[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

dbates at webkit.org dbates at webkit.org
Wed Dec 22 14:21:10 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit c3c0399117bbde762c65fb2b8c232ae7d174c51c
Author: dbates at webkit.org <dbates at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Wed Oct 6 23:52:56 2010 +0000

    2010-10-06  Daniel Bates  <dbates at rim.com>
    
            Reviewed by Darin Adler.
    
            ASSERTION FAILURE: Attempt to cast RenderObject to RenderFrameSet
            when <frameset> has CSS content property
            https://bugs.webkit.org/show_bug.cgi?id=47314
    
            Fixes an issue where sending a mouse event to an HTML Frameset Element
            whose content was replaced via the CSS content property causes an assertion
            failure.
    
            By default, HTMLFrameSetElement forwards mouse events to RenderFrameSet so as
            to support resizing a frame within the set. When a <frameset> specifies an
            image in its CSS content property we create a generic render object (RenderObject)
            for the frame set instead of a RenderFrameSet object. The event handler code
            in HTMLFrameSetElement calls WebCore::toRenderFrameSet() to cast its renderer
            to type RenderFrameSet, which fails. To correct this, HTMLFrameSetElement
            must check that its renderer is of type RenderFrameSet before casting to this type.
    
            Test: fast/frames/crash-frameset-CSS-content-property.html
    
            * html/HTMLFrameSetElement.cpp:
            (WebCore::HTMLFrameSetElement::defaultEventHandler): Check that our renderer is
            of type RenderFrameSet before casting it as such.
    2010-10-06  Daniel Bates  <dbates at rim.com>
    
            Reviewed by Darin Adler.
    
            ASSERTION FAILURE: Attempt to cast RenderObject to RenderFrameSet
            when <frameset> has CSS content property
            https://bugs.webkit.org/show_bug.cgi?id=47314
    
            Test to ensure that we don't crash when clicking on a <frameset> that specifies the CSS content property.
    
            * fast/frames/crash-frameset-CSS-content-property-expected.txt: Added.
            * fast/frames/crash-frameset-CSS-content-property.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@69256 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 6768eed..833038e 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2010-10-06  Daniel Bates  <dbates at rim.com>
+
+        Reviewed by Darin Adler.
+
+        ASSERTION FAILURE: Attempt to cast RenderObject to RenderFrameSet
+        when <frameset> has CSS content property
+        https://bugs.webkit.org/show_bug.cgi?id=47314
+
+        Test to ensure that we don't crash when clicking on a <frameset> that specifies the CSS content property.
+
+        * fast/frames/crash-frameset-CSS-content-property-expected.txt: Added.
+        * fast/frames/crash-frameset-CSS-content-property.html: Added.
+
 2010-10-06  Chris Fleizach  <cfleizach at apple.com>
 
         Unreviewed. Try to make test pass on GTK and QT.
diff --git a/LayoutTests/fast/frames/crash-frameset-CSS-content-property-expected.txt b/LayoutTests/fast/frames/crash-frameset-CSS-content-property-expected.txt
new file mode 100644
index 0000000..a057060
--- /dev/null
+++ b/LayoutTests/fast/frames/crash-frameset-CSS-content-property-expected.txt
@@ -0,0 +1 @@
+PASS, mouse event to <frameset> did not cause crash.
diff --git a/LayoutTests/fast/frames/crash-frameset-CSS-content-property.html b/LayoutTests/fast/frames/crash-frameset-CSS-content-property.html
new file mode 100644
index 0000000..b497b64
--- /dev/null
+++ b/LayoutTests/fast/frames/crash-frameset-CSS-content-property.html
@@ -0,0 +1,38 @@
+<html>
+<head>
+<title>WebKit Bug 47314</title>
+<script>
+function runTest()
+{
+    if (window.layoutTestController)
+        layoutTestController.dumpAsText();
+
+    var frameset = document.getElementById("frameset");
+    var mouseClick = document.createEvent("MouseEvent");
+    mouseClick.initEvent("click", true, true);
+    frameset.dispatchEvent(mouseClick);
+
+    if (!window.layoutTestController) {
+        // For some reason, when running this test by hand in release builds you must manually
+        // click on the not-found image placeholder to cause a crash. Hence, we don't replace
+        // the <frameset> and print a PASS message.
+        return;
+    }
+
+    // As per the definition of the body element in section 3.1.4 the HTML 5 spec.
+    // <http://www.w3.org/TR/html5/dom.html#the-body-element>, a document can either
+    // have a <frameset> or a <body>, but not both, and a frameset does not provide
+    // a means to print a PASS message. Therefore, we replace <frameset> with <body>.
+    var htmlElement = document.getElementsByTagName("html")[0];
+    htmlElement.replaceChild(document.createElement("body"), frameset);
+    document.body.appendChild(document.createTextNode("PASS, mouse event to <frameset> did not cause crash."));
+}
+
+window.onload = runTest;
+</script>
+</head>
+<!-- This tests that we don't crash when clicking on a <frameset> that specifies the CSS content property. -->
+<!-- This test PASSED if you see the word "PASS" on the page. Otherwise, it FAILED. -->
+<!-- Note: If you are running this test by hand in a release build then try clicking on the not-found image placeholder to cause a crash. -->
+<frameset id="frameset" style="content:url(click-to-crash.jpg)"></frameset>
+</html>
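Review bot: the closing comments say the test passed only if the word "PASS" appears on the page, but runTest() returns early when window.layoutTestController is absent, so a by-hand run never prints PASS even when nothing crashes. Either reword the manual instructions (for example, say that a by-hand run passes if clicking the not-found image placeholder does not crash) or make the pass criterion explicit for both paths. The "For some reason" comment also leaves open whether the synthetic click built with createEvent("MouseEvent") and initEvent("click", true, true) reaches the failing code in release builds; if it does not, the automated run only covers the debug assertion, and that limitation should be stated in the test. Minor: "section 3.1.4 the HTML 5 spec." is missing "of".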
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 9da107a..eb1d2eb 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,29 @@
+2010-10-06  Daniel Bates  <dbates at rim.com>
+
+        Reviewed by Darin Adler.
+
+        ASSERTION FAILURE: Attempt to cast RenderObject to RenderFrameSet
+        when <frameset> has CSS content property
+        https://bugs.webkit.org/show_bug.cgi?id=47314
+
+        Fixes an issue where sending a mouse event to an HTML Frameset Element that
+        whose content was replaced via the CSS content property causes an assertion
+        failure.
+
+        By default, HTMLFrameSetElement forwards mouse events to RenderFrameSet so as
+        to support resizing a frame within the set. When a <frameset> specifies an
+        image in its CSS content property we create a generic render object (RenderObject)
+        for the frame set instead of a RenderFrameSet object. The event handler code
+        in HTMLFrameSetElement calls WebCore::toRenderFrameSet() to cast its renderer
+        to type RenderFrameSet, which fails. To correct this, HTMLFrameSetElement
+        must check that its renderer is of type RenderFrameSet before casting to this type.
+
+        Test: fast/frames/crash-frameset-CSS-content-property.html
+
+        * html/HTMLFrameSetElement.cpp:
+        (WebCore::HTMLFrameSetElement::defaultEventHandler): Check that our renderer is
+        of type RenderFrameSet before casting it as such.
+
 2010-10-06  Albert J. Wong  <ajwong at chromium.org>
 
         Reviewed by Andreas Kling.
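Review bot: the first sentence of the description reads "an HTML Frameset Element that whose content was replaced"; drop the stray "that" so the ChangeLog entry reads "an HTML Frameset Element whose content was replaced via the CSS content property".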
diff --git a/WebCore/html/HTMLFrameSetElement.cpp b/WebCore/html/HTMLFrameSetElement.cpp
index e1c5fd4..a2a3930 100644
--- a/WebCore/html/HTMLFrameSetElement.cpp
+++ b/WebCore/html/HTMLFrameSetElement.cpp
@@ -186,7 +186,7 @@ void HTMLFrameSetElement::attach()
 
 void HTMLFrameSetElement::defaultEventHandler(Event* evt)
 {
-    if (evt->isMouseEvent() && !noresize && renderer()) {
+    if (evt->isMouseEvent() && !noresize && renderer() && renderer()->isFrameSet()) {
         if (toRenderFrameSet(renderer())->userResize(static_cast<MouseEvent*>(evt))) {
             evt->setDefaultHandled();
             return;
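Review bot: the condition now calls renderer() three times, and the isFrameSet() check that makes the downcast safe is buried at the end of a long && chain. Consider taking the renderer into a local once and testing isFrameSet() on it directly before the toRenderFrameSet() call, so the guard and the cast stay together if this handler is edited later. The commit message describes the failure as an assertion, and the test comments mention a crash in release builds, so this check is the only protection outside debug builds. Only defaultEventHandler is guarded here; it is worth confirming that no other toRenderFrameSet(renderer()) call in HTMLFrameSetElement.cpp can run when the CSS content property has produced a generic RenderObject.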

-- 
WebKit Debian packaging


