angler-fishThe Vulnerability History Project

Fix inconsistent frame detach behavior of ContainerNode::parserRemoveChild.

      Before this CL, ContainerNode::parserRemoveChild didn't detach descendent
<frame>s like ContainerNode::removeChild did.
ContainerNode::parserRemoveChild is called from document parsers for reparenting,
and this may leave the <frame>s in broken state.

This CL fixes the issue by issuing ChildFrameDisconnector from parserRemoveChild.

Node::updateAncestorConnectedSubframeCountForRemoval is removed,
as the decrement is now issued from HTMLFrameOwnerElement::clearContentFrame
called from fromChildFrameDisconnector.

Rebaselined:
fast/parser/adoption-agency-crash-01.html
fast/parser/adoption-agency-crash-03.html
- The iframes parser removed shouldn't be invoked onload handler anyway.

BUG=456518

Review URL: https://codereview.chromium.org/948793003

git-svn-id: svn://svn.chromium.org/blink/trunk@190980 bbb929c8-8fbe-4397-9dbb-9b2b20218538
by Darrell the Humboldt Penguin 2015-02-27 07:11:07 UTC
commit 74928e8fa2a5033dfd69584dc8a8321191fc44a4
Chromium Fix CVE-2015-1235
third_party/WebKit/LayoutTests/fast/css/stylesheet-candidate-nodes-crash-expected.txt
-6
third_party/WebKit/LayoutTests/fast/frames/reparented-iframe-cleared-contentWindow-expected.txt
-5
third_party/WebKit/LayoutTests/fast/frames/reparented-iframe-cleared-contentWindow.html
-17
third_party/WebKit/LayoutTests/fast/parser/adoption-agency-crash-01-expected.txt
+1 -1
third_party/WebKit/LayoutTests/fast/parser/adoption-agency-crash-03-expected.txt
+2 -1
third_party/WebKit/Source/core/dom/ContainerNode.cpp
+1 -2
third_party/WebKit/Source/core/dom/Node.cpp
+11
third_party/WebKit/Source/core/dom/Node.h
+1
expand_less