Title: [92913] branches/safari-534.51-branch

Diff

Modified: branches/safari-534.51-branch/LayoutTests/ChangeLog (92912 => 92913)


--- branches/safari-534.51-branch/LayoutTests/ChangeLog	2011-08-12 04:10:00 UTC (rev 92912)
+++ branches/safari-534.51-branch/LayoutTests/ChangeLog	2011-08-12 04:11:41 UTC (rev 92913)
@@ -1,5 +1,19 @@
 2011-08-11  Lucas Forschler  <[email protected]>
 
+    Merged 88434
+
+    2011-06-09  Adam Barth  <[email protected]>
+
+            Reviewed by Eric Seidel.
+
+            Running script from attach can remove elements from the stack of open elements
+            https://bugs.webkit.org/show_bug.cgi?id=62160
+
+            * fast/parser/document-write-onload-clear-expected.txt: Added.
+            * fast/parser/document-write-onload-clear.html: Added.
+
+2011-08-11  Lucas Forschler  <[email protected]>
+
     Merged 87863
 
     2011-06-01  Abhishek Arya  <[email protected]>

Copied: branches/safari-534.51-branch/LayoutTests/fast/parser/document-write-onload-clear-expected.txt (from rev 88434, trunk/LayoutTests/fast/parser/document-write-onload-clear-expected.txt) (0 => 92913)


--- branches/safari-534.51-branch/LayoutTests/fast/parser/document-write-onload-clear-expected.txt	                        (rev 0)
+++ branches/safari-534.51-branch/LayoutTests/fast/parser/document-write-onload-clear-expected.txt	2011-08-12 04:11:41 UTC (rev 92913)
@@ -0,0 +1,2 @@
+PASS
+

Copied: branches/safari-534.51-branch/LayoutTests/fast/parser/document-write-onload-clear.html (from rev 88434, trunk/LayoutTests/fast/parser/document-write-onload-clear.html) (0 => 92913)


--- branches/safari-534.51-branch/LayoutTests/fast/parser/document-write-onload-clear.html	                        (rev 0)
+++ branches/safari-534.51-branch/LayoutTests/fast/parser/document-write-onload-clear.html	2011-08-12 04:11:41 UTC (rev 92913)
@@ -0,0 +1,5 @@
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+</script>
+<iframe _onload_="document.write('<p>FAIL<iframe _onload_=&quot;document.write(\'<p>\')&quot;></iframe><script>document.body.innerHTML = \'PASS\';</script>');document.close();"></iframe>
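Review bot: the attribute on both iframes is spelled `_onload_`, which is not an event-handler attribute, so as written neither handler would run, no `document.write` would happen and the page would never produce the `PASS` text that the expected file requires; the test would then fail without ever exercising the attach path. If the underscores are an artifact of how the archive renders inline handlers, the committed file is fine, but the test only reproduces bug 62160 when the attribute is `onload`. A one-line comment in the test explaining that the inner `document.write` runs synchronously from the outer handler and clears the stack of open elements would also help the next person who touches it.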

Modified: branches/safari-534.51-branch/Source/WebCore/ChangeLog (92912 => 92913)


--- branches/safari-534.51-branch/Source/WebCore/ChangeLog	2011-08-12 04:10:00 UTC (rev 92912)
+++ branches/safari-534.51-branch/Source/WebCore/ChangeLog	2011-08-12 04:11:41 UTC (rev 92913)
@@ -1,5 +1,26 @@
 2011-08-11  Lucas Forschler  <[email protected]>
 
+    Merged 88434
+
+    2011-06-09  Adam Barth  <[email protected]>
+
+            Reviewed by Eric Seidel.
+
+            Running script from attach can remove elements from the stack of open elements
+            https://bugs.webkit.org/show_bug.cgi?id=62160
+
+            When the tree build runs script synchronously, that script can remove
+            arbitrary elements from the stack of open elements.  We need to hold a
+            reference to |parent| in attach instead of rely upon the reference in
+            the stack of open elements.
+
+            Test: fast/parser/document-write-onload-clear.html
+
+            * html/parser/HTMLConstructionSite.cpp:
+            (WebCore::HTMLConstructionSite::attach):
+
+2011-08-11  Lucas Forschler  <[email protected]>
+
     Merged 87875
 
     2011-06-01  Abhishek Arya  <[email protected]>
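Review bot: the entry under `* html/parser/HTMLConstructionSite.cpp:` lists `(WebCore::HTMLConstructionSite::attach)` but says nothing about the parameter rename from `parent` to `rawParent` or about the removed comment on the `child` reference; a short phrase such as "Hold a RefPtr to parent; rename the raw argument to rawParent" under the function name would make the ChangeLog match the diff.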

Modified: branches/safari-534.51-branch/Source/WebCore/html/parser/HTMLConstructionSite.cpp (92912 => 92913)


--- branches/safari-534.51-branch/Source/WebCore/html/parser/HTMLConstructionSite.cpp	2011-08-12 04:10:00 UTC (rev 92912)
+++ branches/safari-534.51-branch/Source/WebCore/html/parser/HTMLConstructionSite.cpp	2011-08-12 04:11:41 UTC (rev 92913)
@@ -82,13 +82,14 @@
 } // namespace
 
 template<typename ChildType>
-PassRefPtr<ChildType> HTMLConstructionSite::attach(ContainerNode* parent, PassRefPtr<ChildType> prpChild)
+PassRefPtr<ChildType> HTMLConstructionSite::attach(ContainerNode* rawParent, PassRefPtr<ChildType> prpChild)
 {
     RefPtr<ChildType> child = prpChild;
+    RefPtr<ContainerNode> parent = rawParent;
 
     // FIXME: It's confusing that HTMLConstructionSite::attach does the magic
     // redirection to the foster parent but HTMLConstructionSite::attachAtSite
-    // doesn't.  It feels like we're missing a concept somehow.
+    // doesn't. It feels like we're missing a concept somehow.
     if (shouldFosterParent()) {
         fosterParent(child.get());
         ASSERT(child->attached() || !child->parentNode() || !child->parentNode()->attached());
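Review bot: `RefPtr<ContainerNode> parent = rawParent;` carries no comment saying why the extra reference is needed, and the only explanation now lives in the ChangeLog; add a line above it along the lines of "Script run synchronously during attach can remove arbitrary elements from the stack of open elements, so the stack cannot be relied on to keep parent alive." Also, the whitespace-only change to the FIXME comment (`doesn't.  It feels` to `doesn't. It feels`) is unrelated to the fix and is better kept out of a branch merge so the hunk shows only the behavioural change.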
@@ -102,11 +103,6 @@
     if (!child->parentNode())
         return child.release();
 
-    // It's slightly unfortunate that we need to hold a reference to child
-    // here to call attach().  We should investigate whether we can rely on
-    // |parent| to hold a ref at this point.  In the common case (at least
-    // for elements), however, we'll get to use this ref in the stack of
-    // open elements.
     if (parent->attached() && !child->attached())
         child->attach();
     return child.release();
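Review bot: with the old comment gone, nothing at `if (parent->attached() && !child->attached())` records that `parent` is now a `RefPtr` precisely so this dereference is safe after `fosterParent`/`parentNode` processing may have run script; consider moving the rationale here rather than deleting it outright, since the `parent->attached()` check is the line the extra reference protects. It is also worth stating in the comment that if script detached `parent` from the document, `parent->attached()` is false and the child is deliberately left unattached, so a reader does not mistake that branch for a missed attach.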
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
