Title: [133231] branches/safari-536.28-branch
- Revision
- 133231
- Author
- lforsch...@apple.com
- Date
- 2012-11-01 15:23:59 -0700 (Thu, 01 Nov 2012)
Log Message
Merged r124156. <rdar://problem/12536490>
Modified Paths
Added Paths
Diff
Modified: branches/safari-536.28-branch/LayoutTests/ChangeLog (133230 => 133231)
--- branches/safari-536.28-branch/LayoutTests/ChangeLog 2012-11-01 22:18:43 UTC (rev 133230)
+++ branches/safari-536.28-branch/LayoutTests/ChangeLog 2012-11-01 22:23:59 UTC (rev 133231)
@@ -1,3 +1,17 @@
+2012-11-01 Lucas Forschler <lforsch...@apple.com>
+
+ Merge r124156
+
+ 2012-07-30 MORITA Hajime <morr...@google.com>
+
+ Node::replaceChild() can create bad DOM topology with MutationEvent
+ https://bugs.webkit.org/show_bug.cgi?id=92619
+
+ Reviewed by Ryosuke Niwa.
+
+ * fast/events/mutation-during-replace-child-expected.txt: Added.
+ * fast/events/mutation-during-replace-child.html: Added.
+
2012-10-31 Lucas Forschler <lforsch...@apple.com>
Merge r123131
@@ -10636,3 +10650,4 @@
.
.
.
+.
Copied: branches/safari-536.28-branch/LayoutTests/fast/events/mutation-during-replace-child-expected.txt (from rev 124156, trunk/LayoutTests/fast/events/mutation-during-replace-child-expected.txt) (0 => 133231)
--- branches/safari-536.28-branch/LayoutTests/fast/events/mutation-during-replace-child-expected.txt (rev 0)
+++ branches/safari-536.28-branch/LayoutTests/fast/events/mutation-during-replace-child-expected.txt 2012-11-01 22:23:59 UTC (rev 133231)
@@ -0,0 +1,10 @@
+Ensures that replaceChild() throws an exception if mutation even handler does something wrong
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS target.replaceChild(newChild, oldChild); threw exception Error: HIERARCHY_REQUEST_ERR: DOM Exception 3.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Copied: branches/safari-536.28-branch/LayoutTests/fast/events/mutation-during-replace-child.html (from rev 124156, trunk/LayoutTests/fast/events/mutation-during-replace-child.html) (0 => 133231)
--- branches/safari-536.28-branch/LayoutTests/fast/events/mutation-during-replace-child.html (rev 0)
+++ branches/safari-536.28-branch/LayoutTests/fast/events/mutation-during-replace-child.html 2012-11-01 22:23:59 UTC (rev 133231)
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<div>
+ <div id="target">
+ <b></b><b id="oldChild"></b><b></b>
+ </div>
+ <div id="newChild"></div>
+</div>
+
+<script>
+description("Ensures that replaceChild() throws an exception if mutation even handler does something wrong");
+var target = document.getElementById('target');
+var oldChild = document.getElementById('oldChild');
+var newChild = document.getElementById('newChild');
+
+function handler(){
+ document.removeEventListener("DOMNodeRemoved", handler, false);
+ newChild.parentNode.removeChild(newChild);
+ target.parentNode.removeChild(target);
+ newChild.appendChild(target);
+}
+document.addEventListener("DOMNodeRemoved", handler, false);
+shouldThrow("target.replaceChild(newChild, oldChild);", "'Error: HIERARCHY_REQUEST_ERR: DOM Exception 3'");
+</script>
+<script src=""
+</body>
+</html>
+
Modified: branches/safari-536.28-branch/Source/WebCore/ChangeLog (133230 => 133231)
--- branches/safari-536.28-branch/Source/WebCore/ChangeLog 2012-11-01 22:18:43 UTC (rev 133230)
+++ branches/safari-536.28-branch/Source/WebCore/ChangeLog 2012-11-01 22:23:59 UTC (rev 133231)
@@ -1,5 +1,30 @@
2012-11-01 Lucas Forschler <lforsch...@apple.com>
+ Merge r124156
+
+ 2012-07-30 MORITA Hajime <morr...@google.com>
+
+ Node::replaceChild() can create bad DOM topology with MutationEvent
+ https://bugs.webkit.org/show_bug.cgi?id=92619
+
+ Reviewed by Ryosuke Niwa.
+
+ Node::replaceChild() calls insertBeforeCommon() after dispatching
+ a MutationEvent event for removeChild(). But insertBeforeCommon()
+ expects call sites to check the invariant and doesn't have
+ suffient check. So a MutationEvent handler can let some bad tree
+ topology to slip into insertBeforeCommon().
+
+ This change adds a guard for checking the invariant using
+ checkReplaceChild() between removeChild() and insertBeforeCommon().
+
+ Test: fast/events/mutation-during-replace-child.html
+
+ * dom/ContainerNode.cpp:
+ (WebCore::ContainerNode::replaceChild): Added a guard.
+
+2012-11-01 Lucas Forschler <lforsch...@apple.com>
+
Merge r124089
2012-07-30 Andreas Kling <kl...@webkit.org>
@@ -205875,3 +205900,4 @@
.
.
.
+.
Modified: branches/safari-536.28-branch/Source/WebCore/dom/ContainerNode.cpp (133230 => 133231)
--- branches/safari-536.28-branch/Source/WebCore/dom/ContainerNode.cpp 2012-11-01 22:18:43 UTC (rev 133230)
+++ branches/safari-536.28-branch/Source/WebCore/dom/ContainerNode.cpp 2012-11-01 22:23:59 UTC (rev 133231)
@@ -270,6 +270,11 @@
if (next && (next->previousSibling() == newChild || next == newChild)) // nothing to do
return true;
+ // Does this one more time because removeChild() fires a MutationEvent.
+ checkReplaceChild(newChild.get(), oldChild, ec);
+ if (ec)
+ return false;
+
NodeVector targets;
collectChildrenAndRemoveFromOldParent(newChild.get(), targets, ec);
if (ec)
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes