[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

eric at webkit.org
Wed Dec 22 15:29:02 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit 74764b2dcfc4cd45e8b9474eaae84ce726415635
Author: eric at webkit.org <eric at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Thu Nov 4 17:31:36 2010 +0000

    2010-11-04  Eric Seidel  <eric at webkit.org>
    
            Reviewed by Gavin Barraclough.
    
            REGRESSION(49798): Crash in HTMLObjectElement::parseMappedAttribute
            https://bugs.webkit.org/show_bug.cgi?id=48789
    
            The contract for all String/AtomicString methods seems to be that it's
            safe to call them, even when the String is null (impl() returns 0).
            This contract was broken by r49798 (unintentionally) when optimizing
            for Dromaeo.
            This patch adds a null check to AtomicString::lower() fixing this
            crash and preventing future confusion.
    
            * wtf/text/AtomicString.cpp:
            (WTF::AtomicString::lower):
    2010-11-04  Eric Seidel  <eric at webkit.org>
    
            Reviewed by Gavin Barraclough.
    
            REGRESSION(49798): Crash in HTMLObjectElement::parseMappedAttribute
            https://bugs.webkit.org/show_bug.cgi?id=48789
    
            * fast/dom/HTMLObjectElement/set-type-to-null-crash-expected.txt: Added.
            * fast/dom/HTMLObjectElement/set-type-to-null-crash.html: Added.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@71345 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index aae828b..aad5d22 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,20 @@
+2010-11-04  Eric Seidel  <eric at webkit.org>
+
+        Reviewed by Gavin Barraclough.
+
+        REGRESSION(49798): Crash in HTMLObjectElement::parseMappedAttribute
+        https://bugs.webkit.org/show_bug.cgi?id=48789
+
+        The contract for all String/AtomicString methods seems to be that it's
+        safe to call them, even when the String is null (impl() returns 0).
+        This contract was broken by r49798 (unintentionally) when optimizing
+        for dromeo.
+        This patch adds a null check to AtomicString::lower() fixing this
+        crash and preventing future confusion.
+
+        * wtf/text/AtomicString.cpp:
+        (WTF::AtomicString::lower):
+
 2010-11-04  Adam Barth  <abarth at webkit.org>
 
         Enabled ICCJPEG on Chromium Mac
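Review bot: the ChangeLog entry spells the benchmark "dromeo" while the code comment in AtomicString.cpp says "Dromaeo"; use the latter so the two stay searchable together. The entry also describes the null-safety contract as something that "seems to be" the case; since this patch now relies on that contract, state it affirmatively (for example "String/AtomicString methods must be safe to call on a null string") so the next optimization pass does not read it as a guess.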
diff --git a/JavaScriptCore/wtf/text/AtomicString.cpp b/JavaScriptCore/wtf/text/AtomicString.cpp
index c8140d6..7334271 100644
--- a/JavaScriptCore/wtf/text/AtomicString.cpp
+++ b/JavaScriptCore/wtf/text/AtomicString.cpp
@@ -295,6 +295,8 @@ AtomicString AtomicString::lower() const
 {
     // Note: This is a hot function in the Dromaeo benchmark.
     StringImpl* impl = this->impl();
+    if (UNLIKELY(!impl))
+        return *this;
     RefPtr<StringImpl> newImpl = impl->lower();
     if (LIKELY(newImpl == impl))
         return *this;
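Review bot: the early return at `if (UNLIKELY(!impl)) return *this;` restores the null-string contract described in the ChangeLog, but the comment directly above still only says the function is hot in Dromaeo; add a one-line comment at the check saying a null impl() is legitimate and must not be dereferenced, otherwise the check looks like dead defensive code and risks being removed again in the next performance pass. Returning `*this` for the null case is the right value, since lowering a null string is still the null string.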
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 5b33bff..7430949 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-11-04  Eric Seidel  <eric at webkit.org>
+
+        Reviewed by Gavin Barraclough.
+
+        REGRESSION(49798): Crash in HTMLObjectElement::parseMappedAttribute
+        https://bugs.webkit.org/show_bug.cgi?id=48789
+
+        * fast/dom/HTMLObjectElement/set-type-to-null-crash-expected.txt: Added.
+        * fast/dom/HTMLObjectElement/set-type-to-null-crash.html: Added.
+
 2010-11-03  Brian Weinstein  <bweinstein at apple.com>
 
         Reviewed by Brady Eidson.
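Review bot: the LayoutTests ChangeLog entry lists the two added files but does not say what they exercise; a short line such as "Test that setting object.type to null does not crash in parseMappedAttribute" would let a reader tie the test to the AtomicString::lower() fix without opening the HTML.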
diff --git a/LayoutTests/fast/dom/HTMLObjectElement/set-type-to-null-crash-expected.txt b/LayoutTests/fast/dom/HTMLObjectElement/set-type-to-null-crash-expected.txt
new file mode 100644
index 0000000..fa05666
--- /dev/null
+++ b/LayoutTests/fast/dom/HTMLObjectElement/set-type-to-null-crash-expected.txt
@@ -0,0 +1 @@
+ PASS - The test didn't crash.
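Review bot: the expected output begins with a leading space (` PASS - The test didn't crash.`) that does not appear at the start of the corresponding line in the test HTML; dumpAsText output is compared byte-for-byte, so confirm the space is the intended rendering of the whitespace text nodes preceding the PASS line rather than an accidental edit to the expected file.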
diff --git a/LayoutTests/fast/dom/HTMLObjectElement/set-type-to-null-crash.html b/LayoutTests/fast/dom/HTMLObjectElement/set-type-to-null-crash.html
new file mode 100644
index 0000000..66653c8
--- /dev/null
+++ b/LayoutTests/fast/dom/HTMLObjectElement/set-type-to-null-crash.html
@@ -0,0 +1,8 @@
+<body onload="crash.type=null">
+<object type="" id="crash"></object>
+
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+</script>
+PASS - The test didn't crash.
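Review bot: the test reaches the element through the named global `crash` in the onload handler; prefer `document.getElementById('crash').type = null` so the test does not depend on named-element global access and reads explicitly. Since the regression is about a null String reaching a String method, consider also covering the sibling cases that produce a null or empty AtomicString through the same attribute path (for example `removeAttribute('type')` and `type = ''`) in the same file, so one test guards the whole contract rather than the single reproducer. The file also has no DOCTYPE and never closes `<body>`; harmless for this crash test, but the other tests in fast/dom are more complete.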

-- 
WebKit Debian packaging
