Title: [193713] branches/safari-601.1.46-branch

Diff

Modified: branches/safari-601.1.46-branch/LayoutTests/ChangeLog (193712 => 193713)


--- branches/safari-601.1.46-branch/LayoutTests/ChangeLog	2015-12-08 08:08:16 UTC (rev 193712)
+++ branches/safari-601.1.46-branch/LayoutTests/ChangeLog	2015-12-08 08:10:36 UTC (rev 193713)
@@ -1,5 +1,20 @@
 2015-12-08  Babak Shafiei  <bshaf...@apple.com>
 
+        Merge r192316.
+
+    2015-11-10  Jon Honeycutt  <jhoneyc...@apple.com>
+
+            Crash loading Blink layout test fast/parser/strip-script-attrs-on-input.html
+            https://bugs.webkit.org/show_bug.cgi?id=150201
+            <rdar://problem/23136478>
+
+            Reviewed by Brent Fulgham.
+
+            * fast/parser/strip-script-attrs-on-input-expected.txt: Added.
+            * fast/parser/strip-script-attrs-on-input.html: Added.
+
+2015-12-08  Babak Shafiei  <bshaf...@apple.com>
+
         Merge r192281.
 
     2015-11-10  Brent Fulgham  <bfulg...@apple.com>

Copied: branches/safari-601.1.46-branch/LayoutTests/fast/parser/strip-script-attrs-on-input-expected.txt (from rev 193704, branches/safari-601.1.46.60-branch/LayoutTests/fast/parser/strip-script-attrs-on-input-expected.txt) (0 => 193713)


--- branches/safari-601.1.46-branch/LayoutTests/fast/parser/strip-script-attrs-on-input-expected.txt	                        (rev 0)
+++ branches/safari-601.1.46-branch/LayoutTests/fast/parser/strip-script-attrs-on-input-expected.txt	2015-12-08 08:10:36 UTC (rev 193713)
@@ -0,0 +1 @@
+Text for WebKit bug #150201. Test passes if it does not crash in an ASan build.
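
Review bot: the pass condition in this expected-output line only means something in an ASan build, so on a non-ASan bot the test can print this text and pass without detecting a regression. If the crash cannot be made deterministic without ASan, say so in the ChangeLog entry so that a pass on a release bot is not read as coverage. Separately, "Text for WebKit bug" looks like a typo for "Test for WebKit bug"; if it is corrected, the same sentence in strip-script-attrs-on-input.html has to change with it or the text dump will no longer match.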

Copied: branches/safari-601.1.46-branch/LayoutTests/fast/parser/strip-script-attrs-on-input.html (from rev 193704, branches/safari-601.1.46.60-branch/LayoutTests/fast/parser/strip-script-attrs-on-input.html) (0 => 193713)


--- branches/safari-601.1.46-branch/LayoutTests/fast/parser/strip-script-attrs-on-input.html	                        (rev 0)
+++ branches/safari-601.1.46-branch/LayoutTests/fast/parser/strip-script-attrs-on-input.html	2015-12-08 08:10:36 UTC (rev 193713)
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<body>
+    <div contenteditable="true" id="target">
+        <input _onblur_="_javascript_:false;" _onclick_="_javascript_:false;" type="text"/>
+    </div>
+    <script>
+        if (window.testRunner) {
+            testRunner.dumpAsText();
+            testRunner.waitUntilDone();
+        }
+
+        requestAnimationFrame(function() {
+            var target = document.getElementById("target");
+            var selection = window.getSelection();
+            var range = document.createRange();
+            range.selectNodeContents(target);
+            selection.addRange(range);
+
+            document.execCommand("Cut");
+            document.execCommand("Paste");
+
+            target.innerHTML = '';
+            testRunner.notifyDone();
+        });
+    </script>
+    <p>
+        Text for WebKit bug #<a href=""
+        Test passes if it does not crash in an ASan build.
+    </p>
+</body>
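
Review bot: `testRunner.notifyDone();` inside the requestAnimationFrame callback is not guarded, although the `dumpAsText()`/`waitUntilDone()` calls above it sit behind `if (window.testRunner)`. Opened by hand in a browser, the page throws at that line after the Cut/Paste sequence; wrap the call in the same `if (window.testRunner)` check so the test can also be run manually when investigating the crash. Also, as shown here the `<a href=""` on the bug-link line is never closed, so check that the committed file carries the complete link to bug 150201.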

Modified: branches/safari-601.1.46-branch/Source/WebCore/ChangeLog (193712 => 193713)


--- branches/safari-601.1.46-branch/Source/WebCore/ChangeLog	2015-12-08 08:08:16 UTC (rev 193712)
+++ branches/safari-601.1.46-branch/Source/WebCore/ChangeLog	2015-12-08 08:10:36 UTC (rev 193713)
@@ -1,5 +1,25 @@
 2015-12-08  Babak Shafiei  <bshaf...@apple.com>
 
+        Merge r192316.
+
+    2015-11-10  Jon Honeycutt  <jhoneyc...@apple.com>
+
+            Crash loading Blink layout test fast/parser/strip-script-attrs-on-input.html
+            https://bugs.webkit.org/show_bug.cgi?id=150201
+            <rdar://problem/23136478>
+
+            Reviewed by Brent Fulgham.
+
+            Test: fast/parser/strip-script-attrs-on-input.html
+
+            * html/parser/HTMLTreeBuilder.cpp:
+            (WebCore::HTMLTreeBuilder::processStartTagForInBody):
+            Get the attribute after calling
+            HTMLConstructionSite::insertSelfClosingHTMLElement(), as this may
+            mutate the token's attributes.
+
+2015-12-08  Babak Shafiei  <bshaf...@apple.com>
+
         Merge r192281.
 
     2015-11-10  Brent Fulgham  <bfulg...@apple.com>

Modified: branches/safari-601.1.46-branch/Source/WebCore/html/parser/HTMLTreeBuilder.cpp (193712 => 193713)


--- branches/safari-601.1.46-branch/Source/WebCore/html/parser/HTMLTreeBuilder.cpp	2015-12-08 08:08:16 UTC (rev 193712)
+++ branches/safari-601.1.46-branch/Source/WebCore/html/parser/HTMLTreeBuilder.cpp	2015-12-08 08:10:36 UTC (rev 193713)
@@ -774,9 +774,9 @@
         return;
     }
     if (token.name() == inputTag) {
-        Attribute* typeAttribute = findAttribute(token.attributes(), typeAttr);
         m_tree.reconstructTheActiveFormattingElements();
         m_tree.insertSelfClosingHTMLElement(&token);
+        Attribute* typeAttribute = findAttribute(token.attributes(), typeAttr);
         if (!typeAttribute || !equalIgnoringCase(typeAttribute->value(), "hidden"))
             m_framesetOk = false;
         return;
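
Review bot: the `findAttribute(token.attributes(), typeAttr)` lookup now has to stay below `m_tree.insertSelfClosingHTMLElement(&token)`, but nothing in the code says so. The reason is given only in the ChangeLog (the insert may mutate the token's attributes), and a later cleanup could move the lookup back above the insert and bring the crash back. Add a one-line comment above the lookup stating that the attribute pointer must be fetched after the insert because the insert can change the token's attribute list.
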
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
