[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.19-706-ge5415e9
ap at apple.com
ap at apple.com
Thu Feb 4 21:27:31 UTC 2010
The following commit has been merged in the webkit-1.1 branch:
commit e0cbb12708f38d6ab878fec4369afc2abf2774df
Author: ap at apple.com <ap at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Mon Jan 25 20:07:44 2010 +0000
Reviewed by Geoffrey Garen.
https://bugs.webkit.org/show_bug.cgi?id=34076
An image remains accessible via form.property syntax after being removed from document.
Tests: fast/forms/removed-image-as-property.html
fast/forms/reparented-image-as-property.html
* html/HTMLImageElement.cpp:
(WebCore::HTMLImageElement::~HTMLImageElement): This is called during GC - not a good time
to make observable changes to DOM.
(WebCore::HTMLImageElement::insertedIntoTree): This is the right place to do any work that
depends on connectedness to some ancestor. We still allow for m_form to be set via constructor,
which happens during parsing.
(WebCore::HTMLImageElement::removedFromTree): Ditto.
* html/HTMLImageElement.h: Added removedFromTree/insertedIntoTree, moved removedFromDocument
and insertedIntoDocument to private section, as they shouldn't be called directly.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@53812 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index a10cff3..2d617a8 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2010-01-25 Alexey Proskuryakov <ap at apple.com>
+
+ Reviewed by Geoffrey Garen.
+
+ https://bugs.webkit.org/show_bug.cgi?id=34076
+ An image remains accessible via form.property syntax after being removed from document.
+
+ * fast/forms/removed-image-as-property-expected.txt: Added.
+ * fast/forms/removed-image-as-property.html: Added.
+ * fast/forms/reparented-image-as-property-expected.txt: Added.
+ * fast/forms/reparented-image-as-property.html: Added.
+
2010-01-25 Yury Semikhatsky <yurys at chromium.org>
Unreviewed. Add new inspector test added in r53807 to skip
diff --git a/LayoutTests/fast/forms/removed-image-as-property-expected.txt b/LayoutTests/fast/forms/removed-image-as-property-expected.txt
new file mode 100644
index 0000000..a24627c
--- /dev/null
+++ b/LayoutTests/fast/forms/removed-image-as-property-expected.txt
@@ -0,0 +1,4 @@
+Test that an image isn't accessible via form.property syntax after being removed from document.
+
+PASS
+
diff --git a/LayoutTests/fast/forms/removed-image-as-property.html b/LayoutTests/fast/forms/removed-image-as-property.html
new file mode 100644
index 0000000..194031b
--- /dev/null
+++ b/LayoutTests/fast/forms/removed-image-as-property.html
@@ -0,0 +1,40 @@
+<body onload="test()">
+<p>Test that an image isn't accessible via form.property syntax after being removed from document.</p>
+<div>Testing...</div>
+<form className="a">
+<img src="" id="i">
+</form>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+function gc()
+{
+ if (window.GCController)
+ return GCController.collect();
+
+ for (var i = 0; i < 10000; i++) { // > force garbage collection (FF requires about 9K allocations before a collect)
+ var s = new String("abc");
+ }
+}
+
+function test()
+{
+ var f = document.getElementsByTagName("form")[0];
+ f.removeChild(document.getElementsByTagName("img")[0]);
+ f.foobar;
+ setTimeout(function() {
+ gc();
+ try {
+ f.i.nodeName;
+ document.getElementsByTagName("div")[0].innerHTML = "FAIL";
+ } catch (ex) {
+ document.getElementsByTagName("div")[0].innerHTML = "PASS";
+ }
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }, 0);
+}
+</script>
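Review bot: The `try`/`catch` around `f.i.nodeName` reports PASS on any exception, so the test cannot tell "f.i is undefined" apart from an unrelated failure on that line. Checking the value directly is tighter: `document.getElementsByTagName("div")[0].innerHTML = (f.i === undefined) ? "PASS" : "FAIL";`. The bare `f.foobar;` before the timeout also needs a comment saying why a lookup of a non-existent name is required; presumably it makes the form build its named-item lookup before the collection runs, but nothing in the test says so.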
diff --git a/LayoutTests/fast/forms/reparented-image-as-property-expected.txt b/LayoutTests/fast/forms/reparented-image-as-property-expected.txt
new file mode 100644
index 0000000..aebfef6
--- /dev/null
+++ b/LayoutTests/fast/forms/reparented-image-as-property-expected.txt
@@ -0,0 +1,7 @@
+Test access to images inside forms as form element propertyies. Expected results match IE, because its behavior makes much more sense than Firefox one.
+
+PASS: 'document.forms[0].foo' is 'undefined'.
+PASS: 'document.forms[1].foo' is 'imgFoo'.
+PASS: 'document.forms[0].bar' is 'undefined'.
+DONE
+
diff --git a/LayoutTests/fast/forms/reparented-image-as-property.html b/LayoutTests/fast/forms/reparented-image-as-property.html
new file mode 100644
index 0000000..4a37be9
--- /dev/null
+++ b/LayoutTests/fast/forms/reparented-image-as-property.html
@@ -0,0 +1,45 @@
+<body>
+<p>Test access to images inside forms as form element propertyies. Expected results match IE, because its behavior makes much more sense than Firefox one.</p>
+<div id="log"></div>
+<form><img id="bar"></form>
+<form></form>
+<div id="div"></div>
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+function log(msg)
+{
+ document.getElementById("log").innerHTML += msg + "<br>";
+}
+function shouldBe(a, b)
+{
+ var result = eval(a);
+ log((result == eval(b)) ? ("PASS: '" + a + "' is '" + b + "'.") : ("FAIL: '" + a + "' should be '" + b + "', was '" + result + "'."));
+}
+
+try {
+ var imgFoo = document.createElement("img");
+ var imgBar = document.body.getElementsByTagName("img")[0];
+ var div = document.getElementById("div");
+ imgFoo.setAttribute("id", "foo");
+
+ document.forms[0].appendChild(imgFoo);
+ document.forms[0].appendChild(imgBar);
+
+ document.forms[1].appendChild(imgFoo);
+ shouldBe('document.forms[0].foo', 'undefined');
+ shouldBe('document.forms[1].foo', 'imgFoo');
+
+ document.forms[0].removeChild(imgBar);
+ shouldBe('document.forms[0].bar', 'undefined');
+
+ // Don't leave a broken image icon in test results.
+ document.forms[1].removeChild(imgFoo);
+
+ log("DONE");
+
+} catch (ex) {
+ log("FAIL: " + ex);
+}
+</script>
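Review bot: `shouldBe` compares with `==`, so the two `'undefined'` expectations would also pass if the form property returned `null`, and the test would not catch a regression of that kind. A strict comparison pins the intended value: `log((result === eval(b)) ? ("PASS: '" + a + "' is '" + b + "'.") : (...));`. The local `div` is assigned but never used and can be dropped.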
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 3fb5596..e4654d6 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,24 @@
+2010-01-25 Alexey Proskuryakov <ap at apple.com>
+
+ Reviewed by Geoffrey Garen.
+
+ https://bugs.webkit.org/show_bug.cgi?id=34076
+ An image remains accessible via form.property syntax after being removed from document.
+
+ Tests: fast/forms/removed-image-as-property.html
+ fast/forms/reparented-image-as-property.html
+
+ * html/HTMLImageElement.cpp:
+ (WebCore::HTMLImageElement::~HTMLImageElement): This is called during GC - not a good time
+ to make observable changes to DOM.
+ (WebCore::HTMLImageElement::insertedIntoTree): This is the right place to do any work that
+ depends on connectedness to some ancestor. We still allow for m_form to be set via constructor,
+ which happens during parsing.
+ (WebCore::HTMLImageElement::removedFromTree): Ditto.
+
+ * html/HTMLImageElement.h: Added removedFromTree/insertedIntoTree, moved removedFromDocument
+ and insertedIntoDocument to private section, as they shouldn't be called directly.
+
2010-01-25 Daniel Bates <dbates at webkit.org>
Reviewed by Adam Barth.
diff --git a/WebCore/html/HTMLImageElement.cpp b/WebCore/html/HTMLImageElement.cpp
index 5a724db..a917758 100644
--- a/WebCore/html/HTMLImageElement.cpp
+++ b/WebCore/html/HTMLImageElement.cpp
@@ -54,8 +54,6 @@ HTMLImageElement::HTMLImageElement(const QualifiedName& tagName, Document* doc,
HTMLImageElement::~HTMLImageElement()
{
- if (m_form)
- m_form->removeImgElement(this);
}
bool HTMLImageElement::mapToEntry(const QualifiedName& attrName, MappedAttributeEntry& result) const
@@ -209,6 +207,40 @@ void HTMLImageElement::removedFromDocument()
HTMLElement::removedFromDocument();
}
+void HTMLImageElement::insertedIntoTree(bool deep)
+{
+ if (m_form) {
+ // m_form was set by constructor. In debug builds, check that it's an ancestor indeed.
+#ifndef NDEBUG
+ for (Node* ancestor = parentNode(); /* no end condition - there must be a form ancestor */; ancestor = ancestor->parentNode()) {
+ ASSERT(ancestor);
+ if (ancestor->hasTagName(formTag)) {
+ ASSERT(m_form == static_cast<HTMLFormElement*>(ancestor));
+ break;
+ }
+ }
+#endif
+ } else {
+ for (Node* ancestor = parentNode(); ancestor; ancestor = ancestor->parentNode()) {
+ if (ancestor->hasTagName(formTag)) {
+ m_form = static_cast<HTMLFormElement*>(ancestor);
+ m_form->registerImgElement(this);
+ break;
+ }
+ }
+ }
+
+ HTMLElement::insertedIntoTree(deep);
+}
+
+void HTMLImageElement::removedFromTree(bool deep)
+{
+ if (m_form)
+ m_form->removeImgElement(this);
+ m_form = 0;
+ HTMLElement::removedFromTree(deep);
+}
+
int HTMLImageElement::width(bool ignorePendingStylesheets) const
{
if (!renderer()) {
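Review bot: `removedFromTree` is now the only place that calls `m_form->removeImgElement(this)`, because the destructor call is dropped in the earlier hunk of this file, so the form's image list stays valid only if every image with a non-null `m_form` is removed from the tree before it is destroyed. The commit message says the constructor can still set `m_form` during parsing; the constructor body is outside the diff, but if it also registers the image with the form, an image destroyed without ever being inserted would leave a stale entry behind. In `insertedIntoTree`, the ancestor check for a constructor-set `m_form` exists only under `#ifndef NDEBUG`, so release builds keep whatever form the parser passed in even when it is not an ancestor. I would state the invariant in a comment above `removedFromTree`, for example `// Sole unregistration point: m_form must be an ancestor for as long as it is non-null.`, and add a layout test for a parser-created image that ends up outside its form.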
diff --git a/WebCore/html/HTMLImageElement.h b/WebCore/html/HTMLImageElement.h
index f58574d..14e5fa3 100644
--- a/WebCore/html/HTMLImageElement.h
+++ b/WebCore/html/HTMLImageElement.h
@@ -45,8 +45,6 @@ public:
virtual void attach();
virtual RenderObject* createRenderer(RenderArena*, RenderStyle*);
- virtual void insertedIntoDocument();
- virtual void removedFromDocument();
virtual bool canStartSelection() const { return false; }
@@ -105,6 +103,11 @@ public:
virtual void addSubresourceAttributeURLs(ListHashSet<KURL>&) const;
private:
+ virtual void insertedIntoDocument();
+ virtual void removedFromDocument();
+ virtual void insertedIntoTree(bool deep);
+ virtual void removedFromTree(bool deep);
+
HTMLImageLoader m_imageLoader;
String usemap;
bool ismap;
--
WebKit Debian packaging