File: move-node-local-root.html

<!DOCTYPE html>
<title>Node moves to another document</title>
<link rel="author" title="Dominic Farolino" href="mailto:dom@chromium.org">
<link rel="help" href="https://crbug.com/40277823">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/get-host-info.sub.js"></script>

<body>
<button id=button></button>
<script>
// This is a regression test for a Chromium crash: https://crbug.com/40277823.
// The crash is reproducible by:
//   1. Creating a node with an event listener for an event type that the
//      compositor cares about; `touchmove` in this case.
//   2. Adopting that node into a tree with a *different* local root (i.e., a
//      tree where the root is a local frame, different from this document, with
//      a remote parent).
//   3. Maintaining a reference to the node that now exists in a different local
//      frame root.
//   4. Adding a same-type event listener to the document that used to host the
//      now-adopted node. This fails an assertion in the event handler
//      registry's consistency checker, which is mistakenly holding a reference
//      to the node that is now hosted in a different local frame root, which
//      the checker does not expect.
//
// Frame layout built below: this document embeds a frame served from
// HTTP_REMOTE_ORIGIN, and that frame is expected to embed a grandchild whose
// `document` this page reads directly (the assertion labels it same-origin).
//
// `button` is never declared in this script; it resolves to the
// <button id=button> element above through named access on the global object.
//
// NOTE(review): the test argument `t` is unused, so no cleanup is registered
// for the iframe, `window.onmessage` or `window.buttonHolder`.
promise_test(async t => {
  const crossOriginChild = document.createElement('iframe');
  // The relative helper path is resolved against this test's own pathname on
  // the remote origin, so the middle frame comes from the same directory but a
  // different origin.
  const crossOriginChildURL = new URL('resources/cross-origin-middle-frame.html', get_host_info().HTTP_REMOTE_ORIGIN + location.pathname);
  crossOriginChild.src = crossOriginChildURL;

  // Resolves on the first message whose data is exactly 'grandchild loaded'.
  // The handler is installed before the iframe is appended, so the message
  // cannot arrive before anyone is listening.
  // NOTE(review): neither `e.origin` nor `e.source` is checked; the sender is
  // defined in resources/cross-origin-middle-frame.html, which is not visible
  // here. Confirm which frame posts the message before tightening this check.
  const grandchildLoadPromise = new Promise(resolve => {
    window.onmessage = e => {
      if (e.data === 'grandchild loaded') {
        resolve();
      }
    }
  });
  document.body.append(crossOriginChild);
  await grandchildLoadPromise;

  // First child frame of this window's first child frame, i.e. the grandchild.
  // Reading `.document` on it only works if it is same-origin with this page.
  const sameOriginGrandchild = window.frames[0][0];
  assert_not_equals(sameOriginGrandchild.document, null,
      "same-origin grandchild frame exists");

  // Step 1: give the node a listener for a compositor-relevant event type. The
  // listener body is intentionally empty; only its registration matters.
  button.addEventListener('touchmove', e => {});

  // Step 3: keeping this reference is important. Before
  // https://crbug.com/40277823 was fixed, it would prevent the garbage
  // collector from removing `button` from this document's event handler
  // registry. As long as `button` is still (incorrectly) in the registry when
  // the `touchmove` event handler is added to this document later
  // (post-adoption), the registry's consistency checker would crash, asserting
  // that the still-tracked event target is rooted at its *old* local frame
  // root.
  window.buttonHolder = button;

  // Step 2: move the node into the grandchild's document, which has a
  // different local root from this document.
  sameOriginGrandchild.document.adoptNode(button);
  // Step 4: the call below previously caused the Chromium crash. The test
  // passes if execution simply continues past it.
  document.body.addEventListener('touchmove', e => {});
}, "Event handler-bearing node moved across local roots in the same tab/page");
</script>
</body>