Diff
Modified: branches/safari-534.51-branch/LayoutTests/ChangeLog (91419 => 91420)
--- branches/safari-534.51-branch/LayoutTests/ChangeLog 2011-07-20 23:22:32 UTC (rev 91419)
+++ branches/safari-534.51-branch/LayoutTests/ChangeLog 2011-07-20 23:25:33 UTC (rev 91420)
@@ -1,3 +1,18 @@
+2011-07-20 Lucas Forschler <lforsch...@apple.com>
+
+ Merged 87743.
+
+ 2011-05-31 Abhishek Arya <infe...@chromium.org>
+
+ Reviewed by Dimitri Glazkov.
+
+ Tests that cloning an audio element with media controls does
+ not result in crash.
+ https://bugs.webkit.org/show_bug.cgi?id=61765
+
+ * media/media-controls-clone-crash-expected.txt: Added.
+ * media/media-controls-clone-crash.html: Added.
+
2011-06-20 Lucas Forschler <lforsch...@apple.com>
Merged 86976.
Copied: branches/safari-534.51-branch/LayoutTests/fast/dom/xml-parser-error-message-crash-expected.txt (from rev 87737, trunk/LayoutTests/fast/dom/xml-parser-error-message-crash-expected.txt) (0 => 91420)
--- branches/safari-534.51-branch/LayoutTests/fast/dom/xml-parser-error-message-crash-expected.txt (rev 0)
+++ branches/safari-534.51-branch/LayoutTests/fast/dom/xml-parser-error-message-crash-expected.txt 2011-07-20 23:25:33 UTC (rev 91420)
@@ -0,0 +1 @@
+PASS
Copied: branches/safari-534.51-branch/LayoutTests/fast/dom/xml-parser-error-message-crash.svg (from rev 87737, trunk/LayoutTests/fast/dom/xml-parser-error-message-crash.svg) (0 => 91420)
--- branches/safari-534.51-branch/LayoutTests/fast/dom/xml-parser-error-message-crash.svg (rev 0)
+++ branches/safari-534.51-branch/LayoutTests/fast/dom/xml-parser-error-message-crash.svg 2011-07-20 23:25:33 UTC (rev 91420)
@@ -0,0 +1,13 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+function runTest()
+{
+ document.firstChild.innerHTML = "PASS";
+}
+
+document.addEventListener("DOMNodeInsertedIntoDocument", runTest, true);
+</script>
+
Copied: branches/safari-534.51-branch/LayoutTests/media/media-controls-clone-crash-expected.txt (from rev 87743, trunk/LayoutTests/media/media-controls-clone-crash-expected.txt) (0 => 91420)
--- branches/safari-534.51-branch/LayoutTests/media/media-controls-clone-crash-expected.txt (rev 0)
+++ branches/safari-534.51-branch/LayoutTests/media/media-controls-clone-crash-expected.txt 2011-07-20 23:25:33 UTC (rev 91420)
@@ -0,0 +1 @@
+Test passes if it does not crash.
Copied: branches/safari-534.51-branch/LayoutTests/media/media-controls-clone-crash.html (from rev 87743, trunk/LayoutTests/media/media-controls-clone-crash.html) (0 => 91420)
--- branches/safari-534.51-branch/LayoutTests/media/media-controls-clone-crash.html (rev 0)
+++ branches/safari-534.51-branch/LayoutTests/media/media-controls-clone-crash.html 2011-07-20 23:25:33 UTC (rev 91420)
@@ -0,0 +1,25 @@
+<html>
+ <body _onload_="runTest();">
+ Test passes if it does not crash.
+ <script>
+ if (window.layoutTestController)
+ {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+ }
+
+ function runTest() {
+ node = document.createElement('audio');
+ node.setAttribute('src', 'foo');
+ node.setAttribute('controls', 'foo');
+ node.style.fontWeight = '100';
+ var clone = node.cloneNode(false);
+ clone.load();
+
+ if (window.layoutTestController)
+ setTimeout("layoutTestController.notifyDone()", 0);
+ }
+ </script>
+ </body>
+</html>
+
Modified: branches/safari-534.51-branch/Source/WebCore/ChangeLog (91419 => 91420)
--- branches/safari-534.51-branch/Source/WebCore/ChangeLog 2011-07-20 23:22:32 UTC (rev 91419)
+++ branches/safari-534.51-branch/Source/WebCore/ChangeLog 2011-07-20 23:25:33 UTC (rev 91420)
@@ -1,3 +1,26 @@
+2011-07-20 Lucas Forschler <lforsch...@apple.com>
+
+ Merged 87743.
+
+ 2011-05-31 Abhishek Arya <infe...@chromium.org>
+
+ Reviewed by Dimitri Glazkov.
+
+ Improve hasMediaControls logic to check that node has
+ media controls. This can be false when cloning nodes.
+ https://bugs.webkit.org/show_bug.cgi?id=61765
+
+ Test: media/media-controls-clone-crash.html
+
+ * dom/Node.h:
+ (WebCore::Node::isMediaControls):
+ * html/HTMLMediaElement.cpp:
+ (WebCore::HTMLMediaElement::mediaControls):
+ (WebCore::HTMLMediaElement::hasMediaControls):
+ * html/shadow/MediaControls.h:
+ (WebCore::MediaControls::isMediaControls):
+ (WebCore::toMediaControls):
+
2011-07-27 Lucas Forschler <lforsch...@apple.com>
Merged 89748.
Modified: branches/safari-534.51-branch/Source/WebCore/dom/Node.h (91419 => 91420)
--- branches/safari-534.51-branch/Source/WebCore/dom/Node.h 2011-07-20 23:22:32 UTC (rev 91419)
+++ branches/safari-534.51-branch/Source/WebCore/dom/Node.h 2011-07-20 23:25:33 UTC (rev 91420)
@@ -202,6 +202,7 @@
#endif
virtual bool isMediaControlElement() const { return false; }
+ virtual bool isMediaControls() const { return false; }
bool isStyledElement() const { return getFlag(IsStyledElementFlag); }
virtual bool isFrameOwnerElement() const { return false; }
virtual bool isAttributeNode() const { return false; }
Modified: branches/safari-534.51-branch/Source/WebCore/dom/XMLDocumentParser.cpp (91419 => 91420)
--- branches/safari-534.51-branch/Source/WebCore/dom/XMLDocumentParser.cpp 2011-07-20 23:22:32 UTC (rev 91419)
+++ branches/safari-534.51-branch/Source/WebCore/dom/XMLDocumentParser.cpp 2011-07-20 23:25:33 UTC (rev 91420)
@@ -286,7 +286,7 @@
// Create elements for display
ExceptionCode ec = 0;
Document* document = this->document();
- Element* documentElement = document->documentElement();
+ RefPtr<Element> documentElement = document->documentElement();
if (!documentElement) {
RefPtr<Element> rootElement = document->createElement(htmlTag, false);
document->appendChild(rootElement, ec);
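Review bot: The new `RefPtr<Element> documentElement` has no comment saying what it guards against, and the reason is not visible in this hunk. The added test fast/dom/xml-parser-error-message-crash.svg rewrites the root element from a `DOMNodeInsertedIntoDocument` listener, so presumably script run during the insertions below can drop the last reference to the element. A line such as `// Mutation event listeners may run script that removes the document element; keep it alive.` above the declaration would record that. Separately, both ChangeLog entries in this commit say only "Merged 87743", while the test for this change is copied from rev 87737, so the merge record for the parser fix appears incomplete. The enclosing function starts and ends outside the hunk.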
Modified: branches/safari-534.51-branch/Source/WebCore/dom/XMLDocumentParserLibxml2.cpp (91419 => 91420)
--- branches/safari-534.51-branch/Source/WebCore/dom/XMLDocumentParserLibxml2.cpp 2011-07-20 23:22:32 UTC (rev 91419)
+++ branches/safari-534.51-branch/Source/WebCore/dom/XMLDocumentParserLibxml2.cpp 2011-07-20 23:25:33 UTC (rev 91420)
@@ -848,12 +848,16 @@
return;
}
+ // _javascript_ can detach the parser. Make sure this is not released
+ // before the end of this method.
+ RefPtr<XMLDocumentParser> protect(this);
+
exitText();
- Node* n = m_currentNode;
+ RefPtr<Node> n = m_currentNode;
n->finishParsingChildren();
- if (m_scriptingPermission == FragmentScriptingNotAllowed && n->isElementNode() && toScriptElement(static_cast<Element*>(n))) {
+ if (m_scriptingPermission == FragmentScriptingNotAllowed && n->isElementNode() && toScriptElement(static_cast<Element*>(n.get()))) {
popCurrentNode();
ExceptionCode ec;
n->remove(ec);
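Review bot: The relocated comment explains `protect(this)` but not the new `RefPtr<Node> n` two lines below, which is the other half of the lifetime fix. I would extend it with something like `// Script run from the calls below can also remove the current node, so hold a reference to it as well.`, so that a later cleanup does not turn `n` back into a raw pointer. This reading is inferred from the change itself, because the hunk does not show which call runs script. The function starts and ends outside the hunk.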
@@ -865,7 +869,7 @@
return;
}
- Element* element = static_cast<Element*>(n);
+ Element* element = static_cast<Element*>(n.get());
// The element's parent may have already been removed from document.
// Parsing continues in this case, but scripts aren't executed.
@@ -894,10 +898,6 @@
// FIXME: Script execution should be shared between
// the libxml2 and Qt XMLDocumentParser implementations.
- // _javascript_ can detach the parser. Make sure this is not released
- // before the end of this method.
- RefPtr<XMLDocumentParser> protect(this);
-
if (scriptElement->readyToBeParserExecuted())
scriptElement->executeScript(ScriptSourceCode(scriptElement->scriptContent(), document()->url(), m_scriptStartPosition));
else if (scriptElement->willBeParserExecuted()) {
Modified: branches/safari-534.51-branch/Source/WebCore/dom/XMLDocumentParserQt.cpp (91419 => 91420)
--- branches/safari-534.51-branch/Source/WebCore/dom/XMLDocumentParserQt.cpp 2011-07-20 23:22:32 UTC (rev 91419)
+++ branches/safari-534.51-branch/Source/WebCore/dom/XMLDocumentParserQt.cpp 2011-07-20 23:25:33 UTC (rev 91420)
@@ -552,10 +552,10 @@
{
exitText();
- Node* n = m_currentNode;
+ RefPtr<ContainerNode> n = m_currentNode;
n->finishParsingChildren();
- if (m_scriptingPermission == FragmentScriptingNotAllowed && n->isElementNode() && toScriptElement(static_cast<Element*>(n))) {
+ if (m_scriptingPermission == FragmentScriptingNotAllowed && n->isElementNode() && toScriptElement(static_cast<Element*>(n.get()))) {
popCurrentNode();
ExceptionCode ec;
n->remove(ec);
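Review bot: This hunk holds `n` in a `RefPtr` but, unlike the matching libxml2 hunk, adds no `RefPtr<XMLDocumentParser> protect(this);` before `exitText()`. If the Qt implementation creates its protector only near script execution, or not at all (neither is visible here), the parser could still be released during `n->finishParsingChildren()` or `n->remove(ec)`, leaving `this` dangling for the rest of the method. I would add `RefPtr<XMLDocumentParser> protect(this);` as the first statement so the two implementations stay consistent. The function continues outside the hunk.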
@@ -568,7 +568,7 @@
return;
}
- Element* element = static_cast<Element*>(n);
+ Element* element = static_cast<Element*>(n.get());
// The element's parent may have already been removed from document.
// Parsing continues in this case, but scripts aren't executed.
Modified: branches/safari-534.51-branch/Source/WebCore/html/HTMLMediaElement.cpp (91419 => 91420)
--- branches/safari-534.51-branch/Source/WebCore/html/HTMLMediaElement.cpp 2011-07-20 23:22:32 UTC (rev 91419)
+++ branches/safari-534.51-branch/Source/WebCore/html/HTMLMediaElement.cpp 2011-07-20 23:25:33 UTC (rev 91420)
@@ -2691,17 +2691,16 @@
MediaControls* HTMLMediaElement::mediaControls()
{
- if (!shadowRoot())
- return 0;
-
- Node* node = shadowRoot()->firstChild();
- ASSERT(node->isHTMLElement());
- return static_cast<MediaControls*>(node);
+ return toMediaControls(shadowRoot()->firstChild());
}
bool HTMLMediaElement::hasMediaControls()
{
- return shadowRoot();
+ if (!shadowRoot())
+ return false;
+
+ Node* node = shadowRoot()->firstChild();
+ return node && node->isMediaControls();
}
void HTMLMediaElement::ensureMediaControls()
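Review bot: `mediaControls()` now dereferences `shadowRoot()` unconditionally, whereas the removed code returned 0 when there was no shadow root, so any caller that does not check `hasMediaControls()` first becomes a null dereference. In release builds the `ASSERT` inside `toMediaControls()` is typically compiled out, so a first child that is not a `MediaControls` would also be cast unchecked, which is the cloned-node case the ChangeLog describes. Guarding the accessor itself with `if (!hasMediaControls()) return 0;` before the `return` keeps the contract independent of caller discipline. The callers are outside this hunk, so whether they all check first cannot be confirmed here.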
Modified: branches/safari-534.51-branch/Source/WebCore/html/shadow/MediaControls.h (91419 => 91420)
--- branches/safari-534.51-branch/Source/WebCore/html/shadow/MediaControls.h 2011-07-20 23:22:32 UTC (rev 91419)
+++ branches/safari-534.51-branch/Source/WebCore/html/shadow/MediaControls.h 2011-07-20 23:25:33 UTC (rev 91420)
@@ -75,10 +75,21 @@
private:
MediaControls();
+
+ virtual bool isMediaControls() const { return true; }
};
+inline MediaControls* toMediaControls(Node* node)
+{
+ ASSERT(!node || node->isMediaControls());
+ return static_cast<MediaControls*>(node);
}
+// This will catch anyone doing an unneccessary cast.
+void toMediaControls(const Node*);
+
+}
+
#endif
#endif
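Review bot: The guard overload `void toMediaControls(const Node*);` probably does not do what its comment says. For a `MediaControls*` argument, overload resolution should prefer the `Node*` version, so a redundant cast still compiles. If the intent is to reject callers that already hold a `MediaControls`, the parameter should be the derived type: `void toMediaControls(const MediaControls*);`. The comment also misspells "unnecessary".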