Title: [212504] branches/safari-603-branch

Diff

Modified: branches/safari-603-branch/LayoutTests/ChangeLog (212503 => 212504)


--- branches/safari-603-branch/LayoutTests/ChangeLog	2017-02-17 00:56:51 UTC (rev 212503)
+++ branches/safari-603-branch/LayoutTests/ChangeLog	2017-02-17 00:56:54 UTC (rev 212504)
@@ -1,5 +1,22 @@
 2017-02-16  Matthew Hanson  <[email protected]>
 
+        Merge r212214. rdar://problem/30451581
+
+    2017-02-12  Ryosuke Niwa  <[email protected]>
+
+            REGRESSION (r179497): Crash inside setAttributeNode
+            https://bugs.webkit.org/show_bug.cgi?id=168161
+            <rdar://problem/30451581>
+
+            Reviewed by Andreas Kling.
+
+            Added a regression test.
+
+            * fast/dom/Attr/make-unique-element-data-while-replacing-attr-expected.txt: Added.
+            * fast/dom/Attr/make-unique-element-data-while-replacing-attr.html: Added.
+
+2017-02-16  Matthew Hanson  <[email protected]>
+
         Merge r212172. rdar://problem/30476807
 
     2017-02-10  Simon Fraser  <[email protected]>

Added: branches/safari-603-branch/LayoutTests/fast/dom/Attr/make-unique-element-data-while-replacing-attr-expected.txt (0 => 212504)


--- branches/safari-603-branch/LayoutTests/fast/dom/Attr/make-unique-element-data-while-replacing-attr-expected.txt	                        (rev 0)
+++ branches/safari-603-branch/LayoutTests/fast/dom/Attr/make-unique-element-data-while-replacing-attr-expected.txt	2017-02-17 00:56:54 UTC (rev 212504)
@@ -0,0 +1,10 @@
+Test making the element data unique while replacing an Attr node.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS element.getAttribute("width") is "b"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: branches/safari-603-branch/LayoutTests/fast/dom/Attr/make-unique-element-data-while-replacing-attr.html (0 => 212504)


--- branches/safari-603-branch/LayoutTests/fast/dom/Attr/make-unique-element-data-while-replacing-attr.html	                        (rev 0)
+++ branches/safari-603-branch/LayoutTests/fast/dom/Attr/make-unique-element-data-while-replacing-attr.html	2017-02-17 00:56:54 UTC (rev 212504)
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script src=""
+<script>
+
+description('Test making the element data unique while replacing an Attr node.');
+
+let element = document.createElement('div');
+element.setAttribute('foo', 'bar');
+
+let oldAttr = document.createAttributeNS('http://www.w3.org/XML/1998/namespace', 'width');
+oldAttr.value = 'a';
+element.setAttributeNode(oldAttr);
+
+element.addEventListener('DOMSubtreeModified', () => { element.cloneNode(); }, true);
+
+let newAttr = document.createAttributeNS('http://www.w3.org/1999/xhtml','width');
+newAttr.value = 'b';
+element.setAttributeNode(newAttr);
+
+shouldBeEqualToString('element.getAttribute("width")', 'b');
+
+</script>		
+</body>
+</html>
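Review bot: the `<script src=""` line is broken: the tag has no closing `>` and an empty `src`, so the harness that defines `description()` and `shouldBeEqualToString()` never loads and the unterminated tag swallows the following `<script>` opener as attribute text; restore the closing `>` and the path to the js-test harness script (WebKit's `resources/js-test-pre.js`, if that is what the original referenced). The test itself is a good minimal reproducer: `cloneNode()` from a `DOMSubtreeModified` listener, fired during the removal of the first `width` attr, makes the element data shared and replaces `m_elementData` mid-call, which is exactly the stale-reference condition the Element.cpp change guards against. Also drop the trailing whitespace after `</script>`.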

Modified: branches/safari-603-branch/Source/WebCore/ChangeLog (212503 => 212504)


--- branches/safari-603-branch/Source/WebCore/ChangeLog	2017-02-17 00:56:51 UTC (rev 212503)
+++ branches/safari-603-branch/Source/WebCore/ChangeLog	2017-02-17 00:56:54 UTC (rev 212504)
@@ -1,5 +1,28 @@
 2017-02-16  Matthew Hanson  <[email protected]>
 
+        Merge r212214. rdar://problem/30451581
+
+    2017-02-12  Ryosuke Niwa  <[email protected]>
+
+            REGRESSION (r179497): Crash inside setAttributeNode
+            https://bugs.webkit.org/show_bug.cgi?id=168161
+            <rdar://problem/30451581>
+
+            Reviewed by Andreas Kling.
+
+            The bug was caused by setAttributeNode calling setAttributeInternal with the same element data as the one used
+            to call removeAttributeInternal despite of the fact removeAttributeInternal could have invoked arbitrary scripts
+            and mutated element's m_elementData.
+
+            Fixed the bug by calling with setAttributeInternal with the result of new invocation of ensureUniqueElementData().
+
+            Test: fast/dom/Attr/make-unique-element-data-while-replacing-attr.html
+
+            * dom/Element.cpp:
+            (WebCore::Element::setAttributeNode):
+
+2017-02-16  Matthew Hanson  <[email protected]>
+
         Merge r212174. rdar://problem/29904368
 
     2017-02-10  Daniel Bates  <[email protected]>
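Review bot: two wording slips in the merged ChangeLog entry: "despite of the fact" should read "despite the fact", and "Fixed the bug by calling with setAttributeInternal with the result of new invocation of ensureUniqueElementData()" has a stray "with"; suggest "Fixed the bug by calling setAttributeInternal with the result of a new invocation of ensureUniqueElementData()". The entry would also benefit from naming the concrete way script can swap `m_elementData` (the test does it via `cloneNode()` in a mutation event listener, which converts the data to the shared form), since that is what makes the old `elementData` reference dangling rather than merely out of date.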

Modified: branches/safari-603-branch/Source/WebCore/dom/Element.cpp (212503 => 212504)


--- branches/safari-603-branch/Source/WebCore/dom/Element.cpp	2017-02-17 00:56:51 UTC (rev 212503)
+++ branches/safari-603-branch/Source/WebCore/dom/Element.cpp	2017-02-17 00:56:54 UTC (rev 212504)
@@ -2149,7 +2149,7 @@
             setAttributeInternal(existingAttributeIndex, attrNode.qualifiedName(), attrNode.value(), NotInSynchronizationOfLazyAttribute);
         else {
             removeAttributeInternal(existingAttributeIndex, NotInSynchronizationOfLazyAttribute);
-            setAttributeInternal(elementData.findAttributeIndexByName(attrNode.qualifiedName()), attrNode.qualifiedName(), attrNode.value(), NotInSynchronizationOfLazyAttribute);
+            setAttributeInternal(ensureUniqueElementData().findAttributeIndexByName(attrNode.qualifiedName()), attrNode.qualifiedName(), attrNode.value(), NotInSynchronizationOfLazyAttribute);
         }
     }
     if (attrNode.ownerElement() != this) {
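Review bot: re-fetching via `ensureUniqueElementData()` after `removeAttributeInternal()` is the right fix, because removal dispatches mutation events that can run arbitrary script and replace `m_elementData`, leaving the `elementData` reference captured earlier in this function pointing at freed or shared data; re-running `findAttributeIndexByName` rather than reusing `existingAttributeIndex` is also correct since indices can shift. Two follow-ups: add a one-line comment on the changed line, e.g. `// removeAttributeInternal may have run script and replaced m_elementData; look the attribute up again.`, so a later refactor does not hoist the lookup back out; and confirm that `elementData` is not touched again after this block (the code from line 132 onward is outside the hunk) and that `setAttributeInternal` tolerates the not-found index, since script in the listener may already have removed the attribute being replaced.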
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes