Diff
Modified: trunk/LayoutTests/ChangeLog (121453 => 121454)
--- trunk/LayoutTests/ChangeLog 2012-06-28 19:45:09 UTC (rev 121453)
+++ trunk/LayoutTests/ChangeLog 2012-06-28 19:48:29 UTC (rev 121454)
@@ -1,3 +1,15 @@
+2012-06-28 Ryosuke Niwa <[email protected]>
+
+ REGRESSION(r121232): named properties on document and window may return wrong object
+ https://bugs.webkit.org/show_bug.cgi?id=90133
+
+ Reviewed by Andreas Kling.
+
+ Add a regression test.
+
+ * fast/dom/HTMLDocument/named-item-multiple-match-expected.txt: Added.
+ * fast/dom/HTMLDocument/named-item-multiple-match.html: Added.
+
2012-06-28 Zeev Lieber <[email protected]>
[Skia] Computing the resampling mode ignores scale applied to the canvas
Added: trunk/LayoutTests/fast/dom/HTMLDocument/named-item-multiple-match-expected.txt (0 => 121454)
--- trunk/LayoutTests/fast/dom/HTMLDocument/named-item-multiple-match-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/dom/HTMLDocument/named-item-multiple-match-expected.txt 2012-06-28 19:48:29 UTC (rev 121454)
@@ -0,0 +1,11 @@
+PASS collection = window.someName; collection.length is 2
+PASS collection[0].title is "first"
+PASS collection[1].title is "second"
+PASS collection[1]; window.someName is collection
+PASS collection = document.someName; collection.length is 2
+PASS collection[0].title is "first"
+PASS collection[1].title is "second"
+PASS collection[1]; document.someName is collection
+Tests that the named item created for an image with an ID is correctly removed. The test passes, if you see a "PASS" message in the div below.
+
+
Added: trunk/LayoutTests/fast/dom/HTMLDocument/named-item-multiple-match.html (0 => 121454)
--- trunk/LayoutTests/fast/dom/HTMLDocument/named-item-multiple-match.html (rev 0)
+++ trunk/LayoutTests/fast/dom/HTMLDocument/named-item-multiple-match.html 2012-06-28 19:48:29 UTC (rev 121454)
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>
+Tests that the named item created for an image with an ID is correctly removed.
+The test passes, if you see a "PASS" message in the div below.
+</p>
+<form name="someName" title="first"></form>
+<form name="someName" title="second"></form>
+<script src=""
+<script>
+
+var collection;
+shouldBe('collection = window.someName; collection.length', '2');
+shouldBe('collection[0].title', '"first"');
+shouldBe('collection[1].title', '"second"');
+shouldBe('collection[1]; window.someName', 'collection');
+
+shouldBe('collection = document.someName; collection.length', '2');
+shouldBe('collection[0].title', '"first"');
+shouldBe('collection[1].title', '"second"');
+shouldBe('collection[1]; document.someName', 'collection');
+
+</script>
+</body>
+</html>
+
Modified: trunk/Source/WebCore/ChangeLog (121453 => 121454)
--- trunk/Source/WebCore/ChangeLog 2012-06-28 19:45:09 UTC (rev 121453)
+++ trunk/Source/WebCore/ChangeLog 2012-06-28 19:48:29 UTC (rev 121454)
@@ -1,3 +1,24 @@
+2012-06-28 Ryosuke Niwa <[email protected]>
+
+ REGRESSION(r121232): named properties on document and window may return wrong object
+ https://bugs.webkit.org/show_bug.cgi?id=90133
+
+ Reviewed by Andreas Kling.
+
+ Fixed the bug. Also replaced hasAnyItem by isEmpty (hasAnyItem() is equivalent to !isEmpty()).
