[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

ap at apple.com ap at apple.com
Wed Dec 22 13:42:38 UTC 2010 

The following commit has been merged in the debian/experimental branch:
commit 3f3f4a134c420f24f0ec56aa647448240ed6445b
Author: ap at apple.com <ap at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Thu Sep 23 21:09:17 2010 +0000

            Reviewed by Darin Adler.
    
            https://bugs.webkit.org/show_bug.cgi?id=46326
            Crash when trying to create a NodeIterator rooted at a document-less DocumentType node
    
            Test: fast/dom/node-iterator-with-doctype-root.html
    
            * dom/Document.cpp: (WebCore::Document::detachNodeIterator): Added a comment explaining that
            attach/detach may not always be paired.
    
            * dom/NodeIterator.cpp:
            (WebCore::NodeIterator::NodeIterator): Don't try to register with the document if there is none.
            (WebCore::NodeIterator::~NodeIterator): Ditto.
            (WebCore::NodeIterator::detach): Ditto.
            (WebCore::NodeIterator::updateForNodeRemoval): There should be a document if we're getting a
            notification.
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@68195 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 3101490..dddac75 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-09-23  Alexey Proskuryakov  <ap at apple.com>
+
+        Reviewed by Darin Adler.
+
+        https://bugs.webkit.org/show_bug.cgi?id=46326
+        Crash when trying to create a NodeIterator rooted at a document-less DocumentType node
+
+        * fast/dom/node-iterator-with-doctype-root-expected.txt: Added.
+        * fast/dom/node-iterator-with-doctype-root.html: Added.
+
 2010-09-23  Mihai Parparita  <mihaip at chromium.org>
 
         Unreviewed chromium text_expectations.txt change.
diff --git a/LayoutTests/fast/dom/node-iterator-with-doctype-root-expected.txt b/LayoutTests/fast/dom/node-iterator-with-doctype-root-expected.txt
new file mode 100644
index 0000000..56da317
--- /dev/null
+++ b/LayoutTests/fast/dom/node-iterator-with-doctype-root-expected.txt
@@ -0,0 +1,17 @@
+NodeIterator rooted at a DocumentType node not yet associated with a document:
+PASS iter.referenceNode.ownerDocument is null
+PASS iter.nextNode() is dt
+PASS iter.nextNode() is null
+PASS iter.previousNode() is dt
+PASS iter.previousNode() is null
+
+NodeIterator rooted at a DocumentType node that becomes used by a document after the iterator has been created:
+PASS iter.nextNode() is dt
+PASS iter.previousNode() is dt
+..and after removing it from the document:
+PASS iter.nextNode() is dt
+PASS iter.previousNode() is dt
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/dom/node-iterator-with-doctype-root.html b/LayoutTests/fast/dom/node-iterator-with-doctype-root.html
new file mode 100644
index 0000000..e9328cc
--- /dev/null
+++ b/LayoutTests/fast/dom/node-iterator-with-doctype-root.html
@@ -0,0 +1,35 @@
+<html>
+<head>
+<link rel="stylesheet" href="../js/resources/js-test-style.css">
+<script src="../js/resources/js-test-pre.js"></script>
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script>
+var dt = document.implementation.createDocumentType("foo", "", "");
+var iter = document.createNodeIterator(dt, NodeFilter.SHOW_ALL, null, true);
+debug("NodeIterator rooted at a DocumentType node not yet associated with a document:");
+shouldBe('iter.referenceNode.ownerDocument', 'null');
+shouldBe('iter.nextNode()', 'dt');
+shouldBe('iter.nextNode()', 'null');
+shouldBe('iter.previousNode()', 'dt');
+shouldBe('iter.previousNode()', 'null');
+iter.detach();
+
+iter = document.createNodeIterator(dt, NodeFilter.SHOW_ALL, null, true);
+var d = document.implementation.createDocument(null, "doc", dt);
+debug("\nNodeIterator rooted at a DocumentType node that becomes used by a document after the iterator has been created:");
+shouldBe('iter.nextNode()', 'dt');
+shouldBe('iter.previousNode()', 'dt');
+debug("..and after removing it from the document:");
+d.removeChild(dt);
+shouldBe('iter.nextNode()', 'dt');
+shouldBe('iter.previousNode()', 'dt');
+iter.detach();
+
+var successfullyParsed = true;
+</script>
+<script src="../js/resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 3866165..1604ab1 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,22 @@
+2010-09-23  Alexey Proskuryakov  <ap at apple.com>
+
+        Reviewed by Darin Adler.
+
+        https://bugs.webkit.org/show_bug.cgi?id=46326
+        Crash when trying to create a NodeIterator rooted at a document-less DocumentType node
+
+        Test: fast/dom/node-iterator-with-doctype-root.html
+
+        * dom/Document.cpp: (WebCore::Document::detachNodeIterator): Added a comment explaining that
+        attach/detach may not always be paired.
+
+        * dom/NodeIterator.cpp:
+        (WebCore::NodeIterator::NodeIterator): Don't try to register with the document if there is none.
+        (WebCore::NodeIterator::~NodeIterator): Ditto.
+        (WebCore::NodeIterator::detach): Ditto.
+        (WebCore::NodeIterator::updateForNodeRemoval): There should be a document if we're getting a
+        notification.
+
 2010-09-23  Patrick Gansterer  <paroga at webkit.org>
 
