[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373

Gustavo Noronha Silva gns at gnome.org
Thu Apr 8 02:24:50 UTC 2010 

The following commit has been merged in the webkit-1.2 branch:
commit a45d11ba16f3873ef049574fbe90540efb714168
Author: eric at webkit.org <eric at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Thu Apr 1 05:02:43 2010 +0000

    2010-03-31  MORITA Hajime  <morrita at google.com>
    
            Reviewed by Darin Adler.
    
            Crash when writing into a detached TITLE element
            https://bugs.webkit.org/show_bug.cgi?id=25567
    
            * fast/dom/title-content-write-set-expected.txt: Added.
            * fast/dom/title-content-write-set.html: Added.
    2010-03-31  MORITA Hajime  <morrita at google.com>
    
            Reviewed by Darin Adler.
    
            Crash when writing into a detached TITLE element
            https://bugs.webkit.org/show_bug.cgi?id=25567
    
            Document::setTitle() invoked HTMLTitleElement::setText(), which
            contains DOM tree modification, even when setTitle() is called
            from HTMLTitleElement::childrenChanged().  Fix to skip setText()
            when setTitle() is called childrenChanged() to avoid cascading
            DOM mutations between Document and HTMLTitleElement.
    
            Test: fast/dom/title-content-write-set.html
    
            * dom/Document.cpp:
            (WebCore::Document::setTitle):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@56895 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 12eede5..50c81d9 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-03-31  MORITA Hajime  <morrita at google.com>
+
+        Reviewed by Darin Adler.
+
+        Crash when writing into a detached TITLE element
+        https://bugs.webkit.org/show_bug.cgi?id=25567
+
+        * fast/dom/title-content-write-set-expected.txt: Added.
+        * fast/dom/title-content-write-set.html: Added.
+
 2010-03-31  Geoffrey Garen  <ggaren at apple.com>
 
         Reviewed by Darin Adler.
diff --git a/LayoutTests/fast/dom/title-content-write-set-expected.txt b/LayoutTests/fast/dom/title-content-write-set-expected.txt
new file mode 100644
index 0000000..a4a83e4
--- /dev/null
+++ b/LayoutTests/fast/dom/title-content-write-set-expected.txt
@@ -0,0 +1,5 @@
+Test for Bug 25567
+
+Test if document.title is given from both DOM and document.write() without any crash.
+
+PASS
diff --git a/LayoutTests/fast/dom/title-content-write-set.html b/LayoutTests/fast/dom/title-content-write-set.html
new file mode 100644
index 0000000..bf4d5fe
--- /dev/null
+++ b/LayoutTests/fast/dom/title-content-write-set.html
@@ -0,0 +1,27 @@
+<html>
+<head>
+<SCRIPT>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+document.write("<title>");
+document.title = "Property";
+document.write("Written");
+
+function test()
+{
+   var expected = "PropertyWritten";
+   if (document.title == expected)
+       document.getElementById("console").innerHTML = "PASS";
+   else
+       document.getElementById("console").innerHTML = ("FAIL:" + document.title + "!=" + expected);
+}
+</SCRIPT>
+</head>
+<body onload="test()">
+<p>Test for <a href="https://bugs.webkit.org/show_bug.cgi?id=25567">Bug 25567</a></p>
+<p>
+Test if document.title is given from both DOM and document.write() without any crash.
+</p>
+<pre id="console"></pre>
+</body>
+</html>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index afd7c7d..1751845 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,21 @@
+2010-03-31  MORITA Hajime  <morrita at google.com>
+        
+        Reviewed by Darin Adler.
+
+        Crash when writing into a detached TITLE element
+        https://bugs.webkit.org/show_bug.cgi?id=25567
+        
+        Document::setTitle() invoked HTMLTitleElement::setText(), which
+        contains DOM tree modification, even when setTitle() is called
+        from HTMLTitleElement::childrenChanged().  Fix to skip setText()
+        when setTitle() is called childrenChanged() to avoid cascading
+        DOM mutations between Document and HTMLTitleElement.
+
+        Test: fast/dom/title-content-write-set.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::setTitle):
+
 2010-03-31  Geoffrey Garen  <ggaren at apple.com>
 
         Reviewed by Darin Adler.
diff --git a/WebCore/dom/Document.cpp b/WebCore/dom/Document.cpp
index b57ffaf..8f74120 100644
--- a/WebCore/dom/Document.cpp
+++ b/WebCore/dom/Document.cpp
@@ -1197,7 +1197,7 @@ void Document::setTitle(const String& title, Element* titleElement)
     m_rawTitle = title;
     updateTitle();
 
-    if (m_titleSetExplicitly && m_titleElement && m_titleElement->hasTagName(titleTag))
+    if (m_titleSetExplicitly && m_titleElement && m_titleElement->hasTagName(titleTag) && !titleElement)
         static_cast<HTMLTitleElement*>(m_titleElement.get())->setText(m_title);
 }
 

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list