Title: [179307] branches/safari-600.5-branch

Diff

Modified: branches/safari-600.5-branch/LayoutTests/ChangeLog (179306 => 179307)


--- branches/safari-600.5-branch/LayoutTests/ChangeLog	2015-01-28 22:52:19 UTC (rev 179306)
+++ branches/safari-600.5-branch/LayoutTests/ChangeLog	2015-01-28 22:52:22 UTC (rev 179307)
@@ -1,5 +1,20 @@
 2015-01-28  Matthew  <[email protected]>
 
+        Merge r178363. rdar://problem/19617795
+
+    2015-01-13  Andreas Kling  <[email protected]>
+
+            Element::normalizeAttributes() needs to handle arbitrary JS executing between loop iterations.
+            <https://webkit.org/b/140379>
+            <rdar://problem/19446901>
+
+            Reviewed by Benjamin Poulain.
+
+            * fast/dom/Element/normalize-crash2-expected.txt: Added.
+            * fast/dom/Element/normalize-crash2.html: Added.
+
+2015-01-28  Matthew  <[email protected]>
+
         Merge r178231. rdar://problem/19617801
 
     2015-01-09  Zalan Bujtas  <[email protected]>

Added: branches/safari-600.5-branch/LayoutTests/fast/dom/Element/normalize-crash2-expected.txt (0 => 179307)


--- branches/safari-600.5-branch/LayoutTests/fast/dom/Element/normalize-crash2-expected.txt	                        (rev 0)
+++ branches/safari-600.5-branch/LayoutTests/fast/dom/Element/normalize-crash2-expected.txt	2015-01-28 22:52:22 UTC (rev 179307)
@@ -0,0 +1,9 @@
+This test passes if it does not crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: branches/safari-600.5-branch/LayoutTests/fast/dom/Element/normalize-crash2.html (0 => 179307)


--- branches/safari-600.5-branch/LayoutTests/fast/dom/Element/normalize-crash2.html	                        (rev 0)
+++ branches/safari-600.5-branch/LayoutTests/fast/dom/Element/normalize-crash2.html	2015-01-28 22:52:22 UTC (rev 179307)
@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<script src=""
+<div name="testDiv" id="testDiv"></div>
+<script>
+description("This test passes if it does not crash.");
+ 
+var testDiv = document.getElementById("testDiv");
+testDiv.attributes[0].appendChild(new Text("test"));
+testDiv.cloneNode(false);
+gc();
+testDiv.normalize();
+</script>
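Review bot: the `<script src=""` tag on the second line of normalize-crash2.html is broken: its `src` is empty and the tag is never closed, so the shared js-test harness that defines `description()` (and prints the `PASS successfullyParsed is true` / `TEST COMPLETE` lines the expected file relies on) is not loaded; as written `description(...)` throws a ReferenceError before `normalize()` is reached and the test cannot exercise the fix. The include needs a real path and a closing `</script>`; the original path is not recoverable from this diff. Also worth noting: this page has no mutation listener that adds or removes attributes during `normalize()`, so the listener-driven scenario named in the ChangeLog is not covered here and would merit a companion test with a `DOMSubtreeModified` listener that removes an attribute.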

Modified: branches/safari-600.5-branch/Source/WebCore/ChangeLog (179306 => 179307)


--- branches/safari-600.5-branch/Source/WebCore/ChangeLog	2015-01-28 22:52:19 UTC (rev 179306)
+++ branches/safari-600.5-branch/Source/WebCore/ChangeLog	2015-01-28 22:52:22 UTC (rev 179307)
@@ -1,5 +1,28 @@
 2015-01-28  Matthew  <[email protected]>
 
+        Merge r178363. rdar://problem/19617795
+
+    2015-01-13  Andreas Kling  <[email protected]>
+
+            Element::normalizeAttributes() needs to handle arbitrary JS executing between loop iterations.
+            <https://webkit.org/b/140379>
+            <rdar://problem/19446901>
+
+            Reviewed by Benjamin Poulain.
+
+            Since DOM mutation events may arise below the call to Node::normalize(),
+            have the loop in Element::normalizeAttributes() make a copy of the Attr nodes
+            beforehand, to guard against mutations.
+
+            Based on a patch by Chris "Chris Dumez" Dumez.
+
+            Test: fast/dom/Element/normalize-crash2.html
+
+            * dom/Element.cpp:
+            (WebCore::Element::normalizeAttributes):
+
+2015-01-28  Matthew  <[email protected]>
+
         Merge r178231. rdar://problem/19617801
 
     2015-01-09  Zalan Bujtas  <[email protected]>
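Review bot: the credit line `Based on a patch by Chris "Chris Dumez" Dumez.` looks like a template glitch (the quoted nickname repeats the name) and should read `Based on a patch by Chris Dumez.` The description could also be more precise about what the copy buys: it does not stop a listener from mutating the element during `Node::normalize()`, it only makes the loop independent of such mutations, so "to guard against mutations" is better stated as "so the loop is unaffected by mutations made by listeners".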

Modified: branches/safari-600.5-branch/Source/WebCore/dom/Element.cpp (179306 => 179307)


--- branches/safari-600.5-branch/Source/WebCore/dom/Element.cpp	2015-01-28 22:52:19 UTC (rev 179306)
+++ branches/safari-600.5-branch/Source/WebCore/dom/Element.cpp	2015-01-28 22:52:22 UTC (rev 179307)
@@ -2273,10 +2273,17 @@
 {
     if (!hasAttributes())
         return;
-    for (const Attribute& attribute : attributesIterator()) {
-        if (RefPtr<Attr> attr = attrIfExists(attribute.name()))
-            attr->normalize();
-    }
+
+    auto* attrNodeList = attrNodeListForElement(*this);
+    if (!attrNodeList)
+        return;
+
+    // Copy the Attr Vector because Node::normalize() can fire synchronous JS
+    // events (e.g. DOMSubtreeModified) and a JS listener could add / remove
+    // attributes while we are iterating.
+    auto copyOfAttrNodeList = *attrNodeList;
+    for (auto& attrNode : copyOfAttrNodeList)
+        attrNode->normalize();
 }
 
 PseudoElement* Element::beforePseudoElement() const
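Review bot: iterating over the copy makes the loop safe against reallocation, but it also means `normalize()` is still called on an Attr that a listener detached from this element during an earlier iteration (and an Attr added by a listener is skipped). Either add a check that the Attr still belongs to this element, e.g. `if (attrNode->ownerElement() == this)` before `attrNode->normalize();`, or extend the comment to state that normalizing a detached Attr is intentional and harmless. The list's element type is not visible in this hunk; the comment calls it an Attr Vector, and the copy only keeps the Attr nodes alive across the loop if it holds `RefPtr<Attr>` rather than raw pointers, so that is worth confirming and naming in the comment. Finally, the new early return on a null `attrNodeList` matches the old behaviour (where `attrIfExists()` returned null for every attribute), but a one-line comment saying so would keep the two `return`s from looking like a behaviour change.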
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
