WK1: arbitrary JS execution while tearing down renderers in Element::addShadowRoot
https://bugs.webkit.org/show_bug.cgi?id=206335
Reviewed by Antti Koivisto.
Delay the widget hierarchy updates until we're done attaching a shadow root.
Otherwise, WK1 would retry to update the focus synchronously.
* dom/Element.cpp:
(WebCore::Element::addShadowRoot):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@254700 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index a74d590..7bb9bb8 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,16 @@
+2020-01-16 Ryosuke Niwa <rniwa@webkit.org>
+
+ WK1: arbitrary JS execution while tearing down renderers in Element::addShadowRoot
+ https://bugs.webkit.org/show_bug.cgi?id=206335
+
+ Reviewed by Antti Koivisto.
+
+ Delay the widget hierarchy updates until we're done attaching a shadow root.
+ Otherwise, WK1 would retry to update the focus synchronously.
+
+ * dom/Element.cpp:
+ (WebCore::Element::addShadowRoot):
+
2020-01-16 Chris Lord <clord@igalia.com>
REGRESSION (r254291): [ Catalina wk2 Debug ] Flaky ASSERT on fast/images/animated-image-loop-count.html
diff --git a/Source/WebCore/dom/Element.cpp b/Source/WebCore/dom/Element.cpp
index b84297e..ff98eee 100644
--- a/Source/WebCore/dom/Element.cpp
+++ b/Source/WebCore/dom/Element.cpp
@@ -2279,6 +2279,7 @@
ShadowRoot& shadowRoot = newShadowRoot;
{
+ WidgetHierarchyUpdatesSuspensionScope suspendWidgetHierarchyUpdates;
ScriptDisallowedScope::InMainThread scriptDisallowedScope;
if (renderer())
RenderTreeUpdater::tearDownRenderers(*this);
