[SCM] WebKit Debian packaging branch, webkit-1.3, updated. upstream/1.3.7-4207-g178b198

inferno at chromium.org inferno at chromium.org
Sun Feb 20 22:47:49 UTC 2011 

The following commit has been merged in the webkit-1.3 branch:
commit 080d1c6f3c6264d1a8ba25ce3b6879ea9a6f7475
Author: inferno at chromium.org <inferno at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Tue Jan 11 19:24:36 2011 +0000

    2011-01-11  Abhishek Arya  <inferno at chromium.org>
    
            Reviewed by Dimitri Glazkov.
    
            RefPtr text node in setOuterText since calling appendData
            on a text node can fire away dom event listener which might
            remove the text node from underneath.
            https://bugs.webkit.org/show_bug.cgi?id=52163
    
            Test: fast/dom/text-node-append-data-remove-crash.html
    
            * html/HTMLElement.cpp:
            (WebCore::HTMLElement::setOuterText):
    2011-01-11  Abhishek Arya  <inferno at chromium.org>
    
            Reviewed by Dimitri Glazkov.
    
            Tests that calling append data on a text node which removes its
            sibling text node does not result in crash.
            https://bugs.webkit.org/show_bug.cgi?id=52163
    
            * fast/dom/text-node-append-data-remove-crash-expected.txt: Added.
            * fast/dom/text-node-append-data-remove-crash.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@75519 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index bf371f6..3c3af67 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2011-01-11  Abhishek Arya  <inferno at chromium.org>
+
+        Reviewed by Dimitri Glazkov.
+
+        Tests that calling append data on a text node which removes its
+        sibling text node does not result in crash.
+        https://bugs.webkit.org/show_bug.cgi?id=52163
+
+        * fast/dom/text-node-append-data-remove-crash-expected.txt: Added.
+        * fast/dom/text-node-append-data-remove-crash.html: Added.
+
 2011-01-11  Stephen White  <senorblanco at chromium.org>
 
         Unreviewed; chromium-gpu test expectations update.
diff --git a/LayoutTests/fast/dom/text-node-append-data-remove-crash-expected.txt b/LayoutTests/fast/dom/text-node-append-data-remove-crash-expected.txt
new file mode 100644
index 0000000..b1b3ec6
--- /dev/null
+++ b/LayoutTests/fast/dom/text-node-append-data-remove-crash-expected.txt
@@ -0,0 +1 @@
+PASS, threw an exception as expected - Error: HIERARCHY_REQUEST_ERR: DOM Exception 3
diff --git a/LayoutTests/fast/dom/text-node-append-data-remove-crash.html b/LayoutTests/fast/dom/text-node-append-data-remove-crash.html
new file mode 100644
index 0000000..61c60bd
--- /dev/null
+++ b/LayoutTests/fast/dom/text-node-append-data-remove-crash.html
@@ -0,0 +1,50 @@
+<html>
+<body onload="runTest()">
+<script>
+var count = 0;
+if (window.layoutTestController)
+{
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+function runTest()
+{   
+    try {
+       divBlock.addEventListener("DOMCharacterDataModified", eventListener, false);
+       pBlock.outerText = "text";
+    }
+    catch (exception) {
+       divBlock.innerHTML = "PASS, threw an exception as expected - " + exception;
+       if (window.layoutTestController)
+           layoutTestController.notifyDone();
+   }
+}
+
+function eventListener()
+{
+    count += 1;
+    if (count < 2)
+        return;
+    var range = document.createRange();
+    range.setStart(divBlock, 0);
+    range.setEnd(divBlock, divBlock.childNodes.length - 1);
+    range.deleteContents();
+    gc();
+}
+
+function gc()
+{
+    if (window.GCController)
+        return GCController.collect();
+
+    for (var i = 0; i < 10000; i++) { // > force garbage collection (FF requires about 9K allocations before a collect)
+        var s = new String("");
+    }
+}
+</script>
+<div id="divBlock">
+<br/>textnode1<p id="pBlock"></p>textnode2<br/>
+</div>
+</body>
+</html>
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index a54415a..7d62252 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,17 @@
+2011-01-11  Abhishek Arya  <inferno at chromium.org>
+
+        Reviewed by Dimitri Glazkov.
+
+        RefPtr text node in setOuterText since calling appendData
+        on a text node can fire away dom event listener which might
+        remove the text node from underneath.
+        https://bugs.webkit.org/show_bug.cgi?id=52163
+
+        Test: fast/dom/text-node-append-data-remove-crash.html
+
+        * html/HTMLElement.cpp:
+        (WebCore::HTMLElement::setOuterText):
+
 2011-01-11  Carlos Garcia Campos  <cgarcia at igalia.com>
 
         Reviewed by Martin Robinson.
diff --git a/Source/WebCore/html/HTMLElement.cpp b/Source/WebCore/html/HTMLElement.cpp
index a504f75..e489a3d 100644
--- a/Source/WebCore/html/HTMLElement.cpp
+++ b/Source/WebCore/html/HTMLElement.cpp
@@ -477,7 +477,7 @@ void HTMLElement::setOuterText(const String &text, ExceptionCode& ec)
     // Is previous node a text node? If so, merge into it.
     Node* prev = t->previousSibling();
     if (prev && prev->isTextNode()) {
-        Text* textPrev = static_cast<Text*>(prev);
+        RefPtr<Text> textPrev = static_cast<Text*>(prev);
         textPrev->appendData(t->data(), ec);
         if (ec)
             return;
@@ -490,7 +490,7 @@ void HTMLElement::setOuterText(const String &text, ExceptionCode& ec)
     // Is next node a text node? If so, merge it in.
     Node* next = t->nextSibling();
     if (next && next->isTextNode()) {
-        Text* textNext = static_cast<Text*>(next);
+        RefPtr<Text> textNext = static_cast<Text*>(next);
         t->appendData(textNext->data(), ec);
         if (ec)
             return;

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list