[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-10851-g50815da

inferno at chromium.org inferno at chromium.org
Wed Dec 22 18:13:23 UTC 2010 

The following commit has been merged in the debian/experimental branch:
commit b0f943fd85d5b4a6c4f9ad2cd320ca51b8aafe9e
Author: inferno at chromium.org <inferno at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Wed Dec 8 23:31:04 2010 +0000

    2010-12-08  Abhishek Arya  <inferno at chromium.org>
    
            Reviewed by Dimitri Glazkov.
    
            Detach node iterator and move to new document when node gets moved.
            https://bugs.webkit.org/show_bug.cgi?id=50697
    
            Test: fast/dom/node-iterator-document-moved-crash.html
    
            * dom/Document.cpp: Method that takes a node and new document as argument.
            It detaches the node iterators belonging to the current document and attaches
            them to the new document.
            (WebCore::Document::moveNodeIteratorsToNewDocument):
            * dom/Document.h: Function definition.
            * dom/Node.cpp: When node is moved to another document, call the function to move
            the iterators appropriately.
            (WebCore::Node::setDocument):
    2010-12-08  Abhishek Arya  <inferno at chromium.org>
    
            Reviewed by Dimitri Glazkov.
    
            Tests that we do not crash when node iterator gets moved across documents.
            https://bugs.webkit.org/show_bug.cgi?id=50697
    
            * fast/dom/node-iterator-document-moved-crash-expected.txt: Added.
            * fast/dom/node-iterator-document-moved-crash.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@73559 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 7829f55..3798403 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-12-08  Abhishek Arya  <inferno at chromium.org>
+
+        Reviewed by Dimitri Glazkov.
+
+        Tests that we do not crash when node iterator gets moved across documents.
+        https://bugs.webkit.org/show_bug.cgi?id=50697
+
+        * fast/dom/node-iterator-document-moved-crash-expected.txt: Added.
+        * fast/dom/node-iterator-document-moved-crash.html: Added.
+
 2010-12-08  Ryosuke Niwa  <rniwa at webkit.org>
 
         Unreviewed Chromium rebaseline for r73548.
diff --git a/LayoutTests/fast/dom/node-iterator-document-moved-crash-expected.txt b/LayoutTests/fast/dom/node-iterator-document-moved-crash-expected.txt
new file mode 100644
index 0000000..a5960f0
--- /dev/null
+++ b/LayoutTests/fast/dom/node-iterator-document-moved-crash-expected.txt
@@ -0,0 +1 @@
+ Test passes if it does not crash.
diff --git a/LayoutTests/fast/dom/node-iterator-document-moved-crash.html b/LayoutTests/fast/dom/node-iterator-document-moved-crash.html
new file mode 100644
index 0000000..c9333da
--- /dev/null
+++ b/LayoutTests/fast/dom/node-iterator-document-moved-crash.html
@@ -0,0 +1,42 @@
+<html>
+    <head>
+        <script>
+            if (window.layoutTestController) {
+                layoutTestController.dumpAsText();
+                layoutTestController.waitUntilDone();
+            }
+            
+            function gc()
+            {
+                if (window.GCController)
+                    return GCController.collect();
+
+                for (var i = 0; i < 10000; i++) { // force garbage collection (FF requires about 9K allocations before a collect).
+                    var s = new String("abc");
+                }
+            }
+            
+            function runTest()
+            {
+                aElement = document.createElement('a');
+                divElement = document.createElement('div');
+                document.body.appendChild(divElement);
+                nodeIterator = win.document.createNodeIterator(aElement);
+                win.document.body.appendChild(aElement);
+
+                delete nodeIterator;
+                gc();
+                document.body.removeChild(divElement);
+                gc();
+                
+                if (window.layoutTestController)
+                    layoutTestController.notifyDone();
+            }
+        </script>
+    </head>
+    <body>
+        <iframe onload="this.onload = null; win = this.contentWindow; runTest();"></iframe>
+        Test passes if it does not crash.
+    </body>
+</html>
+
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 950fe82..1790261 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,21 @@
+2010-12-08  Abhishek Arya  <inferno at chromium.org>
+
+        Reviewed by Dimitri Glazkov.
+
+        Detach node iterator and move to new document when node gets moved.
+        https://bugs.webkit.org/show_bug.cgi?id=50697
+
+        Test: fast/dom/node-iterator-document-moved-crash.html
+
+        * dom/Document.cpp: Method that takes a node and new document as argument.
+        It detaches the node iterators belonging to the current document and attaches
+        them to the new document.
+        (WebCore::Document::moveNodeIteratorsToNewDocument):
+        * dom/Document.h: Function definition.
+        * dom/Node.cpp: When node is moved to another document, call the function to move
+        the iterators appropriately.
+        (WebCore::Node::setDocument):
+
 2010-12-08  James Robinson  <jamesr at chromium.org>
 
         Reviewed by Kenneth Russell.
diff --git a/WebCore/dom/Document.cpp b/WebCore/dom/Document.cpp
index 00d32a6..155546a 100644
--- a/WebCore/dom/Document.cpp
+++ b/WebCore/dom/Document.cpp
@@ -3303,6 +3303,18 @@ void Document::detachNodeIterator(NodeIterator* ni)
     m_nodeIterators.remove(ni);
 }
 
+void Document::moveNodeIteratorsToNewDocument(Node* node, Document* newDocument)
+{
+    HashSet<NodeIterator*> nodeIteratorsList = m_nodeIterators;
+    HashSet<NodeIterator*>::const_iterator nodeIteratorsEnd = nodeIteratorsList.end();
+    for (HashSet<NodeIterator*>::const_iterator it = nodeIteratorsList.begin(); it != nodeIteratorsEnd; ++it) {
+        if ((*it)->referenceNode() == node) {
+            detachNodeIterator(*it);
+            newDocument->attachNodeIterator(*it);
+        }
+    }
+}
+
 void Document::nodeChildrenChanged(ContainerNode* container)
 {
     if (!disableRangeMutation(page())) {
diff --git a/WebCore/dom/Document.h b/WebCore/dom/Document.h
index 2d607c9..f1fe44c 100644
--- a/WebCore/dom/Document.h
+++ b/WebCore/dom/Document.h
@@ -684,6 +684,7 @@ public:
 
     void attachNodeIterator(NodeIterator*);
     void detachNodeIterator(NodeIterator*);
+    void moveNodeIteratorsToNewDocument(Node*, Document*);
 
     void attachRange(Range*);
     void detachRange(Range*);
diff --git a/WebCore/dom/Node.cpp b/WebCore/dom/Node.cpp
index d6ffc68..216d119 100644
--- a/WebCore/dom/Node.cpp
+++ b/WebCore/dom/Node.cpp
@@ -446,8 +446,10 @@ void Node::setDocument(Document* document)
         document->addNodeListCache();
     }
 
-    if (m_document)
+    if (m_document) {
+        m_document->moveNodeIteratorsToNewDocument(this, document);
         m_document->selfOnlyDeref();
+    }
 
     m_document = document;
 

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list