[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.2.2-27-g91dab87

Gustavo Noronha Silva gns at gnome.org
Thu Jul 15 21:13:29 UTC 2010 

The following commit has been merged in the webkit-1.2 branch:
commit 37097fbb2df2dc617dff1ef92aa350e103f8ab49
Author: weinig at apple.com <weinig at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Tue May 11 00:08:33 2010 +0000

    WebCore: Fix for https://bugs.webkit.org/show_bug.cgi?id=38583
    <rdar://problem/7948784> Crash in Element::normalizeAttributes.
    
    Reviewed by Darin Adler.
    
    Test: fast/dom/Element/normalize-crash.html
    
    * dom/Element.cpp:
    (WebCore::Element::normalizeAttributes): Copy attributes to a vector
    before iterating.
    * dom/NamedAttrMap.cpp:
    (WebCore::NamedNodeMap::copyAttributesToVector): Added.
    * dom/NamedAttrMap.h:
    
    LayoutTests: Test for https://bugs.webkit.org/show_bug.cgi?id=38583
    <rdar://problem/7948784> Crash in Element::normalizeAttributes.
    
    Reviewed by Darin Adler.
    
    * fast/dom/Element/normalize-crash-expected.txt: Added.
    * fast/dom/Element/normalize-crash.html: Added.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@59109 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index fe8950f..75399d2 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-05-10  Sam Weinig  <sam at webkit.org>
+
+        Reviewed by Darin Adler.
+
+        Test for https://bugs.webkit.org/show_bug.cgi?id=38583
+        <rdar://problem/7948784> Crash in Element::normalizeAttributes.
+
+        * fast/dom/Element/normalize-crash-expected.txt: Added.
+        * fast/dom/Element/normalize-crash.html: Added.
+
 2010-05-10  Alexey Proskuryakov  <ap at apple.com>
 
         Reviewed by Darin Adler.
diff --git a/LayoutTests/fast/dom/Element/normalize-crash-expected.txt b/LayoutTests/fast/dom/Element/normalize-crash-expected.txt
new file mode 100644
index 0000000..4900486
--- /dev/null
+++ b/LayoutTests/fast/dom/Element/normalize-crash-expected.txt
@@ -0,0 +1,3 @@
+This test passes if it does not crash.
+
+
diff --git a/LayoutTests/fast/dom/Element/normalize-crash.html b/LayoutTests/fast/dom/Element/normalize-crash.html
new file mode 100644
index 0000000..6eb8ef7
--- /dev/null
+++ b/LayoutTests/fast/dom/Element/normalize-crash.html
@@ -0,0 +1,26 @@
+<p>This test passes if it does not crash.</p>
+<div id="test1"></div>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+var elem = document.getElementById("test1");
+
+function go()
+{
+    var str = "c";
+    for (var i = 0; i < 0x10000; i++)
+        var b = str + str;
+}
+
+function handler()
+{
+    elem.removeAttribute("b");
+    go();
+}
+
+elem.setAttribute("b", "a");
+elem.attributes[0].appendChild(document.createTextNode("hi"));
+elem.attributes[0].addEventListener("DOMSubtreeModified", handler,  false);
+elem.normalize();
+</script>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index eb5063b..68496e2 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,19 @@
+2010-05-10  Sam Weinig  <sam at webkit.org>
+
+        Reviewed by Darin Adler.
+
+        Fix for https://bugs.webkit.org/show_bug.cgi?id=38583
+        <rdar://problem/7948784> Crash in Element::normalizeAttributes.
+
+        Test: fast/dom/Element/normalize-crash.html
+
+        * dom/Element.cpp:
+        (WebCore::Element::normalizeAttributes): Copy attributes to a vector
+        before iterating.
+        * dom/NamedAttrMap.cpp:
+        (WebCore::NamedNodeMap::copyAttributesToVector): Added.
+        * dom/NamedAttrMap.h:
+
 2010-05-10  Alexey Proskuryakov  <ap at apple.com>
 
         Reviewed by Darin Adler.
diff --git a/WebCore/dom/Element.cpp b/WebCore/dom/Element.cpp
index 2c42187..c67119a 100644
--- a/WebCore/dom/Element.cpp
+++ b/WebCore/dom/Element.cpp
@@ -1430,9 +1430,15 @@ void Element::normalizeAttributes()
     NamedNodeMap* attrs = attributes(true);
     if (!attrs)
         return;
-    unsigned numAttrs = attrs->length();
-    for (unsigned i = 0; i < numAttrs; i++) {
-        if (Attr* attr = attrs->attributeItem(i)->attr())
+
+    if (attrs->isEmpty())
+        return;
+
+    Vector<RefPtr<Attribute> > attributeVector;
+    attrs->copyAttributesToVector(attributeVector);
+    size_t numAttrs = attributeVector.size();
+    for (size_t i = 0; i < numAttrs; ++i) {
+        if (Attr* attr = attributeVector[i]->attr())
             attr->normalize();
     }
 }
diff --git a/WebCore/dom/NamedAttrMap.cpp b/WebCore/dom/NamedAttrMap.cpp
index d8a6ba8..ee979cf 100644
--- a/WebCore/dom/NamedAttrMap.cpp
+++ b/WebCore/dom/NamedAttrMap.cpp
@@ -172,6 +172,11 @@ PassRefPtr<Node> NamedNodeMap::item(unsigned index) const
     return m_attributes[index]->createAttrIfNeeded(m_element);
 }
 
+void NamedNodeMap::copyAttributesToVector(Vector<RefPtr<Attribute> >& copy)
+{
+    copy = m_attributes;
+}
+
 Attribute* NamedNodeMap::getAttributeItemSlowCase(const String& name, bool shouldIgnoreAttributeCase) const
 {
     unsigned len = length();
diff --git a/WebCore/dom/NamedAttrMap.h b/WebCore/dom/NamedAttrMap.h
index d5136b5..e292576 100644
--- a/WebCore/dom/NamedAttrMap.h
+++ b/WebCore/dom/NamedAttrMap.h
@@ -72,6 +72,8 @@ public:
     Attribute* attributeItem(unsigned index) const { return m_attributes[index].get(); }
     Attribute* getAttributeItem(const QualifiedName&) const;
 
+    void copyAttributesToVector(Vector<RefPtr<Attribute> >&);
+
     void shrinkToLength() { m_attributes.shrinkCapacity(length()); }
     void reserveInitialCapacity(unsigned capacity) { m_attributes.reserveInitialCapacity(capacity); }
 

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list