Title: [137971] branches/chromium/1312
Revision
137971
Author
[email protected]
Date
2012-12-17 19:41:28 -0800 (Mon, 17 Dec 2012)

Log Message

Merge 137702
BUG=165864
Review URL: https://codereview.chromium.org/11573057

Modified Paths

Added Paths

Diff

Copied: branches/chromium/1312/LayoutTests/fast/dom/insertedIntoDocument-no-crash-expected.txt (from rev 137702, trunk/LayoutTests/fast/dom/insertedIntoDocument-no-crash-expected.txt) (0 => 137971)


--- branches/chromium/1312/LayoutTests/fast/dom/insertedIntoDocument-no-crash-expected.txt	                        (rev 0)
+++ branches/chromium/1312/LayoutTests/fast/dom/insertedIntoDocument-no-crash-expected.txt	2012-12-18 03:41:28 UTC (rev 137971)
@@ -0,0 +1,8 @@
+CONSOLE MESSAGE: line 14: Uncaught Error: NotFoundError: DOM Exception 8
+This test must not crash.
+
+foo
+ <mark>
+<script>f1();</script>
+<xmp>
+foo

Copied: branches/chromium/1312/LayoutTests/fast/dom/insertedIntoDocument-no-crash.html (from rev 137702, trunk/LayoutTests/fast/dom/insertedIntoDocument-no-crash.html) (0 => 137971)


--- branches/chromium/1312/LayoutTests/fast/dom/insertedIntoDocument-no-crash.html	                        (rev 0)
+++ branches/chromium/1312/LayoutTests/fast/dom/insertedIntoDocument-no-crash.html	2012-12-18 03:41:28 UTC (rev 137971)
@@ -0,0 +1,27 @@
+<html>
+<p>This test must not crash.</p>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+function f1() {
+    document.write('<form>'); //Here we need the form tag to trigger the bug
+    document.getElementsByTagName("s")[0].innerHTML = 'foo';
+}
+
+function f2() {
+    document.getElementsByTagName("kbd")[0].innerHTML = 'foo';
+    document.getElementsByTagName("kbd")[0].insertBefore(document.createElement('foo'),document.createElement('foo'));
+}
+</script>
+<s>
+<!-- The following weird mark-up is needed to reproduce the crash -->
+<script>f1();</script>
+<xmp><mark>
+<script>f1();</script>
+<xmp></xmp>
+<kbd>
+<script>f2();</script>
+</kbd>
+</s>
+</html>
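Review bot: The test relies on an uncaught NotFoundError from the `insertBefore` call in f2() — the reference child is a freshly created element that is not a child of the `kbd` node — showing up as a console message, but nothing in the file says the exception is intentional, so a reader who sees `CONSOLE MESSAGE: ... NotFoundError` in the expectation may read it as a regression rather than part of the repro. A comment above that line such as `// insertBefore with a non-child reference node throws NotFoundError; the exception is expected here` would make the contract explicit. A space after `//` on the document.write comment would also be the conventional form. Because the -expected.txt encodes the exception text and its line number, any later change to this file must be kept in step with the expectation.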

Modified: branches/chromium/1312/Source/WebCore/dom/ContainerNode.h (137970 => 137971)


--- branches/chromium/1312/Source/WebCore/dom/ContainerNode.h	2012-12-18 03:30:27 UTC (rev 137970)
+++ branches/chromium/1312/Source/WebCore/dom/ContainerNode.h	2012-12-18 03:41:28 UTC (rev 137971)
@@ -344,7 +344,7 @@
     Node* nextNode()
     {
         if (LIKELY(!hasSnapshot())) {
-            Node* node = m_currentNode;
+            Node* node = m_currentNode.get();
             if (m_currentNode)
                 m_currentNode = m_currentNode->nextSibling();
             return node;
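Review bot: nextNode() still returns a raw Node* after the iterator has already given up its own reference on the preceding line (`m_currentNode = m_currentNode->nextSibling();`), so in the scenario this patch exists for — script detaching the current node from the tree while the snapshot is live — the RefPtr may have been the last owner, and the pointer handed back is then already freed. The hunk cannot show whether every caller immediately stores the result in a `RefPtr<Node>`, and even then the reassignment runs before the caller gets a chance to ref. Moving the reassignment after the caller can take ownership, e.g. returning `PassRefPtr<Node>` (or `RefPtr<Node>`) built from `m_currentNode` before it is advanced, would close that window; at minimum a comment `// Caller must ref the returned node before running script; the snapshot no longer holds it.` should state the contract. The snapshot branch of nextNode() continues outside this hunk.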
@@ -360,7 +360,7 @@
         if (hasSnapshot())
             return;
         m_childNodes = adoptPtr(new Vector<RefPtr<Node> >());
-        Node* node = m_currentNode;
+        Node* node = m_currentNode.get();
         while (node) {
             m_childNodes->append(node);
             node = node->nextSibling();
@@ -382,7 +382,7 @@
 private:
     static ChildNodesLazySnapshot* latestSnapshot;
 
-    Node* m_currentNode;
+    RefPtr<Node> m_currentNode;
     unsigned m_currentIndex;
     OwnPtr<Vector<RefPtr<Node> > > m_childNodes; // Lazily instantiated.
     ChildNodesLazySnapshot* m_nextSnapshot;
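Review bot: The change of `m_currentNode` to `RefPtr<Node>` carries no comment saying why the snapshot now owns a reference, which is the whole point of the fix, so a later cleanup could revert it to a raw pointer without noticing. A one-line note would guard that: `RefPtr<Node> m_currentNode; // Strong ref: script run during traversal may remove this node from the tree (bug 165864).` The constructor that initialises this member is outside the hunk; since RefPtr default-constructs to null, an existing `m_currentNode(0)` initialiser keeps compiling. If the snapshot branch of nextNode() stops reading m_currentNode once m_childNodes is populated, takeSnapshot() could also clear it so the strong reference does not outlive its need — worth confirming against the code outside this hunk.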