Disallow non-slotable nodes in slot.assign()

slot.assign() will happily accept nodes which aren't "slotable"
according to Node::IsSlotable(), which ends up creating flat tree node
data in those nodes. Later, we have a DCHECK which effectively says that
if the node isn't slotable, then it shouldn't have flat tree node data.

This patch disallows non-slotable nodes in slot.assign() which prevents
the problematic situation from happening.

Fixed: 1240783
Change-Id: Iec1d94319d73e0730cad06848109f1172e6b72ef
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3114977
Commit-Queue: Joey Arhar <jarhar@chromium.org>
Reviewed-by: Mason Freed <masonf@chromium.org>
Cr-Commit-Position: refs/heads/main@{#914978}
Joey Arhar
2021-08-25 00:09:47 +00:00
committed by Chromium LUCI CQ
parent 2d76e58569
commit a3411e58dc
2 changed files with 24 additions and 0 deletions
third_party/blink
renderer
web_tests

@ -174,6 +174,15 @@ void HTMLSlotElement::assign(HeapVector<Member<Node>> nodes,
UseCounter::Count(GetDocument(), WebFeature::kSlotAssignNode);
if (nodes.IsEmpty() && manually_assigned_nodes_.IsEmpty())
return;
for (auto& node : nodes) {
if (!node->IsSlotable()) {
exception_state.ThrowDOMException(
DOMExceptionCode::kInvalidNodeTypeError,
"The type of node provided is not slotable: '" + node->nodeName() +
"'");
return;
}
}
HeapLinkedHashSet<WeakMember<Node>> old_manually_assigned_nodes(
manually_assigned_nodes_);
HeapLinkedHashSet<WeakMember<Node>> nodes_set;
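Review bot: The validation loop added at the top of HTMLSlotElement::assign() has no comment saying why non-slotable nodes are rejected, and the reason is not visible from the code alone. Per the commit message, assigning such a node creates flat tree node data that a later DCHECK forbids, so a one-line comment above `for (auto& node : nodes) {` naming that invariant would keep the check from being removed or moved later. The placement itself looks right: the throw and return come before old_manually_assigned_nodes and nodes_set are built, so a rejected call leaves manually_assigned_nodes_ unchanged. One small point: UseCounter::Count still records kSlotAssignNode for calls that end up throwing; move the loop above it if rejected calls should not be counted.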

@ -0,0 +1,15 @@
<!DOCTYPE html>
<link rel=author href="mailto:jarhar@chromium.org">
<link rel=help href="https://crbug.com/1240783">
<p>This test passes if it does not crash.</p>
<slot id=slot>
<object id=object>
<script>
onload = () => {
const nonSlotable = document.createProcessingInstruction(undefined, undefined);
document.getElementById('slot').assign(nonSlotable);
document.getElementById('object').appendChild(nonSlotable);
}
</script>
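Review bot: With the new check in place, `document.getElementById('slot').assign(nonSlotable);` throws inside the onload handler, so the following `appendChild(nonSlotable)` line never runs and the test no longer exercises the rest of the original crash sequence. Wrap the assign() call in try/catch so the handler continues to appendChild, and check that the exception is an InvalidNodeTypeError so the test verifies the rejection rather than only the absence of a crash. The test also covers a single node type, the ProcessingInstruction; a second case with a node that is slotable would confirm the new loop does not reject valid input.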