New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 759947 link

Starred by 2 users
Status: Fixed
Owner:
rakina@chromium.org
Closed: Jan 2018
Cc:
kochi@chromium.org
hayato@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug



Sign in to add a comment

elementFromPoint returns null when the element is a child of the host node

Project Member Reported by elkurin@google.com, Aug 29 2017 
Chrome Version: 60.0.3112.101 (Official Build) (64-bit)
OS: Linux

JS code:
http://jsbin.com/suqolojaca/1/edit?html,js,output (fallback contents)
http://jsbin.com/xocalecefa/1/edit?html,js,output (host children)

Expected result:
elementFromPoint(fallback content) returns the slot node.
elementFromPoint(host child) has to return the slot node.

Actual result:
elementFromPoint(fallback content) returns the slot node,
but elementFromPoint(host child) has to return null.
elementFromPoint(host child) is not working properly.

Comment 1 by kochi@chromium.org, Aug 29 2017

Cc: hayato@chromium.org
cc +hayato

Comment 2 by kochi@chromium.org, Aug 29 2017

Components: Blink>DOM>ShadowDOM

Comment 3 by elkurin@google.com, Aug 29 2017 

By offline discussion, the retargeting algorithm should be applied, so the result will be not the slot node nor null.
The expected result is the host node. (It should return the selected node itself if the host child is not text node.)

https://w3c.github.io/webcomponents/spec/shadow/#concept-shadow-including-inclusive-ancestor
Project Member

Comment 4 by sheriffbot@chromium.org, Oct 11 2017

Labels: Hotlist-Recharge-BouncingOwner
Owner: ----
Status: Untriaged (was: Started)
The assigned owner "elkurin@google.com" is not able to receive e-mails, please re-triage.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 5 by kochi@chromium.org, Oct 12 2017

Owner: kochi@chromium.org
Status: Assigned (was: Untriaged)

Comment 6 by kochi@chromium.org, Nov 29 2017

Owner: rakina@chromium.org
Rakina, would you work on this?

Comment 7 by rakina@chromium.org, Nov 30 2017

Labels: -Hotlist-Recharge-BouncingOwner
Status: Started (was: Assigned)
Project Member

Comment 8 by bugdroid1@chromium.org, Jan 23 2018 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/dd944882a245a5117b50cb417138d92f32d931d6

commit dd944882a245a5117b50cb417138d92f32d931d6
Author: Rakina Zata Amni <rakina@chromium.org>
Date: Tue Jan 23 03:28:05 2018

Fix retargeting of result in elementFromPoint and elementsFromPoint

Currently elementFromPoint and elementsFromPoint are not per spec, and it may
return null incorrectly. This change adds retargeting of the result with
respect to the context object, and adds some tests that are similar to
elementFromPoint tests in WebKit, but with some corrected cases:
https://git.webkit.org/?p=WebKit-https.git;a=blob;f=LayoutTests/fast/shadow-dom/DocumentOrShadowRoot-prototype-elementFromPoint.html;h=a8dc4da2430713521b9ba77c742db10397a8e638;hb=HEAD

Spec:
https://w3c.github.io/webcomponents/spec/shadow/#extensions-to-the-documentorshadowroot-mixin

Bug:  759947 
Change-Id: I6aece5e9cc826124772c6ce13c806865055b2b9b
Reviewed-on: https://chromium-review.googlesource.com/808446
Commit-Queue: Rakina Zata Amni <rakina@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Reviewed-by: Hayato Ito <hayato@chromium.org>
Reviewed-by: Takayoshi Kochi <kochi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#531139}
[add] https://crrev.com/dd944882a245a5117b50cb417138d92f32d931d6/third_party/WebKit/LayoutTests/external/wpt/shadow-dom/DocumentOrShadowRoot-prototype-elementFromPoint.html
[modify] https://crrev.com/dd944882a245a5117b50cb417138d92f32d931d6/third_party/WebKit/LayoutTests/fast/dom/elementsFromPoint/elementsFromPoint-shadowroot-expected.txt
[modify] https://crrev.com/dd944882a245a5117b50cb417138d92f32d931d6/third_party/WebKit/LayoutTests/fast/dom/elementsFromPoint/elementsFromPoint-shadowroot.html
[modify] https://crrev.com/dd944882a245a5117b50cb417138d92f32d931d6/third_party/WebKit/LayoutTests/fast/dom/shadow/elementfrompoint-expected.txt
[modify] https://crrev.com/dd944882a245a5117b50cb417138d92f32d931d6/third_party/WebKit/LayoutTests/fast/dom/shadow/elementfrompoint.html
[modify] https://crrev.com/dd944882a245a5117b50cb417138d92f32d931d6/third_party/WebKit/Source/core/dom/TreeScope.cpp
[modify] https://crrev.com/dd944882a245a5117b50cb417138d92f32d931d6/third_party/WebKit/Source/core/dom/TreeScope.h
[modify] https://crrev.com/dd944882a245a5117b50cb417138d92f32d931d6/third_party/WebKit/Source/devtools/front_end/devtools_compatibility.js
[modify] https://crrev.com/dd944882a245a5117b50cb417138d92f32d931d6/third_party/WebKit/Source/devtools/front_end/dom_extension/DOMExtension.js

