[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-10851-g50815da

inferno at chromium.org inferno at chromium.org
Wed Dec 22 18:17:58 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit fd8e006ebdc2c7e9ce05bd16c7d970640bedbd3a
Author: inferno at chromium.org <inferno at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Thu Dec 9 17:51:07 2010 +0000

    2010-12-09  Abhishek Arya  <inferno at chromium.org>
    
            Reviewed by Dimitri Glazkov.
    
            As part of r73559, I added the referenceNode check to validate whether the root
            node of the iterator matches the node which is getting moved to other document.
            referenceNode is initialized to root, however can get moved using previousNode
            and nextNode methods, so it is required to use root directly.
            https://bugs.webkit.org/show_bug.cgi?id=50764
    
            Test: fast/dom/node-iterator-reference-node-moved-crash.html
    
            * dom/Document.cpp:
            (WebCore::Document::moveNodeIteratorsToNewDocument): change referenceNode to root.
    2010-12-09  Abhishek Arya  <inferno at chromium.org>
    
            Reviewed by Dimitri Glazkov.
    
            Tests that we do not crash when we move the referenceNode using node iterator
            methods previousNode and nextNode.
            https://bugs.webkit.org/show_bug.cgi?id=50764
    
            * fast/dom/node-iterator-reference-node-moved-crash-expected.txt: Added.
            * fast/dom/node-iterator-reference-node-moved-crash.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@73620 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 322de84..f2d0801 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2010-12-09  Abhishek Arya  <inferno at chromium.org>
+
+        Reviewed by Dimitri Glazkov.
+
+        Tests that we do not crash when we move the referenceNode using node iterator
+        methods previousNode and nextNode.
+        https://bugs.webkit.org/show_bug.cgi?id=50764
+
+        * fast/dom/node-iterator-reference-node-moved-crash-expected.txt: Added.
+        * fast/dom/node-iterator-reference-node-moved-crash.html: Added.
+
 2010-12-09  Hans Wennborg  <hans at chromium.org>
 
         Reviewed by Jeremy Orlow.
diff --git a/LayoutTests/fast/dom/node-iterator-reference-node-moved-crash-expected.txt b/LayoutTests/fast/dom/node-iterator-reference-node-moved-crash-expected.txt
new file mode 100644
index 0000000..0383162
--- /dev/null
+++ b/LayoutTests/fast/dom/node-iterator-reference-node-moved-crash-expected.txt
@@ -0,0 +1 @@
+Test passes if it does not crash.
diff --git a/LayoutTests/fast/dom/node-iterator-reference-node-moved-crash.html b/LayoutTests/fast/dom/node-iterator-reference-node-moved-crash.html
new file mode 100644
index 0000000..a51ac4f
--- /dev/null
+++ b/LayoutTests/fast/dom/node-iterator-reference-node-moved-crash.html
@@ -0,0 +1,49 @@
+<html>
+    <head>
+        <script>
+            if (window.layoutTestController) {
+                layoutTestController.dumpAsText();
+                layoutTestController.waitUntilDone();
+            }
+            
+            function gc()
+            {
+                if (window.GCController)
+                    return GCController.collect();
+
+                for (var i = 0; i < 10000; i++) { // force garbage collection (FF requires about 9K allocations before a collect).
+                    var s = new String("abc");
+                }
+            }
+            
+            function runTest()
+            {
+                iteratorRoot = document.createElement();
+                element = iteratorRoot.appendChild(document.createElement());
+                element.appendChild(document.createElement());
+  
+                iterator = document.createNodeIterator(iteratorRoot, -1);
+                iterator.nextNode(); iterator.nextNode(); iterator.nextNode();
+                iterator.previousNode();
+  
+                iteratorRoot.removeChild(element);
+  
+                otherDocument = document.implementation.createHTMLDocument();
+                otherDocument.body.appendChild(iteratorRoot);
+
+                delete iterator;
+                gc();
+                div = document.body.appendChild(document.createElement('div'));
+                document.body.removeChild(div);
+                gc();
+                
+                if (window.layoutTestController)
+                    layoutTestController.notifyDone();
+            }
+        </script>
+    </head>
+    <body onload="runTest()">
+        Test passes if it does not crash.
+    </body>
+</html>
+
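Review bot: The steps in runTest() that make this a regression test for bug 50764 are uncommented, so a later tidy-up could neutralise the test while it keeps passing. Going by the commit message, the `nextNode()`/`previousNode()` calls exist to move referenceNode off `iteratorRoot` before it is appended into `otherDocument`. The `delete iterator` line only drops the reference because `iterator` is an implicit global; on a `var`-declared name the delete would be a no-op and the following `gc()` would presumably not collect the iterator. I would add `// Move referenceNode away from iteratorRoot; a referenceNode() == node check would then miss this iterator.` above the `nextNode()` line and `// Keep iterator an implicit global: delete does nothing on var-declared names.` above `delete iterator`.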
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index c5aae5e..5eba82a 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,18 @@
+2010-12-09  Abhishek Arya  <inferno at chromium.org>
+
+        Reviewed by Dimitri Glazkov.
+
+        As part of r73559, I added the referenceNode check to validate whether the root
+        node of the iterator matches the node which is getting moved to other document.
+        referenceNode is initialized to root, however can get moved using previousNode
+        and nextNode methods, so it is required to use root directly.
+        https://bugs.webkit.org/show_bug.cgi?id=50764
+
+        Test: fast/dom/node-iterator-reference-node-moved-crash.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::moveNodeIteratorsToNewDocument): change referenceNode to root.
+
 2010-12-08  Dimitri Glazkov  <dglazkov at chromium.org>
 
         Reviewed by Darin Adler.
diff --git a/WebCore/dom/Document.cpp b/WebCore/dom/Document.cpp
index 155546a..775a2ad 100644
--- a/WebCore/dom/Document.cpp
+++ b/WebCore/dom/Document.cpp
@@ -3308,7 +3308,7 @@ void Document::moveNodeIteratorsToNewDocument(Node* node, Document* newDocument)
     HashSet<NodeIterator*> nodeIteratorsList = m_nodeIterators;
     HashSet<NodeIterator*>::const_iterator nodeIteratorsEnd = nodeIteratorsList.end();
     for (HashSet<NodeIterator*>::const_iterator it = nodeIteratorsList.begin(); it != nodeIteratorsEnd; ++it) {
-        if ((*it)->referenceNode() == node) {
+        if ((*it)->root() == node) {
             detachNodeIterator(*it);
             newDocument->attachNodeIterator(*it);
         }
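Review bot: The changed condition carries the whole fix, but nothing at the comparison says why `root()` is the right key, and r73559 shows how natural it is to reach for `referenceNode()` here. I would add above the `if`: `// Match on root(), not referenceNode(): nextNode()/previousNode() move the reference node, while the root stays the node the iterator was created on.` The loop also re-homes only iterators whose root is exactly `node`. Whether an iterator rooted at a descendant of a moved subtree is covered depends on the caller invoking this once per node, which is outside the hunk and worth confirming. The body of moveNodeIteratorsToNewDocument starts and ends outside the hunk.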

-- 
WebKit Debian packaging


