Title: [111940] releases/WebKitGTK/webkit-1.8
Diff
Modified: releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog (111939 => 111940)
--- releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog 2012-03-24 00:30:59 UTC (rev 111939)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog 2012-03-24 00:32:02 UTC (rev 111940)
@@ -1,3 +1,13 @@
+2012-03-23 Abhishek Arya <[email protected]>
+
+ Regression(r107477): Crash in StaticNodeList::itemWithName.
+ https://bugs.webkit.org/show_bug.cgi?id=79532
+
+ Reviewed by Andreas Kling.
+
+ * fast/mutation/mutation-callback-non-element-crash-expected.txt: Added.
+ * fast/mutation/mutation-callback-non-element-crash.html: Added.
+
2012-03-23 Ryosuke Niwa <[email protected]>
REGRESSION(r99076): WebKit pastes the trailing newline into a single-line text field
Added: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/mutation/mutation-callback-non-element-crash-expected.txt (0 => 111940)
--- releases/WebKitGTK/webkit-1.8/LayoutTests/fast/mutation/mutation-callback-non-element-crash-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/fast/mutation/mutation-callback-non-element-crash-expected.txt 2012-03-24 00:32:02 UTC (rev 111940)
@@ -0,0 +1 @@
+PASS. WebKit didn't crash
Property changes on: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/mutation/mutation-callback-non-element-crash-expected.txt
___________________________________________________________________
Added: svn:eol-style
Added: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/mutation/mutation-callback-non-element-crash.html (0 => 111940)
--- releases/WebKitGTK/webkit-1.8/LayoutTests/fast/mutation/mutation-callback-non-element-crash.html (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/fast/mutation/mutation-callback-non-element-crash.html 2012-03-24 00:32:02 UTC (rev 111940)
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+function mutationCallback(mutations, observer) {
+ mutations[0].addedNodes[-1];
+}
+
+var mutationObserver = new WebKitMutationObserver(mutationCallback);
+mutationObserver.observe(document.body, {childList: true});
+document.body.appendChild(document.createTextNode("PASS. WebKit didn't crash"));
+</script>
+</body>
+</html>
Property changes on: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/mutation/mutation-callback-non-element-crash.html
___________________________________________________________________
Added: svn:executable
Added: svn:eol-style
Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog (111939 => 111940)
--- releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog 2012-03-24 00:30:59 UTC (rev 111939)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog 2012-03-24 00:32:02 UTC (rev 111940)
@@ -1,3 +1,17 @@
+2012-03-23 Abhishek Arya <[email protected]>
+
+ Regression(r107477): Crash in StaticNodeList::itemWithName.
+ https://bugs.webkit.org/show_bug.cgi?id=79532
+
+ Reviewed by Andreas Kling.
+
+ Make sure that node is an element node before checking its id attribute.
+
+ Test: fast/mutation/mutation-callback-non-element-crash.html
+
+ * dom/StaticNodeList.cpp:
+ (WebCore::StaticNodeList::itemWithName):
+
2012-03-23 Ryosuke Niwa <[email protected]>
REGRESSION(r99076): WebKit pastes the trailing newline into a single-line text field
Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/dom/StaticNodeList.cpp (111939 => 111940)
--- releases/WebKitGTK/webkit-1.8/Source/WebCore/dom/StaticNodeList.cpp 2012-03-24 00:30:59 UTC (rev 111939)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/dom/StaticNodeList.cpp 2012-03-24 00:32:02 UTC (rev 111940)
@@ -50,7 +50,7 @@
size_t length = m_nodes.size();
for (size_t i = 0; i < length; ++i) {
Node* node = m_nodes[i].get();
- if (static_cast<Element*>(node)->getIdAttribute() == elementId)
+ if (node->isElementNode() && toElement(node)->getIdAttribute() == elementId)
return node;
}
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
