[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc
abarth at webkit.org
abarth at webkit.org
Wed Dec 22 11:23:49 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit fc3ee84769f15faa6fbbf3a9462f9129ebddd0e3
Author: abarth at webkit.org <abarth at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Wed Jul 21 20:23:37 2010 +0000
2010-07-21 Adam Barth <abarth at webkit.org>
Reviewed by Eric Seidel.
Fix the last tree HTML5 tree builder crashes
https://bugs.webkit.org/show_bug.cgi?id=42773
This patch changes the internal representation of a bookmark to handle
the case where one of the adjacent entries in the list of active
formatting elements is actually a marker.
After this patch, the bookmarking mechanism isn't as general, but it
works for the cases we need in the adoption agency.
Also, after this patch, there aren't any more known crashers in the
HTML5 tree builder. :)
* html/HTMLFormattingElementList.cpp:
(WebCore::HTMLFormattingElementList::bookmarkFor):
(WebCore::HTMLFormattingElementList::swapTo):
* html/HTMLFormattingElementList.h:
(WebCore::HTMLFormattingElementList::Bookmark::Bookmark):
(WebCore::HTMLFormattingElementList::Bookmark::moveToAfter):
(WebCore::HTMLFormattingElementList::Bookmark::hasBeenMoved):
(WebCore::HTMLFormattingElementList::Bookmark::mark):
(WebCore::HTMLFormattingElementList::first):
* html/HTMLTreeBuilder.cpp:
(WebCore::HTMLTreeBuilder::callTheAdoptionAgency):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@63851 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 4017101..971779e 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,32 @@
+2010-07-21 Adam Barth <abarth at webkit.org>
+
+ Reviewed by Eric Seidel.
+
+ Fix the last tree HTML5 tree builder crashes
+ https://bugs.webkit.org/show_bug.cgi?id=42773
+
+ This patch changes the internal representation of a bookmark to handle
+ the case where one of the adjecent entries in the list of active
+ formatting elements is actually a marker.
+
+ After this patch, the bookmarking mechanism isn't as general, but it
+ works for the cases we need in the adoption agency.
+
+ Also, after this patch, there aren't any more known crashers in the
+ HTML5 tree builder. :)
+
+ * html/HTMLFormattingElementList.cpp:
+ (WebCore::HTMLFormattingElementList::bookmarkFor):
+ (WebCore::HTMLFormattingElementList::swapTo):
+ * html/HTMLFormattingElementList.h:
+ (WebCore::HTMLFormattingElementList::Bookmark::Bookmark):
+ (WebCore::HTMLFormattingElementList::Bookmark::moveToAfter):
+ (WebCore::HTMLFormattingElementList::Bookmark::hasBeenMoved):
+ (WebCore::HTMLFormattingElementList::Bookmark::mark):
+ (WebCore::HTMLFormattingElementList::first):
+ * html/HTMLTreeBuilder.cpp:
+ (WebCore::HTMLTreeBuilder::callTheAdoptionAgency):
+
2010-07-21 Tony Gentilcore <tonyg at chromium.org>
Unreviewed build fix.
diff --git a/WebCore/html/HTMLFormattingElementList.cpp b/WebCore/html/HTMLFormattingElementList.cpp
index 316b0bf..22bf03e 100644
--- a/WebCore/html/HTMLFormattingElementList.cpp
+++ b/WebCore/html/HTMLFormattingElementList.cpp
@@ -70,36 +70,22 @@ HTMLFormattingElementList::Bookmark HTMLFormattingElementList::bookmarkFor(Eleme
{
size_t index = m_entries.reverseFind(element);
ASSERT(index != notFound);
- Element* elementBefore = (index > 1) ? m_entries[index - 1].element() : 0;
- Element* elementAfter = (index < m_entries.size() - 1) ? m_entries[index + 1].element() : 0;
- return Bookmark(elementBefore, elementAfter);
+ return Bookmark(&at(index));
}
-void HTMLFormattingElementList::insertAt(Element* element, const Bookmark& bookmark)
+void HTMLFormattingElementList::swapTo(Element* oldElement, Element* newElement, const Bookmark& bookmark)
{
- size_t beforeIndex = notFound;
- if (bookmark.elementBefore()) {
- beforeIndex = m_entries.reverseFind(bookmark.elementBefore());
- ASSERT(beforeIndex != notFound);
- }
- size_t afterIndex = notFound;
- if (bookmark.elementAfter()) {
- afterIndex = m_entries.reverseFind(bookmark.elementAfter());
- ASSERT(afterIndex != notFound);
- }
-
- if (!bookmark.elementBefore()) {
- if (bookmark.elementAfter())
- ASSERT(!afterIndex);
- m_entries.prepend(element);
- } else {
- if (bookmark.elementAfter()) {
- // Bookmarks are not general purpose. They're only for the Adoption
- // Agency. Assume the bookmarked element was already removed.
- ASSERT(beforeIndex + 1 == afterIndex);
- }
- m_entries.insert(beforeIndex + 1, element);
+ ASSERT(contains(oldElement));
+ ASSERT(!contains(newElement));
+ if (!bookmark.hasBeenMoved()) {
+ ASSERT(bookmark.mark()->element() == oldElement);
+ bookmark.mark()->replaceElement(newElement);
+ return;
}
+ size_t index = bookmark.mark() - first();
+ ASSERT(index < size());
+ m_entries.insert(index + 1, newElement);
+ remove(oldElement);
}
void HTMLFormattingElementList::append(Element* element)
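Review bot: `swapTo` dereferences `bookmark.mark()` and does pointer arithmetic on it, but the mark is a raw `Entry*` into `m_entries`, and the only validity checks are `ASSERT`s, which presumably compile out of release builds. If any entry is inserted or removed between `bookmarkFor` and `swapTo`, `bookmark.mark()->replaceElement(newElement)` writes through a stale pointer and `bookmark.mark() - first()` yields an unchecked index for `m_entries.insert`. Because this list is driven by parsed markup, I would store an index in `Bookmark` instead of a pointer, or at least state the contract above `swapTo`: `// bookmark.mark() points into m_entries; valid only if no entry was inserted or removed since bookmarkFor().` The same lifetime assumption covers `Bookmark::m_mark` and `first()` in HTMLFormattingElementList.h and the `moveToAfter(nodeEntry)` call in HTMLTreeBuilder.cpp, where `nodeEntry` is defined outside the hunk.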
diff --git a/WebCore/html/HTMLFormattingElementList.h b/WebCore/html/HTMLFormattingElementList.h
index 16e2f62..135163c 100644
--- a/WebCore/html/HTMLFormattingElementList.h
+++ b/WebCore/html/HTMLFormattingElementList.h
@@ -80,24 +80,24 @@ public:
class Bookmark {
public:
- Bookmark(Element* before, Element* after)
- : m_before(before)
- , m_after(after)
+ Bookmark(Entry* entry)
+ : m_hasBeenMoved(false)
+ , m_mark(entry)
{
}
- void moveToAfter(Element* before)
+ void moveToAfter(Entry* before)
{
- m_before = before;
- m_after = 0;
+ m_hasBeenMoved = true;
+ m_mark = before;
}
- Element* elementBefore() const { return m_before; }
- Element* elementAfter() const { return m_after; }
+ bool hasBeenMoved() const { return m_hasBeenMoved; }
+ Entry* mark() const { return m_mark; }
private:
- Element* m_before;
- Element* m_after;
+ bool m_hasBeenMoved;
+ Entry* m_mark;
};
bool isEmpty() const { return !size(); }
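Review bot: `m_mark` has two meanings depending on `m_hasBeenMoved`, and nothing in the class says so. Judging by `swapTo`, an unmoved mark is the bookmarked entry itself and is replaced in place, while a moved mark is the entry after which the new element is inserted. A comment on the members would make that explicit, for example `// If !m_hasBeenMoved, m_mark is the bookmarked entry; otherwise the new entry goes immediately after m_mark.` Separately, the single-argument constructor should be `explicit Bookmark(Entry* entry)` so that an `Entry*` cannot convert silently where a `const Bookmark&` is expected.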
@@ -111,7 +111,7 @@ public:
void remove(Element*);
Bookmark bookmarkFor(Element*);
- void insertAt(Element*, const Bookmark&);
+ void swapTo(Element* oldElement, Element* newElement, const Bookmark&);
void appendMarker();
// clearToLastMarker also clears the marker (per the HTML5 spec).
@@ -125,6 +125,8 @@ public:
#endif
private:
+ Entry* first() { return &at(0); }
+
Vector<Entry> m_entries;
};
diff --git a/WebCore/html/HTMLTreeBuilder.cpp b/WebCore/html/HTMLTreeBuilder.cpp
index cc24339..93da3f7 100644
--- a/WebCore/html/HTMLTreeBuilder.cpp
+++ b/WebCore/html/HTMLTreeBuilder.cpp
@@ -1688,7 +1688,7 @@ void HTMLTreeBuilder::callTheAdoptionAgency(AtomicHTMLToken& token)
// was replaced in 6.5.
// http://www.w3.org/Bugs/Public/show_bug.cgi?id=10096
if (lastNode == furthestBlock)
- bookmark.moveToAfter(node->element());
+ bookmark.moveToAfter(nodeEntry);
// 6.6
// Use appendChild instead of parserAddChild to handle possible reparenting.
ExceptionCode ec;
@@ -1725,8 +1725,7 @@ void HTMLTreeBuilder::callTheAdoptionAgency(AtomicHTMLToken& token)
newElement->attach();
}
// 11
- m_tree.activeFormattingElements()->remove(formattingElement);
- m_tree.activeFormattingElements()->insertAt(newElement.get(), bookmark);
+ m_tree.activeFormattingElements()->swapTo(formattingElement, newElement.get(), bookmark);
// 12
m_tree.openElements()->remove(formattingElement);
m_tree.openElements()->insertAbove(newElement, furthestBlock);
--
WebKit Debian packaging