Modified: trunk/LayoutTests/ChangeLog (110448 => 110449)
--- trunk/LayoutTests/ChangeLog 2012-03-12 18:28:40 UTC (rev 110448)
+++ trunk/LayoutTests/ChangeLog 2012-03-12 18:38:12 UTC (rev 110449)
@@ -1,3 +1,14 @@
+2012-03-12 Ryosuke Niwa <[email protected]>
+
+ REGRESSION(r109285): Crash in WebCore::Document::nodeChildrenWillBeRemoved
+ https://bugs.webkit.org/show_bug.cgi?id=80578
+
+ Reviewed by Andreas Kling.
+
+ * fast/regions/select-in-region-crash-expected.txt: Rebaselined.
+ * svg/css/style-change-crash-expected.txt: Added.
+ * svg/css/style-change-crash.html: Added.
+
2012-03-12 Sadrul Habib Chowdhury <[email protected]>
Touch event handler count is not updated when adding handlers to the window.
Modified: trunk/LayoutTests/fast/regions/select-in-region-crash-expected.txt (110448 => 110449)
--- trunk/LayoutTests/fast/regions/select-in-region-crash-expected.txt 2012-03-12 18:28:40 UTC (rev 110448)
+++ trunk/LayoutTests/fast/regions/select-in-region-crash-expected.txt 2012-03-12 18:38:12 UTC (rev 110449)
@@ -3,4 +3,3 @@
This test PASSES if it does not CRASH or ASSERT.
-
Added: trunk/LayoutTests/svg/css/style-change-crash-expected.txt (0 => 110449)
--- trunk/LayoutTests/svg/css/style-change-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/svg/css/style-change-crash-expected.txt 2012-03-12 18:38:12 UTC (rev 110449)
@@ -0,0 +1,3 @@
+ALERT: PASS. WebKit didn't crash
+
+
Added: trunk/LayoutTests/svg/css/style-change-crash.html (0 => 110449)
--- trunk/LayoutTests/svg/css/style-change-crash.html (rev 0)
+++ trunk/LayoutTests/svg/css/style-change-crash.html 2012-03-12 18:38:12 UTC (rev 110449)
@@ -0,0 +1,24 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+ <g>
+ <rect id="rect"/>
+ </g>
+ <br/>
+<script>
+
+function write_br() {
+ document.write("<br/>");
+ GCController.collect();
+}
+
+document.body.offsetHeight;
+window.addEventListener("DOMSubtreeModified", write_br);
+document.getElementById("rect").style.WebkitWrap="both 2147483519";
+
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ alert("PASS. WebKit didn't crash");
+} else
+ alert("This test requires GCController.");
+
+</script>
+</svg>
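Review bot: The fallback message at the end of the script says the test requires GCController, but the guard on the `if` checks `window.layoutTestController` only, while `GCController.collect()` inside write_br is unguarded; if the DOMSubtreeModified listener ever fires outside DumpRenderTree, that line throws a ReferenceError before either alert is reached. Checking the object the test actually depends on, `if (window.layoutTestController && window.GCController) {`, makes the failure mode match the message. The style value `both 2147483519` is the trigger for the regression and deserves a one-line comment saying why that particular value was chosen, since nothing in the file explains it.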
Modified: trunk/Source/WebCore/ChangeLog (110448 => 110449)
--- trunk/Source/WebCore/ChangeLog 2012-03-12 18:28:40 UTC (rev 110448)
+++ trunk/Source/WebCore/ChangeLog 2012-03-12 18:38:12 UTC (rev 110449)
@@ -1,3 +1,25 @@
+2012-03-12 Ryosuke Niwa <[email protected]>
+
+ REGRESSION(r109285): Crash in WebCore::Document::nodeChildrenWillBeRemoved
+ https://bugs.webkit.org/show_bug.cgi?id=80578
+
+ Reviewed by Andreas Kling.
+
+ Test: svg/css/style-change-crash.html
+
+ * dom/Element.cpp:
+ (WebCore::Element::setAttribute):
+ (WebCore::Element::setAttributeInternal):
+ * dom/Element.h:
+ (Element):
+ * dom/ElementAttributeData.cpp:
+ (WebCore::ElementAttributeData::addAttribute):
+ (WebCore::ElementAttributeData::removeAttribute):
+ * dom/ElementAttributeData.h:
+ (ElementAttributeData):
+ * dom/StyledElement.cpp:
+ (WebCore::StyledElement::updateStyleAttribute):
+
2012-03-12 Sadrul Habib Chowdhury <[email protected]>
Touch event handler count is not updated when adding handlers to the window.
Modified: trunk/Source/WebCore/dom/Element.cpp (110448 => 110449)
--- trunk/Source/WebCore/dom/Element.cpp 2012-03-12 18:28:40 UTC (rev 110448)
+++ trunk/Source/WebCore/dom/Element.cpp 2012-03-12 18:38:12 UTC (rev 110449)
@@ -632,29 +632,29 @@
size_t index = ensureUpdatedAttributeData()->getAttributeItemIndex(localName, false);
const QualifiedName& qName = index != notFound ? attributeItem(index)->name() : QualifiedName(nullAtom, localName, nullAtom);
- setAttributeInternal(index, qName, value);
+ setAttributeInternal(index, qName, value, NotInUpdateStyleAttribute);
}
-void Element::setAttribute(const QualifiedName& name, const AtomicString& value, bool notifyChanged)
+void Element::setAttribute(const QualifiedName& name, const AtomicString& value, EInUpdateStyleAttribute inUpdateStyleAttribute)
{
- setAttributeInternal(ensureUpdatedAttributeData()->getAttributeItemIndex(name), name, value, notifyChanged);
+ setAttributeInternal(ensureUpdatedAttributeData()->getAttributeItemIndex(name), name, value, inUpdateStyleAttribute);
}
-inline void Element::setAttributeInternal(size_t index, const QualifiedName& name, const AtomicString& value, bool notifyChanged)
+inline void Element::setAttributeInternal(size_t index, const QualifiedName& name, const AtomicString& value, EInUpdateStyleAttribute inUpdateStyleAttribute)
{
Attribute* old = index != notFound ? m_attributeData->attributeItem(index) : 0;
if (value.isNull()) {
if (old)
- m_attributeData->removeAttribute(index, this);
+ m_attributeData->removeAttribute(index, this, inUpdateStyleAttribute);
return;
}
if (!old) {
- m_attributeData->addAttribute(Attribute::create(name, value), this);
+ m_attributeData->addAttribute(Attribute::create(name, value), this, inUpdateStyleAttribute);
return;
}
- if (notifyChanged)
+ if (inUpdateStyleAttribute == NotInUpdateStyleAttribute)
willModifyAttribute(name, old ? old->value() : nullAtom, value);
if (Attr* attrNode = old->attr())
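Review bot: In setAttributeInternal the ternary `old ? old->value() : nullAtom` passed to willModifyAttribute is dead: the `if (!old)` branch above has already returned, so `old` is non-null at that point and `willModifyAttribute(name, old->value(), value);` states what actually happens. More importantly, `old` is a raw Attribute* fetched from m_attributeData before willModifyAttribute and dereferenced after it (`old->attr()` here, `old->setValue(value)` in the next hunk); if willModifyAttribute can dispatch mutation events that run script — the regression test for this commit mutates the document from a DOMSubtreeModified listener — a listener that removes attributes could leave `old` dangling on the NotInUpdateStyleAttribute path. Holding it as `RefPtr<Attribute> old = ...` for the duration of the call, or a comment stating why listeners cannot invalidate it, would make that path robust. The function's body continues into the following hunk.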
@@ -662,7 +662,7 @@
else
old->setValue(value);
- if (notifyChanged)
+ if (inUpdateStyleAttribute == NotInUpdateStyleAttribute)
didModifyAttribute(old);
}
Modified: trunk/Source/WebCore/dom/Element.h (110448 => 110449)
--- trunk/Source/WebCore/dom/Element.h 2012-03-12 18:28:40 UTC (rev 110448)
+++ trunk/Source/WebCore/dom/Element.h 2012-03-12 18:38:12 UTC (rev 110449)
@@ -113,7 +113,7 @@
bool hasAttribute(const QualifiedName&) const;
const AtomicString& getAttribute(const QualifiedName&) const;
- void setAttribute(const QualifiedName&, const AtomicString& value, bool notifyChanged = true);
+ void setAttribute(const QualifiedName&, const AtomicString& value, EInUpdateStyleAttribute = NotInUpdateStyleAttribute);
void removeAttribute(const QualifiedName&);
// Typed getters and setters for language bindings.
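Review bot: The new EInUpdateStyleAttribute parameter on setAttribute is undocumented, and its type is declared in ElementAttributeData.h rather than here, so a reader of Element.h cannot tell what passing InUpdateStyleAttribute changes. A comment above the declaration such as `// Pass InUpdateStyleAttribute only when re-serializing the inline style into the style attribute; the will/didModifyAttribute notifications (and whatever they trigger) are then skipped for that write.` records the behaviour visible in Element.cpp and ElementAttributeData.cpp. The same note applies to the setAttributeInternal declaration in the next hunk, which drops its default and so now requires every caller to state the mode.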
@@ -429,7 +429,7 @@
virtual NodeType nodeType() const;
virtual bool childTypeAllowed(NodeType) const;
- void setAttributeInternal(size_t index, const QualifiedName&, const AtomicString& value, bool notifyChanged = true);
+ void setAttributeInternal(size_t index, const QualifiedName&, const AtomicString& value, EInUpdateStyleAttribute);
#ifndef NDEBUG
virtual void formatForDebugger(char* buffer, unsigned length) const;
Modified: trunk/Source/WebCore/dom/ElementAttributeData.cpp (110448 => 110449)
--- trunk/Source/WebCore/dom/ElementAttributeData.cpp 2012-03-12 18:28:40 UTC (rev 110448)
+++ trunk/Source/WebCore/dom/ElementAttributeData.cpp 2012-03-12 18:38:12 UTC (rev 110449)
@@ -93,35 +93,35 @@
m_inlineStyleDecl = 0;
}
-void ElementAttributeData::addAttribute(PassRefPtr<Attribute> prpAttribute, Element* element)
+void ElementAttributeData::addAttribute(PassRefPtr<Attribute> prpAttribute, Element* element, EInUpdateStyleAttribute inUpdateStyleAttribute)
{
RefPtr<Attribute> attribute = prpAttribute;
- if (element)
+ if (element && inUpdateStyleAttribute == NotInUpdateStyleAttribute)
element->willModifyAttribute(attribute->name(), nullAtom, attribute->value());
m_attributes.append(attribute);
if (Attr* attr = attribute->attr())
attr->m_element = element;
- if (element)
+ if (element && inUpdateStyleAttribute == NotInUpdateStyleAttribute)
element->didModifyAttribute(attribute.get());
}
-void ElementAttributeData::removeAttribute(size_t index, Element* element)
+void ElementAttributeData::removeAttribute(size_t index, Element* element, EInUpdateStyleAttribute inUpdateStyleAttribute)
{
ASSERT(index < length());
RefPtr<Attribute> attribute = m_attributes[index];
- if (element)
+ if (element && inUpdateStyleAttribute == NotInUpdateStyleAttribute)
element->willRemoveAttribute(attribute->name(), attribute->value());
if (Attr* attr = attribute->attr())
attr->m_element = 0;
m_attributes.remove(index);
- if (element)
+ if (element && inUpdateStyleAttribute == NotInUpdateStyleAttribute)
element->didRemoveAttribute(attribute.get());
}
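Review bot: The condition `element && inUpdateStyleAttribute == NotInUpdateStyleAttribute` is written out four times across addAttribute and removeAttribute, once before and once after the mutation in each function, and nothing ties the two copies together even though the pre- and post-notification must agree. Computing it once at the top of each function, `bool shouldNotify = element && inUpdateStyleAttribute == NotInUpdateStyleAttribute;`, and testing `if (shouldNotify)` at both sites keeps the pair in lockstep and reads as a single decision. The same repeated comparison appears in Element::setAttributeInternal in Element.cpp.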
Modified: trunk/Source/WebCore/dom/ElementAttributeData.h (110448 => 110449)
--- trunk/Source/WebCore/dom/ElementAttributeData.h 2012-03-12 18:28:40 UTC (rev 110448)
+++ trunk/Source/WebCore/dom/ElementAttributeData.h 2012-03-12 18:38:12 UTC (rev 110449)
@@ -80,6 +80,8 @@
append(newAttribute);
}
+enum EInUpdateStyleAttribute { NotInUpdateStyleAttribute, InUpdateStyleAttribute };
+
class ElementAttributeData {
public:
static PassOwnPtr<ElementAttributeData> create()
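Review bot: `enum EInUpdateStyleAttribute` is introduced at namespace scope with no comment, and its name describes the caller (updateStyleAttribute) rather than the effect, which is the only thing the enum controls in this diff: whether addAttribute/removeAttribute and Element::setAttributeInternal invoke the element's will/did{Modify,Remove}Attribute hooks. A comment above it such as `// Passed by StyledElement::updateStyleAttribute when it writes the serialized inline style back into the style attribute; InUpdateStyleAttribute suppresses the element's will/didModifyAttribute and will/didRemoveAttribute notifications for that write.` tells a reader what they are opting out of. Without it, the enumerator reads as a statement about where the caller is rather than about what is skipped.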
@@ -118,9 +120,9 @@
size_t getAttributeItemIndex(const String& name, bool shouldIgnoreAttributeCase) const;
// These functions do no error checking.
- void addAttribute(PassRefPtr<Attribute>, Element*);
+ void addAttribute(PassRefPtr<Attribute>, Element*, EInUpdateStyleAttribute = NotInUpdateStyleAttribute);
void removeAttribute(const QualifiedName&, Element*);
- void removeAttribute(size_t index, Element*);
+ void removeAttribute(size_t index, Element*, EInUpdateStyleAttribute = NotInUpdateStyleAttribute);
PassRefPtr<Attr> takeAttribute(size_t index, Element*);
bool hasID() const { return !m_idForStyleResolution.isNull(); }
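Review bot: Only addAttribute and the index-based removeAttribute gain the EInUpdateStyleAttribute parameter; the `removeAttribute(const QualifiedName&, Element*)` overload declared between them is left unchanged. If that overload forwards to the index-based one (its body is not in this diff), it will always use the default and notify, so a caller on the updateStyleAttribute path that removes by name would still fire the notifications this change suppresses. Either give it the same defaulted parameter for consistency with its siblings, or add a comment stating that it is intentionally always-notifying.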
Modified: trunk/Source/WebCore/dom/StyledElement.cpp (110448 => 110449)
--- trunk/Source/WebCore/dom/StyledElement.cpp 2012-03-12 18:28:40 UTC (rev 110448)
+++ trunk/Source/WebCore/dom/StyledElement.cpp 2012-03-12 18:38:12 UTC (rev 110449)
@@ -78,7 +78,7 @@
ASSERT(!isStyleAttributeValid());
setIsStyleAttributeValid();
if (const StylePropertySet* inlineStyle = this->inlineStyle())
- const_cast<StyledElement*>(this)->setAttribute(styleAttr, inlineStyle->asText(), /*notifyChanged*/ false);
+ const_cast<StyledElement*>(this)->setAttribute(styleAttr, inlineStyle->asText(), InUpdateStyleAttribute);
}
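Review bot: The call site now passes InUpdateStyleAttribute, but nothing in updateStyleAttribute says why notifications are unwanted here, and the function is const with a const_cast on the changed line, so the reason matters to the next person who touches it. A comment before the `if`, such as `// Skip will/didModifyAttribute: this only re-serializes the inline style into the style attribute; see https://bugs.webkit.org/show_bug.cgi?id=80578.`, would record the intent, and the linked test svg/css/style-change-crash.html shows the scenario (a DOMSubtreeModified listener that rewrites the document during this update). The function's beginning lies outside the hunk.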
StyledElement::~StyledElement()