Title: [133231] branches/safari-536.28-branch

Diff

Modified: branches/safari-536.28-branch/LayoutTests/ChangeLog (133230 => 133231)


--- branches/safari-536.28-branch/LayoutTests/ChangeLog	2012-11-01 22:18:43 UTC (rev 133230)
+++ branches/safari-536.28-branch/LayoutTests/ChangeLog	2012-11-01 22:23:59 UTC (rev 133231)
@@ -1,3 +1,17 @@
+2012-11-01  Lucas Forschler  <lforsch...@apple.com>
+
+        Merge r124156
+
+    2012-07-30  MORITA Hajime  <morr...@google.com>
+
+            Node::replaceChild() can create bad DOM topology with MutationEvent
+            https://bugs.webkit.org/show_bug.cgi?id=92619
+
+            Reviewed by Ryosuke Niwa.
+
+            * fast/events/mutation-during-replace-child-expected.txt: Added.
+            * fast/events/mutation-during-replace-child.html: Added.
+
 2012-10-31  Lucas Forschler  <lforsch...@apple.com>
 
         Merge r123131
@@ -10636,3 +10650,4 @@
 .
 .
 .
+.

Copied: branches/safari-536.28-branch/LayoutTests/fast/events/mutation-during-replace-child-expected.txt (from rev 124156, trunk/LayoutTests/fast/events/mutation-during-replace-child-expected.txt) (0 => 133231)


--- branches/safari-536.28-branch/LayoutTests/fast/events/mutation-during-replace-child-expected.txt	                        (rev 0)
+++ branches/safari-536.28-branch/LayoutTests/fast/events/mutation-during-replace-child-expected.txt	2012-11-01 22:23:59 UTC (rev 133231)
@@ -0,0 +1,10 @@
+Ensures that replaceChild() throws an exception if mutation even handler does something wrong
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS target.replaceChild(newChild, oldChild); threw exception Error: HIERARCHY_REQUEST_ERR: DOM Exception 3.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
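Review bot: The first line of the expected output reads "mutation even handler", which should be "mutation event handler". The text is produced by the description() call in mutation-during-replace-child.html, so correct it there and regenerate this file so the two stay in sync.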

Copied: branches/safari-536.28-branch/LayoutTests/fast/events/mutation-during-replace-child.html (from rev 124156, trunk/LayoutTests/fast/events/mutation-during-replace-child.html) (0 => 133231)


--- branches/safari-536.28-branch/LayoutTests/fast/events/mutation-during-replace-child.html	                        (rev 0)
+++ branches/safari-536.28-branch/LayoutTests/fast/events/mutation-during-replace-child.html	2012-11-01 22:23:59 UTC (rev 133231)
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<div>
+  <div id="target">
+    <b></b><b id="oldChild"></b><b></b>
+  </div>
+  <div id="newChild"></div>
+</div>
+
+<script>
+description("Ensures that replaceChild() throws an exception if mutation even handler does something wrong");
+var target = document.getElementById('target');
+var oldChild = document.getElementById('oldChild');
+var newChild = document.getElementById('newChild');
+
+function handler(){
+    document.removeEventListener("DOMNodeRemoved", handler, false);
+    newChild.parentNode.removeChild(newChild);
+    target.parentNode.removeChild(target);
+    newChild.appendChild(target);
+}   
+document.addEventListener("DOMNodeRemoved", handler, false);
+shouldThrow("target.replaceChild(newChild, oldChild);",  "'Error: HIERARCHY_REQUEST_ERR: DOM Exception 3'");
+</script>
+<script src=""
+</body>
+</html>
+
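Review bot: The only assertion is the shouldThrow() on target.replaceChild(newChild, oldChild), so the test proves the exception is raised but checks nothing about the tree left behind by handler() and the aborted call. Consider following it with state checks, for example that target.parentNode is newChild (the arrangement handler() sets up) and that newChild.parentNode is null, so a regression that throws and still links newChild under target would be caught. Minor: the closing brace of handler() carries trailing whitespace.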

Modified: branches/safari-536.28-branch/Source/WebCore/ChangeLog (133230 => 133231)


--- branches/safari-536.28-branch/Source/WebCore/ChangeLog	2012-11-01 22:18:43 UTC (rev 133230)
+++ branches/safari-536.28-branch/Source/WebCore/ChangeLog	2012-11-01 22:23:59 UTC (rev 133231)
@@ -1,5 +1,30 @@
 2012-11-01  Lucas Forschler  <lforsch...@apple.com>
 
+        Merge r124156
+
+    2012-07-30  MORITA Hajime  <morr...@google.com>
+
+            Node::replaceChild() can create bad DOM topology with MutationEvent
+            https://bugs.webkit.org/show_bug.cgi?id=92619
+
+            Reviewed by Ryosuke Niwa.
+
+            Node::replaceChild() calls insertBeforeCommon() after dispatching
+            a MutationEvent event for removeChild(). But insertBeforeCommon()
+            expects call sites to check the invariant and doesn't have
+            suffient check. So a MutationEvent handler can let some bad tree
+            topology to slip into insertBeforeCommon().
+
+            This change adds a guard for checking the invariant using
+            checkReplaceChild() between removeChild() and insertBeforeCommon().
+
+            Test: fast/events/mutation-during-replace-child.html
+
+            * dom/ContainerNode.cpp:
+            (WebCore::ContainerNode::replaceChild): Added a guard.
+
+2012-11-01  Lucas Forschler  <lforsch...@apple.com>
+
         Merge r124089
 
     2012-07-30  Andreas Kling  <kl...@webkit.org>
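Review bot: The explanatory paragraph has a typo ("suffient" for "sufficient") and an awkward clause ("can let some bad tree topology to slip into insertBeforeCommon()"); as the permanent record of the fix it is worth cleaning up. The entry would also be more useful if it said what the caller observes when the new guard fails: it places the guard between removeChild() and insertBeforeCommon(), which implies the old child has already been removed when the error is returned, and that is not stated.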
@@ -205875,3 +205900,4 @@
 .
 .
 .
+.

Modified: branches/safari-536.28-branch/Source/WebCore/dom/ContainerNode.cpp (133230 => 133231)


--- branches/safari-536.28-branch/Source/WebCore/dom/ContainerNode.cpp	2012-11-01 22:18:43 UTC (rev 133230)
+++ branches/safari-536.28-branch/Source/WebCore/dom/ContainerNode.cpp	2012-11-01 22:23:59 UTC (rev 133231)
@@ -270,6 +270,11 @@
     if (next && (next->previousSibling() == newChild || next == newChild)) // nothing to do
         return true;
 
+    // Does this one more time because removeChild() fires a MutationEvent.
+    checkReplaceChild(newChild.get(), oldChild, ec);
+    if (ec)
+        return false;
+
     NodeVector targets;
     collectChildrenAndRemoveFromOldParent(newChild.get(), targets, ec);
     if (ec)
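Review bot: The comment above the added checkReplaceChild() call explains why the check is repeated but not which invariant it protects or what state a failure leaves behind. The ChangeLog places this guard after removeChild(), so returning false here leaves a partially applied replace; say so in the comment, and reword "Does this one more time" to something like "Re-check the hierarchy invariant: the MutationEvent fired by removeChild() may have changed the tree." It is also worth confirming that checkReplaceChild() does not assume oldChild is still a child of this node, since it is called here with the same oldChild after that removal.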
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes
