Disallow non-slotable nodes in slot.assign()
slot.assign() will happily accept nodes which aren't "slotable" according to Node::IsSlotable(), which ends up creating flat tree node data in those nodes. Later, we have a DCHECK which effectively says that if the node isn't slotable, then it shouldn't have flat tree node data. This patch disallows non-slotable nodes in slot.assign() which prevents the problematic situation from happening. Fixed: 1240783 Change-Id: Iec1d94319d73e0730cad06848109f1172e6b72ef Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3114977 Commit-Queue: Joey Arhar <jarhar@chromium.org> Reviewed-by: Mason Freed <masonf@chromium.org> Cr-Commit-Position: refs/heads/main@{#914978}

committed by
Chromium LUCI CQ

parent
2d76e58569
commit
a3411e58dc
third_party/blink
renderer
core
web_tests
external
wpt
@ -174,6 +174,15 @@ void HTMLSlotElement::assign(HeapVector<Member<Node>> nodes,
|
||||
UseCounter::Count(GetDocument(), WebFeature::kSlotAssignNode);
|
||||
if (nodes.IsEmpty() && manually_assigned_nodes_.IsEmpty())
|
||||
return;
|
||||
for (auto& node : nodes) {
|
||||
if (!node->IsSlotable()) {
|
||||
exception_state.ThrowDOMException(
|
||||
DOMExceptionCode::kInvalidNodeTypeError,
|
||||
"The type of node provided is not slotable: '" + node->nodeName() +
|
||||
"'");
|
||||
return;
|
||||
}
|
||||
}
|
||||
HeapLinkedHashSet<WeakMember<Node>> old_manually_assigned_nodes(
|
||||
manually_assigned_nodes_);
|
||||
HeapLinkedHashSet<WeakMember<Node>> nodes_set;
|
||||
|
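Review bot: The new `IsSlotable()` loop carries no comment naming the invariant it protects, and its position matters: it has to stay ahead of the `old_manually_assigned_nodes` copy so that a rejected call throws before any assignment state is touched. I would add above the loop `// Reject non-slotable nodes before mutating any state: only slotable nodes may carry flat tree node data (DCHECKed later).` Per the commit message the only other guard is a DCHECK, which is normally compiled out of release builds, so this loop is presumably the sole enforcement point there and should not be moved or relaxed. The loop variable can be `const auto& node`, since nothing is modified through it. `HTMLSlotElement::assign` starts and ends outside the hunk, so whether later code re-validates the nodes cannot be confirmed from here.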
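--- a/third_party/blink/web_tests/external/wpt/shadow-dom/imperative-slot-assign-not-slotable-crash.html
+++ b/third_party/blink/web_tests/external/wpt/shadow-dom/imperative-slot-assign-not-slotable-crash.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<link rel=author href="mailto:jarhar@chromium.org">
+<link rel=help href="https://crbug.com/1240783">
+
+<p>This test passes if it does not crash.</p>
+
+<slot id=slot>
+<object id=object>
+<script>
+onload = () => {
+const nonSlotable = document.createProcessingInstruction(undefined, undefined);
+document.getElementById('slot').assign(nonSlotable);
+document.getElementById('object').appendChild(nonSlotable);
+}
+</script>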