From d0faf28efdb60034f1b34ea91fa707899e3dbf52 Mon Sep 17 00:00:00 2001 From: Dominic Farolino Date: Fri, 17 Jan 2025 09:19:48 -0800 Subject: [PATCH] DOM: Fix moveBefore null parent crash Before this CL, we didn't early-return from `Node::moveBefore()` when `insertBefore()` threw an error due to an invalid node hierarchy. This wasn't necessary until we introduced the `MovedFrom()` hook, since there was no significant code after the `insertBefore()` call. But once we introduced that hook, we didn't add the early-return before calling the hook, which caused this crash. R=masonf, nrosenthal Bug: 40150299, 388934346 Change-Id: Ie5f7401ed5097b7f64097daa557f315a9889664f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6179644 Commit-Queue: Dominic Farolino Reviewed-by: Noam Rosenthal Cr-Commit-Position: refs/heads/main@{#1407973} --- dom/nodes/moveBefore/tentative/Node-moveBefore.html | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/dom/nodes/moveBefore/tentative/Node-moveBefore.html b/dom/nodes/moveBefore/tentative/Node-moveBefore.html index c25fee4ae603cd..6ea8cfeb5e0f49 100644 --- a/dom/nodes/moveBefore/tentative/Node-moveBefore.html +++ b/dom/nodes/moveBefore/tentative/Node-moveBefore.html @@ -329,4 +329,14 @@ await Promise.resolve(); assert_array_equals(reactions, []); }, "No custom element callbacks are run during disconnected moveBefore()"); + +// This is a regression test for a Chromium crash: https://crbug.com/388934346. +test(t => { + // This test caused a crash in Chromium because after the detection of invalid + // /node hierarchy, and throwing the JS error, we did not return from native + // code, and continued to operate on the node tree on bad assumptions. + const outer = document.createElement('div'); + const div = outer.appendChild(document.createElement('div')); + assert_throws_dom("HIERARCHY_REQUEST_ERR", () => div.moveBefore(outer, null)); +}, "Invalid node hierarchy with null old parent does not crash");