- Revision
- 139029
- Author
- morr...@google.com
- Date
- 2013-01-07 20:39:39 -0800 (Mon, 07 Jan 2013)
Log Message
Document::m_activeNode should be always an Element.
https://bugs.webkit.org/show_bug.cgi?id=106193
Reviewed by Ryosuke Niwa.
Source/WebCore:
r137277 tightened an invariant that assumes that active node is
always an element. But Document::updateHoverActiveState() didn't
respect that assumption. This change forces it.
Test: svg/custom/text-use-click-crash.html
* dom/Document.cpp:
(WebCore::Document::removedLastRef):
(WebCore::Document::detach):
(WebCore::Document::setActiveNode):
(WebCore::Document::activeChainNodeDetached):
(WebCore::Document::updateHoverActiveState):
* dom/Document.h:
(WebCore::Document::activeElement): Renamed from m_activeNode for the clarification.
(Document):
LayoutTests:
* svg/custom/text-use-click-crash-expected.txt: Added.
* svg/custom/text-use-click-crash.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (139028 => 139029)
--- trunk/LayoutTests/ChangeLog 2013-01-08 04:24:14 UTC (rev 139028)
+++ trunk/LayoutTests/ChangeLog 2013-01-08 04:39:39 UTC (rev 139029)
@@ -1,3 +1,13 @@
+2013-01-07 Hajime Morrita <morr...@google.com>
+
+ Document::m_activeNode should be always an Element.
+ https://bugs.webkit.org/show_bug.cgi?id=106193
+
+ Reviewed by Ryosuke Niwa.
+
+ * svg/custom/text-use-click-crash-expected.txt: Added.
+ * svg/custom/text-use-click-crash.html: Added.
+
2013-01-07 Julien Chaffraix <jchaffr...@webkit.org>
[CSS Grid Layout] Implement grid items sizing for fixed minmax grid tracks
Added: trunk/LayoutTests/svg/custom/text-use-click-crash-expected.txt (0 => 139029)
--- trunk/LayoutTests/svg/custom/text-use-click-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/svg/custom/text-use-click-crash-expected.txt 2013-01-08 04:39:39 UTC (rev 139029)
@@ -0,0 +1 @@
+PASS
Added: trunk/LayoutTests/svg/custom/text-use-click-crash.xhtml (0 => 139029)
--- trunk/LayoutTests/svg/custom/text-use-click-crash.xhtml (rev 0)
+++ trunk/LayoutTests/svg/custom/text-use-click-crash.xhtml 2013-01-08 04:39:39 UTC (rev 139029)
@@ -0,0 +1,33 @@
+<html xmlns="http://www.w3.org/1999/xhtml">
+<body>
+<svg viewBox="0 0 480 360" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://www.w3.org/2000/svg">
+ <text font-size="58em" id="target">XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</text>
+ <use xlink:href=""
+</svg>
+<script><![CDATA[
+if (window.testRunner) {
+ testRunner.waitUntilDone();
+ testRunner.dumpAsText();
+}
+
+function keyDownMouseClick(x1, y1, x2, y2)
+{
+ if (!window.eventSender)
+ return;
+ eventSender.mouseMoveTo(x1, y1);
+ eventSender.mouseDown();
+ eventSender.mouseMoveTo(x2, y2);
+ eventSender.mouseUp();
+}
+
+target = document.getElementById("target");
+keyDownMouseClick(266, 322, 0, 0);
+target.setAttribute("requiredFeatures", "unknown_feature");
+keyDownMouseClick(226, 322, 0, 0);
+
+document.body.innerHTML = "PASS";
+testRunner.notifyDone();
+
+]]></script>
+</body>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (139028 => 139029)
--- trunk/Source/WebCore/ChangeLog 2013-01-08 04:24:14 UTC (rev 139028)
+++ trunk/Source/WebCore/ChangeLog 2013-01-08 04:39:39 UTC (rev 139029)
@@ -1,5 +1,28 @@
2013-01-07 Hajime Morrita <morr...@google.com>
+ Document::m_activeNode should be always an Element.
+ https://bugs.webkit.org/show_bug.cgi?id=106193
+
+ Reviewed by Ryosuke Niwa.
+
+ r137277 tightened an invariant that assumes that active node is
+ always an element. But Document::updateHoverActiveState() didn't
+ respect that assumption. This change forces it.
+
+ Test: svg/custom/text-use-click-crash.html
+
+ * dom/Document.cpp:
+ (WebCore::Document::removedLastRef):
+ (WebCore::Document::detach):
+ (WebCore::Document::setActiveNode):
+ (WebCore::Document::activeChainNodeDetached):
+ (WebCore::Document::updateHoverActiveState):
+ * dom/Document.h:
+ (WebCore::Document::activeElement): Renamed from m_activeNode for the clarification.
