Title: [91895] trunk
- Revision
- 91895
- Author
- morr...@google.com
- Date
- 2011-07-27 20:44:57 -0700 (Wed, 27 Jul 2011)
Log Message
Source/WebCore: Inconsistent state of TreeScope reference.
https://bugs.webkit.org/show_bug.cgi?id=65235
The tree scope pointers on shadow tree nodes didn't cleared.
even when the tree scope (shadow root) is destroyed.
This change clear these poitners before detaching the shadow root.
Reviewed by Dimitri Glazkov.
Test: fast/dom/shadow/tree-scope-crash.html
* dom/Element.cpp:
(WebCore::Element::removeShadowRoot):
LayoutTests: Inconsistent state of TreeScope reference.
https://bugs.webkit.org/show_bug.cgi?id=65235
Reviewed by Dimitri Glazkov.
* fast/dom/shadow/tree-scope-crash-expected.txt: Added.
* fast/dom/shadow/tree-scope-crash.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (91894 => 91895)
--- trunk/LayoutTests/ChangeLog 2011-07-28 03:25:19 UTC (rev 91894)
+++ trunk/LayoutTests/ChangeLog 2011-07-28 03:44:57 UTC (rev 91895)
@@ -1,3 +1,13 @@
+2011-07-27 MORITA Hajime <morr...@google.com>
+
+ Inconsistent state of TreeScope reference.
+ https://bugs.webkit.org/show_bug.cgi?id=65235
+
+ Reviewed by Dimitri Glazkov.
+
+ * fast/dom/shadow/tree-scope-crash-expected.txt: Added.
+ * fast/dom/shadow/tree-scope-crash.html: Added.
+
2011-07-27 Rachel Blum <gr...@chromium.org>
Implement sizes attribute for link tag from HTML5
Added: trunk/LayoutTests/fast/dom/shadow/tree-scope-crash-expected.txt (0 => 91895)
--- trunk/LayoutTests/fast/dom/shadow/tree-scope-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/dom/shadow/tree-scope-crash-expected.txt 2011-07-28 03:44:57 UTC (rev 91895)
@@ -0,0 +1,4 @@
+PASS unless crash
+
+
+
Added: trunk/LayoutTests/fast/dom/shadow/tree-scope-crash.html (0 => 91895)
--- trunk/LayoutTests/fast/dom/shadow/tree-scope-crash.html (rev 0)
+++ trunk/LayoutTests/fast/dom/shadow/tree-scope-crash.html 2011-07-28 03:44:57 UTC (rev 91895)
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script>
+RELOAD_THRESHOULD = 10;
+
+if (window.layoutTestController)
+ layoutTestController.waitUntilDone();
+
+Markup.noAutoDump();
+
+function assertMarkup(name, element, expected)
+{
+ var markup = Markup.get(element);
+}
+
+function currentCount()
+{
+ var match = /=(.*)/.exec(window.location.search)
+ if (!match)
+ return 0;
+ return parseInt(match[1]);
+}
+
+function runTest()
+{
+ var items = document.getElementsByTagName('li');
+ document.getElementById('testReplace').outerHTML = '<progress> node';
+ assertMarkup('replace', items[0], '| \n| "Replaced"\n| " node using outerHTML."');
+
+
+ var count = currentCount();
+ if (RELOAD_THRESHOULD <= count && window.layoutTestController) {
+ layoutTestController.notifyDone();
+ return;
+ }
+
+ document.getElementById("counter").value = (count + 1).toString();
+ document.getElementById("theForm").submit();
+}
+</script>
+</head>
+<body _onload_="runTest()">
+<h1>PASS unless crash</h1>
+<ul>
+ <li><span id="testReplace"></span></li>
+</ul>
+<form id="theForm">
+ <input id="counter" name="counter" value="">
+<form>
+</body>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (91894 => 91895)
--- trunk/Source/WebCore/ChangeLog 2011-07-28 03:25:19 UTC (rev 91894)
+++ trunk/Source/WebCore/ChangeLog 2011-07-28 03:44:57 UTC (rev 91895)
@@ -1,3 +1,19 @@
+2011-07-27 MORITA Hajime <morr...@google.com>
+
+ Inconsistent state of TreeScope reference.
+ https://bugs.webkit.org/show_bug.cgi?id=65235
+
+ The tree scope pointers on shadow tree nodes didn't cleared.
+ even when the tree scope (shadow root) is destroyed.
+ This change clear these poitners before detaching the shadow root.
+
+ Reviewed by Dimitri Glazkov.
+
+ Test: fast/dom/shadow/tree-scope-crash.html
+
+ * dom/Element.cpp:
+ (WebCore::Element::removeShadowRoot):
+
2011-07-27 Rachel Blum <gr...@chromium.org>
Implement sizes attribute for link tag from HTML5
Modified: trunk/Source/WebCore/dom/Element.cpp (91894 => 91895)
--- trunk/Source/WebCore/dom/Element.cpp 2011-07-28 03:25:19 UTC (rev 91894)
+++ trunk/Source/WebCore/dom/Element.cpp 2011-07-28 03:44:57 UTC (rev 91895)
@@ -1260,7 +1260,7 @@
oldRoot->detach();
oldRoot->setShadowHost(0);
-
+ oldRoot->setTreeScopeRecursively(document());
if (oldRoot->inDocument())
oldRoot->removedFromDocument();
else
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
