[webkit-changes] [143115] trunk/Source/WebCore

Sat, 16 Feb 2013 15:45:13 -0800

Title: [143115] trunk/Source/WebCore
Revision
143115
Author
[email protected]
Date
2013-02-16 15:47:14 -0800 (Sat, 16 Feb 2013)

Log Message

REGRESSION(r143076): Crash when calling removeNamedItem or removeNamedItemNS with a non-existent attribute of newly created element.
<http://webkit.org/b/110019>

Patch by Peter Nelson <[email protected]> on 2013-02-16
Reviewed by Andreas Kling.

Now checks Element::hasAttributes() before calling Element::getAttributeItemIndex().

Test: http/tests/misc/acid3.html

* dom/NamedNodeMap.cpp:
(WebCore::NamedNodeMap::removeNamedItem):
(WebCore::NamedNodeMap::removeNamedItemNS):

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (143114 => 143115)


--- trunk/Source/WebCore/ChangeLog	2013-02-16 23:34:22 UTC (rev 143114)
+++ trunk/Source/WebCore/ChangeLog	2013-02-16 23:47:14 UTC (rev 143115)
@@ -1,3 +1,18 @@
+2013-02-16  Peter Nelson  <[email protected]>
+
+        REGRESSION(r143076): Crash when calling removeNamedItem or removeNamedItemNS with a non-existent attribute of newly created element.
+        <http://webkit.org/b/110019>
+
+        Reviewed by Andreas Kling.
+
+        Now checks Element::hasAttributes() before calling Element::getAttributeItemIndex().
+
+        Test: http/tests/misc/acid3.html
+
+        * dom/NamedNodeMap.cpp:
+        (WebCore::NamedNodeMap::removeNamedItem):
+        (WebCore::NamedNodeMap::removeNamedItemNS):
+
 2013-02-16  Andreas Kling  <[email protected]>
 
         Element: Devirtualize attribute synchronization functions.

Modified: trunk/Source/WebCore/dom/NamedNodeMap.cpp (143114 => 143115)


--- trunk/Source/WebCore/dom/NamedNodeMap.cpp	2013-02-16 23:34:22 UTC (rev 143114)
+++ trunk/Source/WebCore/dom/NamedNodeMap.cpp	2013-02-16 23:47:14 UTC (rev 143115)
@@ -62,7 +62,7 @@
 
 PassRefPtr<Node> NamedNodeMap::removeNamedItem(const AtomicString& name, ExceptionCode& ec)
 {
-    size_t index = m_element->getAttributeItemIndex(name, shouldIgnoreAttributeCase(m_element));
+    size_t index = m_element->hasAttributes() ? m_element->getAttributeItemIndex(name, shouldIgnoreAttributeCase(m_element)) : notFound;
     if (index == notFound) {
         ec = NOT_FOUND_ERR;
         return 0;
@@ -72,7 +72,7 @@
 
 PassRefPtr<Node> NamedNodeMap::removeNamedItemNS(const AtomicString& namespaceURI, const AtomicString& localName, ExceptionCode& ec)
 {
-    size_t index = m_element->getAttributeItemIndex(QualifiedName(nullAtom, localName, namespaceURI));
+    size_t index = m_element->hasAttributes() ? m_element->getAttributeItemIndex(QualifiedName(nullAtom, localName, namespaceURI)) : notFound;
     if (index == notFound) {
         ec = NOT_FOUND_ERR;
         return 0;

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to