[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-10851-g50815da

commit-queue at webkit.org commit-queue at webkit.org
Wed Dec 22 18:39:21 UTC 2010 

The following commit has been merged in the debian/experimental branch:
commit ad6622b5b894bfe7a8351a04d12e8a493a64dd92
Author: commit-queue at webkit.org <commit-queue at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Wed Dec 15 09:47:12 2010 +0000

    2010-12-15  Emil Eklund  <eae at chromium.org>
    
            Reviewed by Adam Barth.
    
            Added test for infinite loop in ContainerNode::willRemoveChildren.
            https://bugs.webkit.org/show_bug.cgi?id=51079
    
            * fast/dom/containerNode-expected.txt: Added.
            * fast/dom/containerNode.html: Added.
    2010-12-15  Emil Eklund  <eae at chromium.org>
    
            Reviewed by Adam Barth.
    
            Change ContainerNode::willRemoveChildren to not fire mutation events for children
            added as a result of a mutation event, thereby avoiding an infinite loop.
            https://bugs.webkit.org/show_bug.cgi?id=51079
    
            Test: fast/dom/containerNode.html
    
            * dom/ContainerNode.cpp:
            (WebCore::willRemoveChildren): Don't fire mutation events for children added during a mutation event.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@74101 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 9720dfa..d8cbe84 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-12-15  Emil Eklund  <eae at chromium.org>
+
+        Reviewed by Adam Barth.
+
+        Added test for infinite loop in ContainerNode::willRemoveChildren.
+        https://bugs.webkit.org/show_bug.cgi?id=51079
+
+        * fast/dom/containerNode-expected.txt: Added.
+        * fast/dom/containerNode.html: Added.
+
 2010-12-15  Csaba Osztrogonác  <ossy at webkit.org>
 
         Unreviewed.
diff --git a/LayoutTests/fast/dom/containerNode-expected.txt b/LayoutTests/fast/dom/containerNode-expected.txt
new file mode 100644
index 0000000..99515d4
--- /dev/null
+++ b/LayoutTests/fast/dom/containerNode-expected.txt
@@ -0,0 +1 @@
+PASS: No infinite loop.
diff --git a/LayoutTests/fast/dom/containerNode.html b/LayoutTests/fast/dom/containerNode.html
new file mode 100644
index 0000000..40f01bc
--- /dev/null
+++ b/LayoutTests/fast/dom/containerNode.html
@@ -0,0 +1,46 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script type="text/javascript">
+        function log(msg)
+        {
+            document.body.appendChild(document.createTextNode(msg));
+        }
+
+        function appendItem(list, caption)
+        {
+            var item = document.createElement('li');
+            item.appendChild(document.createTextNode(caption));
+            list.appendChild(item);
+        }
+
+        function runTests()
+        {
+            if (window.layoutTestController)
+                layoutTestController.dumpAsText();
+
+            var fragment = document.createDocumentFragment();
+            var list = document.createElement('ul');
+            var i;
+            for (i = 0; i < 5; i++)
+                appendItem(list, 'item ' + i);
+                
+            fragment.appendChild(list);
+            document.addEventListener("DOMNodeRemoved", function() {
+                appendItem(list, 'item ' + i++);
+            }, false);
+
+            document.body.appendChild(fragment);
+            list.textContent = '';
+
+            if (list.childNodes.length == 0)
+                log('PASS: No infinite loop.')
+            else
+                log('FAIL: Has too many children.')
+        }
+    </script>
+</head>
+<body onload="runTests();">
+
+</body>
+</html>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index fd852b2..9aa54c7 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,16 @@
+2010-12-15  Emil Eklund  <eae at chromium.org>
+
+        Reviewed by Adam Barth.
+
+        Change ContainerNode::willRemoveChildren to not fire mutation events for children
+        added as a result of a mutation event, thereby avoiding an infinite loop.
+        https://bugs.webkit.org/show_bug.cgi?id=51079
+
+        Test: fast/dom/containerNode.html
+
+        * dom/ContainerNode.cpp:
+        (WebCore::willRemoveChildren): Don't fire mutation events for children added during a mutation event.
+
 2010-12-14  Dan Bernstein  <mitz at apple.com>
 
         Reviewed by Maciej Stachowiak.
diff --git a/WebCore/dom/ContainerNode.cpp b/WebCore/dom/ContainerNode.cpp
index 645768d..bc881c6 100644
--- a/WebCore/dom/ContainerNode.cpp
+++ b/WebCore/dom/ContainerNode.cpp
@@ -379,10 +379,14 @@ static void willRemoveChildren(ContainerNode* container)
     container->document()->nodeChildrenWillBeRemoved(container);
     container->document()->incDOMTreeVersion();
 
-    // FIXME: Adding new children from event handlers can cause an infinite loop here.
-    for (RefPtr<Node> child = container->firstChild(); child; child = child->nextSibling()) {
+    NodeVector children;
+    for (Node* n = container->firstChild(); n; n = n->nextSibling())
+        children.append(n);
+
+    for (NodeVector::const_iterator it = children.begin(); it != children.end(); it++) {
+        Node* child = it->get();
         // fire removed from document mutation events.
-        dispatchChildRemovalEvents(child.get());
+        dispatchChildRemovalEvents(child);
         child->willRemove();
     }
 }

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list