIVE_ANONYMOUS_SUBTREE)),
+                 "Some flags seem to be missing!");
+    return HasFlag(NODE_IS_NATIVE_ANONYMOUS_ROOT);
+  }
+
+  bool IsRootOfChromeAccessOnlySubtree() const
+  {
+    return HasFlag(NODE_IS_NATIVE_ANONYMOUS_ROOT |
+                   NODE_IS_ROOT_OF_CHROME_ONLY_ACCESS);
+  }
+
+  /**
    * Makes this content anonymous
    * @see nsIAnonymousContentCreator
    */
   void SetIsNativeAnonymousRoot()
   {
     SetFlags(NODE_IS_ANONYMOUS_ROOT | NODE_IS_IN_NATIVE_ANONYMOUS_SUBTREE |
              NODE_IS_NATIVE_ANONYMOUS_ROOT);
   }
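Review bot: `IsRootOfChromeAccessOnlySubtree()` arrives in nsIContent without a comment, and its `HasFlag(A | B)` call does not say whether either flag or both are required; assuming HasFlag tests for any set bit, a line such as `// True for a native-anonymous root or a root explicitly marked chrome-only.` would settle it. The doc block moved with `IsRootOfNativeAnonymousSubtree()` also says `@return whether this content is anonymous`, while the function returns whether the node is the root of a native anonymous subtree; `@return whether this content is the root of a native anonymous subtree` matches the code. The class body continues outside the hunk.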
--- a/dom/base/nsINode.h
+++ b/dom/base/nsINode.h
@@ -1228,36 +1228,16 @@ public:
   }
 
   bool IsInShadowTree() const
   {
     return HasFlag(NODE_IS_IN_SHADOW_TREE);
   }
 
   /**
-   * Get whether this node is C++-generated anonymous content
-   * @see nsIAnonymousContentCreator
-   * @return whether this content is anonymous
-   */
-  bool IsRootOfNativeAnonymousSubtree() const
-  {
-    NS_ASSERTION(!HasFlag(NODE_IS_NATIVE_ANONYMOUS_ROOT) ||
-                 (HasFlag(NODE_IS_ANONYMOUS_ROOT) &&
-                  HasFlag(NODE_IS_IN_NATIVE_ANONYMOUS_SUBTREE)),
-                 "Some flags seem to be missing!");
-    return HasFlag(NODE_IS_NATIVE_ANONYMOUS_ROOT);
-  }
-
-  bool IsRootOfChromeAccessOnlySubtree() const
-  {
-    return HasFlag(NODE_IS_NATIVE_ANONYMOUS_ROOT |
-                   NODE_IS_ROOT_OF_CHROME_ONLY_ACCESS);
-  }
-
-  /**
    * Returns true if |this| node is the common ancestor of the start/end
    * nodes of a Range in a Selection or a descendant of such a common ancestor.
    * This node is definitely not selected when |false| is returned, but it may
    * or may not be selected when |true| is returned.
    */
   bool IsSelectionDescendant() const
   {
     return IsDescendantOfCommonAncestorForRangeInSelection() ||
deleted file mode 100644
--- a/layout/style/crashtests/1509989.html
+++ /dev/null
@@ -1,11 +0,0 @@
-<script>
-function go() {
-  window.getSelection().getRangeAt(0).insertNode(a);
-}
-</script>
-<body onload=go()>
-<dl>
-<dd id="a">
-<video>
-</dd>
-<input type="number" autofocus="">
--- a/layout/style/crashtests/crashtests.list
+++ b/layout/style/crashtests/crashtests.list
@@ -290,9 +290,8 @@ load 1457288.html
 load 1457985.html
 load 1468640.html
 load 1469076.html
 load 1475003.html
 load 1479681.html
 load 1488817.html
 load 1490012.html
 load 1502893.html
-load 1509989.html