Skip to site navigation (Press enter)

[webkit-changes] [124509] branches/safari-536.26-branch

lforschler Thu, 02 Aug 2012 15:11:03 -0700

Title: [124509] branches/safari-536.26-branch

Revision: 124509
Author: [email protected]
Date: 2012-08-02 15:11:12 -0700 (Thu, 02 Aug 2012)

Log Message

Merged r119050.  <rdar://problem/11968276>


Modified Paths

branches/safari-536.26-branch/LayoutTests/ChangeLog
branches/safari-536.26-branch/Source/WebCore/ChangeLog
branches/safari-536.26-branch/Source/WebCore/dom/ContainerNode.cpp


Added Paths

branches/safari-536.26-branch/LayoutTests/fast/dom/child-insertion-notify-crash-expected.txt
branches/safari-536.26-branch/LayoutTests/fast/dom/child-insertion-notify-crash.html

Diff

Modified: branches/safari-536.26-branch/LayoutTests/ChangeLog (124508 => 124509)


--- branches/safari-536.26-branch/LayoutTests/ChangeLog	2012-08-02 22:05:02 UTC (rev 124508)
+++ branches/safari-536.26-branch/LayoutTests/ChangeLog	2012-08-02 22:11:12 UTC (rev 124509)
@@ -1,5 +1,19 @@
 2012-08-02  Lucas Forschler  <[email protected]>
 
+    Merge 119050
+
+    2012-05-30  Abhishek Arya  <[email protected]>
+
+            Crash in ContainerNode::parserAddChild.
+            https://bugs.webkit.org/show_bug.cgi?id=87903
+
+            Reviewed by Ryosuke Niwa.
+
+            * fast/dom/child-insertion-notify-crash-expected.txt: Added.
+            * fast/dom/child-insertion-notify-crash.html: Added.
+
+2012-08-02  Lucas Forschler  <[email protected]>
+
     Merge 118816
 
     2012-05-29  Abhishek Arya  <[email protected]>

Copied: branches/safari-536.26-branch/LayoutTests/fast/dom/child-insertion-notify-crash-expected.txt (from rev 119050, trunk/LayoutTests/fast/dom/child-insertion-notify-crash-expected.txt) (0 => 124509)


--- branches/safari-536.26-branch/LayoutTests/fast/dom/child-insertion-notify-crash-expected.txt	                        (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/fast/dom/child-insertion-notify-crash-expected.txt	2012-08-02 22:11:12 UTC (rev 124509)
@@ -0,0 +1,4 @@
+PASS successfullyParsed is true
+
+TEST COMPLETE
+PASS. WebKit didn't crash.

Copied: branches/safari-536.26-branch/LayoutTests/fast/dom/child-insertion-notify-crash.html (from rev 119050, trunk/LayoutTests/fast/dom/child-insertion-notify-crash.html) (0 => 124509)


--- branches/safari-536.26-branch/LayoutTests/fast/dom/child-insertion-notify-crash.html	                        (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/fast/dom/child-insertion-notify-crash.html	2012-08-02 22:11:12 UTC (rev 124509)
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<script src=""
+<script>
+function crash()
+{
+    document.getElementById("test").innerHTML = "PASS. WebKit didn't crash.";
+    gc();    
+}
+</script>
+<div dir="auto" id="test">A<iframe _onload_="crash()"></iframe></div>
+<script src=""
+</html>
+

Modified: branches/safari-536.26-branch/Source/WebCore/ChangeLog (124508 => 124509)


--- branches/safari-536.26-branch/Source/WebCore/ChangeLog	2012-08-02 22:05:02 UTC (rev 124508)
+++ branches/safari-536.26-branch/Source/WebCore/ChangeLog	2012-08-02 22:11:12 UTC (rev 124509)
@@ -1,5 +1,31 @@
 2012-08-02  Lucas Forschler  <[email protected]>
 
+    Merge 119050
+
+    2012-05-30  Abhishek Arya  <[email protected]>
+
+            Crash in ContainerNode::parserAddChild.
+            https://bugs.webkit.org/show_bug.cgi?id=87903
+
+            Reviewed by Ryosuke Niwa.
+
+            Call the ChildNodeInsertionNotifier.notify call at the end since
+            it can destroy |this| and some of the local pointers like |last|.
+            This also matches the order of calls - childrenChanged precedes
+            ChildNodeInsertionNotifier.notify in updateTreeAfterInsertion and
+            ContainerNode::parserInsertBefore.
+
+            Also remove a FIXME since we use ChildNodeInsertionNotifier.notify
+            instead of ChildNodeInsertionNotifier.notifyInsertedIntoDocument
+            (as recommended in the FIXME).
+
+            Test: fast/dom/child-insertion-notify-crash.html
+
+            * dom/ContainerNode.cpp:
+            (WebCore::ContainerNode::parserAddChild):
+
+2012-08-02  Lucas Forschler  <[email protected]>
+
     Merge 118816
 
     2012-05-29  Abhishek Arya  <[email protected]>

Modified: branches/safari-536.26-branch/Source/WebCore/dom/ContainerNode.cpp (124508 => 124509)


--- branches/safari-536.26-branch/Source/WebCore/dom/ContainerNode.cpp	2012-08-02 22:05:02 UTC (rev 124508)
+++ branches/safari-536.26-branch/Source/WebCore/dom/ContainerNode.cpp	2012-08-02 22:11:12 UTC (rev 124509)
@@ -593,10 +593,8 @@
     
     allowEventDispatch();
 
-    // FIXME: Why doesn't this use notify(newChild.get()) instead?
-    if (inDocument())
-        ChildNodeInsertionNotifier(this).notifyInsertedIntoDocument(newChild.get());
     childrenChanged(true, last, 0, 1);
+    ChildNodeInsertionNotifier(this).notify(newChild.get());
 }
 
 void ContainerNode::suspendPostAttachCallbacks()

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes