Don't update fragment anchor during DOM operations.

We tried to update the fragment anchor position immediately when all script blocking sheets are removed. As part of that update we do a style and layout update. The last script blocking sheet may be removed as part of removing a style element from the DOM. Updating style and layout in the middle of a DOM operation is not safe. Instead, update the fragment anchor position during the next safe lifecycle update. The crash was caused by Document still pointing to a documentElement being removed while updating the style and layout tree, but its parent pointer had already been set to null. Bug: 771088 Change-Id: Iaaaeece23d795c2e41d31b9fb97fc795eb2b8305 Reviewed-on: https://chromium-review.googlesource.com/698305 Commit-Queue: Rune Lillesveen <rune@opera.com> Reviewed-by: Steve Kobes <skobes@chromium.org> Cr-Commit-Position: refs/heads/master@{#506854}

Don't update fragment anchor during DOM operations.
We tried to update the fragment anchor position immediately when all script blocking sheets are removed. As part of that update we do a style and layout update. The last script blocking sheet may be removed as part of removing a style element from the DOM. Updating style and layout in the middle of a DOM operation is not safe. Instead, update the fragment anchor position during the next safe lifecycle update. The crash was caused by Document still pointing to a documentElement being removed while updating the style and layout tree, but its parent pointer had already been set to null. Bug: 771088 Change-Id: Iaaaeece23d795c2e41d31b9fb97fc795eb2b8305 Reviewed-on: https://chromium-review.googlesource.com/698305 Commit-Queue: Rune Lillesveen <rune@opera.com> Reviewed-by: Steve Kobes <skobes@chromium.org> Cr-Commit-Position: refs/heads/master@{#506854}
396316b0 · Rune Lillesveen · Commit Bot · 679ae771 · 396316b0 · 396316b0
Commit 396316b0 authored Oct 05, 2017 by Rune Lillesveen Committed by Commit Bot Oct 05, 2017
2 changed files
--- a/third_party/WebKit/LayoutTests/fast/css/synchronous-hash-update-crash.html
+++ b/third_party/WebKit/LayoutTests/fast/css/synchronous-hash-update-crash.html
+<!DOCTYPE html>
+<script src="../../resources/testharness.js"></script>
+<script src="../../resources/testharnessreport.js"></script>
+<script>
+  test(() => {
+    var s = document.createElement("style");
+    s.appendChild(document.createTextNode('@import url(dummy.css);'));
+    document.head.insertBefore(s, null);
+    var d = document.createElement("div");
+    d.setAttribute("id", "x");
+    document.head.appendChild(d);
+    location.hash= "#x";
+    document.documentElement.remove();
+    document.appendChild(document.createElement("html"));
+  }, "This test should not crash.");
+</script>
--- a/third_party/WebKit/Source/core/dom/Document.cpp
+++ b/third_party/WebKit/Source/core/dom/Document.cpp
@@ -2369,6 +2369,9 @@ void Document::UpdateStyleAndLayout() {
  if (frame_view->NeedsLayout())
    frame_view->UpdateLayout();
+  if (goto_anchor_needed_after_stylesheets_load_)
+    frame_view->ProcessUrlFragment(url_);
  if (Lifecycle().GetState() < DocumentLifecycle::kLayoutClean)
    Lifecycle().AdvanceTo(DocumentLifecycle::kLayoutClean);
@@ -3888,9 +3891,6 @@ void Document::DidLoadAllScriptBlockingResources() {
    // For non-HTML there is no body so resume as soon as the sheets are loaded.
    BeginLifecycleUpdatesIfRenderingReady();
  }
-  if (goto_anchor_needed_after_stylesheets_load_ && View())
-    View()->ProcessUrlFragment(url_);
 }
 void Document::ExecuteScriptsWaitingForResources() {