Clear slot's assigned nodes when it's inserted and assigned nodes are dirty
Between when a host element with its shadow root gets orphaned and when it gets connected again, its slot assignment can become dirty by some DOM mutation of its host children, but slots still hold stale assigned nodes. When a detached host child becomes an ancestor of the shadow host, unless those cached assigned nodes are cleared, it can make a cycle during DetachLayoutTree() traverses down to those cached nodes. See the case (cyclic-detach-crash2.html) for details. Bug: 847056, 845770 Change-Id: I44d3c118c9810ad3847fa24d630b7ddb9f9d2e50 Reviewed-on: https://chromium-review.googlesource.com/1100718Reviewed-by:Hayato Ito <hayato@chromium.org> Reviewed-by:
Rune Lillesveen <futhark@chromium.org> Commit-Queue: Takayoshi Kochi <kochi@chromium.org> Cr-Commit-Position: refs/heads/master@{#567636}
Showing
Please register or sign in to comment