[webkit-changes] [125237] trunk

Thu, 09 Aug 2012 19:15:25 -0700

Title: [125237] trunk
Revision
125237
Author
morr...@google.com
Date
2012-08-09 19:15:42 -0700 (Thu, 09 Aug 2012)

Log Message

https://bugs.webkit.org/show_bug.cgi?id=93587
Node::replaceChild() can create bad DOM topology with MutationEvent, Part 2

Reviewed by Kent Tamura.

Source/WebCore:

This is a followup of r124156. replaceChild() has yet another hidden
MutationEvent trigger. This change added a guard for it.

Test: fast/events/mutation-during-replace-child-2.html

* dom/ContainerNode.cpp:
(WebCore::ContainerNode::replaceChild):

LayoutTests:

* fast/events/mutation-during-replace-child-2-expected.txt: Added.
* fast/events/mutation-during-replace-child-2.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (125236 => 125237)


--- trunk/LayoutTests/ChangeLog	2012-08-10 02:13:55 UTC (rev 125236)
+++ trunk/LayoutTests/ChangeLog	2012-08-10 02:15:42 UTC (rev 125237)
@@ -1,3 +1,13 @@
+2012-08-09  MORITA Hajime  <morr...@google.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=93587
+        Node::replaceChild() can create bad DOM topology with MutationEvent, Part 2
+
+        Reviewed by Kent Tamura.
+
+        * fast/events/mutation-during-replace-child-2-expected.txt: Added.
+        * fast/events/mutation-during-replace-child-2.html: Added.
+
 2012-08-09  Kinuko Yasuda  <kin...@chromium.org>
 
         http/tests/security/mixedContent/blob-url-in-iframe.html fails on Mac

Added: trunk/LayoutTests/fast/events/mutation-during-replace-child-2-expected.txt (0 => 125237)


--- trunk/LayoutTests/fast/events/mutation-during-replace-child-2-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/events/mutation-during-replace-child-2-expected.txt	2012-08-10 02:15:42 UTC (rev 125237)
@@ -0,0 +1,10 @@
+Ensures that replaceChild() throws an exception if mutation even handler does something wrong
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS target.replaceChild(newChild, oldChild); threw exception Error: HIERARCHY_REQUEST_ERR: DOM Exception 3.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Property changes on: trunk/LayoutTests/fast/events/mutation-during-replace-child-2-expected.txt
___________________________________________________________________

Added: svn:eol-style

Added: trunk/LayoutTests/fast/events/mutation-during-replace-child-2.html (0 => 125237)


--- trunk/LayoutTests/fast/events/mutation-during-replace-child-2.html	                        (rev 0)
+++ trunk/LayoutTests/fast/events/mutation-during-replace-child-2.html	2012-08-10 02:15:42 UTC (rev 125237)
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<div>
+  <div id="target">
+    <b></b><b id="oldChild"></b><b></b>
+  </div>
+  <div id="newChild"></div>
+</div>
+
+<script>
+description("Ensures that replaceChild() throws an exception if mutation even handler does something wrong");
+var target = document.getElementById('target');
+var oldChild = document.getElementById('oldChild');
+var newChild = document.getElementById('newChild');
+
+var numCalled = 0;
+
+function handler(){
+    numCalled++;
+    if (numCalled < 2)
+        return;
+    document.removeEventListener("DOMNodeRemoved", handler, false);
+    target.parentNode.removeChild(target);
+    newChild.appendChild(target);
+}   
+document.addEventListener("DOMNodeRemoved", handler, false);
+shouldThrow("target.replaceChild(newChild, oldChild);",  "'Error: HIERARCHY_REQUEST_ERR: DOM Exception 3'");
+</script>
+<script src=""
+</body>
+</html>
+
Property changes on: trunk/LayoutTests/fast/events/mutation-during-replace-child-2.html
___________________________________________________________________

Added: svn:eol-style

Modified: trunk/Source/WebCore/ChangeLog (125236 => 125237)


--- trunk/Source/WebCore/ChangeLog	2012-08-10 02:13:55 UTC (rev 125236)
+++ trunk/Source/WebCore/ChangeLog	2012-08-10 02:15:42 UTC (rev 125237)
@@ -1,3 +1,18 @@
+2012-08-09  MORITA Hajime  <morr...@google.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=93587
+        Node::replaceChild() can create bad DOM topology with MutationEvent, Part 2
+
+        Reviewed by Kent Tamura.
+
+        This is a followup of r124156. replaceChild() has yet another hidden
+        MutationEvent trigger. This change added a guard for it.
+
+        Test: fast/events/mutation-during-replace-child-2.html
+
+        * dom/ContainerNode.cpp:
+        (WebCore::ContainerNode::replaceChild):
+
 2012-08-09  Kentaro Hara  <hara...@chromium.org>
 
         [V8] V8Utilities::throwTypeMismatchException() should use setDOMException()

Modified: trunk/Source/WebCore/dom/ContainerNode.cpp (125236 => 125237)


--- trunk/Source/WebCore/dom/ContainerNode.cpp	2012-08-10 02:13:55 UTC (rev 125236)
+++ trunk/Source/WebCore/dom/ContainerNode.cpp	2012-08-10 02:15:42 UTC (rev 125237)
@@ -283,6 +283,11 @@
     if (ec)
         return false;
 
+    // Does this yet another check because collectChildrenAndRemoveFromOldParent() fires a MutationEvent.
+    checkReplaceChild(newChild.get(), oldChild, ec);
+    if (ec)
+        return false;
+
     InspectorInstrumentation::willInsertDOMNode(document(), this);
 
     // Add the new child(ren)

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to