[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc
dbates at webkit.org
Wed Dec 22 14:21:10 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit c3c0399117bbde762c65fb2b8c232ae7d174c51c
Author: dbates at webkit.org <dbates at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Wed Oct 6 23:52:56 2010 +0000
2010-10-06 Daniel Bates <dbates at rim.com>
Reviewed by Darin Adler.
ASSERTION FAILURE: Attempt to cast RenderObject to RenderFrameSet
when <frameset> has CSS content property
https://bugs.webkit.org/show_bug.cgi?id=47314
Fixes an issue where sending a mouse event to an HTML Frameset Element
whose content was replaced via the CSS content property causes an assertion
failure.
By default, HTMLFrameSetElement forwards mouse events to RenderFrameSet so as
to support resizing a frame within the set. When a <frameset> specifies an
image in its CSS content property we create a generic render object (RenderObject)
for the frame set instead of a RenderFrameSet object. The event handler code
in HTMLFrameSetElement calls WebCore::toRenderFrameSet() to cast its renderer
to type RenderFrameSet, which fails. To correct this, HTMLFrameSetElement
must check that its renderer is of type RenderFrameSet before casting to this type.
Test: fast/frames/crash-frameset-CSS-content-property.html
* html/HTMLFrameSetElement.cpp:
(WebCore::HTMLFrameSetElement::defaultEventHandler): Check that our renderer is
of type RenderFrameSet before casting it as such.
2010-10-06 Daniel Bates <dbates at rim.com>
Reviewed by Darin Adler.
ASSERTION FAILURE: Attempt to cast RenderObject to RenderFrameSet
when <frameset> has CSS content property
https://bugs.webkit.org/show_bug.cgi?id=47314
Test to ensure that we don't crash when clicking on a <frameset> that specifies the CSS content property.
* fast/frames/crash-frameset-CSS-content-property-expected.txt: Added.
* fast/frames/crash-frameset-CSS-content-property.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@69256 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 6768eed..833038e 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2010-10-06 Daniel Bates <dbates at rim.com>
+
+ Reviewed by Darin Adler.
+
+ ASSERTION FAILURE: Attempt to cast RenderObject to RenderFrameSet
+ when <frameset> has CSS content property
+ https://bugs.webkit.org/show_bug.cgi?id=47314
+
+ Test to ensure that we don't crash when clicking on a <frameset> that specifies the CSS content property.
+
+ * fast/frames/crash-frameset-CSS-content-property-expected.txt: Added.
+ * fast/frames/crash-frameset-CSS-content-property.html: Added.
+
2010-10-06 Chris Fleizach <cfleizach at apple.com>
Unreviewed. Try to make test pass on GTK and QT.
diff --git a/LayoutTests/fast/frames/crash-frameset-CSS-content-property-expected.txt b/LayoutTests/fast/frames/crash-frameset-CSS-content-property-expected.txt
new file mode 100644
index 0000000..a057060
--- /dev/null
+++ b/LayoutTests/fast/frames/crash-frameset-CSS-content-property-expected.txt
@@ -0,0 +1 @@
+PASS, mouse event to <frameset> did not cause crash.
diff --git a/LayoutTests/fast/frames/crash-frameset-CSS-content-property.html b/LayoutTests/fast/frames/crash-frameset-CSS-content-property.html
new file mode 100644
index 0000000..b497b64
--- /dev/null
+++ b/LayoutTests/fast/frames/crash-frameset-CSS-content-property.html
@@ -0,0 +1,38 @@
+<html>
+<head>
+<title>WebKit Bug 47314</title>
+<script>
+function runTest()
+{
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+ var frameset = document.getElementById("frameset");
+ var mouseClick = document.createEvent("MouseEvent");
+ mouseClick.initEvent("click", true, true);
+ frameset.dispatchEvent(mouseClick);
+
+ if (!window.layoutTestController) {
+ // For some reason, when running this test by hand in release builds you must manually
+ // click on the not-found image placeholder to cause a crash. Hence, we don't replace
+ // the <frameset> and print a PASS message.
+ return;
+ }
+
+ // As per the definition of the body element in section 3.1.4 the HTML 5 spec.
+ // <http://www.w3.org/TR/html5/dom.html#the-body-element>, a document can either
+ // have a <frameset> or a <body>, but not both, and a frameset does not provide
+ // a means to print a PASS message. Therefore, we replace <frameset> with <body>.
+ var htmlElement = document.getElementsByTagName("html")[0];
+ htmlElement.replaceChild(document.createElement("body"), frameset);
+ document.body.appendChild(document.createTextNode("PASS, mouse event to <frameset> did not cause crash."));
+}
+
+window.onload = runTest;
+</script>
+</head>
+<!-- This tests that we don't crash when clicking on a <frameset> that specifies the CSS content property. -->
+<!-- This test PASSED if you see the word "PASS" on the page. Otherwise, it FAILED. -->
+<!-- Note: If you are running this test by hand in a release build then try clicking on the not-found image placeholder to cause a crash. -->
+<frameset id="frameset" style="content:url(click-to-crash.jpg)"></frameset>
+</html>
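Review bot: The HTML comment near the end of the file says the test PASSED if the word "PASS" appears and FAILED otherwise, but the early return in runTest() when window.layoutTestController is absent means a manual run never prints PASS, so a hand run on a fixed build reads as a failure. Either print the PASS message in the manual path as well or reword the comment to say that, by hand, the pass condition is that clicking the not-found image placeholder does not crash. The "For some reason" comment also leaves open why the synthetic click dispatched here is not enough by hand in release builds; a sentence on what the dispatched event actually exercises would make the test's coverage clearer. Minor: "section 3.1.4 the HTML 5 spec." is missing "of".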
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 9da107a..eb1d2eb 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,29 @@
+2010-10-06 Daniel Bates <dbates at rim.com>
+
+ Reviewed by Darin Adler.
+
+ ASSERTION FAILURE: Attempt to cast RenderObject to RenderFrameSet
+ when <frameset> has CSS content property
+ https://bugs.webkit.org/show_bug.cgi?id=47314
+
+ Fixes an issue where sending a mouse event to an HTML Frameset Element that
+ whose content was replaced via the CSS content property causes an assertion
+ failure.
+
+ By default, HTMLFrameSetElement forwards mouse events to RenderFrameSet so as
+ to support resizing a frame within the set. When a <frameset> specifies an
+ image in its CSS content property we create a generic render object (RenderObject)
+ for the frame set instead of a RenderFrameSet object. The event handler code
+ in HTMLFrameSetElement calls WebCore::toRenderFrameSet() to cast its renderer
+ to type RenderFrameSet, which fails. To correct this, HTMLFrameSetElement
+ must check that its renderer is of type RenderFrameSet before casting to this type.
+
+ Test: fast/frames/crash-frameset-CSS-content-property.html
+
+ * html/HTMLFrameSetElement.cpp:
+ (WebCore::HTMLFrameSetElement::defaultEventHandler): Check that our renderer is
+ of type RenderFrameSet before casting it as such.
+
2010-10-06 Albert J. Wong <ajwong at chromium.org>
Reviewed by Andreas Kling.
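Review bot: The description paragraph of this entry speaks only of an assertion failure, while the layout test added in the same patch documents a crash in release builds when the image placeholder is clicked. The entry should state the release-build behaviour too, since that is the case where the renderer is used as a RenderFrameSet without the assertion stopping it. Also, "Element that whose content" in the first paragraph should read "Element whose content".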
diff --git a/WebCore/html/HTMLFrameSetElement.cpp b/WebCore/html/HTMLFrameSetElement.cpp
index e1c5fd4..a2a3930 100644
--- a/WebCore/html/HTMLFrameSetElement.cpp
+++ b/WebCore/html/HTMLFrameSetElement.cpp
@@ -186,7 +186,7 @@ void HTMLFrameSetElement::attach()
void HTMLFrameSetElement::defaultEventHandler(Event* evt)
{
- if (evt->isMouseEvent() && !noresize && renderer()) {
+ if (evt->isMouseEvent() && !noresize && renderer() && renderer()->isFrameSet()) {
if (toRenderFrameSet(renderer())->userResize(static_cast<MouseEvent*>(evt))) {
evt->setDefaultHandled();
return;
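Review bot: In the changed condition of defaultEventHandler(), renderer() is now evaluated twice, and a third time in the toRenderFrameSet(renderer()) call on the following line; take it into a local once (for example RenderObject* r = renderer();) so the isFrameSet() check and the cast visibly apply to the same object. The guard itself is the right fix for the case described in the ChangeLog. It would be worth confirming in the same review that no other toRenderFrameSet(renderer()) call in this file assumes the renderer type without the same check.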
--
WebKit Debian packaging