[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.17-1283-gcf603cf

beidson at apple.com beidson at apple.com
Tue Jan 5 23:45:21 UTC 2010 

The following commit has been merged in the webkit-1.1 branch:
commit 7c8811a4e92ae4af6b2e8f6a8ec498eb31628196
Author: beidson at apple.com <beidson at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Wed Dec 9 00:08:24 2009 +0000

    Navigating to a cached page can result in accessing a destroyed HTMLInputElement.
    <rdar://problem/6856662> and https://webkit.org/b/32293
    
    Reviewed by Darin Adler.
    
    WebCore:
    
    Test: fast/loader/input-element-page-cache-crash.html
    
    * html/HTMLInputElement.cpp:
    (WebCore::HTMLInputElement::parseMappedAttribute): Make sure to unregister for the activation
      callback after the new m_autocomplete setting has been stored so the unregistration actually
      takes place.
    
    LayoutTests:
    
    * fast/loader/input-element-page-cache-crash-expected.txt: Added.
    * fast/loader/input-element-page-cache-crash.html: Added.
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@51877 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 34a6b77..24d349b 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2009-12-08  Brady Eidson  <beidson at apple.com>
+
+        Reviewed by Darin Adler.
+
+        Navigating to a cached page can result in accessing a destroyed HTMLInputElement.
+        <rdar://problem/6856662> and https://webkit.org/b/32293
+
+        * fast/loader/input-element-page-cache-crash-expected.txt: Added.
+        * fast/loader/input-element-page-cache-crash.html: Added.
+
 2009-12-08  Nikolas Zimmermann  <nzimmermann at rim.com>
 
         Not reviewed. Skip fast/repaint/block-selection-gap-in-table-cell.html (generates new result) to turn Qt/Gtk builds green again.
diff --git a/LayoutTests/fast/loader/input-element-page-cache-crash-expected.txt b/LayoutTests/fast/loader/input-element-page-cache-crash-expected.txt
new file mode 100644
index 0000000..2ab5e35
--- /dev/null
+++ b/LayoutTests/fast/loader/input-element-page-cache-crash-expected.txt
@@ -0,0 +1,6 @@
+This test has an input element that starts out with autocomplete=off.
+It then changes autocomplete to on.
+It then removes the element so it is destroyed.
+It then navigates to a new page, placing the current page in the page cache.
+Finally it returns to the original page.
+
diff --git a/LayoutTests/fast/loader/input-element-page-cache-crash.html b/LayoutTests/fast/loader/input-element-page-cache-crash.html
new file mode 100644
index 0000000..ee69355
--- /dev/null
+++ b/LayoutTests/fast/loader/input-element-page-cache-crash.html
@@ -0,0 +1,43 @@
+<html>
+<head>
+<script>
+
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+    layoutTestController.overridePreference("WebKitUsesPageCachePreferenceKey", 1);
+}
+
+function runTest()
+{
+    var input = document.getElementById("testinput");
+    input.setAttribute("autocomplete", "on");
+    input.parentNode.removeChild(input);
+    
+    window.location = "data:text/html,<script>history.back();</scrip" + "t>";
+}
+
+function pageHidden()
+{
+    window.finishTest = true;
+}
+
+function pageShown()
+{
+    if (window.layoutTestController && window.finishTest)
+        layoutTestController.notifyDone();
+}
+
+</script>    
+</head>
+
+<body onload="runTest();" onpagehide="pageHidden();" onpageshow="pageShown();">
+<pre>This test has an input element that starts out with autocomplete=off.
+It then changes autocomplete to on.
+It then removes the element so it is destroyed.
+It then navigates to a new page, placing the current page in the page cache.
+Finally it returns to the original page.</pre>
+<form>
+<input id="testinput" autocomplete="off">
+</form>
+</body>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 50b6333..0644488 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,17 @@
+2009-12-08  Brady Eidson  <beidson at apple.com>
+
+        Reviewed by Darin Adler.
+
+        Navigating to a cached page can result in accessing a destroyed HTMLInputElement.
+        <rdar://problem/6856662> and https://webkit.org/b/32293
+
+        Test: fast/loader/input-element-page-cache-crash.html
+
+        * html/HTMLInputElement.cpp:
+        (WebCore::HTMLInputElement::parseMappedAttribute): Make sure to unregister for the activation
+          callback after the new m_autocomplete setting has been stored so the unregistration actually
+          takes place.
+
 2009-12-08  Dmitry Titov  <dimich at chromium.org>
 
         Rubber-stamped by David Levin.
diff --git a/WebCore/html/HTMLInputElement.cpp b/WebCore/html/HTMLInputElement.cpp
index 13dbbb0..a00a731 100644
--- a/WebCore/html/HTMLInputElement.cpp
+++ b/WebCore/html/HTMLInputElement.cpp
@@ -850,12 +850,15 @@ void HTMLInputElement::parseMappedAttribute(MappedAttribute *attr)
             m_autocomplete = Off;
             registerForActivationCallbackIfNeeded();
         } else {
-            if (m_autocomplete == Off)
-                unregisterForActivationCallbackIfNeeded();
+            bool needsToUnregister = m_autocomplete == Off;
+
             if (attr->isEmpty())
                 m_autocomplete = Uninitialized;
             else
                 m_autocomplete = On;
+
+            if (needsToUnregister)
+                unregisterForActivationCallbackIfNeeded();
         }
     } else if (attr->name() == typeAttr) {
         setInputType(attr->value());

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list