Comment 9 by rakina@chromium.org, Jan 23 2018

Status: Fixed (was: Started)
Project Member

Comment 10 by bugdroid1@chromium.org, Jan 23 2018 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/708d660d1ceac6bb5aeeb70e318f03c92bac8693

commit 708d660d1ceac6bb5aeeb70e318f03c92bac8693
Author: Takashi Sakamoto <tasak@google.com>
Date: Tue Jan 23 08:06:40 2018

Revert "Fix retargeting of result in elementFromPoint and elementsFromPoint"

This reverts commit dd944882a245a5117b50cb417138d92f32d931d6.

Reason for revert: 
This causes WebKit Linux Trusty ASAN buildbot failure.
https://uberchromegw.corp.google.com/i/chromium.webkit/builders/WebKit%20Linux%20Trusty%20ASAN/builds/8618

23:46:29.565 3877   ==1==ERROR: AddressSanitizer: use-after-poison on address 0x7ead60c0dbf0 at pc 0x00000dca937a bp 0x7ffd86b90c10 sp 0x7ffd86b90c08
23:46:29.565 3877   READ of size 8 at 0x7ead60c0dbf0 thread T0 (content_shell)
23:46:29.565 3877       #0 0xdca9379 in operator==<const blink::TreeScope, const blink::TreeScope> third_party/WebKit/Source/platform/heap/Member.h:128:27
23:46:29.565 3877       #1 0xdca9379 in blink::TreeScope::Retarget(blink::Element const&) const third_party/WebKit/Source/core/dom/TreeScope.cpp:393:0
23:46:29.565 3877       #2 0xdca8894 in blink::TreeScope::HitTestPointInternal(blink::Node*) const third_party/WebKit/Source/core/dom/TreeScope.cpp:267:10
23:46:29.565 3877       #3 0xdca8325 in HitTestPoint third_party/WebKit/Source/core/dom/TreeScope.cpp:254:10
23:46:29.566 3877       #4 0xdca8325 in blink::TreeScope::ElementFromPoint(double, double) const third_party/WebKit/Source/core/dom/TreeScope.cpp:245:0
23:46:29.566 3877       #5 0xc9353a7 in elementFromPoint third_party/WebKit/Source/core/dom/DocumentOrShadowRoot.h:38:23



Original change's description:
> Fix retargeting of result in elementFromPoint and elementsFromPoint
> 
> Currently elementFromPoint and elementsFromPoint are not per spec, and it may
> return null incorrectly. This change adds retargeting of the result with
> respect to the context object, and adds some tests that are similar to
> elementFromPoint tests in WebKit, but with some corrected cases:
> https://git.webkit.org/?p=WebKit-https.git;a=blob;f=LayoutTests/fast/shadow-dom/DocumentOrShadowRoot-prototype-elementFromPoint.html;h=a8dc4da2430713521b9ba77c742db10397a8e638;hb=HEAD
> 
> Spec:
> https://w3c.github.io/webcomponents/spec/shadow/#extensions-to-the-documentorshadowroot-mixin
> 
> Bug:  759947 
> Change-Id: I6aece5e9cc826124772c6ce13c806865055b2b9b
> Reviewed-on: https://chromium-review.googlesource.com/808446
> Commit-Queue: Rakina Zata Amni <rakina@chromium.org>
> Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
> Reviewed-by: Hayato Ito <hayato@chromium.org>
> Reviewed-by: Takayoshi Kochi <kochi@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#531139}

TBR=kochi@chromium.org,dgozman@chromium.org,hayato@chromium.org,pfeldman@chromium.org,rakina@chromium.org

Change-Id: Id62abd371d93627d3178b63ca189cecfe9ff44d4
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug:  759947 
Reviewed-on: https://chromium-review.googlesource.com/880264
Reviewed-by: Takashi Sakamoto <tasak@google.com>
Commit-Queue: Takashi Sakamoto <tasak@google.com>
Cr-Commit-Position: refs/heads/master@{#531178}
[delete] https://crrev.com/eac28c5dbcd529536aae75575e33204fb6935cf4/third_party/WebKit/LayoutTests/external/wpt/shadow-dom/DocumentOrShadowRoot-prototype-elementFromPoint.html
[modify] https://crrev.com/708d660d1ceac6bb5aeeb70e318f03c92bac8693/third_party/WebKit/LayoutTests/fast/dom/elementsFromPoint/elementsFromPoint-shadowroot-expected.txt
[modify] https://crrev.com/708d660d1ceac6bb5aeeb70e318f03c92bac8693/third_party/WebKit/LayoutTests/fast/dom/elementsFromPoint/elementsFromPoint-shadowroot.html
[modify] https://crrev.com/708d660d1ceac6bb5aeeb70e318f03c92bac8693/third_party/WebKit/LayoutTests/fast/dom/shadow/elementfrompoint-expected.txt
[modify] https://crrev.com/708d660d1ceac6bb5aeeb70e318f03c92bac8693/third_party/WebKit/LayoutTests/fast/dom/shadow/elementfrompoint.html
[modify] https://crrev.com/708d660d1ceac6bb5aeeb70e318f03c92bac8693/third_party/WebKit/Source/core/dom/TreeScope.cpp
[modify] https://crrev.com/708d660d1ceac6bb5aeeb70e318f03c92bac8693/third_party/WebKit/Source/core/dom/TreeScope.h
[modify] https://crrev.com/708d660d1ceac6bb5aeeb70e318f03c92bac8693/third_party/WebKit/Source/devtools/front_end/devtools_compatibility.js
[modify] https://crrev.com/708d660d1ceac6bb5aeeb70e318f03c92bac8693/third_party/WebKit/Source/devtools/front_end/dom_extension/DOMExtension.js
Project Member

