The Vulnerability History Project

Call insertedInto or removedFrom before childrenChanged

We must notify nodes that they were removed before calling childrenChanged
because childrenChanged could run script. If we don't, then the script can remove
the parent and then Element::removedFrom doesn't think the parent is
inTreeScope or inDocument so it'll fail to clean up the TreeScope hash maps
like the id map.

I tried this once before for a different reason in:
https://src.chromium.org/viewvc/blink?revision=175732&view=revision
but that got rolled out because it caused crashes http://crbug.com/382160

By looking at the code it appears that the reason for this is that
m_element in the WebPluginContainerImpl is a raw ptr, and so nothing is
keeping the element alive inside the UpdateSuspendScope. In this patch
I didn't remove the NodeVector, a future patch will attempt to do that.

Unfortunately even when I did remove the NodeVector I couldn't reproduce
the crashes mentioned in the bug, but by code inspection and the crash
stacks it appears to be the situation I described.

BUG=387389

Review URL: https://codereview.chromium.org/418133003

git-svn-id: svn://svn.chromium.org/blink/trunk@178976 bbb929c8-8fbe-4397-9dbb-9b2b20218538
commit 8ab43b75fe8656338d1647fe954b03204adf3c13
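The ordering bug the commit message describes, as an added toy model written for this page (it is not Blink's code). The names TreeScope, idMap, childrenChanged and the "removedFrom" notification mirror the Blink concepts named above; the Node struct, removeChild, detach, the childrenChangedHook stand-in for script, and the root/parent/victim sample tree are constructed for illustration. The point it shows is the one the message makes: when childrenChanged runs before the removal notification, script can pull the parent out of the tree, the "is the insertion point still in a tree scope" gate in removedFrom then fails, and the id map keeps a pointer to a node that is no longer in the tree (the entry that becomes a use-after-free once the node is freed).

```cpp
#include <algorithm>
#include <functional>
#include <string>
#include <unordered_map>
#include <vector>

// Toy model of the ordering bug in the commit message (not Blink's code).
// A TreeScope keeps an id -> element map that the removedFrom notification must
// keep in sync; childrenChanged may run script that mutates the tree re-entrantly.

struct Node;

struct TreeScope {
    std::unordered_map<std::string, Node*> idMap;  // stand-in for the TreeScope id map
};

struct Node {
    std::string id;
    Node* parent = nullptr;
    TreeScope* treeScope = nullptr;            // non-null while the node is "inTreeScope"
    std::vector<Node*> children;               // non-owning; lifetime handled by the caller
    std::function<void()> childrenChangedHook; // constructed stand-in for script run from childrenChanged
};

// Mirrors the insertedInto notification: register the ids of the inserted subtree.
void notifyInserted(Node* n, TreeScope* scope) {
    n->treeScope = scope;
    if (!n->id.empty()) scope->idMap[n->id] = n;
    for (Node* c : n->children) notifyInserted(c, scope);
}

// Mirrors Element::removedFrom(insertionPoint): id-map cleanup is gated on the
// insertion point (the old parent) still being in a tree scope. If script has already
// pulled the parent out of the tree, the gate fails and the stale entry survives.
void notifyRemoved(Node* n, Node* insertionPoint) {
    if (insertionPoint->treeScope && n->treeScope && !n->id.empty())
        n->treeScope->idMap.erase(n->id);
    n->treeScope = nullptr;
    for (Node* c : n->children) notifyRemoved(c, insertionPoint);
}

void childrenChanged(Node* n) {
    if (n->childrenChangedHook) n->childrenChangedHook();  // "childrenChanged could run script"
}

void appendChild(Node* parent, Node* child) {
    child->parent = parent;
    parent->children.push_back(child);
    if (parent->treeScope) notifyInserted(child, parent->treeScope);
}

void detach(Node* parent, Node* child) {
    auto& kids = parent->children;
    kids.erase(std::remove(kids.begin(), kids.end(), child), kids.end());
    child->parent = nullptr;
}

// fixedOrder=false reproduces the pre-patch sequence (childrenChanged first),
// fixedOrder=true the sequence the patch installs (removedFrom first).
void removeChild(Node* parent, Node* child, bool fixedOrder) {
    detach(parent, child);
    if (fixedOrder) {
        notifyRemoved(child, parent);
        childrenChanged(parent);
    } else {
        childrenChanged(parent);
        notifyRemoved(child, parent);
    }
}

// Builds root -> parent -> child(id="victim"), installs "script" that removes the
// parent whenever parent's children change, then removes child. Returns true when the
// scope's id map still points at the detached child, i.e. the dangling entry that
// turns into a use-after-free once the node is actually freed.
bool leavesStaleIdEntry(bool fixedOrder) {
    TreeScope scope;
    Node root, parent, child;
    root.id = "root"; parent.id = "parent"; child.id = "victim";
    root.treeScope = &scope;
    scope.idMap[root.id] = &root;
    appendChild(&root, &parent);
    appendChild(&parent, &child);

    // Constructed script behaviour: a mutation handler that removes the parent itself.
    parent.childrenChangedHook = [&]() { removeChild(&root, &parent, /*fixedOrder=*/true); };

    removeChild(&parent, &child, fixedOrder);

    auto it = scope.idMap.find("victim");
    return it != scope.idMap.end() && it->second == &child;
}

int main() {
    // Stand-alone run: exit 0 when the buggy order leaves a stale entry and the fixed order does not.
    return (leavesStaleIdEntry(false) && !leavesStaleIdEntry(true)) ? 0 : 1;
}
```

With the pre-patch order, removeChild(&parent, &child, false) leaves "victim" in the map pointing at the detached node; with the patched order the entry is erased before script gets a chance to run, which is exactly why the patch moves the removal notification ahead of childrenChanged.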