Fix a crash: SlotAssignment is unintentionally created for v0 shadow trees

Fix a crash: SlotAssignment is unintentionally created for v0 shadow trees

HTMLSlotElement::insertedInto() creates SlotAssignment wrongly for a v0 shadow tree
because it does *not* check the type of the shadow root.

As a result, the entry for the slot would not be removed from the SlotAssignment
when the slot is removed from the shadow tree because HTMLSlotElement::removedFrom()
*does* check the type of the shadow root correctly.

This violates the assumption that a slot in an entry is always in a shadow root,
and hit the DCHECK, and causes a crash in a release build.

This CL fixes this unintentional wrong behavior.

BUG=634506
Committed: https://crrev.com/b43d492d6fdd6c44cade1de7c976c402d440a665
Cr-Commit-Position: refs/heads/master@{#412184}

[hayato, 2016-08-16 05:57:09]

The CQ bit was checked by hayato@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-08-16 05:57:21]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[hayato, 2016-08-16 06:05:36]

Description was changed from

==========
Fix a crash: SlotAssignment is unintentionally crated for v0 shadow trees

BUG=634506
==========

to

==========
Fix a crash: SlotAssignment is unintentionally created for v0 shadow trees

HTMLSlotElement::insertedInto() creates SlotAssignment wrongly for a v0 shadow
tree
because it does *not* check the type of the shadow root.

As a result, the entry for the slot would not be removed from the SlotAssignment
when the slot is removed from the shadow tree because
HTMLSlotElement::removedFrom()
*does* check the type of the shadow root correctly.

This violates the assumption that a slot in an entry is always in a shadow root,
and hit the DCHECK, and causes a crash in the release build.

This CL fixes this unintentional wrong behavior.

BUG=634506
==========

[hayato, 2016-08-16 06:06:21]

Description was changed from

==========
Fix a crash: SlotAssignment is unintentionally created for v0 shadow trees

HTMLSlotElement::insertedInto() creates SlotAssignment wrongly for a v0 shadow
tree
because it does *not* check the type of the shadow root.

As a result, the entry for the slot would not be removed from the SlotAssignment
when the slot is removed from the shadow tree because
HTMLSlotElement::removedFrom()
*does* check the type of the shadow root correctly.

This violates the assumption that a slot in an entry is always in a shadow root,
and hit the DCHECK, and causes a crash in the release build.

This CL fixes this unintentional wrong behavior.

BUG=634506
==========

to

==========
Fix a crash: SlotAssignment is unintentionally created for v0 shadow trees

HTMLSlotElement::insertedInto() creates SlotAssignment wrongly for a v0 shadow
tree
because it does *not* check the type of the shadow root.

As a result, the entry for the slot would not be removed from the SlotAssignment
when the slot is removed from the shadow tree because
HTMLSlotElement::removedFrom()
*does* check the type of the shadow root correctly.

This violates the assumption that a slot in an entry is always in a shadow root,
and hit the DCHECK, and causes a crash in a release build.

This CL fixes this unintentional wrong behavior.

BUG=634506
==========

[hayato, 2016-08-16 06:06:52]

hayato@chromium.org changed reviewers:
+ kochi@chromium.org

[hayato, 2016-08-16 06:06:53]

PTAL

[kochi, 2016-08-16 06:41:05]

LGTM

[hayato, 2016-08-16 06:50:41]

The CQ bit was unchecked by hayato@chromium.org

[hayato, 2016-08-16 06:50:44]

The CQ bit was checked by hayato@chromium.org

[commit-bot: I haz the power, 2016-08-16 06:50:56]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-08-16 07:17:57]

Committed patchset #1 (id:1)

[commit-bot: I haz the power, 2016-08-16 07:20:30]

Description was changed from

==========
Fix a crash: SlotAssignment is unintentionally created for v0 shadow trees

HTMLSlotElement::insertedInto() creates SlotAssignment wrongly for a v0 shadow
tree
because it does *not* check the type of the shadow root.

As a result, the entry for the slot would not be removed from the SlotAssignment
when the slot is removed from the shadow tree because
HTMLSlotElement::removedFrom()
*does* check the type of the shadow root correctly.

This violates the assumption that a slot in an entry is always in a shadow root,
and hit the DCHECK, and causes a crash in a release build.

This CL fixes this unintentional wrong behavior.

BUG=634506
==========

to

==========
Fix a crash: SlotAssignment is unintentionally created for v0 shadow trees

HTMLSlotElement::insertedInto() creates SlotAssignment wrongly for a v0 shadow
tree
because it does *not* check the type of the shadow root.

As a result, the entry for the slot would not be removed from the SlotAssignment
when the slot is removed from the shadow tree because
HTMLSlotElement::removedFrom()
*does* check the type of the shadow root correctly.

This violates the assumption that a slot in an entry is always in a shadow root,
and hit the DCHECK, and causes a crash in a release build.

This CL fixes this unintentional wrong behavior.

BUG=634506

Committed: https://crrev.com/b43d492d6fdd6c44cade1de7c976c402d440a665
Cr-Commit-Position: refs/heads/master@{#412184}
==========

[commit-bot: I haz the power, 2016-08-16 07:20:31]

Patchset 1 (id:??) landed as
https://crrev.com/b43d492d6fdd6c44cade1de7c976c402d440a665
Cr-Commit-Position: refs/heads/master@{#412184}