<third_party/WebKit> Cherry-pick fix for CVE-2015-6777

Fix an optimisation in ContainerNode::notifyNodeInsertedInternal

[email protected]
BUG=544020

Review URL: https://codereview.chromium.org/1420653003

Change-Id: I397ca8da475d34fa599ad297334e59eaaab7d920
Cr-Commit-Position: refs/heads/master@{#355240}
Reviewed-by: Michael Brüning <[email protected]>

Author: carewolf

chromium/third_party/WebKit/Source/core/dom/ContainerNode.cpp

@@ -799,8 +799,8 @@ void ContainerNode::notifyNodeInsertedInternal(Node& root, NodeVector& postInser
 
     for (Node& node : NodeTraversal::inclusiveDescendantsOf(root)) {
         // As an optimization we don't notify leaf nodes when when inserting
-        // into detached subtrees.
-        if (!inDocument() && !node.isContainerNode())
+        // into detached subtrees that are not in a shadow tree.
+        if (!inDocument() && !isInShadowTree() && !node.isContainerNode())
             continue;
         if (Node::InsertionShouldCallDidNotifySubtreeInsertions == node.insertedInto(this))
             postInsertionNotificationTargets.append(&node);

chromium/third_party/WebKit/Source/core/dom/Element.h

@@ -775,7 +775,7 @@ inline Node::InsertionNotificationRequest Node::insertedInto(ContainerNode* inse
 {
     ASSERT(!childNeedsStyleInvalidation());
     ASSERT(!needsStyleInvalidation());
-    ASSERT(insertionPoint->inDocument() || isContainerNode());
+    ASSERT(insertionPoint->inDocument() || insertionPoint->isInShadowTree() || isContainerNode());
     if (insertionPoint->inDocument())
         setFlag(InDocumentFlag);
     if (parentOrShadowHostNode()->isInShadowTree())