merge_pr_60669
DOM: Fix connected subframe count during moveBefore()
Before this CL: In HTMLFrameOwnerElement::RemovedFrom(), when an
element was removed during a state-preserving atomic move
(moveBefore()), we decremented the connected subframe count on the frame
owner element itself and on all ancestors starting from
insertion_point (the old, connected parent of the newly-disconnected
subtree).
When moving an ancestor of an iframe, this caused a bookkeeping problem:
- Intermediate nodes between the iframe and the insertion point never
had their subframe counts decremented;
- When InsertedInto() later runs, the subframe counts on all nodes
starting at the iframe's parent up to the root get re-incremented.
This means that intermediate nodes between the iframe and the insertion
point have their counts "re-incremented" after never being decremented.
This causes the page's subframe count to be desynchronized from reality,
causing a DCHECK() in CheckFrameCountConsistency() during the next
operation that invokes that path, such as the child frame disconnector.
After this CL: We updated the increment logic in InsertedInto() to
mirror that in RemovedFrom(). Specifically, we now increment the
connected subframe count on the frame owner element itself and on all
ancestors starting from insertion_point (the new parent of the
attached subtree). This leaves the subframe counts of any intermediate
nodes within the moved subtree completely untouched and accurate.
See https://crrev.com/c/7882216 for a previous attempt.
R=jarhar, nrosenthal
Bug: 517345069
Change-Id: I3d2f1d9641cfde9b57246fa4c7932da35b7c2588
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7950701
Reviewed-by: Joey Arhar <jarhar@chromium.org>
Commit-Queue: Dominic Farolino <dom@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1647915}
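The bookkeeping described in the commit message, as an added toy model that is not Chromium code: a small tree with a per-node connected subframe count, a RemovedFrom() walk that decrements the owner and the ancestors starting at the old parent, and the two InsertedInto() variants (the increment walk that starts at the iframe's parent, and the fixed walk that starts at the new parent). The tree shape, the node names, and the helper names are assumptions; the model also assumes the owner element's own count is incremented in both variants and that only the start of the ancestor walk differs, and its consistency check recounts every node rather than reproducing exactly what CheckFrameCountConsistency() does.

```python
"""Toy model of Blink's connected-subframe-count bookkeeping during a
state-preserving atomic move (moveBefore()).  Illustration only, not
Chromium code; tree shape, names and helpers are assumptions."""


class Node:
    def __init__(self, name, is_frame_owner=False):
        self.name = name
        self.is_frame_owner = is_frame_owner
        self.parent = None
        self.children = []
        # Per node: number of connected frame owners in the subtree rooted
        # here (a frame owner counts itself).
        self.connected_subframe_count = 0

    def append(self, child):
        child.parent = self
        self.children.append(child)
        return child

    def detach(self):
        self.parent.children.remove(self)
        self.parent = None

    def subtree(self):
        yield self
        for child in self.children:
            yield from child.subtree()

    def frame_owners(self):
        return [n for n in self.subtree() if n.is_frame_owner]


def ancestors_from(node):
    """node, node.parent, ... up to the root (inclusive)."""
    while node is not None:
        yield node
        node = node.parent


def removed_from(owner, insertion_point):
    """RemovedFrom during a state-preserving move: decrement the owner and
    every ancestor starting at the OLD parent of the detached subtree.
    Nodes inside the moved subtree are untouched; they still hold the frame."""
    owner.connected_subframe_count -= 1
    for n in ancestors_from(insertion_point):
        n.connected_subframe_count -= 1


def inserted_into_before_fix(owner, insertion_point):
    """Increment walk starting at the owner's own parent: re-increments the
    intermediate nodes that RemovedFrom never decremented."""
    owner.connected_subframe_count += 1
    for n in ancestors_from(owner.parent):
        n.connected_subframe_count += 1


def inserted_into_after_fix(owner, insertion_point):
    """Mirror of removed_from(): increment the owner and the ancestors
    starting at the NEW parent of the attached subtree."""
    owner.connected_subframe_count += 1
    for n in ancestors_from(insertion_point):
        n.connected_subframe_count += 1


def move_before(subtree_root, new_parent, inserted_into):
    """Atomic move of subtree_root under new_parent: detach, notify each
    frame owner inside via RemovedFrom, attach, notify via InsertedInto."""
    owners = subtree_root.frame_owners()
    old_parent = subtree_root.parent
    subtree_root.detach()
    for owner in owners:
        removed_from(owner, old_parent)
    new_parent.append(subtree_root)
    for owner in owners:
        inserted_into(owner, new_parent)


def check_frame_count_consistency(root):
    """Names of nodes whose stored count disagrees with a fresh recount;
    an empty list is the state in which the DCHECK would pass."""
    return [n.name for n in root.subtree()
            if n.connected_subframe_count != len(n.frame_owners())]


def build_tree():
    # Constructed document: root > a > b > iframe, plus a sibling c (target).
    root = Node("root")
    a = root.append(Node("a"))
    b = a.append(Node("b"))
    frame = b.append(Node("iframe", is_frame_owner=True))
    c = root.append(Node("c"))
    for n in ancestors_from(frame):  # connecting the frame counts it everywhere
        n.connected_subframe_count += 1
    return root, a, c


def run(inserted_into):
    """Move a (an ancestor of the iframe) under c, then audit the counts."""
    root, a, c = build_tree()
    move_before(a, c, inserted_into)
    return check_frame_count_consistency(root)


if __name__ == "__main__":
    print("before fix, inconsistent nodes:", run(inserted_into_before_fix))
    print("after fix, inconsistent nodes: ", run(inserted_into_after_fix))
```

Running it shows the intermediate nodes a and b ending at count 2 with the old increment walk (the move never decremented them, then re-incremented them), and every node agreeing with a recount once the increment walk mirrors the decrement walk.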