+ (Document):
+
+2013-01-07 Hajime Morrita <morr...@google.com>
+
WebKit should compile on Mac with --shadow-dom
https://bugs.webkit.org/show_bug.cgi?id=105469
Modified: trunk/Source/WebCore/dom/Document.cpp (139028 => 139029)
--- trunk/Source/WebCore/dom/Document.cpp 2013-01-08 04:24:14 UTC (rev 139028)
+++ trunk/Source/WebCore/dom/Document.cpp 2013-01-08 04:39:39 UTC (rev 139029)
@@ -688,7 +688,7 @@
m_docType = 0;
m_focusedNode = 0;
m_hoverNode = 0;
- m_activeNode = 0;
+ m_activeElement = 0;
m_titleElement = 0;
m_documentElement = 0;
m_contextFeatures = ContextFeatures::defaultSwitch();
@@ -2091,7 +2091,7 @@
m_hoverNode = 0;
m_focusedNode = 0;
- m_activeNode = 0;
+ m_activeElement = 0;
ContainerNode::detach();
@@ -3220,7 +3220,12 @@
void Document::setActiveNode(PassRefPtr<Node> newActiveNode)
{
- m_activeNode = newActiveNode;
+ if (!newActiveNode) {
+ m_activeElement.clear();
+ return;
+ }
+
+ m_activeElement = newActiveNode->isElementNode() ? toElement(newActiveNode.get()) : newActiveNode->parentElement();
}
void Document::focusedNodeRemoved()
@@ -3261,12 +3266,12 @@
void Document::activeChainNodeDetached(Node* node)
{
- if (!m_activeNode || (node != m_activeNode && (!m_activeNode->isTextNode() || node != m_activeNode->parentNode())))
+ if (!m_activeElement || (node != m_activeElement && (!m_activeElement->isTextNode() || node != m_activeElement->parentNode())))
return;
- m_activeNode = node->parentNode();
- while (m_activeNode && !m_activeNode->renderer())
- m_activeNode = m_activeNode->parentNode();
+ m_activeElement = node->parentElement();
+ while (m_activeElement && !m_activeElement->renderer())
+ m_activeElement = m_activeElement->parentElement();
}
#if ENABLE(DASHBOARD_SUPPORT) || ENABLE(DRAGGABLE_REGION)
@@ -5793,7 +5798,7 @@
Node* innerNodeInDocument = result.innerNode();
ASSERT(!innerNodeInDocument || innerNodeInDocument->document() == this);
- Node* oldActiveNode = activeNode();
+ Node* oldActiveNode = activeElement();
if (oldActiveNode && !request.active()) {
// We are clearing the :active chain because the mouse has been released.
for (RenderObject* curr = oldActiveNode->renderer(); curr; curr = curr->parent()) {
@@ -5812,12 +5817,13 @@
if (curr->node() && !curr->isText())
m_userActionElements.setInActiveChain(curr->node(), true);
}
+
setActiveNode(newActiveNode);
}
}
// If the mouse has just been pressed, set :active on the chain. Those (and only those)
// nodes should remain :active until the mouse is released.
- bool allowActiveChanges = !oldActiveNode && activeNode();
+ bool allowActiveChanges = !oldActiveNode && activeElement();
// If the mouse is down and if this is a mouse move event, we want to restrict changes in
// :hover/:active to only apply to elements that are in the :active chain that we froze
Modified: trunk/Source/WebCore/dom/Document.h (139028 => 139029)
--- trunk/Source/WebCore/dom/Document.h 2013-01-08 04:24:14 UTC (rev 139028)
+++ trunk/Source/WebCore/dom/Document.h 2013-01-08 04:39:39 UTC (rev 139029)
@@ -701,7 +701,7 @@
Node* hoverNode() const { return m_hoverNode.get(); }
void setActiveNode(PassRefPtr<Node>);
- Node* activeNode() const { return m_activeNode.get(); }
+ Element* activeElement() const { return m_activeElement.get(); }
void focusedNodeRemoved();
void removeFocusedNodeOfSubtree(Node*, bool amongChildrenOnly = false);
@@ -1341,7 +1341,7 @@
RefPtr<Node> m_focusedNode;
RefPtr<Node> m_hoverNode;
- RefPtr<Node> m_activeNode;
+ RefPtr<Element> m_activeElement;
RefPtr<Element> m_documentElement;
UserActionElementSet m_userActionElements;
