[SCM] WebKit Debian packaging branch, webkit-1.3, updated. upstream/1.3.7-4207-g178b198
tkent at chromium.org
tkent at chromium.org
Sun Feb 20 22:53:58 UTC 2011
The following commit has been merged in the webkit-1.3 branch:
commit d408e11e7dc97d28ce8819ffa181ca84d02ab594
Author: tkent at chromium.org <tkent at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Thu Jan 13 03:48:42 2011 +0000
2011-01-12 Kenichi Ishibashi <bashi at google.com>
Reviewed by Kent Tamura.
M_formElementsWithFormAttribute not cleared when Node is moved to another document.
https://bugs.webkit.org/show_bug.cgi?id=51418
Calls unregisterFormElementWithFormAttribute() when form associated elements
are moved to another document.
Test: fast/forms/change-form-element-document-crash.html
* html/FormAssociatedElement.cpp:
(WebCore::FormAssociatedElement::willMoveToNewOwnerDocument): Added.
* html/FormAssociatedElement.h: Added willMoveToNewOwnerDocument().
* html/HTMLFormControlElement.cpp:
(WebCore::HTMLFormControlElement::willMoveToNewOwnerDocument): Added.
* html/HTMLFormControlElement.h: Added willMoveToNewOwnerDocument().
* html/HTMLObjectElement.cpp:
(WebCore::HTMLObjectElement::willMoveToNewOwnerDocument): Added.
* html/HTMLObjectElement.h: Added willMoveToNewOwnerDocument().
* html/HTMLPlugInImageElement.h: Moves willMoveToNewOwnerDocument() to protected.
2011-01-12 Kenichi Ishibashi <bashi at google.com>
Reviewed by Kent Tamura.
M_formElementsWithFormAttribute not cleared when Node is moved to another document.
https://bugs.webkit.org/show_bug.cgi?id=51418
Added test for crash when moving form elements from one document to another.
* fast/forms/change-form-element-document-crash-expected.txt: Added.
* fast/forms/change-form-element-document-crash.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@75675 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index b974c31..c93aa41 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2011-01-12 Kenichi Ishibashi <bashi at google.com>
+
+ Reviewed by Kent Tamura.
+
+ M_formElementsWithFormAttribute not cleared when Node is moved to another document.
+ https://bugs.webkit.org/show_bug.cgi?id=51418
+
+ Added test for crash when moving form elements from one document to another.
+
+ * fast/forms/change-form-element-document-crash-expected.txt: Added.
+ * fast/forms/change-form-element-document-crash.html: Added.
+
2011-01-12 Justin Schuh <jschuh at chromium.org>
Unreviewed chromium test expectations fix.
diff --git a/LayoutTests/fast/forms/change-form-element-document-crash-expected.txt b/LayoutTests/fast/forms/change-form-element-document-crash-expected.txt
new file mode 100644
index 0000000..a9509e6
--- /dev/null
+++ b/LayoutTests/fast/forms/change-form-element-document-crash-expected.txt
@@ -0,0 +1,3 @@
+This page is a test case for Bug 51418. WebKit should not crash when this page is loaded.
+
+PASS
diff --git a/LayoutTests/fast/forms/change-form-element-document-crash.html b/LayoutTests/fast/forms/change-form-element-document-crash.html
new file mode 100644
index 0000000..4925401
--- /dev/null
+++ b/LayoutTests/fast/forms/change-form-element-document-crash.html
@@ -0,0 +1,41 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+function gc() {
+ if (window.GCController)
+ return GCController.collect();
+
+ for (var i = 0; i < 10000; i++)
+ var s = new String("abc");
+}
+
+function crash_test(element_name) {
+ var element = document.createElement(element_name);
+ element.setAttribute('form', '1');
+ var container = document.createElement('div');
+ container.appendChild(element);
+ document.implementation.createDocument().adoptNode(container);
+ container.removeChild(element);
+ delete element;
+ gc();
+ var form = document.createElement('form');
+ form.setAttribute('id', '2');
+ document.body.appendChild(form)
+}
+
+function test() {
+ crash_test('input');
+ crash_test('object');
+ document.body.innerHTML += "PASS";
+}
+</script>
+</head>
+<body onload="test()">
+<p>
+This page is a test case for <a href="https://bugs.webkit.org/show_bug.cgi?id=51418">Bug 51418</a>. WebKit should not crash when this page is loaded.
+</p>
+</body>
+</html>
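Review bot: `delete element;` in crash_test() has no effect, because `element` is a `var` binding and `delete` only removes object properties, so the local may still reference the node when gc() runs. If so, each element probably only becomes collectable after its crash_test() call returns, which would mean the 'input' entry is exercised by the second call's form insertion and the 'object' entry is never exercised. I would replace the statement with `element = null;` and, in test(), run `gc();` and insert one more form after the last crash_test() call before writing PASS, so both element types are covered. The line `document.body.appendChild(form)` is also missing its semicolon.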
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 0598c3a..ac31934 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,26 @@
+2011-01-12 Kenichi Ishibashi <bashi at google.com>
+
+ Reviewed by Kent Tamura.
+
+ M_formElementsWithFormAttribute not cleared when Node is moved to another document.
+ https://bugs.webkit.org/show_bug.cgi?id=51418
+
+ Calls unregisterFormElementWithFormAttribute() when form associated elements
+ are moved to another document.
+
+ Test: fast/forms/change-form-element-document-crash.html
+
+ * html/FormAssociatedElement.cpp:
+ (WebCore::FormAssociatedElement::willMoveToNewOwnerDocument): Added.
+ * html/FormAssociatedElement.h: Added willMoveToNewOwnerDocument().
+ * html/HTMLFormControlElement.cpp:
+ (WebCore::HTMLFormControlElement::willMoveToNewOwnerDocument): Added.
+ * html/HTMLFormControlElement.h: Added willMoveToNewOwnerDocument().
+ * html/HTMLObjectElement.cpp:
+ (WebCore::HTMLObjectElement::willMoveToNewOwnerDocument): Added.
+ * html/HTMLObjectElement.h: Added willMoveToNewOwnerDocument().
+ * html/HTMLPlugInImageElement.h: Moves willMoveToNewOwnerDocument() to protected.
+
2011-01-12 Ryosuke Niwa <rniwa at webkit.org>
Reviewed by Eric Seidel.
diff --git a/Source/WebCore/html/FormAssociatedElement.cpp b/Source/WebCore/html/FormAssociatedElement.cpp
index a97c0e2..df74f4e 100644
--- a/Source/WebCore/html/FormAssociatedElement.cpp
+++ b/Source/WebCore/html/FormAssociatedElement.cpp
@@ -52,6 +52,13 @@ ValidityState* FormAssociatedElement::validity()
return m_validityState.get();
}
+void FormAssociatedElement::willMoveToNewOwnerDocument()
+{
+ HTMLElement* element = toHTMLElement(this);
+ if (element->fastHasAttribute(formAttr))
+ element->document()->unregisterFormElementWithFormAttribute(this);
+}
+
void FormAssociatedElement::insertedIntoTree()
{
HTMLElement* element = toHTMLElement(this);
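Review bot: The new willMoveToNewOwnerDocument() only unregisters the element from the old document, and nothing in this hunk registers it with the document it is moving to. If registration happens only in insertedIntoTree() (whose body continues outside the hunk), an element adopted while still attached to a subtree would stay unregistered in the new document and could miss later form-owner updates there. That is worth confirming and covering with a layout test. I would also add a comment above the `if` stating the invariant, for example `// The owner document tracks this element in its form-attribute list; remove it before document() changes so no stale entry is left behind.`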
diff --git a/Source/WebCore/html/FormAssociatedElement.h b/Source/WebCore/html/FormAssociatedElement.h
index 3c8c6e1..873bdf4 100644
--- a/Source/WebCore/html/FormAssociatedElement.h
+++ b/Source/WebCore/html/FormAssociatedElement.h
@@ -63,6 +63,8 @@ protected:
void insertedIntoTree();
void removedFromTree();
+ void willMoveToNewOwnerDocument();
+
void setForm(HTMLFormElement* form) { m_form = form; }
void removeFromForm();
void formAttributeChanged();
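Review bot: The new `willMoveToNewOwnerDocument()` declaration is not virtual and has no comment, so nothing tells a future subclass author that the call must be forwarded by hand. The two overrides added in HTMLFormControlElement.cpp and HTMLObjectElement.cpp do forward it, but a later class that mixes in FormAssociatedElement and forgets would reintroduce the stale registration this commit fixes. I would add above the declaration `// Not virtual: every class deriving from FormAssociatedElement must call this from its own willMoveToNewOwnerDocument() override.`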
diff --git a/Source/WebCore/html/HTMLFormControlElement.cpp b/Source/WebCore/html/HTMLFormControlElement.cpp
index 8556c1e..714311e 100644
--- a/Source/WebCore/html/HTMLFormControlElement.cpp
+++ b/Source/WebCore/html/HTMLFormControlElement.cpp
@@ -144,6 +144,12 @@ void HTMLFormControlElement::attach()
focus();
}
+void HTMLFormControlElement::willMoveToNewOwnerDocument()
+{
+ FormAssociatedElement::willMoveToNewOwnerDocument();
+ HTMLElement::willMoveToNewOwnerDocument();
+}
+
void HTMLFormControlElement::insertedIntoTree(bool deep)
{
FormAssociatedElement::insertedIntoTree();
diff --git a/Source/WebCore/html/HTMLFormControlElement.h b/Source/WebCore/html/HTMLFormControlElement.h
index e5d741b..8403b84 100644
--- a/Source/WebCore/html/HTMLFormControlElement.h
+++ b/Source/WebCore/html/HTMLFormControlElement.h
@@ -109,6 +109,7 @@ protected:
virtual void attach();
virtual void insertedIntoTree(bool deep);
virtual void removedFromTree(bool deep);
+ virtual void willMoveToNewOwnerDocument();
virtual bool isKeyboardFocusable(KeyboardEvent*) const;
virtual bool isMouseFocusable() const;
diff --git a/Source/WebCore/html/HTMLObjectElement.cpp b/Source/WebCore/html/HTMLObjectElement.cpp
index 2c6e6de..a1dde1a 100644
--- a/Source/WebCore/html/HTMLObjectElement.cpp
+++ b/Source/WebCore/html/HTMLObjectElement.cpp
@@ -479,6 +479,12 @@ void HTMLObjectElement::addSubresourceAttributeURLs(ListHashSet<KURL>& urls) con
addSubresourceURL(urls, document()->completeURL(useMap));
}
+void HTMLObjectElement::willMoveToNewOwnerDocument()
+{
+ FormAssociatedElement::willMoveToNewOwnerDocument();
+ HTMLPlugInImageElement::willMoveToNewOwnerDocument();
+}
+
void HTMLObjectElement::insertedIntoTree(bool deep)
{
FormAssociatedElement::insertedIntoTree();
diff --git a/Source/WebCore/html/HTMLObjectElement.h b/Source/WebCore/html/HTMLObjectElement.h
index d5797ff..ff773f1 100644
--- a/Source/WebCore/html/HTMLObjectElement.h
+++ b/Source/WebCore/html/HTMLObjectElement.h
@@ -73,6 +73,7 @@ private:
virtual bool rendererIsNeeded(RenderStyle*);
virtual void insertedIntoDocument();
virtual void removedFromDocument();
+ virtual void willMoveToNewOwnerDocument();
virtual void childrenChanged(bool changedByParser = false, Node* beforeChange = 0, Node* afterChange = 0, int childCountDelta = 0);
diff --git a/Source/WebCore/html/HTMLPlugInImageElement.h b/Source/WebCore/html/HTMLPlugInImageElement.h
index 377fd99..f394d40 100644
--- a/Source/WebCore/html/HTMLPlugInImageElement.h
+++ b/Source/WebCore/html/HTMLPlugInImageElement.h
@@ -58,12 +58,13 @@ protected:
bool allowedToLoadFrameURL(const String& url);
bool wouldLoadAsNetscapePlugin(const String& url, const String& serviceType);
+ virtual void willMoveToNewOwnerDocument();
+
private:
virtual RenderObject* createRenderer(RenderArena*, RenderStyle*);
virtual void recalcStyle(StyleChange);
virtual void finishParsingChildren();
- virtual void willMoveToNewOwnerDocument();
void updateWidgetIfNecessary();
virtual bool useFallbackContent() const { return false; }
--
WebKit Debian packaging