         Reviewed by Adam Roben.
diff --git a/WebCore/dom/Document.cpp b/WebCore/dom/Document.cpp
index 367fbf4..b9712e1 100644
--- a/WebCore/dom/Document.cpp
+++ b/WebCore/dom/Document.cpp
@@ -3214,6 +3214,8 @@ void Document::attachNodeIterator(NodeIterator* ni)
 
 void Document::detachNodeIterator(NodeIterator* ni)
 {
+    // The node iterator can be detached without having been attached if its root node didn't have a document
+    // when the iterator was created, but has it now.
     m_nodeIterators.remove(ni);
 }
 
diff --git a/WebCore/dom/NodeIterator.cpp b/WebCore/dom/NodeIterator.cpp
index af07f42..ce3103c 100644
--- a/WebCore/dom/NodeIterator.cpp
+++ b/WebCore/dom/NodeIterator.cpp
@@ -76,12 +76,16 @@ NodeIterator::NodeIterator(PassRefPtr<Node> rootNode, unsigned whatToShow, PassR
     , m_referenceNode(root(), true)
     , m_detached(false)
 {
-    root()->document()->attachNodeIterator(this);
+    // Document type nodes may have a null document. But since they can't have children, there is no need to listen for modifications to these.
+    ASSERT(root()->document() || root()->nodeType() == Node::DOCUMENT_TYPE_NODE);
+    if (Document* ownerDocument = root()->document())
+        ownerDocument->attachNodeIterator(this);
 }
 
 NodeIterator::~NodeIterator()
 {
-    root()->document()->detachNodeIterator(this);
+    if (Document* ownerDocument = root()->document())
+        ownerDocument->detachNodeIterator(this);
 }
 
 PassRefPtr<Node> NodeIterator::nextNode(ScriptState* state, ExceptionCode& ec)
@@ -144,7 +148,8 @@ PassRefPtr<Node> NodeIterator::previousNode(ScriptState* state, ExceptionCode& e
 
 void NodeIterator::detach()
 {
-    root()->document()->detachNodeIterator(this);
+    if (Document* ownerDocument = root()->document())
+        ownerDocument->detachNodeIterator(this);
     m_detached = true;
     m_referenceNode.node.clear();
 }
@@ -159,6 +164,7 @@ void NodeIterator::updateForNodeRemoval(Node* removedNode, NodePointer& referenc
 {
     ASSERT(!m_detached);
     ASSERT(removedNode);
+    ASSERT(root()->document());
     ASSERT(root()->document() == removedNode->document());
 
     // Iterator is not affected if the removed node is the reference node and is the root.

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list