[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373

Thu Apr 8 02:18:39 UTC 2010

The following commit has been merged in the webkit-1.2 branch:
commit cfa72bdaafe3995b1f22e2f3e7c395027ad95329
Author: dglazkov at chromium.org <dglazkov at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Wed Mar 10 16:56:35 2010 +0000

    Add one more parent check during node removal.
    https://bugs.webkit.org/show_bug.cgi?id=35818
    
    Reviewed by Sam Weinig.
    
    WebCore:
    
    Test: fast/dom/Node/mutation-blur.html
    
    * dom/ContainerNode.cpp:
    (WebCore::ContainerNode::removeChild): Added check.
    
    LayoutTests:
    
    * fast/dom/Node/mutation-blur-expected.txt: Added.
    * fast/dom/Node/mutation-blur.html: Added.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@55783 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 3bdbbca..f1c4010 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-03-05  Dimitri Glazkov  <dglazkov at chromium.org>
+
+        Reviewed by Sam Weinig.
+
+        Add one more parent check during node removal.
+        https://bugs.webkit.org/show_bug.cgi?id=35818
+
+        * fast/dom/Node/mutation-blur-expected.txt: Added.
+        * fast/dom/Node/mutation-blur.html: Added.
+
 2010-03-10  Csaba Osztrogonác  <ossy at webkit.org>
 
         [Qt] fast/multicol/hit-test-above-or-below.html fails
diff --git a/LayoutTests/fast/dom/Node/mutation-blur-expected.txt b/LayoutTests/fast/dom/Node/mutation-blur-expected.txt
new file mode 100644
index 0000000..d33e8bf
--- /dev/null
+++ b/LayoutTests/fast/dom/Node/mutation-blur-expected.txt
@@ -0,0 +1,4 @@
+Tests for proper handling of DOM changes during a blur event. If the test doesn't crash, it passed.
+
+
+
diff --git a/LayoutTests/fast/dom/Node/mutation-blur.html b/LayoutTests/fast/dom/Node/mutation-blur.html
new file mode 100644
index 0000000..173409e
--- /dev/null
+++ b/LayoutTests/fast/dom/Node/mutation-blur.html
@@ -0,0 +1,73 @@
+<html>
+<head>
+<script>
+    if (window.layoutTestController) {
+        layoutTestController.dumpAsText();
+        layoutTestController.waitUntilDone();
+    }
+
+    var container1;
+    var container2;
+    var elem;
+
+    function handler2()
+    {
+        container2.appendChild(elem);
+    }
+
+    function onload()
+    {
+        container1 = document.getElementById("newcontainer1");
+        container2 = document.getElementById("newcontainer2");
+
+        if (!window.eventSender)
+            return;
+
+        var rect = document.getElementById("trigger").getBoundingClientRect();
+        eventSender.mouseMoveTo(rect.left + rect.width / 2, rect.top + rect.height / 2);
+        eventSender.mouseDown();
+        eventSender.mouseUp();
+    }
+
+    function onpress()
+    {
+        elem = document.getElementById("subcontainer1");
+        document.getElementById("sub1").focus();
+
+        try {
+            container1.appendChild(elem);
+            container1.removeChild(elem);
+            elem = null;
+        }
+        catch (e) { }
+
+        // Force GC.
+        if (this.GCController)
+            GCController.collect();
+        else {
+            for (var i = 0; i < 10000; ++i) {
+                ({ });
+            }
+        }
+
+        document.body.removeChild(container2);
+
+        if (window.layoutTestController)
+            layoutTestController.notifyDone();
+
+    }
+
+</script>
+</head>
+<body onload="onload()">
+<p>Tests for proper handling of DOM changes during a blur event. If the test doesn't crash, it passed.
+<div id="subcontainer1">
+    <textarea id="sub1" onblur="handler2()"></textarea>
+</div>
+
+<input id="trigger" type="button" name="Press" value="press" onclick="onpress()">
+<div id="newcontainer1"></div>
+<div id="newcontainer2"></div>
+
+</body>
+</html>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index e462379..c502886 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,15 @@
+2010-03-05  Dimitri Glazkov  <dglazkov at chromium.org>
+
+        Reviewed by Sam Weinig.
+
+        Add one more parent check during node removal.
+        https://bugs.webkit.org/show_bug.cgi?id=35818
+
+        Test: fast/dom/Node/mutation-blur.html
+
+        * dom/ContainerNode.cpp:
+        (WebCore::ContainerNode::removeChild): Added check.
+
 2010-03-10  Pavel Feldman  <pfeldman at chromium.org>
 
         Not reviewed: added missing quote into localized strings.
diff --git a/WebCore/dom/ContainerNode.cpp b/WebCore/dom/ContainerNode.cpp
index 145dd0a..fb2852f 100644
--- a/WebCore/dom/ContainerNode.cpp
+++ b/WebCore/dom/ContainerNode.cpp
@@ -341,6 +341,13 @@ bool ContainerNode::removeChild(Node* oldChild, ExceptionCode& ec)
 
     document()->removeFocusedNodeOfSubtree(child.get());
     
+    // Events fired when blurring currently focused node might have moved this
+    // child into a different parent.
+    if (child->parentNode() != this) {
+        ec = NOT_FOUND_ERR;
+        return false;
+    }
+
     // FIXME: After sending the mutation events, "this" could be destroyed.
     // We can prevent that by doing a "ref", but first we have to make sure
     // that no callers call with ref count == 0 and parent = 0 (as of this

-- 
WebKit Debian packaging