+
+ Test: fast/dom/HTMLDocument/named-item-multiple-match.html
+
+ * bindings/js/JSHTMLDocumentCustom.cpp:
+ (WebCore::JSHTMLDocument::nameGetter):
+ * bindings/v8/custom/V8DOMWindowCustom.cpp:
+ (WebCore::V8DOMWindow::namedPropertyGetter):
+ * bindings/v8/custom/V8HTMLDocumentCustom.cpp:
+ (WebCore::V8HTMLDocument::GetNamedProperty):
+ * html/HTMLCollection.h:
+ (WebCore::HTMLCollection::isEmpty):
+ (WebCore::HTMLCollection::hasExactlyOneItem):
+
2012-06-28 Zeev Lieber <[email protected]>
[Skia] Computing the resampling mode ignores scale applied to the canvas
Modified: trunk/Source/WebCore/bindings/js/JSHTMLDocumentCustom.cpp (121453 => 121454)
--- trunk/Source/WebCore/bindings/js/JSHTMLDocumentCustom.cpp 2012-06-28 19:45:09 UTC (rev 121453)
+++ trunk/Source/WebCore/bindings/js/JSHTMLDocumentCustom.cpp 2012-06-28 19:48:29 UTC (rev 121454)
@@ -64,7 +64,7 @@
HTMLCollection* collection = document->documentNamedItems(propertyNameToAtomicString(propertyName));
- if (!collection->hasAnyItem())
+ if (collection->isEmpty())
return jsUndefined();
if (collection->hasExactlyOneItem()) {
Modified: trunk/Source/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp (121453 => 121454)
--- trunk/Source/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp 2012-06-28 19:45:09 UTC (rev 121453)
+++ trunk/Source/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp 2012-06-28 19:48:29 UTC (rev 121454)
@@ -521,7 +521,7 @@
if (doc && doc->isHTMLDocument()) {
if (static_cast<HTMLDocument*>(doc)->hasNamedItem(propName.impl()) || doc->hasElementWithId(propName.impl())) {
HTMLCollection* items = doc->windowNamedItems(propName);
- if (items->hasAnyItem()) {
+ if (!items->isEmpty()) {
if (items->hasExactlyOneItem())
return toV8(items->item(0), info.GetIsolate());
return toV8(items, info.GetIsolate());
Modified: trunk/Source/WebCore/bindings/v8/custom/V8HTMLDocumentCustom.cpp (121453 => 121454)
--- trunk/Source/WebCore/bindings/v8/custom/V8HTMLDocumentCustom.cpp 2012-06-28 19:45:09 UTC (rev 121453)
+++ trunk/Source/WebCore/bindings/v8/custom/V8HTMLDocumentCustom.cpp 2012-06-28 19:48:29 UTC (rev 121454)
@@ -85,7 +85,7 @@
return v8::Handle<v8::Value>();
HTMLCollection* items = htmlDocument->documentNamedItems(key);
- if (!items->hasAnyItem())
+ if (items->isEmpty())
return v8::Handle<v8::Value>();
if (items->hasExactlyOneItem()) {
Modified: trunk/Source/WebCore/html/HTMLCollection.h (121453 => 121454)
--- trunk/Source/WebCore/html/HTMLCollection.h 2012-06-28 19:45:09 UTC (rev 121453)
+++ trunk/Source/WebCore/html/HTMLCollection.h 2012-06-28 19:48:29 UTC (rev 121454)
@@ -53,15 +53,21 @@
// Non-DOM API
bool hasNamedItem(const AtomicString& name) const;
void namedItems(const AtomicString& name, Vector<RefPtr<Node> >&) const;
- bool hasAnyItem() const
+ bool isEmpty() const
{
invalidateCacheIfNeeded();
- return (m_cache.hasLength && m_cache.length) || m_cache.current || item(0);
+ if (m_cache.hasLength)
+ return !m_cache.length;
+ return !m_cache.current && !item(0);
}
bool hasExactlyOneItem() const
{
invalidateCacheIfNeeded();
- return (m_cache.hasLength && m_cache.length == 1) || (m_cache.current && !itemAfter(m_cache.current)) || (item(0) && !item(1));
+ if (m_cache.hasLength)
+ return m_cache.length == 1;
+ if (m_cache.current)
+ return !m_cache.position && !item(1);
+ return item(0) && !item(1);
}
Node* base() const { return m_base; }
