Title: [124507] branches/safari-536.26-branch
- Revision
- 124507
- Author
- [email protected]
- Date
- 2012-08-02 15:01:58 -0700 (Thu, 02 Aug 2012)
Log Message
Merged r118703. <rdar://problem/11968262>
Modified Paths
Added Paths
Diff
Modified: branches/safari-536.26-branch/LayoutTests/ChangeLog (124506 => 124507)
--- branches/safari-536.26-branch/LayoutTests/ChangeLog 2012-08-02 21:59:47 UTC (rev 124506)
+++ branches/safari-536.26-branch/LayoutTests/ChangeLog 2012-08-02 22:01:58 UTC (rev 124507)
@@ -1,5 +1,22 @@
2012-08-02 Lucas Forschler <[email protected]>
+ Merge 118703
+
+ 2012-05-28 Yong Li <[email protected]>
+
+ Crash on incomplete :not().
+ https://bugs.webkit.org/show_bug.cgi?id=86673
+
+ Reviewed by Antti Koivisto.
+
+ Add a test case that makes CSS parser create incomplete
+ :not selector.
+
+ * fast/css/crash-on-incomplete-not.html: Added.
+ * fast/css/crash-on-incomplete-not-expected.txt: Added.
+
+2012-08-02 Lucas Forschler <[email protected]>
+
Merge 118592
2012-05-25 Abhishek Arya <[email protected]>
Copied: branches/safari-536.26-branch/LayoutTests/fast/css/crash-on-incomplete-not-expected.txt (from rev 118703, trunk/LayoutTests/fast/css/crash-on-incomplete-not-expected.txt) (0 => 124507)
--- branches/safari-536.26-branch/LayoutTests/fast/css/crash-on-incomplete-not-expected.txt (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/fast/css/crash-on-incomplete-not-expected.txt 2012-08-02 22:01:58 UTC (rev 124507)
@@ -0,0 +1 @@
+PASS without crash.
Copied: branches/safari-536.26-branch/LayoutTests/fast/css/crash-on-incomplete-not.html (from rev 118703, trunk/LayoutTests/fast/css/crash-on-incomplete-not.html) (0 => 124507)
--- branches/safari-536.26-branch/LayoutTests/fast/css/crash-on-incomplete-not.html (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/fast/css/crash-on-incomplete-not.html 2012-08-02 22:01:58 UTC (rev 124507)
@@ -0,0 +1,23 @@
+<html>
+<head>
+<style id="m"></style>
+</head>
+<body>
+<script>
+ var g = ":not\\( .title{}";
+ var me = document.getElementById("m");
+ window.setTimeout(runTest,0);
+ function runTest(){
+ me.textContent=g;
+ if (window.layoutTestController) {
+ layoutTestController.notifyDone();
+ }
+ }
+ if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+ }
+</script>
+<p>PASS without crash.</p>
+</body>
+</html>
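Review bot: `runTest` calls `layoutTestController.notifyDone()` immediately after `me.textContent=g;`, so whether the patched selector-matching code runs before the test finishes depends on when the harness triggers style recalculation, which this file does not show. Forcing it would make the regression test deterministic: add `document.body.offsetTop;` between the assignment and the `notifyDone()` call. The test also never reads the rule back, so the `selectorText` path listed in the WebCore ChangeLog is presumably not exercised here.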
Modified: branches/safari-536.26-branch/Source/WebCore/ChangeLog (124506 => 124507)
--- branches/safari-536.26-branch/Source/WebCore/ChangeLog 2012-08-02 21:59:47 UTC (rev 124506)
+++ branches/safari-536.26-branch/Source/WebCore/ChangeLog 2012-08-02 22:01:58 UTC (rev 124507)
@@ -1,5 +1,26 @@
2012-08-02 Lucas Forschler <[email protected]>
+ Merge 118703
+
+ 2012-05-28 Yong Li <[email protected]>
+
+ Crash on incomplete :not().
+ https://bugs.webkit.org/show_bug.cgi?id=86673
+
+ Reviewed by Antti Koivisto.
+
+ Add back null-checks for incomplete :not() class
+ which were dropped by r81845.
+
+ * css/CSSSelector.cpp:
+ (WebCore::CSSSelector::specificityForOneSelector):
+ (WebCore::CSSSelector::selectorText):
+ * css/SelectorChecker.cpp:
+ (WebCore::SelectorChecker::checkOneSelector):
+ (WebCore::SelectorChecker::determineLinkMatchType):
+
+2012-08-02 Lucas Forschler <[email protected]>
+
Merge 118592
2012-05-25 Abhishek Arya <[email protected]>
Modified: branches/safari-536.26-branch/Source/WebCore/css/CSSSelector.cpp (124506 => 124507)
--- branches/safari-536.26-branch/Source/WebCore/css/CSSSelector.cpp 2012-08-02 21:59:47 UTC (rev 124506)
+++ branches/safari-536.26-branch/Source/WebCore/css/CSSSelector.cpp 2012-08-02 22:01:58 UTC (rev 124507)
@@ -81,10 +81,9 @@
case End:
// FIXME: PsuedoAny should base the specificity on the sub-selectors.
// See http://lists.w3.org/Archives/Public/www-style/2010Sep/0530.html
- if (pseudoType() == PseudoNot) {
- ASSERT(selectorList());
+ if (pseudoType() == PseudoNot && selectorList())
s += selectorList()->first()->specificityForOneSelector();
- } else
+ else
s += 0x100;
case None:
break;
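Review bot: An incomplete `:not(` now falls into the `else` branch and is scored `0x100`, the same as an ordinary pseudo-class, and nothing in the hunk says this is deliberate. A comment on the condition would record it, e.g. `// An incomplete :not() has no selector list (bug 86673); score it like a plain pseudo-class.` The condition also calls `selectorList()` twice, while the `selectorText` hunk in this file binds the result to a local first; doing the same here would keep the two sites consistent. The enclosing switch starts and ends outside the hunk.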
@@ -544,8 +543,8 @@
switch (cs->pseudoType()) {
case PseudoNot:
- ASSERT(cs->selectorList());
- str += cs->selectorList()->first()->selectorText();
+ if (CSSSelectorList* selectorList = cs->selectorList())
+ str += selectorList->first()->selectorText();
str += ")";
break;
case PseudoLang:
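Review bot: `str += ")";` still runs when `cs->selectorList()` is null, so the serialized selector ends in a closing parenthesis with no argument before it. The opening part is appended outside this hunk, so the exact text cannot be seen here. If that string can be fed back to the CSS parser, it is worth confirming that it reparses to a rule that is still rejected or ignored rather than to a different selector. At minimum, a comment above the `if` such as `// Incomplete :not() (no selector list) serializes with an empty argument.` would mark the output as intentional.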
Modified: branches/safari-536.26-branch/Source/WebCore/css/SelectorChecker.cpp (124506 => 124507)
--- branches/safari-536.26-branch/Source/WebCore/css/SelectorChecker.cpp 2012-08-02 21:59:47 UTC (rev 124506)
+++ branches/safari-536.26-branch/Source/WebCore/css/SelectorChecker.cpp 2012-08-02 22:01:58 UTC (rev 124507)
@@ -729,10 +729,15 @@
if (selector->m_match == CSSSelector::PseudoClass) {
// Handle :not up front.
if (selector->pseudoType() == CSSSelector::PseudoNot) {
- ASSERT(selector->selectorList());
+ CSSSelectorList* selectorList = selector->selectorList();
+
+ // FIXME: We probably should fix the parser and make it never produce :not rules with missing selector list.
+ if (!selectorList)
+ return false;
+
SelectorCheckingContext subContext(context);
subContext.isSubSelector = true;
- for (subContext.selector = selector->selectorList()->first(); subContext.selector; subContext.selector = subContext.selector->tagHistory()) {
+ for (subContext.selector = selectorList->first(); subContext.selector; subContext.selector = subContext.selector->tagHistory()) {
// :not cannot nest. I don't really know why this is a
// restriction in CSS3, but it is, so let's honor it.
// the parser enforces that this never occurs
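Review bot: The new FIXME names the real defect, the parser emitting `:not` with no selector list, but carries no bug reference, so the follow-up is easy to lose. Returning false here fails closed, which is the right default. However, the guard is repeated by hand at each of the four sites in this commit (`specificityForOneSelector`, `selectorText`, `checkOneSelector`, `determineLinkMatchType`), and any other reader of `selectorList()` on a `PseudoNot` selector is not visible here and may still dereference null. Consider extending the comment to `// FIXME: Fix the parser so it never produces :not rules with a missing selector list (see https://bugs.webkit.org/show_bug.cgi?id=86673); until then every PseudoNot reader must null-check selectorList().` The body of `checkOneSelector` continues outside the hunk.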
@@ -1321,13 +1326,19 @@
for (; selector; selector = selector->tagHistory()) {
switch (selector->pseudoType()) {
case CSSSelector::PseudoNot:
- // :not(:visited) is equivalent to :link. Parser enforces that :not can't nest.
- for (CSSSelector* subSelector = selector->selectorList()->first(); subSelector; subSelector = subSelector->tagHistory()) {
- CSSSelector::PseudoType subType = subSelector->pseudoType();
- if (subType == CSSSelector::PseudoVisited)
- linkMatchType &= ~SelectorChecker::MatchVisited;
- else if (subType == CSSSelector::PseudoLink)
- linkMatchType &= ~SelectorChecker::MatchLink;
+ {
+ // :not(:visited) is equivalent to :link. Parser enforces that :not can't nest.
+ CSSSelectorList* selectorList = selector->selectorList();
+ if (!selectorList)
+ break;
+
+ for (CSSSelector* subSelector = selectorList->first(); subSelector; subSelector = subSelector->tagHistory()) {
+ CSSSelector::PseudoType subType = subSelector->pseudoType();
+ if (subType == CSSSelector::PseudoVisited)
+ linkMatchType &= ~SelectorChecker::MatchVisited;
+ else if (subType == CSSSelector::PseudoLink)
+ linkMatchType &= ~SelectorChecker::MatchLink;
+ }
}
break;
case CSSSelector::PseudoLink:
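Review bot: The early `break` on a null `selectorList` leaves both `MatchVisited` and `MatchLink` set in `linkMatchType`. That is safe only because `checkOneSelector` in this same commit returns false for the same selector, and nothing at this site says so. A comment on the guard would record the dependency, e.g. `// Incomplete :not() never matches (checkOneSelector returns false), so leave linkMatchType unchanged.` The existing ":not(:visited) is equivalent to :link" comment now sits above the null check rather than the loop it describes, and would read better directly above the `for`. The enclosing function starts outside the hunk.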