[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.19-706-ge5415e9

ap at apple.com ap at apple.com
Thu Feb 4 21:36:57 UTC 2010 

The following commit has been merged in the webkit-1.1 branch:
commit 9bc2624e7bc2652a8504f53818f04c0e1fbb178e
Author: ap at apple.com <ap at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Tue Feb 2 18:00:55 2010 +0000

            Reviewed by Darin Adler.
    
            https://bugs.webkit.org/show_bug.cgi?id=34076
            <rdar://problem/7594601> Crash in mangleme in WebCore::Element::getAttribute
    
            Test: fast/forms/misplaced-img-form-registration.html
    
            * html/HTMLFormElement.cpp:
            (WebCore::HTMLFormElement::registerImgElement): Assert that the same image isn't added
            to vector again.
            (WebCore::HTMLFormElement::removeImgElement): Similarly, assert that we're removing something
            that's actually registered.
    
            * html/HTMLImageElement.cpp: (WebCore::HTMLImageElement::~HTMLImageElement): If parser fails
            to insert the image element, then there will be no removed from tree notification either,
            need to unregister right away.
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@54242 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index d86d0cc..bde2fcc 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-02-02  Alexey Proskuryakov  <ap at apple.com>
+
+        Reviewed by Darin Adler.
+
+        https://bugs.webkit.org/show_bug.cgi?id=34076
+        <rdar://problem/7594601> Crash in mangleme in WebCore::Element::getAttribute
+
+        * fast/forms/misplaced-img-form-registration-expected.txt: Added.
+        * fast/forms/misplaced-img-form-registration.html: Added.
+
 2010-02-02  Adam Roben  <aroben at apple.com>
 
         Stop skipping some tests that were failing due to buggy versions of
diff --git a/LayoutTests/fast/forms/misplaced-img-form-registration-expected.txt b/LayoutTests/fast/forms/misplaced-img-form-registration-expected.txt
new file mode 100644
index 0000000..617b22e
--- /dev/null
+++ b/LayoutTests/fast/forms/misplaced-img-form-registration-expected.txt
@@ -0,0 +1,5 @@
+Test for bug 34488: Crash in mangleme in WebCore::Element::getAttribute.
+
+Pass if no crash or assertion failure.
+
+
diff --git a/LayoutTests/fast/forms/misplaced-img-form-registration.html b/LayoutTests/fast/forms/misplaced-img-form-registration.html
new file mode 100644
index 0000000..04fdc98
--- /dev/null
+++ b/LayoutTests/fast/forms/misplaced-img-form-registration.html
@@ -0,0 +1,7 @@
+<p>Test for <a href="https://bugs.webkit.org/show_bug.cgi?id=34488">bug 34488</a>: Crash in mangleme in WebCore::Element::getAttribute.</p>
+<p>Pass if no crash or assertion failure.</p>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+</script>
+<FORM><SELECT><IMG>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 413a76f..fe3e76e 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,22 @@
+2010-02-02  Alexey Proskuryakov  <ap at apple.com>
+
+        Reviewed by Darin Adler.
+
+        https://bugs.webkit.org/show_bug.cgi?id=34076
+        <rdar://problem/7594601> Crash in mangleme in WebCore::Element::getAttribute
+
+        Test: fast/forms/misplaced-img-form-registration.html
+
+        * html/HTMLFormElement.cpp:
+        (WebCore::HTMLFormElement::registerImgElement): Assert that the same image isn't added
+        to vector again.
+        (WebCore::HTMLFormElement::removeImgElement): Similarly, assert that we're removing something
+        that's actually registered.
+
+        * html/HTMLImageElement.cpp: (WebCore::HTMLImageElement::~HTMLImageElement): If parser fails
+        to insert the image element, then there will be no removed from tree notification either,
+        need to unregister right away.
+
 2010-02-02  Alexander Pavlov  <apavlov at chromium.org>
 
         Reviewed by Pavel Feldman.
diff --git a/WebCore/html/HTMLFormElement.cpp b/WebCore/html/HTMLFormElement.cpp
index bf25bf6..2f88894 100644
--- a/WebCore/html/HTMLFormElement.cpp
+++ b/WebCore/html/HTMLFormElement.cpp
@@ -524,11 +524,13 @@ bool HTMLFormElement::isURLAttribute(Attribute* attr) const
 
 void HTMLFormElement::registerImgElement(HTMLImageElement* e)
 {
+    ASSERT(imgElements.find(e) == notFound);
     imgElements.append(e);
 }
 
 void HTMLFormElement::removeImgElement(HTMLImageElement* e)
 {
+    ASSERT(imgElements.find(e) != notFound);
     removeFromVector(imgElements, e);
 }
 
diff --git a/WebCore/html/HTMLImageElement.cpp b/WebCore/html/HTMLImageElement.cpp
index 34646ad..4592461 100644
--- a/WebCore/html/HTMLImageElement.cpp
+++ b/WebCore/html/HTMLImageElement.cpp
@@ -54,6 +54,8 @@ HTMLImageElement::HTMLImageElement(const QualifiedName& tagName, Document* doc,
 
 HTMLImageElement::~HTMLImageElement()
 {
+    if (m_form)
+        m_form->removeImgElement(this);
 }
 
 bool HTMLImageElement::mapToEntry(const QualifiedName& attrName, MappedAttributeEntry& result) const

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list