Title: [108878] trunk
Revision: 108878
Author: [email protected]
Date: 2012-02-24 18:01:52 -0800 (Fri, 24 Feb 2012)

Log Message

Regression(r107477): Crash in StaticNodeList::itemWithName.
https://bugs.webkit.org/show_bug.cgi?id=79532

Reviewed by Andreas Kling.

Source/WebCore:

Make sure that node is an element node before checking its id attribute.

Test: fast/mutation/mutation-callback-non-element-crash.html

* dom/StaticNodeList.cpp:
(WebCore::StaticNodeList::itemWithName):

LayoutTests:

* fast/mutation/mutation-callback-non-element-crash-expected.txt: Added.
* fast/mutation/mutation-callback-non-element-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (108877 => 108878)


--- trunk/LayoutTests/ChangeLog	2012-02-25 01:56:53 UTC (rev 108877)
+++ trunk/LayoutTests/ChangeLog	2012-02-25 02:01:52 UTC (rev 108878)
@@ -1,5 +1,15 @@
 2012-02-24  Abhishek Arya  <[email protected]>
 
+        Regression(r107477): Crash in StaticNodeList::itemWithName.
+        https://bugs.webkit.org/show_bug.cgi?id=79532
+
+        Reviewed by Andreas Kling.
+
+        * fast/mutation/mutation-callback-non-element-crash-expected.txt: Added.
+        * fast/mutation/mutation-callback-non-element-crash.html: Added.
+
+2012-02-24  Abhishek Arya  <[email protected]>
+
         Positioned objects not cleared when moving children
         to clone block in multi-column layout.
         https://bugs.webkit.org/show_bug.cgi?id=78416

Added: trunk/LayoutTests/fast/mutation/mutation-callback-non-element-crash-expected.txt (0 => 108878)


--- trunk/LayoutTests/fast/mutation/mutation-callback-non-element-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/mutation/mutation-callback-non-element-crash-expected.txt	2012-02-25 02:01:52 UTC (rev 108878)
@@ -0,0 +1 @@
+PASS. WebKit didn't crash

Added: trunk/LayoutTests/fast/mutation/mutation-callback-non-element-crash.html (0 => 108878)


--- trunk/LayoutTests/fast/mutation/mutation-callback-non-element-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/mutation/mutation-callback-non-element-crash.html	2012-02-25 02:01:52 UTC (rev 108878)
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+function mutationCallback(mutations, observer) {
+    mutations[0].addedNodes[-1];
+}
+
+var mutationObserver = new WebKitMutationObserver(mutationCallback);
+mutationObserver.observe(document.body, {childList: true});
+document.body.appendChild(document.createTextNode("PASS. WebKit didn't crash"));
+</script>
+</body>
+</html>
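Review bot: the PASS string in this test is the text node appended by the last script line, so the expected output appears whether or not mutationCallback ever runs, and a build that stopped delivering the callback would still pass. Consider having the callback record that it ran, for example by writing the PASS text from inside mutationCallback after the addedNodes[-1] access, and add a one-line comment saying why that access is the trigger, since an expression statement with a negative index otherwise reads like dead code.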
Property changes on: trunk/LayoutTests/fast/mutation/mutation-callback-non-element-crash.html
___________________________________________________________________

Added: svn:executable
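Review bot: the new HTML test is added with svn:executable set. A layout test page is loaded by the test harness rather than executed, so the property looks unintended and should be dropped.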

Modified: trunk/Source/WebCore/ChangeLog (108877 => 108878)


--- trunk/Source/WebCore/ChangeLog	2012-02-25 01:56:53 UTC (rev 108877)
+++ trunk/Source/WebCore/ChangeLog	2012-02-25 02:01:52 UTC (rev 108878)
@@ -1,3 +1,17 @@
+2012-02-24  Abhishek Arya  <[email protected]>
+
+        Regression(r107477): Crash in StaticNodeList::itemWithName.
+        https://bugs.webkit.org/show_bug.cgi?id=79532
+
+        Reviewed by Andreas Kling.
+
+        Make sure that node is an element node before checking its id attribute.
+
+        Test: fast/mutation/mutation-callback-non-element-crash.html
+
+        * dom/StaticNodeList.cpp:
+        (WebCore::StaticNodeList::itemWithName):
+
 2012-02-24  Tony Chang  <[email protected]>
 
         More refactoring in RenderFlexibleBox

Modified: trunk/Source/WebCore/dom/StaticNodeList.cpp (108877 => 108878)


--- trunk/Source/WebCore/dom/StaticNodeList.cpp	2012-02-25 01:56:53 UTC (rev 108877)
+++ trunk/Source/WebCore/dom/StaticNodeList.cpp	2012-02-25 02:01:52 UTC (rev 108878)
@@ -50,7 +50,7 @@
     size_t length = m_nodes.size();
     for (size_t i = 0; i < length; ++i) {
         Node* node = m_nodes[i].get();
-        if (static_cast<Element*>(node)->getIdAttribute() == elementId)
+        if (node->isElementNode() && toElement(node)->getIdAttribute() == elementId)
             return node;
     }
 
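Review bot: the loop in itemWithName should carry a short comment that m_nodes can hold non-element nodes, because the isElementNode() guard on the changed if line is the entire fix and reads as redundant without that context. The removed static_cast<Element*>(node) treated every list entry as an Element, and the new test puts a text node in the list, so it is also worth checking the rest of StaticNodeList.cpp for other unchecked Element downcasts on list entries.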