Comment 11 by bugdroid1@chromium.org, Jan 25 2018 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/bb3517a95aa758711ac11927e8f8ebf44f6a272b

commit bb3517a95aa758711ac11927e8f8ebf44f6a272b
Author: Rakina Zata Amni <rakina@chromium.org>
Date: Thu Jan 25 07:29:30 2018

Revert "Revert "Fix retargeting of result in elementFromPoint and elementsFromPoint""

crrev.com/c/808446 is reverted because of failure in ASAN Buildbot
Revert CL Link: crrev.com/c/880264
Failure link: https://uberchromegw.corp.google.com/i/chromium.webkit/builders/WebKit%20Linux%20Trusty%20ASAN/builds/8618

The failure is accessing *target_ancestor_iterator when it is out of bounds.
Link: https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/dom/TreeScope.cpp?q=Treescope.cpp&sq=package:chromium&rcl=dd944882a245a5117b50cb417138d92f32d931d6&l=393
as there were no bound checks for target_ancestor_iterator. It wasn't caught
by layout tests because it's still returning the correct results, because
it doesn't crash when getting *target_ancestor_iterator when it's out of bound.
It just stops the while-loop and returned at
https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/dom/TreeScope.cpp?q=Treescope.cpp&sq=package:chromium&rcl=dd944882a245a5117b50cb417138d92f32d931d6&l=398
Also, since the ASAN buildbot is not done before the CL is merged, this wasn't
caught by trybots prior to committing.

The fix is just adding a bound check for target_ancestor_riterator here:
https://chromium-review.googlesource.com/c/chromium/src/+/880741/2..3/third_party/WebKit/Source/core/dom/TreeScope.cpp
I have confirmed by using ASAN locally that it is fixed now.
Before the fix, running the failing tests with ASAN build fails.


Bug:  759947 , 805039 
Change-Id: I9934af8131f285045e0eb80923f190b6d88cef7d
Reviewed-on: https://chromium-review.googlesource.com/880741
Commit-Queue: Rakina Zata Amni <rakina@chromium.org>
Reviewed-by: Hayato Ito <hayato@chromium.org>
Reviewed-by: Takayoshi Kochi <kochi@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#531839}
[add] https://crrev.com/bb3517a95aa758711ac11927e8f8ebf44f6a272b/third_party/WebKit/LayoutTests/external/wpt/shadow-dom/DocumentOrShadowRoot-prototype-elementFromPoint.html
[modify] https://crrev.com/bb3517a95aa758711ac11927e8f8ebf44f6a272b/third_party/WebKit/LayoutTests/fast/dom/elementsFromPoint/elementsFromPoint-shadowroot-expected.txt
[modify] https://crrev.com/bb3517a95aa758711ac11927e8f8ebf44f6a272b/third_party/WebKit/LayoutTests/fast/dom/elementsFromPoint/elementsFromPoint-shadowroot.html
[modify] https://crrev.com/bb3517a95aa758711ac11927e8f8ebf44f6a272b/third_party/WebKit/LayoutTests/fast/dom/shadow/elementfrompoint-expected.txt
[modify] https://crrev.com/bb3517a95aa758711ac11927e8f8ebf44f6a272b/third_party/WebKit/LayoutTests/fast/dom/shadow/elementfrompoint.html
[modify] https://crrev.com/bb3517a95aa758711ac11927e8f8ebf44f6a272b/third_party/WebKit/Source/core/dom/TreeScope.cpp
[modify] https://crrev.com/bb3517a95aa758711ac11927e8f8ebf44f6a272b/third_party/WebKit/Source/core/dom/TreeScope.h
[modify] https://crrev.com/bb3517a95aa758711ac11927e8f8ebf44f6a272b/third_party/WebKit/Source/devtools/front_end/devtools_compatibility.js
[modify] https://crrev.com/bb3517a95aa758711ac11927e8f8ebf44f6a272b/third_party/WebKit/Source/devtools/front_end/dom_extension/DOMExtension.js

Sign in to add a comment