

@yellows8

yellows8/oss.diff Secret

Created Feb 24, 2016
Old3DS browser v10.2.0 -> v10.6.0 OSS diff.
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/WKC/JavaScriptCore/wtf/WKC/FastMallocDebugWKC.cpp b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/WKC/JavaScriptCore/wtf/WKC/FastMallocDebugWKC.cpp
index f839452..59441db 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/WKC/JavaScriptCore/wtf/WKC/FastMallocDebugWKC.cpp
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/WKC/JavaScriptCore/wtf/WKC/FastMallocDebugWKC.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) 2010,2011 ACCESS CO., LTD. All rights reserved.
+// Copyright (c) 2010,2011,2016 ACCESS CO., LTD. All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
@@ -1132,6 +1132,8 @@ static void attachAddressInfo(MemoryInfo& inMemInfo, UsedMemoryInfo& inUsedMemIn
{
const int index = findSpanInfo(inMemInfo, inUsedMemInfo, cl);
ASSERT(index >= 0 && index < (int)inMemInfo.numSpanArray);
+ if (!(index >= 0 && index < (int)inMemInfo.numSpanArray))
+ return;
SpanInfo* spanInfo = inMemInfo.spanPtrArray[index];
spanInfo->requestedSize += inUsedMemInfo.requestSize;
if (needUsedMemory) {
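Review bot: The new early return silently drops the allocation from the debug accounting when findSpanInfo reports no span, so in non-debug builds a failure that the ASSERT says cannot happen leaves `requestedSize` under-counted with no trace; at least log or count the miss before returning. The guard also repeats the ASSERT's expression, and the two will drift the first time one is edited: `const bool inRange = index >= 0 && index < (int)inMemInfo.numSpanArray; ASSERT(inRange); if (!inRange) return;`. attachAddressInfo continues past the end of this hunk.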
@@ -2324,12 +2326,16 @@ static bool initializeStackTrace()
bool ret = false;
#if ENABLE(WKC_FASTMALLOC_WIN_STACK_TRACE)
- gCurProcess = GetCurrentProcess();
+ static bool initialized = false;
+ if (!initialized) {
+ initialized = true;
+ gCurProcess = GetCurrentProcess();
- SymSetOptions(SYMOPT_LOAD_LINES | SYMOPT_UNDNAME | SYMOPT_DEFERRED_LOADS | SYMOPT_OMAP_FIND_NEAREST);
+ SymSetOptions(SYMOPT_LOAD_LINES | SYMOPT_UNDNAME | SYMOPT_DEFERRED_LOADS | SYMOPT_OMAP_FIND_NEAREST);
- if (!SymInitialize(gCurProcess, NULL, TRUE)) {
- goto exit_func;
+ if (!SymInitialize(gCurProcess, NULL, TRUE)) {
+ goto exit_func;
+ }
}
#endif /* ENABLE(WKC_FASTMALLOC_WIN_STACK_TRACE) */
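Review bot: `initialized` is set to true before SymInitialize is attempted, so a single failure makes every later call skip the block and the symbol handler can never be initialised for the rest of the process. Set the flag only on success, i.e. move `initialized = true;` to just after the `if (!SymInitialize(...)) goto exit_func;` check. A plain function-local `static bool` is also not safe if two threads race into this function, though as Windows-only debug code that may be acceptable. initializeStackTrace continues past the end of this hunk.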
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/WKC/WebCore/platform/graphics/WKC/PlatformPathWKC.cpp b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/WKC/WebCore/platform/graphics/WKC/PlatformPathWKC.cpp
index 585294f..08ef693 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/WKC/WebCore/platform/graphics/WKC/PlatformPathWKC.cpp
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/WKC/WebCore/platform/graphics/WKC/PlatformPathWKC.cpp
@@ -258,6 +258,8 @@ static void addArcPoints(PathPolygon& poly, const PlatformPathElement::ArcTo& da
double curAngle = startPoint - data.m_center;
double endAngle = data.m_end - data.m_center;
double angleStep = 2. / std::max(data.m_radius.m_x, data.m_radius.m_y);
+ if (fabs(angleStep) < 1E-10)
+ return;
if (data.m_clockwise) {
if (endAngle <= curAngle || startPoint == data.m_end)
endAngle += 2 * piDouble;
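Review bot: The `fabs(angleStep) < 1E-10` guard stops a very large radius from producing a step so small that the arc loop effectively never terminates, but a NaN radius yields a NaN step and `fabs(NaN) < 1E-10` is false, so that case still reaches the loop. Writing the test as `if (!(fabs(angleStep) >= 1E-10)) return;` rejects NaN as well with no other change in behaviour. A zero or negative maximum radius gives an infinite or negative step; what that does depends on the loop condition, which lies outside this hunk.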
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/WKC/WebCore/platform/network/WKC/ResourceHandleManager.cpp b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/WKC/WebCore/platform/network/WKC/ResourceHandleManager.cpp
index 754e2c8..dc3ba1e 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/WKC/WebCore/platform/network/WKC/ResourceHandleManager.cpp
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/WKC/WebCore/platform/network/WKC/ResourceHandleManager.cpp
@@ -12,7 +12,7 @@
* Copyright (C) 2009 Appcelerator Inc.
* Copyright (C) 2009 Brent Fulgham <bfulgham@webkit.org>
* All rights reserved.
- * Copyright (c) 2010-2013 ACCESS CO., LTD. All rights reserved.
+ * Copyright (c) 2010-2013, 2016 ACCESS CO., LTD. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -1471,9 +1471,11 @@ static void parseDataUrl(ResourceHandle* job)
{
FUNCTIONPRINTF(("<rhm>parseDataUrl(%p)", job));
- ResourceHandleClient* client = job->client();
- ASSERT(client);
- if (!client)
+ if (!job || job->getInternal()->m_cancelled)
+ return;
+
+ ASSERT(job->client());
+ if (!job->client())
return;
String url = job->request().url().string();
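Review bot: The rewrite stops caching `client` and re-reads `job->client()` before every callback, but nothing in the function says why, and the next maintainer will be tempted to hoist it back into a local. Add a comment after the cancel guard: `// Never cache job->client(): any client callback below may cancel the job or detach the client, so both m_cancelled and client() are re-read after each call.` Whether `job->getInternal()` can itself be null cannot be told from here; if it can, the new guard dereferences it unchecked.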
@@ -1481,7 +1483,7 @@ static void parseDataUrl(ResourceHandle* job)
int index = url.find(',');
if (index == -1) {
- client->cannotShowURL(job);
+ job->client()->cannotShowURL(job);
return;
}
@@ -1506,18 +1508,21 @@ static void parseDataUrl(ResourceHandle* job)
if (base64) {
data = decodeURLEscapeSequences(data);
response.setTextEncodingName(charset);
- client->didReceiveResponse(job, response);
if (job->getInternal()->m_cancelled)
return;
- client = job->client();
+ if (job->client())
+ job->client()->didReceiveResponse(job, response);
+
+ if (job->getInternal()->m_cancelled)
+ return;
// WebCore's decoder fails on Acid3 test 97 (whitespace).
Vector<char> out;
- if (client && base64Decode(data.latin1().data(), data.latin1().length(), out) && out.size() > 0) {
- client->willReceiveData(job, out.size());
+ if (job->client() && base64Decode(data.latin1().data(), data.latin1().length(), out) && out.size() > 0) {
+ job->client()->willReceiveData(job, out.size());
if (job->getInternal()->m_cancelled)
return;
- client->didReceiveData(job, out.data(), out.size(), 0);
+ job->client()->didReceiveData(job, out.data(), out.size(), 0);
if (job->getInternal()->m_cancelled)
return;
}
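Review bot: In the base64 branch `didReceiveData` is invoked right after `willReceiveData` with only `m_cancelled` re-checked, whereas the UTF-16 branch later in this function re-tests `job->client()` before its `didReceiveData`; if `willReceiveData` can detach the client without cancelling, this branch dereferences null. Make the two branches consistent: `if (job->client()) job->client()->didReceiveData(job, out.data(), out.size(), 0);`. Separately, `data.latin1()` is evaluated twice in the condition, building two CString temporaries; hoisting `CString latin1 = data.latin1();` above the `if` avoids the second conversion.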
@@ -1525,23 +1530,24 @@ static void parseDataUrl(ResourceHandle* job)
// We have to convert to UTF-16 early due to limitations in KURL
data = decodeURLEscapeSequences(data, TextEncoding(charset));
response.setTextEncodingName("UTF-16");
- client->didReceiveResponse(job, response);
+ if (job->client())
+ job->client()->didReceiveResponse(job, response);
if (job->getInternal()->m_cancelled)
return;
- client = job->client();
- if (client && data.length() > 0) {
- client->willReceiveData(job, data.length() * sizeof(UChar));
+ if (job->client() && data.length() > 0) {
+ job->client()->willReceiveData(job, data.length() * sizeof(UChar));
if (job->getInternal()->m_cancelled)
return;
- client->didReceiveData(job, reinterpret_cast<const char*>(data.characters()), data.length() * sizeof(UChar), 0);
+ if (job->client())
+ job->client()->didReceiveData(job, reinterpret_cast<const char*>(data.characters()), data.length() * sizeof(UChar), 0);
if (job->getInternal()->m_cancelled)
return;
}
}
- if (client)
- client->didFinishLoading(job);
+ if (job->client())
+ job->client()->didFinishLoading(job);
}
void ResourceHandleManager::dispatchSynchronousJob(ResourceHandle* job)
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/WKC/WebCore/platform/network/WKC/ResourceHandleManagerSSL.cpp b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/WKC/WebCore/platform/network/WKC/ResourceHandleManagerSSL.cpp
index 0c9970f..6e2e7ba 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/WKC/WebCore/platform/network/WKC/ResourceHandleManagerSSL.cpp
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/WKC/WebCore/platform/network/WKC/ResourceHandleManagerSSL.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2010,2011 ACCESS CO., LTD. All rights reserved.
+ * Copyright (c) 2010,2011,2016 ACCESS CO., LTD. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -504,7 +504,7 @@ void ResourceHandleManagerSSL::initializeHandleSSL(ResourceHandle* job)
curl_easy_setopt(d->m_handle, CURLOPT_SSL_STATE_FUNCTION, ssl_state_callback);
curl_easy_setopt(d->m_handle, CURLOPT_SSL_STATE_DATA, job);
- curl_easy_setopt(d->m_handle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
+ curl_easy_setopt(d->m_handle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1|CURL_SSLVERSION_TLSv1_1|CURL_SSLVERSION_TLSv1_2);
curl_easy_setopt(d->m_handle, CURLOPT_CERTINFO, 1L);
if (allowsServerHost(SSLhostAndPort(kurl))) {
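Review bot: In stock libcurl the `CURL_SSLVERSION_*` constants are enumerator values, not bit flags, so `CURL_SSLVERSION_TLSv1|CURL_SSLVERSION_TLSv1_1|CURL_SSLVERSION_TLSv1_2` evaluates to 7, a value that libcurl of this era rejects as an unsupported version; because the return code of `curl_easy_setopt` is discarded, the handle would then silently keep the default version policy rather than the intended TLS-1.x-only one. Unless the bundled libcurl was modified to treat these as flags, the original `CURL_SSLVERSION_TLSv1` (which in libcurl 7.34+ already means "TLS 1.0 or later, negotiate the highest") is the correct value, and the result should be checked: `CURLcode rc = curl_easy_setopt(d->m_handle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1); ASSERT(rc == CURLE_OK);`. Whether the bundled libcurl is one where `CURL_SSLVERSION_TLSv1` means TLS 1.0 only (pre-7.34) cannot be told from this diff and is worth confirming, since that would be the one reason to want a broader setting.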
@@ -516,6 +516,8 @@ void ResourceHandleManagerSSL::initializeHandleSSL(ResourceHandle* job)
curl_easy_setopt(d->m_handle, CURLOPT_SSL_VERIFYPEER, 1);
}
+ curl_easy_setopt(d->m_handle, CURLOPT_SSL_CIPHER_LIST, "ALL:!aNULL:!eNULL:!SSLv2:!RC2:!RC4:!DES:!EXPORT56:!ADH:+HIGH:+MEDIUM:!LOW");
+
d->m_SSLVerifyPeerResult = 0;
d->m_SSLVerifyHostResult = 0;
d->m_certChain = 0;
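Review bot: The new cipher string uses `+HIGH:+MEDIUM`, but in OpenSSL cipher-list syntax `+` does not add ciphers, it moves already-selected matches to the end of the list, so after `ALL` this only reorders; and `!EXPORT56` removes just the 56-bit export suites, while `!EXPORT` removes all of them. Single DES is excluded but 3DES (MEDIUM) and the MD5-MAC suites remain; if compatibility allows, `"ALL:!aNULL:!eNULL:!SSLv2:!RC2:!RC4:!DES:!EXPORT:!ADH:!LOW:!MD5"` states the intent directly. As with the version option above, the return code is discarded, so a string the backend does not accept would leave the default cipher list in place unnoticed; the exact syntax accepted depends on which TLS backend this libcurl is built against, which the diff does not show.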
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/WKC/WebCore/platform/text/WKC/TextCodecWKC.cpp b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/WKC/WebCore/platform/text/WKC/TextCodecWKC.cpp
index c252799..2ffb433 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/WKC/WebCore/platform/text/WKC/TextCodecWKC.cpp
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/WKC/WebCore/platform/text/WKC/TextCodecWKC.cpp
@@ -3,7 +3,7 @@
* Copyright (C) 2006 Alexey Proskuryakov <ap@nypop.com>
* Copyright (C) 2008 Jurg Billeter <j@bitron.ch>
* Copyright (C) 2009 Dominik Rottsches <dominik.roettsches@access-company.com>
- * Copyright (c) 2010,2011 ACCESS CO., LTD. All rights reserved.
+ * Copyright (c) 2010,2011,2016 ACCESS CO., LTD. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -447,16 +447,30 @@ TextCodecWKC::decode(const char* str, size_t length, bool flush, bool stopOnErro
}
CString
-TextCodecWKC::encode(const UChar* str, size_t length, UnencodableHandling)
+TextCodecWKC::encode(const UChar* str, size_t length, UnencodableHandling handling)
{
int len, len2;
char* buf = NULL;
int remains = 0;
CString ret;
+ int fallback = WKC_I18N_ENCODEERRORFALLBACK_NONE;
if (!str || !length) {
goto error_end;
}
+ switch (handling) {
+ case QuestionMarksForUnencodables:
+ fallback = WKC_I18N_ENCODEERRORFALLBACK_QUESTION;
+ break;
+ case EntitiesForUnencodables:
+ fallback = WKC_I18N_ENCODEERRORFALLBACK_ESCAPE_XML_DECIMAL;
+ break;
+ case URLEncodedEntitiesForUnencodables:
+ fallback = WKC_I18N_ENCODEERRORFALLBACK_ESCAPE_URLENCODE;
+ break;
+ default:
+ break;
+ }
// should we consider dividing between surrogate pair ?
// 100331 ACCESS Co.,Ltd.
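Review bot: All three `UnencodableHandling` enumerators are mapped in the new switch, so the `default` arm is reachable only if a new enumerator is added later, and in that case the encoder would silently fall back to `WKC_I18N_ENCODEERRORFALLBACK_NONE` rather than the caller's requested policy. If `ASSERT_NOT_REACHED()` is available in this file, `default: ASSERT_NOT_REACHED(); break;` makes that visible in debug builds. A one-line comment on the declaration, `// how wkcI18NEncodePeer substitutes characters the target encoding cannot represent`, would also help, since the WKC_I18N_* names are opaque here.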
@@ -467,14 +481,14 @@ TextCodecWKC::encode(const UChar* str, size_t length, UnencodableHandling)
goto error_end;
}
}
- len = wkcI18NEncodePeer(m_encoder, str, length, NULL, NULL, &remains);
+ len = wkcI18NEncodePeer(m_encoder, str, length, NULL, NULL, &remains, fallback);
if (len<=0) {
goto error_end;
}
len += wkcI18NFlushEncodeStatePeer(m_encoder, false, NULL, NULL);
ret = CString::newUninitialized(len, buf);
- len2 = wkcI18NEncodePeer(m_encoder, str, length, buf, len, &remains);
+ len2 = wkcI18NEncodePeer(m_encoder, str, length, buf, len, &remains, fallback);
wkcI18NFlushEncodeStatePeer(m_encoder, false, buf + len2, len - len2);
return ret;
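Review bot: The return value of the second `wkcI18NEncodePeer` call is never validated against the buffer the first call sized, yet `len2` is then used as an offset into `buf` and `len - len2` as the remaining capacity handed to `wkcI18NFlushEncodeStatePeer`; a negative result, or one larger than `len`, would point the flush outside the allocation. Whether the sizing pass and the real pass can disagree depends on the encoder, which is not visible here, but the check is cheap: insert `if (len2 < 0 || len2 > len) goto error_end;` between the second encode call and the flush. The flush's own return value is also ignored on the real pass, so a short flush cannot be detected either.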
@@ -482,32 +496,32 @@ TextCodecWKC::encode(const UChar* str, size_t length, UnencodableHandling)
error_end:
return CString("");
}
-
-// returned value: 0 or more if succeeded, -1 if failed.
-int
-TextCodecWKC::getDecodedTextLength(const char* str, size_t length)
-{
- int ulen = 0;
-
- if (!m_decoder) {
- m_decoder = wkcI18NBeginDecodePeer(m_codecId);
- if (!m_decoder) {
- return -1;
- }
- }
-
- if (!str || !length) {
- return 0;
- }
-
- wkcI18NSaveDecodeStatePeer(m_decoder);
- ulen = decode(str, length, 0, 0);
- wkcI18NRestoreDecodeStatePeer(m_decoder);
- if (ulen < 0) {
- return -1;
- }
-
- return ulen;
-}
+
+// returned value: 0 or more if succeeded, -1 if failed.
+int
+TextCodecWKC::getDecodedTextLength(const char* str, size_t length)
+{
+ int ulen = 0;
+
+ if (!m_decoder) {
+ m_decoder = wkcI18NBeginDecodePeer(m_codecId);
+ if (!m_decoder) {
+ return -1;
+ }
+ }
+
+ if (!str || !length) {
+ return 0;
+ }
+
+ wkcI18NSaveDecodeStatePeer(m_decoder);
+ ulen = decode(str, length, 0, 0);
+ wkcI18NRestoreDecodeStatePeer(m_decoder);
+ if (ulen < 0) {
+ return -1;
+ }
+
+ return ulen;
+}
} // namespace WebCore
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/WKC/WebKit/WKC/WebCoreSupport/FrameLoaderClientWKC.cpp b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/WKC/WebKit/WKC/WebCoreSupport/FrameLoaderClientWKC.cpp
index 11f0260..a6efe85 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/WKC/WebKit/WKC/WebCoreSupport/FrameLoaderClientWKC.cpp
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/WKC/WebKit/WKC/WebCoreSupport/FrameLoaderClientWKC.cpp
@@ -614,8 +614,9 @@ FrameLoaderClientWKC::createFrame(const WebCore::KURL& url, const WebCore::Strin
if (!child) return 0;
RefPtr<WebCore::Frame> childframe = adoptRef(child->privateFrame()->core());
- frame->tree()->appendChild(childframe);
+
childframe->tree()->setName(name);
+ frame->tree()->appendChild(childframe);
childframe->init();
if (!childframe->page()) {
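Review bot: Calling `setName` before `appendChild` changes what the name means if this WebKit's `FrameTree::setName` derives the unique child name from `parent()` (as it does in WebKit of this vintage): with no parent yet, the unique name is taken verbatim, so two sibling frames with the same `name` attribute would no longer be disambiguated, which affects `window.open`/`target` lookups. If the reorder is needed for another reason, please say so in a comment above `setName`, and consider re-deriving the unique name after the frame is attached. createFrame continues past the end of this hunk.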
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/WKC/WebKit/WKC/webkit/WKCVersion.h b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/WKC/WebKit/WKC/webkit/WKCVersion.h
index fc153c4..09d458a 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/WKC/WebKit/WKC/webkit/WKCVersion.h
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/WKC/WebKit/WKC/webkit/WKCVersion.h
@@ -1,7 +1,7 @@
/*
* WKCVersion.h
*
- * Copyright (c) 2013-2015 ACCESS CO., LTD. All rights reserved.
+ * Copyright (c) 2013-2016 ACCESS CO., LTD. All rights reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Library General Public
@@ -29,7 +29,7 @@
#define WKC_VERSION_CHECK(major, minor, micro) \
(((major)*10000) + ((minor)*100) + (micro)) >= ((WKC_VERSION_MAJOR*10000) + (WKC_VERSION_MINOR*100) + (WKC_VERSION_MICRO))
-#define WKC_CUSTOMER_RELEASE_VERSION "1.8.17"
+#define WKC_CUSTOMER_RELEASE_VERSION "1.8.18"
#define WKC_WEBKIT_VERSION "532.7"
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/WKC/WebKit/WKC/webkit/WKCWebFrame.cpp b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/WKC/WebKit/WKC/webkit/WKCWebFrame.cpp
index a1a9d3a..948d983 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/WKC/WebKit/WKC/webkit/WKCWebFrame.cpp
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/WKC/WebKit/WKC/webkit/WKCWebFrame.cpp
@@ -216,7 +216,6 @@ WKCWebFrame::construct(WKCWebViewPrivate* view, WKCClientBuilders& builders, WKC
}
m_private = WKCWebFramePrivate::create(this, view, builders, owner);
if (!m_private) return false;
- m_private->core()->init();
return true;
}
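Review bot: With `core()->init()` removed here, `construct` now returns a frame whose core has not been initialised, and nothing in the function says who is responsible for that step. Add a comment in place of the removed line: `// Frame::init() is deliberately not called here: the owner calls it once the frame is attached to the tree (WKCWebViewPrivate::construct for the main frame, FrameLoaderClientWKC::createFrame for subframes).` WKCWebFrame::construct starts before this hunk.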
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/WKC/WebKit/WKC/webkit/WKCWebView.cpp b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/WKC/WebKit/WKC/webkit/WKCWebView.cpp
index 47ebea4..a1bcb40 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/WKC/WebKit/WKC/webkit/WKCWebView.cpp
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/WKC/WebKit/WKC/webkit/WKCWebView.cpp
@@ -11,7 +11,7 @@
Copyright (C) 2009 Igalia S.L.
Copyright (C) 2009 Movial Creative Technologies Inc.
Copyright (C) 2009 Bobby Powers
- Copyright (c) 2010-2013 ACCESS CO., LTD. All rights reserved.
+ Copyright (c) 2010-2015 ACCESS CO., LTD. All rights reserved.
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
@@ -160,6 +160,7 @@
#include "html/HTMLOptGroupElement.h"
#include "html/HTMLOptionElement.h"
#include "html/HTMLParser.h"
+#include "html/HTMLTokenizer.h"
#include "html/HTMLSelectElement.h"
#include "html/HTMLTableElement.h"
#include "html/HTMLTextAreaElement.h"
@@ -279,6 +280,7 @@ extern bool initializeSharedTimer();
extern void finalizeSharedTimer();
extern void RenderThemeWKC_resetVariables();
+extern void RenderSlider_resetVariables();
extern void CookieJar_resetVariables();
extern void JSImageDataCustom_deleteSharedInstance();
extern void JSImageDataCustom_resetVariables();
@@ -467,6 +469,7 @@ WKCWebViewPrivate::construct()
m_mainFrame = WKC::WKCWebFrame::create(this, m_clientBuilders);
if (!m_mainFrame) goto error_end;
+ m_mainFrame->privateFrame()->core()->init();
m_dropdownlist = WKC::DropDownListClientWKC::create(this);
if (!m_dropdownlist) goto error_end;
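Review bot: `core()->init()` is now invoked before the rest of the view (`m_dropdownlist` and whatever follows) is constructed; if `Frame::init()` starts the loader and calls back into the client, as it does in upstream WebKit, those callbacks run against a partly-built `WKCWebViewPrivate`, and a later `goto error_end` would tear down a view whose main frame has already begun loading. Moving `m_mainFrame->privateFrame()->core()->init();` to just before the successful return, after the last `goto error_end`, avoids both. The chained `privateFrame()->core()` is also dereferenced unchecked, though the null check on `m_mainFrame` above may be sufficient. WKCWebViewPrivate::construct continues past the end of this hunk.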
@@ -3594,6 +3597,7 @@ WKCWebKitResetVariables()
WebCore::HTMLOptGroupElement::resetVariables();
WebCore::HTMLOptionElement::resetVariables();
WebCore::HTMLParser::resetVariables();
+ WebCore::HTMLTokenizer::resetVariables();
WebCore::HTMLSelectElement::resetVariables();
WebCore::HTMLTableElement::resetVariables();
WebCore::HTMLTextAreaElement::resetVariables();
@@ -3614,6 +3618,7 @@ WKCWebKitResetVariables()
WebCore::Pasteboard::resetVariables();
WebCore::RenderThemeWKC_resetVariables();
+ WebCore::RenderSlider_resetVariables();
WebCore::ScrollbarTheme::resetVariables();
WebCore::HTMLElementFactory::resetVariables();
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/ChangeLog b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/ChangeLog
index bf0c440..69ad491 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/ChangeLog
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/ChangeLog
@@ -1,3 +1,144 @@
+2013-08-16 Filip Pizlo <fpizlo@apple.com>
+
+ Object properties added using dot syntax (o.f = ...) from code that isn't in eval should be less likely to cause an object to become a dictionary
+ https://bugs.webkit.org/show_bug.cgi?id=119897
+
+ Reviewed by Oliver Hunt.
+
+ 6-10x speed-up on microbenchmarks that create large static objects. 40-65% speed-up
+ on Octane/gbemu. 3% overall speed-up on Octane. No slow-downs anywhere; our ability
+ to turn objects into dictionaries when you're storing using bracket syntax or using
+ eval is still in place.
+
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::putByIdContext):
+ * dfg/DFGOperations.cpp:
+ * jit/JITStubs.cpp:
+ (JSC::DEFINE_STUB_FUNCTION):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * runtime/JSObject.h:
+ (JSC::JSObject::putDirectInternal):
+ * runtime/PutPropertySlot.h:
+ (JSC::PutPropertySlot::PutPropertySlot):
+ (JSC::PutPropertySlot::context):
+ * runtime/Structure.cpp:
+ (JSC::Structure::addPropertyTransition):
+ * runtime/Structure.h:
+
+2012-11-26 Daniel Bates <dbates@webkit.org>
+
+ JavaScript fails to handle String.replace() with large replacement string
+ https://bugs.webkit.org/show_bug.cgi?id=102956
+ <rdar://problem/12738012>
+
+ Reviewed by Oliver Hunt.
+
+ Fix an issue where we didn't check for overflow when computing the length
+ of the result of String.replace() with a large replacement string.
+
+ * runtime/StringPrototype.cpp:
+ (JSC::jsSpliceSubstringsWithSeparators):
+
+2011-10-18 Gavin Barraclough <barraclough@apple.com>
+
+ Array.prototype methods missing exception checks
+ https://bugs.webkit.org/show_bug.cgi?id=70360
+
+ Reviewed by Geoff Garen.
+
+ Missing exception checks after calls to the static getProperty helper,
+ these may result in the wrong exception being thrown (or an ASSERT being hit,
+ as is currently the case running test-262).
+
+ No performance impact.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncConcat):
+ (JSC::arrayProtoFuncReverse):
+ (JSC::arrayProtoFuncShift):
+ (JSC::arrayProtoFuncSlice):
+ (JSC::arrayProtoFuncSplice):
+ (JSC::arrayProtoFuncUnShift):
+ (JSC::arrayProtoFuncReduce):
+ (JSC::arrayProtoFuncReduceRight):
+ (JSC::arrayProtoFuncIndexOf):
+ (JSC::arrayProtoFuncLastIndexOf):
+
+2011-05-31 Yong Li <yoli@rim.com>
+
+ Reviewed by Eric Seidel.
+
+ https://bugs.webkit.org/show_bug.cgi?id=54807
+ We have been assuming plain bitfields (like "int a : 31") are always signed integers.
+ However some compilers can treat them as unsigned. For example, RVCT 4.0 states plain
+ bitfields (declared without either signed or unsigned qualifiers) are treats as unsigned.
+ http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0348c/Babjddhe.html
+ Although we can use "--signed-bitfields" flag to make RVCT 4.0 behave as most other compilers,
+ always using "signed"/"unsigned" qualifier to declare integral type bitfields is still a good
+ rule we should have in order to make our code independent from compilers and compiler flags.
+
+ No new test added because this change is not known to fix any issue.
+
+ * bytecode/StructureStubInfo.h:
+
+2011-04-12 Gavin Barraclough <barraclough@apple.com>
+
+ Reviewed by Oliver Hunt.
+
+ https://bugs.webkit.org/show_bug.cgi?id=58395
+ Exceptions thrown from property getters called from Array prototype functions can be missed
+
+ This is caught by an ASSERT in the top of Interpreter::executeCall.
+ Check for exceptions after accessing properties that could be getters.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncSort):
+ (JSC::arrayProtoFuncFilter):
+ (JSC::arrayProtoFuncMap):
+ (JSC::arrayProtoFuncEvery):
+ (JSC::arrayProtoFuncForEach):
+ (JSC::arrayProtoFuncSome):
+ (JSC::arrayProtoFuncReduce):
+ (JSC::arrayProtoFuncReduceRight):
+ - Add exception checks.
+
+2011-01-18 Oliver Hunt <oliver@apple.com>
+
+ Reviewed by Antti Koivisto.
+
+ [jsfunfuzz] Assertion in codegen for array of NaN constants
+ https://bugs.webkit.org/show_bug.cgi?id=52643
+
+ Don't cache NaN literals in the code generator, as NaN doesn't compare
+ as equal to itself it causes problems when rehashing the number cache.
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitLoad):
+
+2010-09-29 Sam Weinig <sam@webkit.org>
+
+ Reviewed by Darin Adler.
+
+ Add additional checks to StringBuffer.
+ <rdar://problem/7756381>
+
+ * wtf/text/StringBuffer.h:
+ (WTF::StringBuffer::StringBuffer):
+ (WTF::StringBuffer::resize):
+
+2010-01-13 Alexey Proskuryakov <ap@apple.com>
+
+ Reviewed by NOBODY (OOPS!).
+
+ https://bugs.webkit.org/show_bug.cgi?id=33641
+ Assertion failure in Lexer.cpp if input stream ends while in string escape
+
+ Test: fast/js/end-in-string-escape.html
+
+ * parser/Lexer.cpp: (JSC::Lexer::lex): Bail out quickly on end of stream, not giving the
+ assertion a chance to fire.
+
2010-01-08 Norbert Leser <norbert.leser@nokia.com>
Reviewed by Darin Adler.
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/bytecode/CodeBlock.h b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/bytecode/CodeBlock.h
index eb874cc..35275a7 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/bytecode/CodeBlock.h
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/bytecode/CodeBlock.h
@@ -36,6 +36,7 @@
#include "JSGlobalObject.h"
#include "JumpTable.h"
#include "Nodes.h"
+#include "PutPropertySlot.h"
#include "PtrAndFlags.h"
#include "RegExp.h"
#include "UString.h"
@@ -376,6 +377,12 @@ namespace JSC {
bool usesArguments() const { return m_usesArguments; }
CodeType codeType() const { return m_codeType; }
+ PutPropertySlot::Context putByIdContext() const
+ {
+ if (codeType() == EvalCode)
+ return PutPropertySlot::PutByIdEval;
+ return PutPropertySlot::PutById;
+ }
SourceProvider* source() const { return m_source.get(); }
unsigned sourceOffset() const { return m_sourceOffset; }
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/bytecode/StructureStubInfo.h b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/bytecode/StructureStubInfo.h
index 8e2c489..1d49245 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/bytecode/StructureStubInfo.h
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/bytecode/StructureStubInfo.h
@@ -140,8 +140,8 @@ namespace JSC {
seen = true;
}
- int accessType : 31;
- int seen : 1;
+ signed accessType : 31;
+ unsigned seen : 1;
union {
struct {
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
index 4cf543c..a050f22 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
@@ -985,8 +985,9 @@ RegisterID* BytecodeGenerator::emitLoad(RegisterID* dst, bool b)
RegisterID* BytecodeGenerator::emitLoad(RegisterID* dst, double number)
{
// FIXME: Our hash tables won't hold infinity, so we make a new JSNumberCell each time.
- // Later we can do the extra work to handle that like the other cases.
- if (number == HashTraits<double>::emptyValue() || HashTraits<double>::isDeletedValue(number))
+ // Later we can do the extra work to handle that like the other cases. They also don't
+ // work correctly with NaN as a key.
+ if (isnan(number) || number == HashTraits<double>::emptyValue() || HashTraits<double>::isDeletedValue(number))
return emitLoad(dst, jsNumber(globalData(), number));
JSValue& valueInMap = m_numberMap.add(number, JSValue()).first->second;
if (!valueInMap)
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/interpreter/Interpreter.cpp b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/interpreter/Interpreter.cpp
index ceee9b6..679f540 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/interpreter/Interpreter.cpp
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/interpreter/Interpreter.cpp
@@ -1679,7 +1679,11 @@ JSValue Interpreter::privateExecute(ExecutionFlag flag, RegisterFile* registerFi
JSValue dividend = callFrame->r(vPC[2].u.operand).jsValue();
JSValue divisor = callFrame->r(vPC[3].u.operand).jsValue();
+#if PLATFORM(WKC)
+ if (dividend.isInt32() && divisor.isInt32() && divisor.asInt32() > 0) {
+#else
if (dividend.isInt32() && divisor.isInt32() && divisor.asInt32() != 0) {
+#endif
JSValue result = jsNumber(callFrame, dividend.asInt32() % divisor.asInt32());
ASSERT(result);
callFrame->r(dst) = result;
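Review bot: The WKC variant narrows the fast path from `divisor != 0` to `divisor > 0` without a comment, and the difference is subtle enough that someone will "fix" it back. Presumably the motive is that a negative divisor admits `INT_MIN % -1`, which overflows in C++; a comment on the `#if PLATFORM(WKC)` branch should state it: `// Negative divisors take the generic double path so INT_MIN % -1 never reaches the C++ % operator.` Note this does not address the `-0` result that the integer fast path produces for a negative dividend with zero remainder, which upstream handles separately. The op_mod case starts before this hunk.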
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/jit/JITStubs.cpp b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/jit/JITStubs.cpp
index fb7f931..4a8c5bc 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/jit/JITStubs.cpp
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/jit/JITStubs.cpp
@@ -1146,7 +1146,7 @@ DEFINE_STUB_FUNCTION(void, op_put_by_id_generic)
{
STUB_INIT_STACK_FRAME(stackFrame);
- PutPropertySlot slot;
+ PutPropertySlot slot(stackFrame.callFrame->codeBlock()->putByIdContext());
stackFrame.args[0].jsValue().put(stackFrame.callFrame, stackFrame.args[1].identifier(), stackFrame.args[2].jsValue(), slot);
CHECK_FOR_EXCEPTION_AT_END();
}
@@ -1174,7 +1174,7 @@ DEFINE_STUB_FUNCTION(void, op_put_by_id)
CallFrame* callFrame = stackFrame.callFrame;
Identifier& ident = stackFrame.args[1].identifier();
- PutPropertySlot slot;
+ PutPropertySlot slot(stackFrame.callFrame->codeBlock()->putByIdContext());
stackFrame.args[0].jsValue().put(callFrame, ident, stackFrame.args[2].jsValue(), slot);
CodeBlock* codeBlock = stackFrame.callFrame->codeBlock();
@@ -1194,7 +1194,7 @@ DEFINE_STUB_FUNCTION(void, op_put_by_id_fail)
CallFrame* callFrame = stackFrame.callFrame;
Identifier& ident = stackFrame.args[1].identifier();
- PutPropertySlot slot;
+ PutPropertySlot slot(stackFrame.callFrame->codeBlock()->putByIdContext());
stackFrame.args[0].jsValue().put(callFrame, ident, stackFrame.args[2].jsValue(), slot);
CHECK_FOR_EXCEPTION_AT_END();
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/parser/Lexer.cpp b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/parser/Lexer.cpp
index 15bda7b..2a269b8 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/parser/Lexer.cpp
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/parser/Lexer.cpp
@@ -142,19 +142,19 @@ void Lexer::setCode(const SourceCode& source, ParserArena& arena)
m_lastToken = -1;
const UChar* data = source.provider()->data();
-#if PLATFORM(WKC)
- if (!data) {
- m_source = &source;
- const_cast<SourceCode*>(m_source)->invalidate();
- m_codeStart = (UChar*)0;
- m_code = (UChar*)0;
- m_codeEnd = (UChar*)0;
- m_codeWithoutBOMs.shrink(0);
- m_error = true;
- m_atLineStart = true;
- m_current = m_next1 = m_next2 = m_next3 = -1;
- return;
- }
+#if PLATFORM(WKC)
+ if (!data) {
+ m_source = &source;
+ const_cast<SourceCode*>(m_source)->invalidate();
+ m_codeStart = (UChar*)0;
+ m_code = (UChar*)0;
+ m_codeEnd = (UChar*)0;
+ m_codeWithoutBOMs.shrink(0);
+ m_error = true;
+ m_atLineStart = true;
+ m_current = m_next1 = m_next2 = m_next3 = -1;
+ return;
+ }
#endif
m_source = &source;
@@ -654,6 +654,8 @@ inStringEscapeSequence:
shiftLineTerminator();
goto inString;
}
+ if (m_current == -1)
+ goto returnError;
record16(singleEscape(m_current));
shift1();
goto inString;
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/runtime/ArrayPrototype.cpp b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/runtime/ArrayPrototype.cpp
index 13120dc..a121435 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/runtime/ArrayPrototype.cpp
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/runtime/ArrayPrototype.cpp
@@ -326,7 +326,10 @@ JSValue JSC_HOST_CALL arrayProtoFuncConcat(ExecState* exec, JSObject*, JSValue t
unsigned length = curArg.get(exec, exec->propertyNames().length).toUInt32(exec);
JSObject* curObject = curArg.toObject(exec);
for (unsigned k = 0; k < length; ++k) {
- if (JSValue v = getProperty(exec, curObject, k))
+ JSValue v = getProperty(exec, curObject, k);
+ if (exec->hadException())
+ return jsUndefined();
+ if (v)
arr->put(exec, n, v);
n++;
}
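Review bot: The exception check after `getProperty` is the right fix, but the two context lines just above the loop, `toUInt32(exec)` on the `length` property and `curArg.toObject(exec)`, can also raise (a valueOf hook, or a null/undefined argument) and nothing tests `exec->hadException()` before the loop runs with that state. Adding `if (exec->hadException()) return jsUndefined();` after the `toObject` line keeps the function from continuing with a poisoned ExecState; this mirrors the pattern the rest of the patch applies. arrayProtoFuncConcat starts before and ends after this hunk.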
@@ -388,7 +391,11 @@ JSValue JSC_HOST_CALL arrayProtoFuncReverse(ExecState* exec, JSObject*, JSValue
for (unsigned k = 0; k < middle; k++) {
unsigned lk1 = length - k - 1;
JSValue obj2 = getProperty(exec, thisObj, lk1);
+ if (exec->hadException())
+ return jsUndefined();
JSValue obj = getProperty(exec, thisObj, k);
+ if (exec->hadException())
+ return jsUndefined();
if (obj2)
thisObj->put(exec, k, obj2);
@@ -415,7 +422,10 @@ JSValue JSC_HOST_CALL arrayProtoFuncShift(ExecState* exec, JSObject*, JSValue th
} else {
result = thisObj->get(exec, 0);
for (unsigned k = 1; k < length; k++) {
- if (JSValue obj = getProperty(exec, thisObj, k))
+ JSValue obj = getProperty(exec, thisObj, k);
+ if (exec->hadException())
+ return jsUndefined();
+ if (obj)
thisObj->put(exec, k - 1, obj);
else
thisObj->deleteProperty(exec, k - 1);
@@ -464,7 +474,10 @@ JSValue JSC_HOST_CALL arrayProtoFuncSlice(ExecState* exec, JSObject*, JSValue th
int b = static_cast<int>(begin);
int e = static_cast<int>(end);
for (int k = b; k < e; k++, n++) {
- if (JSValue v = getProperty(exec, thisObj, k))
+ JSValue v = getProperty(exec, thisObj, k);
+ if (exec->hadException())
+ return jsUndefined();
+ if (v)
resObj->put(exec, n, v);
}
resObj->setLength(n);
@@ -498,10 +511,14 @@ JSValue JSC_HOST_CALL arrayProtoFuncSort(ExecState* exec, JSObject*, JSValue thi
// or quicksort, and much less swapping than bubblesort/insertionsort.
for (unsigned i = 0; i < length - 1; ++i) {
JSValue iObj = thisObj->get(exec, i);
+ if (exec->hadException())
+ return jsUndefined();
unsigned themin = i;
JSValue minObj = iObj;
for (unsigned j = i + 1; j < length; ++j) {
JSValue jObj = thisObj->get(exec, j);
+ if (exec->hadException())
+ return jsUndefined();
double compareResult;
if (jObj.isUndefined())
compareResult = 1; // don't check minObj because there's no need to differentiate == (0) from > (1)
@@ -574,7 +591,10 @@ JSValue JSC_HOST_CALL arrayProtoFuncSplice(ExecState* exec, JSObject*, JSValue t
deleteCount = length - begin;
for (unsigned k = 0; k < deleteCount; k++) {
- if (JSValue v = getProperty(exec, thisObj, k + begin))
+ JSValue v = getProperty(exec, thisObj, k + begin);
+ if (exec->hadException())
+ return jsUndefined();
+ if (v)
resObj->put(exec, k, v);
}
resObj->setLength(deleteCount);
@@ -583,7 +603,10 @@ JSValue JSC_HOST_CALL arrayProtoFuncSplice(ExecState* exec, JSObject*, JSValue t
if (additionalArgs != deleteCount) {
if (additionalArgs < deleteCount) {
for (unsigned k = begin; k < length - deleteCount; ++k) {
- if (JSValue v = getProperty(exec, thisObj, k + deleteCount))
+ JSValue v = getProperty(exec, thisObj, k + deleteCount);
+ if (exec->hadException())
+ return jsUndefined();
+ if (v)
thisObj->put(exec, k + additionalArgs, v);
else
thisObj->deleteProperty(exec, k + additionalArgs);
@@ -592,7 +615,10 @@ JSValue JSC_HOST_CALL arrayProtoFuncSplice(ExecState* exec, JSObject*, JSValue t
thisObj->deleteProperty(exec, k - 1);
} else {
for (unsigned k = length - deleteCount; k > begin; --k) {
- if (JSValue obj = getProperty(exec, thisObj, k + deleteCount - 1))
+ JSValue obj = getProperty(exec, thisObj, k + deleteCount - 1);
+ if (exec->hadException())
+ return jsUndefined();
+ if (obj)
thisObj->put(exec, k + additionalArgs - 1, obj);
else
thisObj->deleteProperty(exec, k + additionalArgs - 1);
@@ -615,7 +641,10 @@ JSValue JSC_HOST_CALL arrayProtoFuncUnShift(ExecState* exec, JSObject*, JSValue
unsigned nrArgs = args.size();
if (nrArgs) {
for (unsigned k = length; k > 0; --k) {
- if (JSValue v = getProperty(exec, thisObj, k - 1))
+ JSValue v = getProperty(exec, thisObj, k - 1);
+ if (exec->hadException())
+ return jsUndefined();
+ if (v)
thisObj->put(exec, k + nrArgs - 1, v);
else
thisObj->deleteProperty(exec, k + nrArgs - 1);
@@ -672,6 +701,9 @@ JSValue JSC_HOST_CALL arrayProtoFuncFilter(ExecState* exec, JSObject*, JSValue t
JSValue v = slot.getValue(exec, k);
+ if (exec->hadException())
+ return jsUndefined();
+
MarkedArgumentBuffer eachArguments;
eachArguments.append(v);
@@ -725,12 +757,18 @@ JSValue JSC_HOST_CALL arrayProtoFuncMap(ExecState* exec, JSObject*, JSValue this
JSValue v = slot.getValue(exec, k);
+ if (exec->hadException())
+ return jsUndefined();
+
MarkedArgumentBuffer eachArguments;
eachArguments.append(v);
eachArguments.append(jsNumber(exec, k));
eachArguments.append(thisObj);
+ if (exec->hadException())
+ return jsUndefined();
+
JSValue result = call(exec, function, callType, callData, applyThis, eachArguments);
resultArray->put(exec, k, result);
}
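Review bot: The second check at the end of the argument setup is dead: between the check after `slot.getValue` and this one only `MarkedArgumentBuffer::append` and `jsNumber` run, and as far as is visible neither can set an exception. Either drop it or move it below `call(...)`, so a callback that throws is not followed by `resultArray->put(exec, k, result)` storing whatever `call` returned: `if (exec->hadException()) return jsUndefined();` immediately after the call. The surrounding arrayProtoFuncMap body continues outside the hunk.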
@@ -788,6 +826,9 @@ JSValue JSC_HOST_CALL arrayProtoFuncEvery(ExecState* exec, JSObject*, JSValue th
eachArguments.append(jsNumber(exec, k));
eachArguments.append(thisObj);
+ if (exec->hadException())
+ return jsUndefined();
+
bool predicateResult = call(exec, function, callType, callData, applyThis, eachArguments).toBoolean(exec);
if (!predicateResult) {
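Review bot: The check is placed after three `append` calls that cannot throw, so a reader has to look above the hunk to find the call it protects — presumably `slot.getValue(exec, k)`, as in the filter and map hunks. Put `if (exec->hadException()) return jsUndefined();` directly after that call, as those hunks do, so the guarded operation and its check are adjacent. The same layout appears in the forEach and some hunks below. The function body extends beyond this hunk.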
@@ -839,6 +880,9 @@ JSValue JSC_HOST_CALL arrayProtoFuncForEach(ExecState* exec, JSObject*, JSValue
eachArguments.append(jsNumber(exec, k));
eachArguments.append(thisObj);
+ if (exec->hadException())
+ return jsUndefined();
+
call(exec, function, callType, callData, applyThis, eachArguments);
}
return jsUndefined();
@@ -887,6 +931,9 @@ JSValue JSC_HOST_CALL arrayProtoFuncSome(ExecState* exec, JSObject*, JSValue thi
eachArguments.append(jsNumber(exec, k));
eachArguments.append(thisObj);
+ if (exec->hadException())
+ return jsUndefined();
+
bool predicateResult = call(exec, function, callType, callData, applyThis, eachArguments).toBoolean(exec);
if (predicateResult) {
@@ -924,6 +971,8 @@ JSValue JSC_HOST_CALL arrayProtoFuncReduce(ExecState* exec, JSObject*, JSValue t
} else {
for (i = 0; i < length; i++) {
rv = getProperty(exec, thisObj, i);
+ if (exec->hadException())
+ return jsUndefined();
if (rv)
break;
}
@@ -953,6 +1002,8 @@ JSValue JSC_HOST_CALL arrayProtoFuncReduce(ExecState* exec, JSObject*, JSValue t
for (; i < length && !exec->hadException(); ++i) {
JSValue prop = getProperty(exec, thisObj, i);
+ if (exec->hadException())
+ return jsUndefined();
if (!prop)
continue;
@@ -994,6 +1045,8 @@ JSValue JSC_HOST_CALL arrayProtoFuncReduceRight(ExecState* exec, JSObject*, JSVa
} else {
for (i = 0; i < length; i++) {
rv = getProperty(exec, thisObj, length - i - 1);
+ if (exec->hadException())
+ return jsUndefined();
if (rv)
break;
}
@@ -1022,6 +1075,8 @@ JSValue JSC_HOST_CALL arrayProtoFuncReduceRight(ExecState* exec, JSObject*, JSVa
for (; i < length && !exec->hadException(); ++i) {
unsigned idx = length - i - 1;
JSValue prop = getProperty(exec, thisObj, idx);
+ if (exec->hadException())
+ return jsUndefined();
if (!prop)
continue;
@@ -1058,6 +1113,8 @@ JSValue JSC_HOST_CALL arrayProtoFuncIndexOf(ExecState* exec, JSObject*, JSValue
JSValue searchElement = args.at(0);
for (; index < length; ++index) {
JSValue e = getProperty(exec, thisObj, index);
+ if (exec->hadException())
+ return jsUndefined();
if (!e)
continue;
if (JSValue::strictEqual(exec, searchElement, e))
@@ -1089,6 +1146,8 @@ JSValue JSC_HOST_CALL arrayProtoFuncLastIndexOf(ExecState* exec, JSObject*, JSVa
JSValue searchElement = args.at(0);
for (; index >= 0; --index) {
JSValue e = getProperty(exec, thisObj, index);
+ if (exec->hadException())
+ return jsUndefined();
if (!e)
continue;
if (JSValue::strictEqual(exec, searchElement, e))
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/runtime/Collector.cpp b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/runtime/Collector.cpp
index 7f083c6..1e726ee 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/runtime/Collector.cpp
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/runtime/Collector.cpp
@@ -1466,7 +1466,8 @@ static void setCollectorHeapStatistics(CollectorHeapStatistics& stat, int type,
unsigned int num = stat.numBlockInfo;
ASSERT(block);
- ASSERT(num < kMaxBlockInfo);
+ if (num >= kMaxBlockInfo)
+ return;
info = &stat.blockInfo[num];
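Review bot: Replacing the ASSERT with a silent early return removes the debug-build signal that the block table overflowed; the entry for that block is then dropped with no trace. Keep both, so debug builds still report the overflow while release builds stay in bounds: `ASSERT(num < kMaxBlockInfo); if (num >= kMaxBlockInfo) return;`. The caller is not visible here, so whether a dropped entry skews the statistics consumer cannot be judged from the hunk.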
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/runtime/Executable.cpp b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/runtime/Executable.cpp
index 2946221..71f5920 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/runtime/Executable.cpp
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/runtime/Executable.cpp
@@ -268,8 +268,10 @@ PassRefPtr<FunctionExecutable> FunctionExecutable::fromGlobalCode(const Identifi
return 0;
StatementNode* exprStatement = program->singleStatement();
+#if !PLATFORM(WKC)
ASSERT(exprStatement);
ASSERT(exprStatement->isExprStatement());
+#endif
if (!exprStatement || !exprStatement->isExprStatement())
return 0;
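Review bot: Wrapping the two ASSERTs in `#if !PLATFORM(WKC)` keeps asserts that contradict the `if` on the next line, which already handles a missing or non-expression statement as a normal `return 0`. If that case is reachable on this platform the asserts are wrong on every platform, so delete them (or turn them into a comment) rather than hide them behind a platform condition; the runtime check that follows is the only one needed. FunctionExecutable::fromGlobalCode continues outside the hunk.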
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/runtime/JSObject.h b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/runtime/JSObject.h
index a5da267..b91b5b0 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/runtime/JSObject.h
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/runtime/JSObject.h
@@ -501,7 +501,7 @@ inline void JSObject::putDirectInternal(const Identifier& propertyName, JSValue
if (specificFunction && m_structure->hasTransition(propertyName, attributes))
specificFunction = 0;
- RefPtr<Structure> structure = Structure::addPropertyTransition(m_structure, propertyName, attributes, specificFunction, offset);
+ RefPtr<Structure> structure = Structure::addPropertyTransition(m_structure, propertyName, attributes, specificFunction, offset, slot.context());
if (currentCapacity != structure->propertyStorageCapacity())
allocatePropertyStorage(currentCapacity, structure->propertyStorageCapacity());
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/runtime/JSString.cpp b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/runtime/JSString.cpp
index 69164f8..fa19019 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/runtime/JSString.cpp
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/runtime/JSString.cpp
@@ -40,6 +40,8 @@ void JSString::Rope::destructNonRecursive()
unsigned length = rope->ropeLength();
for (unsigned i = 0; i < length; ++i) {
Fiber& fiber = rope->fibers(i);
+ if (!fiber.string())
+ continue;
if (fiber.isString())
fiber.string()->deref();
else {
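Review bot: The skip condition `!fiber.string()` relies on a never-appended fiber being all-zero storage and on a rope-tagged fiber still reading as non-null through `string()`; neither is stated here, and Fiber's layout is outside the hunk. Add a comment naming the contract, e.g. `// Fibers past the last append are zero-initialized (see Rope::createOrNull); skip them so a partially built rope can be destroyed.` Without it the change reads as a speculative null check rather than the second half of the zeroed-allocation change in JSString.h. Rope::destructNonRecursive starts before this hunk.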
@@ -117,6 +119,12 @@ void JSString::resolveRope(ExecState* exec) const
while (true) {
if (currentFiber.isRope()) {
Rope* rope = currentFiber.rope();
+ if (rope->ropeLength()==0) {
+ for (unsigned i = 0; i < m_ropeLength; ++i)
+ m_fibers[i].deref();
+ m_ropeLength = 0;
+ return;
+ }
// Copy the contents of the current rope into the workQueue, with the last item in 'currentFiber'
// (we will be working backwards over the rope).
unsigned ropeLengthMinusOne = rope->ropeLength() - 1;
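Review bot: The `ropeLength()==0` early return releases the fibers and clears `m_ropeLength` but raises no error, unlike the matching out-of-memory path further down in this function. If, as in upstream resolveRope, the destination buffer was already allocated to `m_length` characters before this loop (the allocation is outside the hunk), the string is left flattened with uninitialized contents that script can read back — a memory disclosure rather than a crash. Mirror the other path: reset the flattened value (`m_value` in upstream) to an empty string, then `throwOutOfMemoryError(exec); return;`.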
@@ -126,8 +134,16 @@ void JSString::resolveRope(ExecState* exec) const
} else {
UString::Rep* string = currentFiber.string();
unsigned length = string->size();
- position -= length;
- copyChars(position, string->data(), length);
+ if (position-length >= buffer) {
+ position -= length;
+ copyChars(position, string->data(), length);
+ } else {
+ for (unsigned i = 0; i < m_ropeLength; ++i)
+ m_fibers[i].deref();
+ m_ropeLength = 0;
+ throwOutOfMemoryError(exec);
+ return;
+ }
// Was this the last item in the work queue?
if (workQueue.isEmpty()) {
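Review bot: `position-length >= buffer` forms a pointer below the start of the buffer before comparing it, which is undefined behaviour in C++ and a comparison an optimizer is entitled to fold away; compare lengths instead: `if (length <= static_cast<size_t>(position - buffer))`. The error path also leaves the string with a partially written, otherwise uninitialized buffer and `m_ropeLength = 0`, so the object is no longer a rope yet holds garbage that survives the thrown error if another reference to the string exists; reset the flattened value (`m_value` in upstream) to empty before `throwOutOfMemoryError(exec)`. How `buffer` and `m_length` are set up is outside the hunk.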
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/runtime/JSString.h b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/runtime/JSString.h
index 54e67d9..a9341c3 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/runtime/JSString.h
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/runtime/JSString.h
@@ -118,7 +118,11 @@ namespace JSC {
static PassRefPtr<Rope> createOrNull(unsigned ropeLength)
{
void* allocation;
+#if PLATFORM(WKC)
+ if (tryFastZeroedMalloc(sizeof(Rope) + (ropeLength - 1) * sizeof(Fiber)).getValue(allocation))
+#else
if (tryFastMalloc(sizeof(Rope) + (ropeLength - 1) * sizeof(Fiber)).getValue(allocation))
+#endif
return adoptRef(new (allocation) Rope(ropeLength));
return 0;
}
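Review bot: The switch to `tryFastZeroedMalloc` is only meaningful together with the null-fiber skip in Rope::destructNonRecursive, and nothing at this call site says so. Add a comment above the `#if PLATFORM(WKC)`: `// Zero the fiber array so a rope abandoned mid-construction (e.g. after an out-of-memory error) can be destroyed without dereferencing fibers that were never appended.` The `(ropeLength - 1)` size computation is unchanged and still assumes `ropeLength >= 1`; the callers that guarantee this are outside the hunk.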
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/runtime/Operations.h b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/runtime/Operations.h
index c256b4b..680c29a 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/runtime/Operations.h
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/runtime/Operations.h
@@ -148,12 +148,9 @@ namespace JSC {
if (UNLIKELY(!rope))
return throwOutOfMemoryError(exec);
-#if 1 // webkit.org trunk r54925
- unsigned length = 0;
- bool overflow = false;
-#endif
+ unsigned oldLength = 0;
- unsigned index = 0;
+ unsigned int index = 0;
for (unsigned i = 0; i < count; ++i) {
JSValue v = strings[i].jsValue();
if (LIKELY(v.isString()))
@@ -161,18 +158,10 @@ namespace JSC {
else
rope->append(index, v.toString(exec));
-#if 1 // webkit.org trunk r54925
- unsigned newLength = rope->ropeLength();
- if (newLength < length)
- overflow = true;
- length = newLength;
- }
-
- if (overflow)
- return throwOutOfMemoryError(exec);
-#else
+ if (rope->stringLength() < oldLength)
+ return throwOutOfMemoryError(exec);
+ oldLength = rope->stringLength();
}
-#endif
ASSERT(index == ropeLength);
return new (globalData) JSString(globalData, rope.release());
@@ -197,16 +186,17 @@ namespace JSC {
if (UNLIKELY(!rope))
return throwOutOfMemoryError(exec);
+ unsigned oldLength = 0;
+
unsigned index = 0;
if (LIKELY(thisValue.isString()))
rope->append(index, asString(thisValue));
else
rope->append(index, thisValue.toString(exec));
-#if 1 // webkit.org trunk r54925
- unsigned length = 0;
- bool overflow = false;
-#endif
+ if (rope->stringLength() < oldLength)
+ return throwOutOfMemoryError(exec);
+ oldLength = rope->stringLength();
for (unsigned i = 0; i < args.size(); ++i) {
JSValue v = args.at(i);
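Review bot: The overflow check right after the first `append` can never fire: `oldLength` was just initialised to 0 and `rope->stringLength()` is unsigned, so `stringLength() < 0` is always false. Either drop that check and assign `oldLength = rope->stringLength();` directly, or keep the check only inside the argument loop where it has an effect. jsStringFromArguments continues below this hunk.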
@@ -214,18 +204,14 @@ namespace JSC {
rope->append(index, asString(v));
else
rope->append(index, v.toString(exec));
-#if 1 // webkit.org trunk r54925
- unsigned newLength = rope->ropeLength();
- if (newLength < length)
- overflow = true;
- length = newLength;
- }
- if (overflow)
- return throwOutOfMemoryError(exec);
-#else
+ if (rope->stringLength() < oldLength) {
+ rope.clear();
+ return throwOutOfMemoryError(exec);
+ }
+ oldLength = rope->stringLength();
}
-#endif
+
ASSERT(index == ropeLength);
JSGlobalData* globalData = &exec->globalData();
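Review bot: `rope.clear()` before `return throwOutOfMemoryError(exec)` is redundant — `rope` is a local `RefPtr` and is released on return anyway — and it is inconsistent with the overflow return in the jsString hunk above, which does not clear. Pick one form; the plain `return throwOutOfMemoryError(exec);` is enough in both places. Destroying a partially filled rope on either path relies on the zeroed allocation and null-fiber skip introduced in JSString.h and JSString.cpp in this same diff, which is worth a one-line comment here.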
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/runtime/PutPropertySlot.h b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/runtime/PutPropertySlot.h
index eb8ea8a..22512de 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/runtime/PutPropertySlot.h
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/runtime/PutPropertySlot.h
@@ -37,10 +37,16 @@ namespace JSC {
class PutPropertySlot {
public:
enum Type { Uncachable, ExistingProperty, NewProperty };
+#if !PLATFORM(WKC)
+ enum Context { UnknownContext, PutById, PutByIdEval };
+#else
+ enum Context { UnknownContext, PutById, PutByIdEval, Contexts = 0x7fffffff };
+#endif
- PutPropertySlot()
+ PutPropertySlot(Context context = UnknownContext)
: m_type(Uncachable)
, m_base(0)
+ , m_context(context)
{
}
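Review bot: The WKC-only enumerator `Contexts = 0x7fffffff` is undocumented; it appears intended to force a full-width underlying type for `Context` on the WKC toolchain, but a reader cannot tell and might treat it as a real context value. Add a comment on that line, e.g. `// WKC: dummy enumerator forcing an int-sized underlying type; never a valid context.` Also consider `explicit PutPropertySlot(Context context = UnknownContext)`, since the default argument now makes a `PutPropertySlot` implicitly constructible from a bare `Context`.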
@@ -58,6 +64,8 @@ namespace JSC {
m_offset = offset;
}
+ Context context() const { return static_cast<Context>(m_context); }
+
Type type() const { return m_type; }
JSObject* base() const { return m_base; }
@@ -70,6 +78,7 @@ namespace JSC {
Type m_type;
JSObject* m_base;
size_t m_offset;
+ uint8_t m_context;
};
} // namespace JSC
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/runtime/Structure.cpp b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/runtime/Structure.cpp
index 0dbe7ca..e3dc291 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/runtime/Structure.cpp
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/runtime/Structure.cpp
@@ -410,7 +410,7 @@ PassRefPtr<Structure> Structure::addPropertyTransitionToExistingStructure(Struct
return 0;
}
-PassRefPtr<Structure> Structure::addPropertyTransition(Structure* structure, const Identifier& propertyName, unsigned attributes, JSCell* specificValue, size_t& offset)
+PassRefPtr<Structure> Structure::addPropertyTransition(Structure* structure, const Identifier& propertyName, unsigned attributes, JSCell* specificValue, size_t& offset, PutPropertySlot::Context context)
{
ASSERT(!structure->isDictionary());
ASSERT(structure->typeInfo().type() == ObjectType);
@@ -422,7 +422,12 @@ PassRefPtr<Structure> Structure::addPropertyTransition(Structure* structure, con
specificValue = 0;
#endif
- if (structure->transitionCount() > s_maxTransitionLength) {
+ int maxTransitionLength;
+ if (context == PutPropertySlot::PutById)
+ maxTransitionLength = s_maxTransitionLengthForNonEvalPutById;
+ else
+ maxTransitionLength = s_maxTransitionLength;
+ if (structure->transitionCount() > maxTransitionLength) {
RefPtr<Structure> transition = toCacheableDictionaryTransition(structure);
ASSERT(structure != transition);
offset = transition->put(propertyName, attributes, specificValue);
@@ -506,7 +511,7 @@ PassRefPtr<Structure> Structure::despecifyFunctionTransition(Structure* structur
{
#if 1
// added at webkit.org trunk r52948
- ASSERT(structure->m_specificFunctionThrashCount < maxSpecificFunctionThrashCount);
+// ASSERT(structure->m_specificFunctionThrashCount < maxSpecificFunctionThrashCount);
#endif
RefPtr<Structure> transition = create(structure->storedPrototype(), structure->typeInfo());
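Review bot: Commenting out `ASSERT(structure->m_specificFunctionThrashCount < maxSpecificFunctionThrashCount)` silences a violated invariant without recording why it is now allowed to fail. If the thrash count can legitimately reach the maximum here, the caller that is supposed to switch to dictionary mode at that point is the suspect and should be fixed or documented; if the assert is simply wrong, delete it with a one-line reason instead of leaving dead code under `#if 1`. A commented-out check tends to be restored or copied later without this context.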
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/runtime/Structure.h b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/runtime/Structure.h
index ce71210..a04c56f 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/runtime/Structure.h
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/runtime/Structure.h
@@ -33,6 +33,7 @@
#include "PropertyMapHashTable.h"
#include "PropertyNameArray.h"
#include "Protect.h"
+#include "PutPropertySlot.h"
#include "StructureChain.h"
#include "StructureTransitionTable.h"
#include "JSTypeInfo.h"
@@ -66,7 +67,7 @@ namespace JSC {
static void dumpStatistics();
- static PassRefPtr<Structure> addPropertyTransition(Structure*, const Identifier& propertyName, unsigned attributes, JSCell* specificValue, size_t& offset);
+ static PassRefPtr<Structure> addPropertyTransition(Structure*, const Identifier& propertyName, unsigned attributes, JSCell* specificValue, size_t& offset, PutPropertySlot::Context = PutPropertySlot::UnknownContext);
static PassRefPtr<Structure> addPropertyTransitionToExistingStructure(Structure*, const Identifier& propertyName, unsigned attributes, JSCell* specificValue, size_t& offset);
static PassRefPtr<Structure> removePropertyTransition(Structure*, const Identifier& propertyName, size_t& offset);
static PassRefPtr<Structure> changePrototypeTransition(Structure*, JSValue prototype);
@@ -195,6 +196,7 @@ namespace JSC {
static const unsigned emptyEntryIndex = 0;
static const signed char s_maxTransitionLength = 64;
+ static const int s_maxTransitionLengthForNonEvalPutById = 512;
static const signed char noOffset = -1;
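Review bot: The new limit is declared `static const int` while its sibling `s_maxTransitionLength` is `signed char`, so the two caps that addPropertyTransition selects between have different types and the chosen value is compared with `transitionCount()` through mixed conversions. Declare both with one unsigned type, e.g. `static const unsigned s_maxTransitionLength = 64;` and `static const unsigned s_maxTransitionLengthForNonEvalPutById = 512;`. transitionCount()'s return type is not visible here, so confirm it before choosing.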
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/runtime/UString.cpp b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/runtime/UString.cpp
index 742b65b..3d37650 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/JavaScriptCore/runtime/UString.cpp
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/JavaScriptCore/runtime/UString.cpp
@@ -399,10 +399,18 @@ UString UString::spliceSubstringsWithSeparators(const Range* substringRanges, in
}
int totalLength = 0;
- for (int i = 0; i < rangeCount; i++)
+ for (int i = 0; i < rangeCount; i++) {
+ if ((unsigned int)totalLength + (unsigned int)substringRanges[i].length > 0x7fffffff) {
+ return "";
+ }
totalLength += substringRanges[i].length;
- for (int i = 0; i < separatorCount; i++)
+ }
+ for (int i = 0; i < separatorCount; i++) {
+ if ((unsigned int)totalLength + (unsigned int)separators[i].size() > 0x7fffffff) {
+ return "";
+ }
totalLength += separators[i].size();
+ }
if (totalLength == 0)
return "";
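Review bot: On overflow the function now returns a valid empty string, so a caller such as String.prototype.replace gets a silently wrong result instead of an error, and a genuine empty result is indistinguishable from the failure. Return a null UString (`return UString();`) and have callers check `isNull()` and throw an out-of-memory error — whether the callers already do is outside the hunk. The duplicated `(unsigned int)a + (unsigned int)b > 0x7fffffff` test should be one small helper with a named limit rather than a repeated magic constant. Note also that the cast idiom does not reject a negative `length` or `size()`: a negative value becomes a huge unsigned and the sum can wrap back below the limit, so if those can be negative here they need their own check.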
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/WebCore/ChangeLog b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/WebCore/ChangeLog
index bf59b0a..7b2ee9f 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/WebCore/ChangeLog
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.6.0/webkit/WebCore/ChangeLog
@@ -1,3 +1,2132 @@
+2015-11-02 Jiewen Tan <jiewen_tan@apple.com>
+
+ Null dereference loading Blink layout test fast/css/background-repeat-null-y-crash.html
+ https://bugs.webkit.org/show_bug.cgi?id=150211
+ <rdar://problem/23137321>
+
+ Reviewed by Alex Christensen.
+
+ This is a merge of Blink r188842:
+ https://codereview.chromium.org/846933002
+
+ By setting the backgroundRepeatY property to null it can
+ happen that accessing that CSS value returns a null pointer.
+ In that case simply bail out early.
+
+ Test: fast/css/background-repeat-null-y-crash.html
+
+ * css/StyleProperties.cpp:
+ (WebCore::StyleProperties::getLayeredShorthandValue):
+
+2014-10-17 Jeffrey Pfau <jpfau@apple.com>
+
+ Ensure attached frame count doesn't exceed the maximum allowed frames
+ https://bugs.webkit.org/show_bug.cgi?id=136457
+
+ Reviewed by Alexey Proskuryakov.
+
+ Test: fast/frames/exponential-frames.html
+
+ * html/HTMLFrameElementBase.cpp:
+ (WebCore::HTMLFrameElementBase::isURLAllowed):
+
+2014-05-07 Dean Jackson <dino@apple.com>
+
+ Using a fill pattern much larger than actual canvas reliably segfaults browser
+ https://bugs.webkit.org/show_bug.cgi?id=132635
+
+ Reviewed by Simon Fraser.
+
+ Make sure that createPattern checks that the canvas it is about to use
+ as a source is valid.
+
+ Test: fast/canvas/pattern-too-large-to-create.html
+
+ * html/canvas/CanvasRenderingContext2D.cpp:
+ (WebCore::CanvasRenderingContext2D::createPattern): Check that the source canvas has
+ an ok ImageBuffer.
+
+2014-04-22 Zalan Bujtas <zalan@apple.com>
+
+ Do not paint border image when the border rect is empty.
+ https://bugs.webkit.org/show_bug.cgi?id=131988
+
+ Reviewed by Darin Adler.
+
+ http://trac.webkit.org/changeset/167351 introduced an early return when border
+ rect is empty. This patch ensures that border image is not painted either in that case.
+
+ Modified padding-margin-negative-border.html to cover border-image case.
+
+ * rendering/RenderBoxModelObject.cpp:
+ (WebCore::RenderBoxModelObject::paintBorder):
+
+2014-04-11 Jon Honeycutt <jhoneycutt@apple.com>
+
+ Assertion failure changing select element size during focus event
+ dispatch
+ <https://bugs.webkit.org/show_bug.cgi?id=131566>
+ <rdar://problem/16400735>
+
+ Reviewed by Andy Estes.
+
+ Test: fast/forms/select-change-size-during-focus.html
+
+ * html/HTMLSelectElement.cpp:
+ (WebCore::HTMLSelectElement::listBoxDefaultEventHandler):
+ Adopt the fix from Chromium r171216; check that the renderer is still
+ of the expected type, and return early if it is not.
+
+2014-03-21 Oliver Hunt <oliver@apple.com>
+
+ Fix a crash when assigning an object to document.location
+ https://bugs.webkit.org/show_bug.cgi?id=130213
+
+ Reviewed by Geoffrey Garen.
+
+ Convert location to string before we make use the document.
+ This prevents us from attempting to navigate a frame that
+ has already been removed.
+
+ Test: fast/dom/navigation-with-sideeffects-crash.html
+
+ * bindings/js/JSDocumentCustom.cpp:
+ (WebCore::JSDocument::location):
+ (WebCore::JSDocument::setLocation):
+
+2013-08-14 Rob Buis <rwlbuis@webkit.org>
+
+ Assertion failure in RenderObject::drawLineForBoxSide
+ https://bugs.webkit.org/show_bug.cgi?id=108187
+
+ Reviewed by David Hyatt.
+
+ Don't draw the outline if the rectangle to draw is empty.
+
+ Test: fast/css/outline-negative.html
+
+ * rendering/RenderInline.cpp:
+ (WebCore::RenderInline::paintOutlineForLine):
+
+2013-07-18 Santosh Mahto <santosh.ma@samsung.com>
+
+ ASSERTION FAILED: !listItems().size() || m_activeSelectionAnchorIndex >= 0 in WebCore::HTMLSelectElement::updateListBoxSelection
+ https://bugs.webkit.org/show_bug.cgi?id=118591
+
+ Reviewed by Kent Tamura.
+
+ Test: fast/forms/select/selectall-command-crash.html
+
+ * html/HTMLSelectElement.cpp:
+ (WebCore::HTMLSelectElement::selectAll):
+ We should return this function if activeSelectionAnchorIndex is not valid index
+
+2013-02-13 Abhishek Arya <inferno@chromium.org>
+
+ ASSERTION FAILED: !object || object->isBox(), Bad cast in RenderBox::computeLogicalHeight
+ https://bugs.webkit.org/show_bug.cgi?id=107748
+
+ Reviewed by Levi Weintraub.
+
+ Make sure that body renderer is not an inline-block display
+ when determining that it stretches to viewport or when paginated
+ content needs base height.
+
+ Test: fast/block/body-inline-block-crash.html
+
+ * rendering/RenderBox.cpp:
+ (WebCore::RenderBox::computeLogicalHeight):
+ * rendering/RenderBox.h:
+ (WebCore::RenderBox::stretchesToViewport):
+
+2013-02-11 Emil A Eklund <eae@chromium.org>
+
+ Change RenderFrameSet::paint to use m-rows/m_cols directly.
+ https://bugs.webkit.org/show_bug.cgi?id=108503
+
+ Reviewed by Eric Seidel.
+
+ Test: fast/frames/invalid-frameset.html
+
+ * rendering/RenderFrameSet.cpp:
+ (WebCore::RenderFrameSet::paint):
+
+2013-01-02 Douglas Stockwell <dstockwell@chromium.org>
+
+ Crash in WebCore::InlineBox::deleteLine
+ https://bugs.webkit.org/show_bug.cgi?id=93448
+
+ Reviewed by Eric Seidel.
+
+ When we ran off the end of the line while looking for line breaks in an
+ inline with white-space:nowrap nested in a block with white-space:pre
+ it was possible for the line break to be set at or before the current
+ position -- this could result in duplications in the render tree or
+ infinite looping.
+
+ This patch changes the "fixup" logic that runs after we have finished
+ iterating through elements and text and have potentially found a break
+ point. In the case of a block setting white-space:pre we would back up
+ a character in some cases. Not doing so could leave whitespace that
+ should have been collapsed at the end of an inline.
+
+ For example in '<span style="white-space:nowrap">x_</span>_y' if a
+ break was inserted before 'y' the space after 'x' would still be
+ rendered (rather than be collapsed with the break).
+
+ To avoid this problem we will not take the opportunity to break until
+ we have finished collapsing whitespace.
+
+ Tests: fast/text/whitespace/inline-whitespace-wrapping-1.html
+ fast/text/whitespace/inline-whitespace-wrapping-2.html
+ fast/text/whitespace/inline-whitespace-wrapping-3.html
+ fast/text/whitespace/inline-whitespace-wrapping-4.html
+ fast/text/whitespace/nowrap-white-space-collapse.html
+ fast/text/whitespace/pre-block-normal-inline-crash-1.html
+ fast/text/whitespace/pre-block-normal-inline-crash-2.html
+
+ * rendering/RenderBlockLineLayout.cpp:
+ (WebCore::RenderBlock::LineBreaker::nextLineBreak): Collapse
+ whitespace before breaking. Avoid setting the break before the current
+ position.
+
+2012-12-03 Hajime Morrita <morrita@google.com>
+
+ Corrupted DOM tree during appendChild/insertBefore
+ https://bugs.webkit.org/show_bug.cgi?id=103601
+
+ Reviewed by Abhishek Arya.
+
+ There are some missing protection in appendChild() and insertBefore().
+ This change added these.
+
+ Dromaeo dom-modify shows no speed regression (5445run/s before vs 5351run/s after)
+
+ Tests: fast/events/mutation-during-append-child.html
+ fast/events/mutation-during-insert-before.html
+
+ * dom/ContainerNode.cpp:
+ (WebCore::checkAcceptChildGuaranteedNodeTypes):
+ (WebCore):
+ (WebCore::ContainerNode::insertBefore):
+ (WebCore::ContainerNode::appendChild):
+
+2012-11-25 Takashi Sakamoto <tasak@google.com>
+
+ WebCore::RenderBlock::determineStartPosition crash
+ https://bugs.webkit.org/show_bug.cgi?id=98993
+
+ Reviewed by Brent Fulgham.
+
+ If we move some node and the node has some text,
+ InlineFlowBox::removeChild() is invoked. The method invokes
+ RootInlineBox::childRemoved(). childRemoved() checks whether the
+ removed inlinebox has the renderer of its parent's line break object.
+ If so, use setLineBreakInfo to make the parent's line break info to
+ be 0. However in RenderBlock::determineStartPosition(), the code
+ assume that all line break info is solved, i.e.
+ prevRootBox->lineBreakObj()->isText(). Since lineBreakObj() returns 0
+ because of removeChild(), determineStartPosition crash occurs.
+
+ Test: fast/inline/inline-box-append-child-crash.html
+
+ * rendering/RenderBlockLineLayout.cpp:
+ (WebCore::RenderBlock::determineStartPosition):
+ Checks whether lineBreakObj() is 0 or not before using lineBreakObj().
+
+2012-11-21 Daniel Bates <dbates@webkit.org>
+
+ JavaScript fails to concatenate large strings
+ <https://bugs.webkit.org/show_bug.cgi?id=102963>
+
+ Reviewed by Michael Saboff.
+
+ Fixes an issue where we inadvertently didn't check the length of
+ a JavaScript string for overflow.
+
+ * runtime/Operations.h:
+ (JSC::jsString):
+ (JSC::jsStringFromArguments):
+
+2012-08-09 MORITA Hajime <morrita@google.com>
+
+ https://bugs.webkit.org/show_bug.cgi?id=93587
+ Node::replaceChild() can create bad DOM topology with MutationEvent, Part 2
+
+ Reviewed by Kent Tamura.
+
+ This is a followup of r124156. replaceChild() has yet another hidden
+ MutationEvent trigger. This change added a guard for it.
+
+ Test: fast/events/mutation-during-replace-child-2.html
+
+ * dom/ContainerNode.cpp:
+ (WebCore::ContainerNode::replaceChild):
+
+2012-07-30 MORITA Hajime <morrita@google.com>
+
+ Node::replaceChild() can create bad DOM topology with MutationEvent
+ https://bugs.webkit.org/show_bug.cgi?id=92619
+
+ Reviewed by Ryosuke Niwa.
+
+ Node::replaceChild() calls insertBeforeCommon() after dispatching
+ a MutationEvent event for removeChild(). But insertBeforeCommon()
+ expects call sites to check the invariant and doesn't have
+ suffient check. So a MutationEvent handler can let some bad tree
+ topology to slip into insertBeforeCommon().
+
+ This change adds a guard for checking the invariant using
+ checkReplaceChild() between removeChild() and insertBeforeCommon().
+
+ Test: fast/events/mutation-during-replace-child.html
+
+ * dom/ContainerNode.cpp:
+ (WebCore::ContainerNode::replaceChild): Added a guard.
+
+2012-05-10 Julien Chaffraix <jchaffraix@webkit.org>
+
+ Crash in computedCSSPadding* functions due to RenderImage::imageDimensionsChanged called during attachment
+ https://bugs.webkit.org/show_bug.cgi?id=85912
+
+ Reviewed by Eric Seidel.
+
+ Tests: fast/images/link-body-content-imageDimensionChanged-crash.html
+ fast/images/script-counter-imageDimensionChanged-crash.html
+
+ The bug comes from CSS generated images that could end up calling imageDimensionsChanged during attachment. As the
+ rest of the code (e.g. computedCSSPadding*) would assumes that we are already inserted in the tree, we would crash.
+
+ The solution is to bail out in this case as newly inserted RenderObject will trigger layout later on and properly
+ handle what we would be doing as part of imageDimensionChanged (the only exception being updating our intrinsic
+ size which should be done as part of imageDimensionsChanged).
+
+ * rendering/RenderImage.cpp:
+ (WebCore::RenderImage::imageDimensionsChanged):
+
+2012-02-29 Parag Radke <parag@motorola.com>
+
+ Crash in WebCore::CompositeEditCommand::insertNodeAt
+ https://bugs.webkit.org/show_bug.cgi?id=67764
+
+ Reviewed by Ryosuke Niwa.
+
+ If caret position after deletion and destination position coincides then
+ removing the node will result in removing the destination node also. Hence crash.
+
+ Test: editing/deleting/delete-block-merge-contents-025.html
+
+ * editing/CompositeEditCommand.cpp:
+ (WebCore::CompositeEditCommand::cleanupAfterDeletion):
+ If the caret position after delete and the destination position
+ renderes at the same place, pruning the node and making an early exit.
+
+2012-02-06 Cris Neckar <cdn@chromium.org>
+
+ Add RefPtrs for parent and sibling counter nodes
+ https://bugs.webkit.org/show_bug.cgi?id=75212
+
+ Reviewed by Adam Barth.
+
+ Test: fast/css/counters/reparent-table-children-with-counters-crash.html
+
+ * rendering/RenderCounter.cpp:
+ (WebCore::findPlaceForCounter):
+ (WebCore::makeCounterNode):
+ (WebCore::updateCounters):
+
+2012-01-05 Kent Tamura <tkent@chromium.org>
+
+ Fix a crash by importing an element of which local name ends with ":input".
+ https://bugs.webkit.org/show_bug.cgi?id=75103
+
+ Reviewed by Ryosuke Niwa.
+
+ Test: fast/dom/importNode-confusing-localName.html
+
+ * dom/Document.cpp:
+ (WebCore::Document::importNode): Pass QualifiedName of the source elemnt
+ to createElement() in order to avoid unnecessary serialization and
+ parsing of the qualified name
+
+2011-11-18 Chris Evans <cevans@google.com>
+
+ Crash with ranges across a detached, reparented node tree
+ https://bugs.webkit.org/show_bug.cgi?id=72757
+
+ Reviewed by Adam Barth.
+
+ Test: fast/dom/move-detached-child-in-range.html
+
+ * dom/RangeBoundaryPoint.h:
+ (WebCore::RangeBoundaryPoint::childBefore): protect the raw child node from getting pulled from under us.
+
+2011-11-08 Chris Evans <cevans@google.com>
+
+ Crash accessing font fact rule parent
+ https://bugs.webkit.org/show_bug.cgi?id=71860
+
+ Reviewed by Adam Barth.
+
+ Test: fast/css/css-fontface-rule-crash.html
+
+ * css/CSSFontFaceRule.cpp:
+ (WebCore::CSSFontFaceRule::~CSSFontFaceRule): tell our child rule when we are going away.
+
+2011-09-27 Julien Chaffraix <jchaffraix@webkit.org>
+
+ Crash because CSSPrimitiveValue::computeLengthDouble assumes fontMetrics are available
+ https://bugs.webkit.org/show_bug.cgi?id=66291
+
+ Reviewed by Darin Adler.
+
+ Test: fast/canvas/crash-set-font.html
+
+ This is Yet Another Missing updateFont (similar to bug 57756 and likely others). Here the issue is that
+ applying one of the font properties could mutate the parent style's font if m_parentStyle == m_style.
+ We would then query the newly created font when applying CSSPropertyFontSize, which has no font fallback
+ list as Font::update was never called.
+
+ The right fix would be to refactor of how we handle fonts to avoid such manual updates (see bug 62390).
+ Until this happens, it is better not to crash.
+
+ * css/CSSStyleSelector.cpp:
+ (WebCore::CSSStyleSelector::applyProperty): Added updateFont() here as the fonts could have been
+ mutated by the previous property change. Also added a comment explaining why it is safe to do it
+ this way.
+
+2011-09-24 Abhishek Arya <inferno@chromium.org>
+
+ Issues with merging block children of a ruby
+ base with another ruby base having inline children.
+ https://bugs.webkit.org/show_bug.cgi?id=66124
+
+ Reviewed by Dan Bernstein.
+
+ Test: fast/ruby/ruby-base-merge-block-children-crash.html
+
+ * rendering/RenderRubyBase.cpp:
+ (WebCore::RenderRubyBase::moveInlineChildren): add a firstChild()
+ check to prevent empty anonymous block addition, just like
+ moveBlockChildren method.
+ * rendering/RenderRubyBase.cpp:
+ (WebCore::RenderRubyBase::moveBlockChildren): This was incorrectly
+ doing optimizations to see if current ruby base has only inline
+ children before beforeChild and then trying to take out them from
+ their parent anonymous blocks. The problem is those inlines could
+ be split and have continuations because of encountering a block
+ inside inline flow. In those cases, we cannot take the inline out.
+ So, we should just make children non-inline in the destination
+ block and transfer the children as it-is.
+ * rendering/RenderRubyBase.h: remove unncessary functions.
+
+2011-09-15 Julien Chaffraix <jchaffraix@webkit.org>
+
+ Crash in RenderBox::paintMaskImages due to a mask without an associated image
+ https://bugs.webkit.org/show_bug.cgi?id=50151
+
+ Reviewed by Simon Fraser.
+
+ Test: fast/css/empty-webkit-mask-crash.html
+
+ The crash stems from the fact that FillLayer::hasImage would walk over the linked list
+ of FillLayers and return true if one had an image. This means that hasImage() is true
+ does not mean that image() is non-NULL on all FillLayers.
+
+ * rendering/RenderBox.cpp:
+ (WebCore::RenderBox::paintMaskImages): Simplify the logic by doing the hasImage() check up-front
+ and properly check image() for each FillLayers. This has the nice benefit of changing the complexity
+ from O(n^2) to O(n), which was what the code expected anyway.
+
+2011-08-30 Abhishek Arya <inferno@chromium.org>
+
+ Style not updated for table parts in :before, :after content.
+ https://bugs.webkit.org/show_bug.cgi?id=66141
+
+ Reviewed by Dave Hyatt.
+
+ Tests: fast/table/table-before-child-style-update.html
+ fast/table/table-row-before-child-style-update.html
+
+ * rendering/RenderObjectChildList.cpp:
+ (WebCore::RenderObjectChildList::updateBeforeAfterContent):
+
+2011-08-30 Tony Chang <tony@chromium.org>
+
+ refactor box-ordinal-group handling so we don't timeout on large values
+ https://bugs.webkit.org/show_bug.cgi?id=65783
+
+ Reviewed by David Hyatt.
+
+ The old code walked from 1 to the last box-ordinal-group while
+ iterating over each flex item. The new code collects ordinals as
+ we do the first walk and sorts them. Each additional iteration
+ through the flex items gets the next oridnal from the sorted list.
+
+ This maintains the single pass for the common case of no
+ box-ordinal-groups specified. If there are ordinal groups,
+ the runtime is O(n*m + m lg m) where n is the # of flex items and
+ m is the number of unique box-ordinal-group values. The memory
+ usage is O(2m).
+
+ Test: fast/flexbox/box-ordinal-group.html
+
+ * rendering/RenderDeprecatedFlexibleBox.cpp:
+ (WebCore::FlexBoxIterator::FlexBoxIterator):
+ (WebCore::FlexBoxIterator::reset):
+ (WebCore::FlexBoxIterator::next):
+ (WebCore::FlexBoxIterator::compareFlexOrder):
+
+2011-08-25 Abhishek Arya <inferno@chromium.org>
+
+ Incorrect layout of :before and :after content, with display
+ table, table-row and table-cell.
+ https://bugs.webkit.org/show_bug.cgi?id=66699
+
+ Reviewed by David Hyatt.
+
+ Tests: fast/table/table-after-child-in-table.html
+ fast/table/table-before-child-in-table.html
+ fast/table/table-cell-after-child-in-block.html
+ fast/table/table-cell-after-child-in-table.html
+ fast/table/table-cell-before-child-in-block.html
+ fast/table/table-cell-before-child-in-table.html
+ fast/table/table-row-after-child-in-block.html
+ fast/table/table-row-after-child-in-table.html
+ fast/table/table-row-before-child-in-block.html
+ fast/table/table-row-before-child-in-table.html
+
+ * rendering/RenderBlock.cpp:
+ (WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks):
+ Fix the looping condition to detect :after child correctly.
+ isAnonymousBlock() does not apply to tables, instead
+ using isAnonymous().
+ * rendering/RenderTableRow.cpp:
+ (WebCore::RenderTableRow::addChild): Don't add the new child
+ in the generatedContainer with :before, :after content.
+ * rendering/RenderTableSection.cpp:
+ (WebCore::RenderTableSection::addChild): Don't add the new child
+ in the generatedContainer with :before, :after content.
+
+2011-08-20 Darin Adler <darin@apple.com>
+
+ If Range::insertNode is passed an empty document fragment, it creates a broken DOM tree
+ https://bugs.webkit.org/show_bug.cgi?id=65015
+
+ Reviewed by Alexey Proskuryakov.
+
+ Test: fast/dom/Range/insertNode-empty-fragment-crash.html
+
+ * dom/Range.cpp: (WebCore::Range::insertNode): Don't adjust the range after insertion
+ if we didn't add anything. Otherwise the code will put a wrong "child before" value into
+ the range end boundary point.
+
+2011-08-11 Cris Neckar <cdn@chromium.org>
+
+ Fixes several bugs when adding CounterNodes to a tree which can cause asymetrical relationships.
+ https://bugs.webkit.org/show_bug.cgi?id=65996
+
+ Reviewed by Eric Seidel.
+
+ Test: fast/css/counters/counter-reparent-table-children-crash.html
+
+ * rendering/CounterNode.cpp:
+ (WebCore::CounterNode::insertAfter):
+ * rendering/RenderCounter.cpp:
+ (WebCore::findPlaceForCounter):
+ (WebCore::makeCounterNode):
+
+2011-07-29 Emil A Eklund <eae@chromium.org>
+
+ -webkit-marquee with anonymous node causes segmentation fault in Node::document
+ https://bugs.webkit.org/show_bug.cgi?id=64693
+
+ Reviewed by Simon Fraser.
+
+ Test: fast/css/webkit-marquee-anonymous-node-crash.html
+
+ * rendering/RenderLayer.cpp:
+ (WebCore::RenderLayer::scrollTo):
+ Add null check as renderer()->node() is null for anonymous nodes.
+
+2011-07-27 Ryosuke Niwa <rniwa@webkit.org>
+
+ Calling window.find immediately after mutating the document crashes WebKit.
+ https://bugs.webkit.org/show_bug.cgi?id=65296
+
+ Reviewed by Darin Adler.
+
+ Don't forget to layout first.
+
+ Test: editing/text-iterator/find-after-mutation.html
+
+ * editing/TextIterator.cpp:
+ (WebCore::findPlainText):
+
+2011-07-20 Tony Chang <tony@chromium.org>
+
+ Stale pointer due to floats not removed (flexible box display)
+ https://bugs.webkit.org/show_bug.cgi?id=64603
+
+ Reviewed by David Hyatt.
+
+ Flexbox items should avoid floats.
+
+ Test: fast/flexbox/horizontal-box-float-crash.html
+
+ * rendering/RenderBox.cpp:
+ (WebCore::RenderBox::avoidsFloats):
+ * rendering/RenderBox.h:
+ (WebCore::RenderBox::isDeprecatedFlexItem):
+
+2011-07-13 MORITA Hajime <morrita@google.com>
+
+ Refactoring: Ignored ExceptionCode value should be less annoying.
+ https://bugs.webkit.org/show_bug.cgi?id=63688
+
+ - Introduced ExceptionCodePlaceholder class for the default parameter of ExceptionCode.
+ - Introduced ASSERT_NO_EXCEPTION to check ExceptionCode not set to non-zero after the call.
+ - Adopted ASSERT_NO_EXCEPTION in Range.cpp
+
+ No new tests. No behaviour change.
+
+ Reviewed by Darin Adler.
+
+ * GNUmakefile.list.am:
+ * WebCore.gypi:
+ * WebCore.xcodeproj/project.pbxproj:
+ * dom/ExceptionCodePlaceholder.h: Added.
+ (WebCore::ExceptionCodePlaceholder::ExceptionCodePlaceholder):
+ (WebCore::ExceptionCodePlaceholder::operator ExceptionCode& ):
+ (WebCore::IgnorableExceptionCode::IgnorableExceptionCode):
+ (WebCore::CheckedExceptionCode::CheckedExceptionCode):
+ (WebCore::CheckedExceptionCode::~CheckedExceptionCode):
+ * dom/Range.cpp:
+ (WebCore::Range::Range):
+ (WebCore::Range::editingStartPosition):
+ * dom/Range.h:
+
+2011-06-30 Abhishek Arya <inferno@chromium.org>
+
+ Reviewed by Ryosuke Niwa.
+
+ Crash when calling DOMSubtreeModified event when extracting range
+ contents.
+ https://bugs.webkit.org/show_bug.cgi?id=63650
+
+ Convert a few nodes to RefPtrs and add commonRoot verification checks
+ for Range::processContents.
+
+ Tests: fast/dom/Range/range-extract-contents-event-fire-crash.html
+ fast/dom/Range/range-extract-contents-event-fire-crash2.html
+
+ * dom/Range.cpp:
+ (WebCore::childOfCommonRootBeforeOffset):
+ (WebCore::Range::processContents):
+ (WebCore::Range::processContentsBetweenOffsets):
+ (WebCore::Range::processAncestorsAndTheirSiblings):
+
+2011-06-29 Darin Adler <darin@apple.com>
+
+ Reviewed by Anders Carlsson.
+
+ [WebKit2] Crash loading page that adds/removes frame in DOMContentLoaded/loaded
+ https://bugs.webkit.org/show_bug.cgi?id=63483
+
+ Test: fast/loader/create-frame-in-DOMContentLoaded.html
+
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::init): Added an assertion.
+ (WebCore::FrameLoader::finishedLoadingDocument): Removed a non-helpful #if
+ statement. The rule that we do not call the client when creating the initial
+ empty document was nominally specific to Windows and Chromium but is needed
+ for all platforms.
+
+2011-06-28 Roland Steiner <rolandsteiner@chromium.org>
+
+ Reviewed by Eric Seidel.
+
+ Bug 55930 - (CVE-2011-1440) Incorrect handling of 'display:' property within nested <ruby> tags
+ https://bugs.webkit.org/show_bug.cgi?id=55930
+
+ Don't set style type BEFORE/AFTER on anonymous wrapper block.
+ Rather, check style type on generated wrapped child.
+
+ Tests: fast/ruby/generated-after-counter-doesnt-crash.html
+ fast/ruby/generated-before-and-after-counter-doesnt-crash.html
+ fast/ruby/generated-before-counter-doesnt-crash.html
+
+ * rendering/RenderRuby.cpp:
+ (WebCore::isAnonymousRubyInlineBlock):
+ (WebCore::isRubyBeforeBlock):
+ (WebCore::isRubyAfterBlock):
+ (WebCore::rubyBeforeBlock):
+ (WebCore::rubyAfterBlock):
+ (WebCore::createAnonymousRubyInlineBlock):
+ (WebCore::RenderRubyAsInline::addChild):
+ (WebCore::RenderRubyAsBlock::addChild):
+
+2011-05-31 Yong Li <yoli@rim.com>
+
+ Reviewed by Eric Seidel.
+
+ https://bugs.webkit.org/show_bug.cgi?id=54807
+ We have been assuming plain bitfields (like "int a : 31") are always signed integers.
+ However some compilers can treat them as unsigned. For example, RVCT 4.0 states plain
+ bitfields (declared without either signed or unsigned qualifiers) are treats as unsigned.
+ http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0348c/Babjddhe.html
+ Although we can use "--signed-bitfields" flag to make RVCT 4.0 behave as most other compilers,
+ always using "signed"/"unsigned" qualifier to declare integral type bitfields is still a good
+ rule we should have in order to make our code independent from compilers and compiler flags.
+
+ No new test added because this change is not known to fix any issue.
+
+ * css/CSSPrimitiveValue.h:
+ * css/CSSProperty.h:
+ * rendering/InlineBox.h:
+ * rendering/RenderBlock.h:
+
+2011-04-13 Roland Steiner <rolandsteiner@chromium.org>
+
+ Reviewed by David Hyatt.
+
+ Bug 55930 - Incorrect handling of 'display:' property within nested <ruby> tags
+ https://bugs.webkit.org/show_bug.cgi?id=55930
+
+ Non-inline :before/:after generated content is now wrapped with an anonymous inline block.
+
+ Also, added an additional check in RenderObjectChildList::updateBeforeAfterContent()
+ to verify that the created render object is legal under the parent.
+
+ Tests: fast/ruby/after-block-doesnt-crash.html
+ fast/ruby/after-table-doesnt-crash.html
+ fast/ruby/before-block-doesnt-crash.html
+ fast/ruby/before-table-doesnt-crash.html
+
+ * rendering/RenderObjectChildList.cpp:
+ (WebCore::RenderObjectChildList::updateBeforeAfterContent):
+ * rendering/RenderRuby.cpp:
+ (WebCore::isAnonymousRubyInlineBlock):
+ (WebCore::rubyBeforeBlock):
+ (WebCore::rubyAfterBlock):
+ (WebCore::createAnonymousRubyInlineBlock):
+ (WebCore::lastRubyRun):
+ (WebCore::RenderRubyAsInline::addChild):
+ (WebCore::RenderRubyAsInline::removeChild):
+ (WebCore::RenderRubyAsBlock::addChild):
+ (WebCore::RenderRubyAsBlock::removeChild):
+ * rendering/RenderRuby.h:
+
+2011-03-30 Dan Bernstein <mitz@apple.com>
+
+ Reviewed by Darin Adler.
+
+ <rdar://problem/9199518> Crash when focusing a styled editable element
+
+ Test: editing/deleting/delete-button-background-image-none.html
+
+ * editing/DeleteButtonController.cpp:
+ (WebCore::isDeletableElement): Check all background layers for background images.
+ * rendering/style/RenderStyle.h: Removed backgroundImage() as it was only used, incorrectly,
+ in the above function.
+
+2011-03-10 Alice Boxhall <aboxhall@chromium.org>
+
+ Reviewed by Dimitri Glazkov.
+
+ NULL pointer crash when using :empty and :first-line pseudoclass selectors together
+ https://bugs.webkit.org/show_bug.cgi?id=53316
+
+ :empty is calculated for each element during parsing, but then not
+ recalculated after any child elements are attached. Force style
+ re-calculation on elements which have :empty in their style when
+ their children are changed.
+
+ Test: fast/css/empty-first-line-crash.html
+
+ * dom/Element.cpp:
+ (WebCore::checkForEmptyStyleChange): Pull out empty style checking
+ logic from checkForSiblingStyleChanges().
+ (WebCore::checkForSiblingStyleChanges): Use new checkForEmptyStyleChanges()
+ method.
+ (WebCore::Element::childrenChanged): Call checkForEmptyStyleChanges() when
+ called with changedByParser = true.
+
+2011-03-09 Dan Bernstein <mitz@apple.com>
+
+ Reviewed by Dave Hyatt.
+
+ <rdar://problem/8733254> Float disappears after incremental layout
+ Fixed the original bug and a copule more issues noticed while doing so.
+
+ Tests: fast/dynamic/dirty-float-in-clean-line.html
+ fast/dynamic/float-at-line-break.html
+ fast/dynamic/float-from-empty-line.html
+
+ * rendering/RenderBlock.h:
+ * rendering/RenderBlockLineLayout.cpp:
+ (WebCore::RenderBlock::layoutInlineChildren): If findNextLineBreak() returned an empty line,
+ update the line break info of the last line with the new line break position. This is tested
+ by float-from-empty-line.html.
+ (WebCore::RenderBlock::checkFloatsInCleanLine): Factored out code from determineStartPosition()
+ into this new function.
+ (WebCore::RenderBlock::determineStartPosition): Call checkFloatsInCleanLine().
+ (WebCore::RenderBlock::determineEndPosition): When iterating over lines, check clean lines with
+ floats, as they may yet become dirty because of the floats. This is tested by
+ dirty-float-in-clean-line.html.
+ (WebCore::RenderBlock::findNextLineBreak): If a float fits on the line, and the current line
+ break is at the float, advance it to after the float. Otherwise, if the line gets dirty and the
+ next one does not, the float will not make it into any line. This is tested by
+ float-at-line-break.html.
+
+2011-02-01 chris reiss <christopher.reiss@nokia.com>
+
+ Reviewed by Adam Barth.
+
+ Self-replicating code makes Safari hang and eventually crash
+ https://bugs.webkit.org/show_bug.cgi?id=15123
+
+
+ Here we are replicating the Firefox safeguard against
+ recursive document.write( ) 's.
+
+ See https://bug197052.bugzilla.mozilla.org/attachment.cgi?id=293907 in bug
+ https://bugzilla.mozilla.org/show_bug.cgi?id=197052 . Firefox does two things -
+ a) imposes a recursion limit of 20 on document.write( ) and
+ b) once that limit is passed, panics all the way the call stack (rather than just returning one level.)
+ To see why this is necessary, consider the script :
+
+ <script>
+ var t = document.body.innerHTML;
+ document.write(t);
+ </script>
+
+ This will create a tree both broad and deep as the script keeps appending itself to the text. If
+ we just return one level after the recursion limit is reached, we still allow millions of copies to
+ duplicate (and execute).
+
+ The recursion is fortunately depth-first, so as soon as we cross this limit, we panic up the callstack
+ to prevent this situation. (IE apparently does the same thing, with a lower recursion limit.)
+
+ Test: fast/dom/Document/document-write-recursion.html
+ Test: fast/dom/Document/document-close-iframe-load.html
+ Test: fast/dom/Document/document-close-nested-iframe-load.html
+
+
+ * dom/Document.cpp:
+ (WebCore::Document::Document):
+ (WebCore::Document::write):
+ * dom/Document.h:
+
+2011-01-20 James Robinson <jamesr@chromium.org>
+
+ Reviewed by Eric "Baller" Seidel.
+
+ RenderTableSection's setNeedsCellRecalc needs to null check table()
+ https://bugs.webkit.org/show_bug.cgi?id=52770
+
+ Null checks table() before deferencing it in RenderTableSection::setNeedsCellRecalc.
+ This can be null during detach(). Test constructed by Eric Seidel.
+
+ Test: fast/css-generated-content/table-with-scrollbar-corner.html
+
+ * rendering/RenderTableSection.cpp:
+ (WebCore::RenderTableSection::setNeedsCellRecalc):
+ * rendering/RenderTableSection.h:
+
+2011-01-20 Xiaomei Ji <xji@chromium.org>
+
+ Reviewed by Dan Bernstein.
+
+ Fix regression(r71566): PDF in RTL block might messes up text directionality.
+ https://bugs.webkit.org/show_bug.cgi?id=52776
+
+ Test: fast/dom/52776.html
+
+ * platform/text/BidiResolver.h:
+ (WebCore::::checkDirectionInLowerRaiseEmbeddingLevel):
+ (WebCore::::lowerExplicitEmbeddingLevel):
+ (WebCore::::raiseExplicitEmbeddingLevel):
+ (WebCore::::createBidiRunsForLine):
+
+2011-01-19 Yuzo Fujishima <yuzo@google.com>
+
+ Reviewed by Kent Tamura.
+
+ Fix for Bug 52279 - WebCore::RenderBlock::updateFirstLetter crashes for anonymous blocks
+ https://bugs.webkit.org/show_bug.cgi?id=52279
+
+ In constructing text fragments to handle first-letter rule, first add
+ the text for the non-first letters and then remove the original text,
+ rather than the other way around. Otherwise, the text can be added to
+ an anoymous block that is different from the original one. This breaks
+ the assumption that a first letter render object has a non-null sibling
+ for the non-first letters and causes a crash.
+
+ Test: fast/css/first-letter-anonymous-block-crash.html
+
+ * rendering/RenderBlock.cpp:
+ (WebCore::RenderBlock::updateFirstLetter):
+
+2011-01-14 Abhishek Arya <inferno@chromium.org>
+
+ Reviewed by David Hyatt.
+
+ Prevent merging of anonymous blocks if one of them is already getting
+ destroyed.
+ https://bugs.webkit.org/show_bug.cgi?id=52402
+
+ Test: fast/block/merge-anonymous-block-remove-child-crash2.html
+
+ * rendering/RenderBlock.cpp:
+ (WebCore::RenderBlock::RenderBlock): initialize m_beingDestroyed to false.
+ (WebCore::RenderBlock::destroy): set m_beingDestroyed to true.
+ (WebCore::canMergeContiguousAnonymousBlocks): do not merge if any or prev or next is being destroyed.
+ (WebCore::RenderBlock::removeChild): remove the hack previously done for preventing oldChild merging with nextBlock's next sibling.
+ * rendering/RenderBlock.h:
+ (WebCore::RenderBlock::beingDestroyed): public function for m_beingDestroyed.
+
+2011-01-11 Simon Fraser <simon.fraser@apple.com>
+
+ Reviewed by Dan Bernstein.
+
+ Webkit crashes when a gradient is applied using the first-line pseudo element
+ https://bugs.webkit.org/show_bug.cgi?id=52225
+
+ When a pseudostyle references images, we fail to register/unregister
+ the relevant RenderObjects as clients of the image in the style.
+ For gradients, this caused a crash.
+
+ This patch fixes the crash by returning a null gradient image in this
+ situation.
+
+ Test: fast/gradients/gradient-on-pseudoelement-crash.html
+
+ * css/CSSGradientValue.cpp:
+ (WebCore::CSSGradientValue::image):
+
+2011-01-11 Abhishek Arya <inferno@chromium.org>
+
+ Reviewed by Dimitri Glazkov.
+
+ RefPtr the FrameView to prevent scrollbar from getting deleted inside
+ its scroll event.
+ https://bugs.webkit.org/show_bug.cgi?id=52238
+
+ Test: scrollbars/scrollable-iframe-remove-crash.html
+
+ * page/DOMWindow.cpp:
+ (WebCore::DOMWindow::scrollTo):
+
+2010-12-29 Tony Gentilcore <tonyg@chromium.org>
+
+ Reviewed by Eric Seidel.
+
+ Assertion failure: element->inDocument() in AsyncScriptRunner::executeScriptSoon()
+ https://bugs.webkit.org/show_bug.cgi?id=51067
+
+ Typically when a script element is removed from the document, the cached script
+ client is removed. However, during the before load event, the cached script client
+ hasn't been created yet so it can't be removed.
+
+ This patch handles that case by explicitly checking if the script element was
+ removed during the beforeload event. Also, it avoids caching the Document references
+ over the arbitrary script execution in the before load event.
+
+ Test: fast/dom/HTMLScriptElement/move-in-beforeload.html
+ fast/dom/HTMLScriptElement/remove-in-beforeload.html
+
+ * dom/ScriptElement.cpp:
+ (WebCore::ScriptElement::requestScript):
+
+2010-12-15 Yong Li <yoli@rim.com>
+
+ Reviewed by Darin Adler.
+
+ Fix stack overflow when there are too many sibling inline boxes by using
+ a loop to traverse children instead of calling each sibling from the first child.
+ https://bugs.webkit.org/show_bug.cgi?id=48255
+
+ Test: fast/overflow/lots-of-sibling-inline-boxes.html
+
+ * rendering/InlineBox.h:
+ (WebCore::InlineBox::setConstructed):
+ (WebCore::InlineBox::next):
+ * rendering/InlineFlowBox.h:
+ (WebCore::InlineFlowBox::setConstructed):
+
+2010-12-14 Emil Eklund <eae@chromium.org>
+
+ Reviewed by NOBODY (OOPS!).
+
+ Change ContainerNode::willRemoveChildren to not fire mutation events for children
+ added as a result of a mutation event, thereby avoiding an infinite loop.
+ https://bugs.webkit.org/show_bug.cgi?id=51079
+
+ Test: fast/dom/containerNode.html
+
+ * dom/ContainerNode.cpp:
+ (WebCore::willRemoveChildren): Don't fire mutation events for children added during a mutation event.
+
+2010-12-10 Emil Eklund <eae@chromium.org>
+
+ Reviewed by Adam Barth.
+
+ Fix crash in Range::processContents when modified during mutation event.
+ https://bugs.webkit.org/show_bug.cgi?id=50710
+
+ Test: fast/dom/Range/range-extractContents.html
+
+ * dom/Range.cpp:
+ (WebCore::Range::processContents):
+ Replace raw pointers with RefPtrs and add checks.
+
+2010-12-09 Abhishek Arya <inferno@chromium.org>
+
+ Reviewed by Dimitri Glazkov.
+
+ As part of r73559, I added the referenceNode check to validate whether the root
+ node of the iterator matches the node which is getting moved to other document.
+ referenceNode is initialized to root, however can get moved using previousNode
+ and nextNode methods, so it is required to use root directly.
+ https://bugs.webkit.org/show_bug.cgi?id=50764
+
+ Test: fast/dom/node-iterator-reference-node-moved-crash.html
+
+ * dom/Document.cpp:
+ (WebCore::Document::moveNodeIteratorsToNewDocument): change referenceNode to root.
+
+2010-12-08 Abhishek Arya <inferno@chromium.org>
+
+ Reviewed by Dimitri Glazkov.
+
+ Detach node iterator and move to new document when node gets moved.
+ https://bugs.webkit.org/show_bug.cgi?id=50697
+
+ Test: fast/dom/node-iterator-document-moved-crash.html
+
+ * dom/Document.cpp: Method that takes a node and new document as argument.
+ It detaches the node iterators belonging to the current document and attaches
+ them to the new document.
+ (WebCore::Document::moveNodeIteratorsToNewDocument):
+ * dom/Document.h: Function definition.
+ * dom/Node.cpp: When node is moved to another document, call the function to move
+ the iterators appropriately.
+ (WebCore::Node::setDocument):
+
+2010-11-30 Alexey Proskuryakov <ap@apple.com>
+
+ Reviewed by Darin Adler and Geoff Garen.
+
+ https://bugs.webkit.org/show_bug.cgi?id=44152
+ <rdar://problem/8324423> CSSOM should match DOM in discarding wrapper-less parents.
+
+ We have existing behaviors where parent objects in detached subtrees are not preserved:
+ - if a root of a node tree doesn't have a wrapper, it's immediately destroyed, making
+ its children parentNode attribute null;
+ - relationship between a <style> or <link> node and its stylesheet is immediately broken
+ when the node is removed from document (in this case, regardless of wrapper existence).
+
+ Both match Firefox. For consistency, CSSOM should do the same. In fact, it already partially
+ does - CSSRule.parentRule gets zeroed out when the parent rule is destroyed.
+
+ Tests: fast/dom/StyleSheet/detached-parent-rule-without-wrapper.html
+ fast/dom/StyleSheet/detached-stylesheet-without-wrapper.html
+
+ * css/StyleSheet.cpp: (WebCore::StyleSheet::~StyleSheet): Clear out child rule parent.
+
+ * svg/SVGFontFaceElement.cpp: (WebCore::SVGFontFaceElement::insertedIntoDocument): Keep
+ the new assertion from firing. This function was adding a rule to style sheet, without
+ telling the rule about it.
+
+2010-11-29 Alexey Proskuryakov <ap@apple.com>
+
+ Reviewed by Darin Adler.
+
+ https://bugs.webkit.org/show_bug.cgi?id=50165
+ CSS style rules don't GC protect parents
+
+ Tests: fast/dom/StyleSheet/gc-parent-rule.html
+ fast/dom/StyleSheet/gc-parent-stylesheet.html
+
+ * bindings/js/JSCSSRuleCustom.cpp: (WebCore::JSCSSRule::markChildren): Mark parents. The code
+ is super naive compared to what we have for nodes - but CSSOM has shallow hierarchies, so
+ it should be OK.
+
+ * css/CSSRule.idl: Added CustomMarkFunction.
+
+2010-11-23 Cris Neckar <cdn@chromium.org>
+
+ Reviewed by Dimitri Glazkov.
+
+ Removed unneeded conversions to RenderBlock.
+ https://bugs.webkit.org/show_bug.cgi?id=49896
+
+ Test: fast/css/input-search-table-column-crash.html
+
+ * rendering/RenderTextControlSingleLine.cpp:
+ (WebCore::RenderTextControlSingleLine::adjustControlHeightBasedOnLineHeight):
+
+2010-11-08 Alexander Pavlov <apavlov@chromium.org>
+
+ Reviewed by David Hyatt.
+
+ getPropertyValue("background") causes crash
+ https://bugs.webkit.org/show_bug.cgi?id=49055
+
+ Test: fast/css/background-norepeat-crash.html
+
+ * css/CSSMutableStyleDeclaration.cpp:
+ (WebCore::CSSMutableStyleDeclaration::getLayeredShorthandValue):
+
+2010-11-03 Simon Fraser <simon.fraser@apple.com>
+
+ Reviewed by John Sullivan.
+
+ Crash when setting context font to bad value
+ https://bugs.webkit.org/show_bug.cgi?id=48948
+
+ Null-check the CSSValue passed to CSSStyleSelector::applyPropertyToStyle(),
+ since it may be null if the style declaration does not contain a value
+ for the 'font' property.
+
+ Test: fast/canvas/invalid-set-font-crash.html
+
+ * css/CSSStyleSelector.cpp:
+ (WebCore::CSSStyleSelector::applyPropertyToStyle):
+
+2010-10-12 Abhishek Arya <inferno@chromium.org>
+
+ Reviewed by Darin Adler.
+
+ Prevent block logical height of a root inline box from overflowing by clamping it
+ at INT_MAX. Otherwise, we will not be able to properly dirty the set of lines during
+ removal a floating object.
+ https://bugs.webkit.org/show_bug.cgi?id=45611
+
+ Test: fast/overflow/overflow-block-logical-height-crash.html
+
+ * rendering/RootInlineBox.cpp:
+ (WebCore::RootInlineBox::alignBoxesInBlockDirection):
+
+2010-10-12 Roland Steiner <rolandsteiner@chromium.org>
+
+ Reviewed by David Hyatt.
+
+ Bug 41040 - :before/:after content should not become part of a ruby base
+ https://bugs.webkit.org/show_bug.cgi?id=41040
+
+ Also related to:
+ https://bugs.webkit.org/show_bug.cgi?id=40895.
+ https://bugs.webkit.org/show_bug.cgi?id=43722.
+
+ Explicitly handle :before and :after content in the default way.
+
+ Test: fast/ruby/ruby-beforeafter.html
+ fast/ruby/after-doesnt-crash.html
+
+ * rendering/RenderObject.h:
+ (WebCore::RenderObject::isBeforeContent):
+ * rendering/RenderRuby.cpp:
+ (WebCore::lastRubyRun):
+ (WebCore::RenderRubyAsInline::addChild):
+ (WebCore::RenderRubyAsInline::removeChild):
+ (WebCore::RenderRubyAsBlock::addChild):
+ (WebCore::RenderRubyAsBlock::removeChild):
+
+2010-10-06 Daniel Bates <dbates@rim.com>
+
+ Reviewed by Darin Adler.
+
+ ASSERTION FAILURE: Attempt to cast RenderObject to RenderFrameSet
+ when <frameset> has CSS content property
+ https://bugs.webkit.org/show_bug.cgi?id=47314
+
+ Fixes an issue where sending a mouse event to an HTML Frameset Element that
+ whose content was replaced via the CSS content property causes an assertion
+ failure.
+
+ By default, HTMLFrameSetElement forwards mouse events to RenderFrameSet so as
+ to support resizing a frame within the set. When a <frameset> specifies an
+ image in its CSS content property we create a generic render object (RenderObject)
+ for the frame set instead of a RenderFrameSet object. The event handler code
+ in HTMLFrameSetElement calls WebCore::toRenderFrameSet() to cast its renderer
+ to type RenderFrameSet, which fails. To correct this, HTMLFrameSetElement
+ must check that its renderer is of type RenderFrameSet before casting to this type.
+
+ Test: fast/frames/crash-frameset-CSS-content-property.html
+
+ * html/HTMLFrameSetElement.cpp:
+ (WebCore::HTMLFrameSetElement::defaultEventHandler): Check that our renderer is
+ of type RenderFrameSet before casting it as such.
+
+2010-09-30 Cris Neckar <cdn@chromium.org>
+
+ Reviewed by Darin Adler.
+
+ Added check to test for removed counter node when calling findPlaceForCounter() in updateCounters().
+ Added refcounting to counternodes in countermaps.
+ https://bugs.webkit.org/show_bug.cgi?id=46387
+
+ Test: fast/css/counters/counter-traverse-table-cell.html
+
+ * rendering/CounterNode.cpp:
+ (WebCore::CounterNode::create):
+ * rendering/CounterNode.h:
+ * rendering/RenderCounter.cpp:
+ (WebCore::makeCounterNode):
+ (WebCore::destroyCounterNodeWithoutMapRemoval):
+ (WebCore::RenderCounter::destroyCounterNodes):
+ (WebCore::RenderCounter::destroyCounterNode):
+ (WebCore::updateCounters):
+
+2010-09-30 Abhishek Arya <inferno@chromium.org>
+
+ Reviewed by Dan Bernstein.
+
+ While updating :before and :after content, make sure that the generated
+ container is allowed to add the child type.
+ https://bugs.webkit.org/show_bug.cgi?id=46106
+
+ Test: fast/css-generated-content/text-before-table-col-crash.html
+
+ * rendering/RenderObjectChildList.cpp:
+ (WebCore::RenderObjectChildList::updateBeforeAfterContent):
+
+2010-09-28 Andreas Kling <andreas.kling@nokia.com>
+
+ Reviewed by Kenneth Rohde Christiansen.
+
+ Canvas: Crash when setting a font with size in 'ex' units
+ https://bugs.webkit.org/show_bug.cgi?id=46538
+
+ update() the style's font after setting the style's font description.
+ Needed because CSSPrimitiveValue::computeLengthDouble() later assumes
+ that the style's font is properly initialized (for xHeight().)
+
+ Fixes crash on IE test center's canvas-text-font-002 test.
+
+ * html/canvas/CanvasRenderingContext2D.cpp:
+ (WebCore::CanvasRenderingContext2D::setFont):
+
+2010-09-27 Abhishek Arya <inferno@chromium.org>
+
+ Reviewed by Dan Bernstein.
+
+ When the block RunIn is destroyed, its line box tree is not deleted. As a result, it
+ gets later used during dirtying of inline text boxes step where this deleted parent is
+ accessed. The fix is to delete the line box tree before destroying the runin block.
+
+ https://bugs.webkit.org/show_bug.cgi?id=46376
+
+ Test: fast/text/dirty-inline-textbox-crash.html
+
+ * rendering/RenderText.cpp:
+ (WebCore::RenderText::dirtyLineBoxes):
+
+2010-09-27 Abhishek Arya <inferno@chromium.org>
+
+ Reviewed by Dave Hyatt.
+
+ Fix memory safety issue during positioning list marker as a result of assuming
+ that list item's parent can always be casted to a RenderBox. The display of the parent
+ can be manipluated using css as Inline which causes a bad cast.
+
+ https://bugs.webkit.org/show_bug.cgi?id=46384
+
+ Test: fast/lists/parent-box-not-box-crash.html
+
+ * rendering/RenderListItem.cpp:
+ (WebCore::RenderListItem::positionListMarker):
+ * rendering/RenderListMarker.cpp:
+ (WebCore::RenderListMarker::layout):
+
+2010-09-23 Alexey Proskuryakov <ap@apple.com>
+
+ Reviewed by Darin Adler.
+
+ https://bugs.webkit.org/show_bug.cgi?id=46326
+ Crash when trying to create a NodeIterator rooted at a document-less DocumentType node
+
+ Test: fast/dom/node-iterator-with-doctype-root.html
+
+ * dom/Document.cpp: (WebCore::Document::detachNodeIterator): Added a comment explaining that
+ attach/detach may not always be paired.
+
+ * dom/NodeIterator.cpp:
+ (WebCore::NodeIterator::NodeIterator): Don't try to register with the document if there is none.
+ (WebCore::NodeIterator::~NodeIterator): Ditto.
+ (WebCore::NodeIterator::detach): Ditto.
+ (WebCore::NodeIterator::updateForNodeRemoval): There should be a document if we're getting a
+ notification.
+
+2010-09-22 Alexey Proskuryakov <ap@apple.com>
+
+ Reviewed by Adam Barth.
+
+ https://bugs.webkit.org/show_bug.cgi?id=46222
+ <rdar://problem/8461701> Document.getElementById() malfunctions if ID was changed via Attr node modification.
+
+ Test: fast/dom/Attr/change-id-via-attr-node-value.html
+
+ * dom/Attr.h:
+ * dom/Attr.cpp:
+ (WebCore::Attr::setValue): Separated a version callable from WebCore from one avaiable to JS.
+ Attr::setValue() can be called from Element::setAttribute(), and we don't want to update
+ m_elementsById (or to call attributeChanged()) twice in that case.
+ (WebCore::Attr::childrenChanged): If Attr's node children change, id changes.
+
+ * dom/Document.cpp: (WebCore::Document::removeElementById): Added an assertion that we are
+ not trying to remove something that isn't there. If we are, we probably failed to update
+ m_elementsById earlier.
+
+ * dom/Element.cpp: (WebCore::Element::setAttribute): If the attribute has an Attr node, its
+ children should be updated to match attribute value.
+
+2010-09-21 Dan Bernstein <mitz@apple.com>
+
+ Reviewed by Darin Adler.
+
+ <rdar://problem/7729077> Extending the selection to sentence boundary after a line break may select extra character
+ https://bugs.webkit.org/show_bug.cgi?id=46232
+
+ Test: editing/selection/extend-by-sentence-002.html
+
+ * editing/visible_units.cpp:
+ (WebCore::nextBoundary): The text iterator\81fs range end can be the position after
+ the line break, in which case the next visible is actually after the first character
+ of the next sentence. Instead, advance the text iterator past the newline character
+ and return the beginning of its range, which is guaranteed to still be before the
+ next sentence.
+
+2010-09-16 Alexey Proskuryakov <ap@apple.com>
+
+ Reviewed by Adam Barth.
+
+ https://bugs.webkit.org/show_bug.cgi?id=45852
+ Range::selectNode and selectNodeContents misbehave when argument is in another document
+
+ Test: fast/dom/Range/select-node-different-document.html
+
+ There is nothing in DOM Traversal spec that says this shouldn't work, and it does work in
+ Firefox.
+
+ * dom/Range.cpp:
+ (WebCore::Range::setDocument):
+ (WebCore::Range::selectNode):
+ (WebCore::Range::selectNodeContents):
+ * dom/Range.h:
+
+2010-09-16 Tony Gentilcore <tonyg@chromium.org>
+
+ Reviewed by Adam Barth.
+
+ Crash in WebCore::FrameLoader::shouldInterruptLoadForXFrameOptions
+ https://bugs.webkit.org/show_bug.cgi?id=45833
+
+ Test: fast/parser/x-frame-options-detached-document-crash.html
+
+ * dom/Document.cpp:
+ (WebCore::Document::processHttpEquiv): Other branches in this method already test for a null frame. So it seems to make sense to test that here as well.
+
+2010-09-14 Darin Adler <darin@apple.com>
+
+ Reviewed by Geoffrey Garen.
+
+ Hang processing href attribute containing a million slashes
+ https://bugs.webkit.org/show_bug.cgi?id=45767
+
+ Test: fast/css/visited-link-hang.html
+
+ * platform/LinkHash.cpp:
+ (WebCore::findSlashDotDotSlash): Added a start position argument and
+ changed types to use size_t consistently instead of a mix.
+ (WebCore::findSlashSlash): Ditto.
+ (WebCore::findSlashDotSlash): Ditto.
+ (WebCore::squeezeOutNullCharacters): Added.
+ (WebCore::cleanSlashDotDotSlashes): Added. Factored out part
+ of cleanPath (see below).
+ (WebCore::mergeDoubleSlashes): Ditto.
+ (WebCore::cleanSlashDotSlashes): Ditto.
+ (WebCore::cleanPath): Changed algorithm to not remove as we go to
+ avoid N^2 behavior; instead replace with null characters and then
+ do a squeeze operation after the fact. Also moved the body of the
+ function out of line since we normally don't have to do any cleaning.
+ This whole thing should go at some point -- it's not the right
+ algorithm -- but this should eliminate the performance problems
+ without changing behavior.
+
+2010-09-07 Abhishek Arya <inferno@chromium.org>
+
+ Reviewed by Darin Adler.
+
+ Remove redundant bounds check in originalText(). Add bounds check
+ to previousCharacter(). No need of start() > 0 check since m_start
+ is unsigned and we already do start() null check inside function.
+ https://bugs.webkit.org/show_bug.cgi?id=45303
+
+ Test: fast/text/one-letter-transform-crash.html
+
+ * rendering/RenderTextFragment.cpp:
+ (WebCore::RenderTextFragment::originalText):
+ (WebCore::RenderTextFragment::previousCharacter):
+
+2010-08-30 Adam Barth <abarth@webkit.org>
+
+ Reviewed by Darin Adler.
+
+ WebCore::RenderBlock::addChild* NULL ptrs
+ https://bugs.webkit.org/show_bug.cgi?id=43722
+
+ Also includes some cleanup of comments and ASSERTs.
+
+ Test: fast/ruby/before-doesnt-crash.html
+
+ * rendering/RenderRuby.cpp:
+ (WebCore::RenderRubyAsInline::addChild):
+
+2010-08-18 Adam Barth <abarth@webkit.org>
+
+ Reviewed by Adele Peterson.
+
+ Null dereference in DOMSelection::deleteFromDocument
+ https://bugs.webkit.org/show_bug.cgi?id=44153
+
+ deleteFromDocument checks selection->isNone() before calling
+ selection->selection().toNormalizedRange(), but toNormalizedRange()
+ notes that it needs to updateLayout(), which can make the selection
+ isNone() again. In that case, we crash on a NULL pointer in
+ deleteFromDocument. I don't know how to trigger that situation in a
+ test, but cross_fuzz was able to hit it, so we should fix it.
+
+ * page/DOMSelection.cpp:
+ (WebCore::DOMSelection::deleteFromDocument):
+
+2010-08-17 Dmitry Titov <dimich@chromium.org>
+
+ Reviewed by David Levin.
+
+ MessagePort.close() crashes if the owning context was destroyed.
+ https://bugs.webkit.org/show_bug.cgi?id=43140
+
+ Test: fast/events/message-port-context-destroyed.html
+
+ * dom/MessagePort.cpp:
+ (WebCore::MessagePort::postMessage):
+ (WebCore::MessagePort::start):
+ (WebCore::MessagePort::close):
+ (WebCore::MessagePort::contextDestroyed):
+ Use isEntangled() method to gate various operations on MessagePort. This method also takes into account m_closed bit.
+
+ * dom/ScriptExecutionContext.cpp:
+ (WebCore::ScriptExecutionContext::stopActiveDOMObjects):
+ (WebCore::ScriptExecutionContext::closeMessagePorts):
+ * dom/ScriptExecutionContext.h:
+ Add closeMessagePorts() method that closes message ports at the same moments when other ActiveDOMObjects are stopped.
+
+2010-08-17 Eric Seidel <eric@webkit.org>
+
+ Reviewed by Adam Barth.
+
+ Make DocumentParser safer to use
+ https://bugs.webkit.org/show_bug.cgi?id=43055
+
+ Make DocumentParser and its subclasses RefCounted, and protect
+ HTMLDocumentParser during parsing. It's possible for a parser to
+ get deleted if certain actions (e.g., a document.write()) occur
+ synchronously.
+
+ The original version of this patch was written by Nate Chapin.
+
+ DocumentParser doesn't actually have to be fully RefCounted, since
+ the only two things which should ever hold a reference to it are
+ Document and DocumentParser itself. However using RefCounted and
+ RefPtr was easier/cleaner than inventing a custom ref() scheme.
+
+ This deploys a new "detach()" method throughout the parsing
+ framework. detach() causes the parser to disconnect from the
+ document so that no further modifications will be made to the
+ document while any possible DocumentParser stacks are unwound.
+
+ The irony of this patch is that the new detach() system is never
+ used, since Document always outlives the DocumentParser in all of
+ our layout tests. There is an ASSERT in ~Document() to verify
+ that the DocumentParser will not outlive the Document.
+
+ However I expect that we will soon either find new test cases, or change
+ the architecture in such a way that DocumentParser will outlive
+ Document. At which point, the detach() plumbing will be crucial.
+ Right now detach() serves as a safe-guard against use-after-free bugs
+ for any case where DocumentParser does outlive the Document.
+
+ This also fixes test cases attached to:
+ https://bugs.webkit.org/show_bug.cgi?id=42099
+
+ Tests: fast/frames/document-write-in-iframe-onload.html
+ fast/frames/set-parent-src-synchronously.html
+ fast/parser/document-close-iframe-load.html
+ fast/parser/document-close-nested-iframe-load.html
+ fast/parser/iframe-sets-parent-to-javascript-url.html
+
+ * dom/Document.cpp:
+ - Added a new detachParser() call to be used anywhere we
+ used to call m_parser.clear().
+ There is an ASSERT in ~DocumentParser which ensures that
+ we get this right.
+ (WebCore::Document::removedLastRef):
+ (WebCore::Document::~Document):
+ (WebCore::Document::createParser):
+ (WebCore::Document::detachParser):
+ (WebCore::Document::cancelParsing):
+ (WebCore::Document::implicitOpen):
+ - removed redundant m_parser.clear()
+ (WebCore::Document::implicitClose):
+ * dom/Document.h:
+ * dom/DocumentParser.cpp:
+ (WebCore::DocumentParser::~DocumentParser):
+ - ASSERT that callers always call detach() before destruction.
+ - This ASSERT might prove too cumbersome, but for now it's useful.
+ (WebCore::DocumentParser::detach):
+ * dom/DocumentParser.h:
+ * dom/RawDataDocumentParser.h:
+ * dom/XMLDocumentParser.cpp:
+ (WebCore::XMLDocumentParser::finish):
+ - Add a FIXME explaining part of the reason why
+ stopParsing() and detach() are separate concepts.
+ * dom/XMLDocumentParser.h:
+ (WebCore::XMLDocumentParser::create):
+ * dom/XMLDocumentParserLibxml2.cpp:
+ (WebCore::XMLDocumentParser::parseDocumentFragment):
+ * dom/XMLDocumentParserQt.cpp:
+ (WebCore::XMLDocumentParser::parseDocumentFragment):
+ * html/HTMLConstructionSite.cpp:
+ (WebCore::HTMLConstructionSite::detach):
+ (WebCore::HTMLConstructionSite::dispatchDocumentElementAvailableIfNeeded):
+ * html/HTMLConstructionSite.h:
+ * html/HTMLDocument.cpp:
+ (WebCore::HTMLDocument::createParser):
+ * html/HTMLDocument.h:
+ * html/HTMLDocumentParser.cpp:
+ - We need to protect(this) before calling into any code
+ which might cause the parser to be destroyed.
+ (WebCore::HTMLDocumentParser::~HTMLDocumentParser):
+ (WebCore::HTMLDocumentParser::detach):
+ (WebCore::HTMLDocumentParser::resumeParsingAfterYield):
+ (WebCore::HTMLDocumentParser::pumpTokenizer):
+ (WebCore::HTMLDocumentParser::insert):
+ (WebCore::HTMLDocumentParser::append):
+ (WebCore::HTMLDocumentParser::end):
+ (WebCore::HTMLDocumentParser::finish):
+ (WebCore::HTMLDocumentParser::notifyFinished):
+ (WebCore::HTMLDocumentParser::executeScriptsWaitingForStylesheets):
+ (WebCore::HTMLDocumentParser::parseDocumentFragment):
+ * html/HTMLDocumentParser.h:
+ (WebCore::HTMLDocumentParser::create):
+ * html/HTMLScriptRunner.cpp:
+ (WebCore::HTMLScriptRunner::detach):
+ (WebCore::HTMLScriptRunner::executeParsingBlockingScript):
+ (WebCore::HTMLScriptRunner::executeScript):
+ (WebCore::HTMLScriptRunner::executeScriptsWaitingForStylesheets):
+ (WebCore::HTMLScriptRunner::runScript):
+ * html/HTMLScriptRunner.h:
+ * html/HTMLTreeBuilder.cpp:
+ (WebCore::HTMLTreeBuilder::detach):
+ (WebCore::HTMLTreeBuilder::passTokenToLegacyParser):
+ (WebCore::HTMLTreeBuilder::finished):
+ * html/HTMLTreeBuilder.h:
+ * html/HTMLViewSourceDocument.cpp:
+ (WebCore::HTMLViewSourceDocument::createParser):
+ * html/HTMLViewSourceDocument.h:
+ * html/HTMLViewSourceParser.cpp:
+ (WebCore::HTMLViewSourceParser::HTMLViewSourceParser):
+ * html/HTMLViewSourceParser.h:
+ (WebCore::HTMLViewSourceParser::create):
+ * loader/FTPDirectoryDocument.cpp:
+ (WebCore::FTPDirectoryDocumentParser::create):
+ (WebCore::FTPDirectoryDocument::createParser):
+ * loader/FTPDirectoryDocument.h:
+ * loader/ImageDocument.cpp:
+ (WebCore::ImageDocumentParser::create):
+ (WebCore::ImageDocumentParser::ImageDocumentParser):
+ (WebCore::ImageDocument::createParser):
+ * loader/ImageDocument.h:
+ * loader/MediaDocument.cpp:
+ (WebCore::MediaDocumentParser::create):
+ (WebCore::MediaDocument::createParser):
+ * loader/MediaDocument.h:
+ * loader/PluginDocument.cpp:
+ (WebCore::PluginDocumentParser::create):
+ (WebCore::PluginDocument::createParser):
+ * loader/PluginDocument.h:
+ * loader/SinkDocument.cpp:
+ (WebCore::SinkDocumentParser::create):
+ (WebCore::SinkDocument::createParser):
+ * loader/SinkDocument.h:
+ * loader/TextDocument.cpp:
+ (WebCore::TextDocumentParser::create):
+ (WebCore::TextDocument::createParser):
+ (WebCore::createTextDocumentParser):
+ * loader/TextDocument.h:
+
+2010-08-15 Adam Barth <abarth@webkit.org>
+
+ Reviewed by Eric Seidel.
+
+ Don't try to replace a non-existent document after executing JavaScript URLs
+ https://bugs.webkit.org/show_bug.cgi?id=44024
+
+ Synchronous JavaScript execution is evil. Previously, the frame was
+ deleted after executing the JavaScript URL, so we'd get confused when
+ we tried to replace its document.
+
+ Test: fast/frames/javascript-url-for-deleted-frame.html
+
+ * bindings/ScriptControllerBase.cpp:
+ (WebCore::ScriptController::executeIfJavaScriptURL):
+
+2010-08-13 Mihai Parparita <mihaip@chromium.org>
+
+ Reviewed by Dimitri Glazkov.
+
+ Session history should skip over JS redirects
+ https://bugs.webkit.org/show_bug.cgi?id=42861
+
+ Lock the back/forward list for location changes and form submits that
+ happen before the onload event fires that are not the result of user
+ gestures.
+
+ Made form submission (at the ScheduledFormSubmission level) more similar
+ to ScheduledURLNavigation by having it call clientRedirected too, fixing
+ a long-standing FIXME.
+
+ Test: fast/history/gesture-before-onload-location-href.html,
+ fast/history/gesture-before-onload-form-submit.html and updated
+ expectations for http/tests/history tests that used to fail.
+
+ * loader/FormSubmission.cpp:
+ (WebCore::FormSubmission::requestURL):
+ (WebCore::FormSubmission::populateFrameLoadRequest):
+ * loader/FormSubmission.h:
+ * loader/RedirectScheduler.cpp:
+ (WebCore::ScheduledFormSubmission::ScheduledFormSubmission):
+ (WebCore::ScheduledFormSubmission::fire):
+ (WebCore::ScheduledFormSubmission::didStartTimer):
+ (WebCore::ScheduledFormSubmission::didStopTimer):
+ (WebCore::RedirectScheduler::scheduleRedirect):
+ (WebCore::RedirectScheduler::mustLockBackForwardList):
+ (WebCore::RedirectScheduler::scheduleLocationChange):
+ (WebCore::RedirectScheduler::scheduleFormSubmission):
+ * loader/RedirectScheduler.h:
+
+2010-08-12 Justin Schuh <jschuh@chromium.org>
+
+ Reviewed by Dumitru Daniliuc.
+
+ Clear PluginData's page pointer on page refresh
+ https://bugs.webkit.org/show_bug.cgi?id=43888
+
+ Test: plugins/access-after-page-destroyed.html
+
+ * page/Page.cpp:
+ (WebCore::Page::refreshPlugins):
+
+2010-08-08 Adam Barth <abarth@webkit.org>
+
+ Reviewed by Eric Seidel.
+
+ cross_fuzz WebCore::SelectionController::isFocusedAndActive ReadAV@NULL (9e865de49b1800ec790dcc35d8ebd069)
+ https://bugs.webkit.org/show_bug.cgi?id=43040
+
+ The pointer from Document to Frame can be null. See http://webkit.org/coding/major-objects.html.
+
+ * css/CSSStyleSelector.cpp:
+ (WebCore::CSSStyleSelector::SelectorChecker::checkOneSelector):
+
+2010-06-23 Andy Estes <aestes@apple.com>
+
+ Reviewed by Alexey Proskuryakov.
+
+ <rdar://problem/8107855> Prevent a crash in WebCore when removing an
+ object element with an invalid data URL in in a listener to its
+ beforeload event.
+ https://bugs.webkit.org/show_bug.cgi?id=41054
+
+ Tests: fast/dom/beforeload/remove-bad-object-in-beforeload-listener.html
+
+ * html/HTMLObjectElement.cpp:
+ (WebCore::HTMLObjectElement::renderFallbackContent): Exit early if the
+ object element is not in the document.
+ * rendering/RenderEmbeddedObject.cpp:
+ (WebCore::RenderEmbeddedObject::updateWidget): If RenderWidget::destroy()
+ was called during processing of onbeforeload, do not proceed with loading
+ the object.
+
+2010-06-18 Abhishek Arya <inferno@chromium.org>
+
+ Reviewed by Adam Barth.
+
+ Convert column span from an unsigned short type to an unsigned int
+ type. Fixes a divide-by-zero crash arising from using a zero colspan
+ value coming from a narrow cast of an int to an unsigned short.
+ https://bugs.webkit.org/show_bug.cgi?id=40812
+
+ Test: fast/table/zero-colspan-crash.html
+
+ * rendering/RenderTable.h: Change span from unsigned short to unsigned int.
+ * rendering/RenderTableSection.cpp: Fix a compiler warning with comparing
+ unsigned int with signed int. Value of an unsigned int here cannot be
+ greater than maximum positive value of a signed int.
+ (WebCore::RenderTableSection::addCell):
+
+2010-06-17 Andy Estes <aestes@apple.com>
+
+ Reviewed by Dan Bernstein.
+
+ <rdar://problem/8091385> Prevent a crash in WebCore when removing a stylesheet link element in
+ in a listener to its beforeload event.
+ https://bugs.webkit.org/show_bug.cgi?id=40742
+
+ Postpone loading of link elements until after they have been inserted into the DOM and
+ attached. This prevents DOM mutations triggered by beforeload handlers from firing in the
+ midst of DOM insertion, which can lead to assertion failures and crashes.
+
+ Test: fast/dom/beforeload/remove-link-in-beforeload-listener.html
+
+ * html/HTMLLinkElement.cpp:
+ (WebCore::HTMLLinkElement::HTMLLinkElement): Initialize m_shouldProcessAfterAttach to false.
+ (WebCore::HTMLLinkElement::processCallback): Add a static callback function which calls
+ HTMLLinkElement::process().
+ (WebCore::HTMLLinkElement::insertedIntoDocument): Instead of calling process() directly, set
+ m_shouldProcessAfterAttach to true to indicate that process() should be called after attach().
+ (WebCore::HTMLLinkElement::removedFromDocument): Set m_shouldProcessAfterAttach to false.
+ (WebCore::HTMLLinkElement::attach): If m_shouldProcessAfterAttach is true, register
+ HTMLLinkElement::processCallback() as a post-attach callback.
+ * html/HTMLLinkElement.h: Add m_shouldProcessAfterAttach.
+ (WebCore::HTMLLinkElement::canLazyAttach): Override canLazyAttach() to return false to
+ indicate that a full attach should be performed. This ensures the post-attach callbacks are
+ fired.
+
+2010-05-31 Tony Chang <tony@chromium.org>
+
+ Reviewed by Dan Bernstein.
+
+ REGRESSION (r58665): Infinite recursion in Position::getInlineBoxAndOffset()
+ https://bugs.webkit.org/show_bug.cgi?id=39946
+
+ r58665 added an infinite recursion check, but didn't take into consideration recursion between two
+ Positions. This adds a check for when
+ downstreamIgnoringEditingBoundaries(p1) == p2 and upstreamIgnoringEditingBoundaries(p2) == p1
+
+ Test: editing/selection/mixed-editability-12.html
+
+ * dom/Position.cpp:
+ (WebCore::Position::getInlineBoxAndOffset):
+
+2010-05-12 Yuzo Fujishima <yuzo@google.com>
+
+ Reviewed by Darin Adler.
+
+ Fix Bug 35014 - Modifying UA rules from page JS crashes
+ Added a NULL check.
+ https://bugs.webkit.org/show_bug.cgi?id=35014
+
+ Test: fast/css/modify-ua-rules-from-javascript.html
+
+ * css/CSSMutableStyleDeclaration.cpp:
+ (WebCore::CSSMutableStyleDeclaration::setNeedsStyleRecalc):
+
+2010-05-02 Dan Bernstein <mitz@apple.com>
+
+ Reviewed by Simon Fraser.
+
+ Another case of <rdar://problem/7552959> REGRESSION: Infinite recursion in Position::getInlineBoxAndOffset()
+ https://bugs.webkit.org/show_bug.cgi?id=38445
+
+ Test: editing/selection/mixed-editability-11.html
+
+ * dom/Position.cpp:
+ (WebCore::downstreamIgnoringEditingBoundaries): Added. Returns the furthest visually equivalent
+ position downstream, crossing any editability boundaries.
+ (WebCore::upstreamIgnoringEditingBoundaries): Similarly for upstream.
+ (WebCore::Position::getInlineBoxAndOffset): Changed the logic for finding an inline box for positions
+ whose node is a block flow. Instead of traversing the DOM, advance downstream or upstream as far as
+ possible, crossing any editability boudaries. Infinite recursion is avoided by advancing all the way
+ and checking that the new position is different from the starting position. Also replaced the specific
+ test for buttons with the generic and more comprehensive canHaveChildrenForEditing().
+
+2010-04-28 Julien Chaffraix <jchaffraix@webkit.org>
+
+ Reviewed by Alexey Proskuryakov.
+
+ [XHR] Cross-Origin synchronous request with credential raises NETWORK_ERR
+ https://bugs.webkit.org/show_bug.cgi?id=37781
+ <rdar://problem/7905150>
+
+ Tests: http/tests/xmlhttprequest/access-control-preflight-credential-async.html
+ http/tests/xmlhttprequest/access-control-preflight-credential-sync.html
+
+ Rolling the patch in as I could not reproduce Qt results locally.
+
+ * loader/DocumentThreadableLoader.cpp:
+ (WebCore::DocumentThreadableLoader::DocumentThreadableLoader): Now we remove the
+ credential from the request here to avoid forgetting to do so in the different code path.
+ (WebCore::DocumentThreadableLoader::makeSimpleCrossOriginAccessRequest): Just add the
+ "Origin" header.
+ (WebCore::DocumentThreadableLoader::loadRequest): Check here the the credential have
+ been removed so that we don't leak them. Also tweaked a comment to make it clear that
+ the URL check has issue when credential is involved.
+
+2010-04-09 Darin Adler <darin@apple.com>
+
+ Reviewed by Maciej Stachowiak.
+
+ https://bugs.webkit.org/show_bug.cgi?id=37370
+ Division by 0 in RenderBoxModelObject::calculateFillTileSize
+
+ Test: fast/backgrounds/background-fill-zero-area-crash.html
+
+ * rendering/RenderBoxModelObject.cpp:
+ (WebCore::RenderBoxModelObject::calculateFillTileSize): Added checks for
+ zero before doing division. These come up when the area to fill is zero.
+
+2010-04-08 Dimitri Glazkov <dglazkov@chromium.org>
+
+ Reviewed by Darin Adler.
+
+ Manipulating document fragment members while adding it to tree may result in loss of tree integrity.
+ https://bugs.webkit.org/show_bug.cgi?id=36031
+
+ Changes the logic of appending/inserting document fragment to first stashing all of its children
+ to a vector, then processing the vector. This avoids ghastliness that would be caused by mutation
+ events mucking with the document fragment while it's being appended/inserted.
+
+ Test: fast/dom/Node/fragment-mutation.html
+
+ * dom/ContainerNode.cpp:
+ (WebCore::targetNodes): Added method to populate a vector of nodes (targets) to be used in
+ inserting/appending operation.
+ (WebCore::ContainerNode::insertBefore): Changed to use vector-based iteration.
+ (WebCore::ContainerNode::appendChild): Ditto.
+ * dom/Node.cpp:
+ (WebCore::Node::checkReplaceChild): Cleaned up comments.
+ (WebCore::Node::checkAddChild): Ditto.
+
+2010-04-02 Justin Schuh <jschuh@chromium.org>
+
+ Reviewed by Alexey Proskuryakov.
+
+ XHR allows arbitrary XSRF across domains
+ https://bugs.webkit.org/show_bug.cgi?id=36843
+
+ Added a one-line change to prevent bypassing the XDC check on
+ synchronous preflighted requests. Added layout tests to cover
+ variations of this problem.
+
+ Tests: http/tests/xmlhttprequest/access-control-preflight-async-header-denied.html
+ http/tests/xmlhttprequest/access-control-preflight-async-method-denied.html
+ http/tests/xmlhttprequest/access-control-preflight-sync-header-denied.html
+ http/tests/xmlhttprequest/access-control-preflight-sync-method-denied.html
+
+ * loader/DocumentThreadableLoader.cpp:
+ (WebCore::DocumentThreadableLoader::preflightFailure):
+
+2010-04-01 MORITA Hajime <morrita@google.com>
+
+ Reviewed by Darin Adler.
+
+ WebCore::Document::updateLayoutIgnorePendingStylesheets NULL pointer
+ https://bugs.webkit.org/show_bug.cgi?id=31680
+ Ownerless nodes leads a crash on DOMSelection APIs
+ https://bugs.webkit.org/show_bug.cgi?id=36800
+
+ Added guards nodes from foreign documents to DOMSelection APIs.
+
+ Tests: editing/selection/DOMSelection-DocumentType.html
+ editing/selection/DOMSelection-crossing-document.html
+
+ * editing/VisiblePosition.cpp:
+ (WebCore::VisiblePosition::canonicalPosition):
+ * page/DOMSelection.cpp:
+ (WebCore::DOMSelection::collapse):
+ (WebCore::DOMSelection::setBaseAndExtent):
+ (WebCore::DOMSelection::setPosition):
+ (WebCore::DOMSelection::extend):
+ (WebCore::DOMSelection::containsNode):
+ (WebCore::DOMSelection::isValidForPosition):
+ * page/DOMSelection.h:
+
+2010-03-31 MORITA Hajime <morrita@google.com>
+
+ Reviewed by Darin Adler.
+
+ Crash when writing into a detached TITLE element
+ https://bugs.webkit.org/show_bug.cgi?id=25567
+
+ Document::setTitle() invoked HTMLTitleElement::setText(), which
+ contains DOM tree modification, even when setTitle() is called
+ from HTMLTitleElement::childrenChanged(). Fix to skip setText()
+ when setTitle() is called childrenChanged() to avoid cascading
+ DOM mutations between Document and HTMLTitleElement.
+
+ Test: fast/dom/title-content-write-set.html
+
+ * dom/Document.cpp:
+ (WebCore::Document::setTitle):
+
+2010-03-31 Geoffrey Garen <ggaren@apple.com>
+
+ Reviewed by Darin Adler.
+
+ Crash submitting display:none textarea in a form
+ https://bugs.webkit.org/show_bug.cgi?id=36905
+
+ Test: fast/forms/textarea-submit-crash.html
+
+ * html/HTMLTextAreaElement.cpp:
+ (WebCore::HTMLTextAreaElement::appendFormData): Do update layout before
+ asking our renderer for its text, since we can't rely on our renderer's
+ text if layout is needed.
+
+ * rendering/RenderTextControl.cpp:
+ (WebCore::RenderTextControl::textWithHardLineBreaks): Don't update layout
+ while being asked for our text, since doing so may delete us, causing a crash.
+
+2010-03-04 James Robinson <jamesr@chromium.org>
+
+ Reviewed by Dimitri Glazkov.
+
+ Handles setting HTMLSelectElement.length with mutation handlers present
+ https://bugs.webkit.org/show_bug.cgi?id=33983
+
+ When setting an HTMLSelectElement's length attribute, option elements have to be added or removed to the select
+ as appropriate. This is a little tricky with mutation events since they might add, remove, or reorder elements
+ while option elements are being added or deleted.
+
+ Tests: fast/forms/select-set-length-optgroup.html
+ fast/forms/select-set-length-with-mutation-remove.html
+ fast/forms/select-set-length-with-mutation-reorder.html
+ fast/forms/select-set-length-with-mutation-reparent.html
+ fast/forms/select-set-length-with-mutation.html
+ fast/forms/select-set-length.html
+
+ * html/HTMLSelectElement.cpp:
+ (WebCore::HTMLSelectElement::setLength):
+
+2010-02-16 Mark Rowe <mrowe@apple.com>
+
+ Reviewed by NOBODY (OOPS!).
+
+ Bug 34974: Leak of ScheduledAction during layout tests
+ <https://bugs.webkit.org/show_bug.cgi?id=34974>
+
+ ScheduledAction::create was returning a raw pointer which was threaded down through to an OwnPtr in DOMTimer.
+ If any of the code paths in between hit an error case and returned early the raw pointer would be leaked. We
+ can avoid this by passing it as a PassOwnPtr. This will ensure that the ScheduledAction is cleaned up should
+ an error case be hit.
+
+ * bindings/js/JSDOMWindowCustom.cpp:
+ (WebCore::JSDOMWindow::setTimeout): Store the newly-created ScheduledAction in an OwnPtr and then hand it off
+ as the function argument.
+ (WebCore::JSDOMWindow::setInterval): Ditto.
+ * bindings/js/JSWorkerContextCustom.cpp:
+ (WebCore::JSWorkerContext::setTimeout): Ditto.
+ (WebCore::JSWorkerContext::setInterval): Ditto.
+ * bindings/js/ScheduledAction.cpp:
+ (WebCore::ScheduledAction::create): Return a PassOwnPtr.
+ * bindings/js/ScheduledAction.h:
+ * page/DOMTimer.cpp:
+ (WebCore::DOMTimer::DOMTimer): Update argument type.
+ (WebCore::DOMTimer::install): Ditto.
+ * page/DOMTimer.h:
+ * page/DOMWindow.cpp:
+ (WebCore::DOMWindow::setTimeout): Ditto.
+ (WebCore::DOMWindow::setInterval): Ditto.
+ * page/DOMWindow.h:
+
+2010-01-26 Dan Bernstein <mitz@apple.com>
+
+ Reviewed by Beth Dakin.
+
+ <rdar://problem/7576663> Crash caused by anonymous list item
+ https://bugs.webkit.org/show_bug.cgi?id=34183
+
+ Test: fast/lists/anonymous-items.html
+
+ enclosingList() and previousListItem() were DOM-based, but in order to work with anonymous
+ list items, they need to work with rthe render tree.
+
+ * rendering/RenderListItem.cpp:
+ (WebCore::isList): Factored out.
+ (WebCore::enclosingList): Added this variant that takes a RenderObject.
+ (WebCore::previousListItem): Changed to travers the render tree.
+ (WebCore::RenderListItem::calcValue): Use the RenderObject version of enclosingList()
+ (WebCore::RenderListItem::setExplicitValue): Added an assertion.
+ (WebCore::RenderListItem::clearExplicitValue): Ditto.
+
+2010-01-24 Maciej Stachowiak <mjs@apple.com>
+
+ Reviewed by Dan Bernstein.
+
+ Content with heavily nested residual style is so slow, it seems like a hang
+ https://bugs.webkit.org/show_bug.cgi?id=34059
+ <rdar://problem/7292906>
+
+ Test cast: fast/parser/residual-style-hang.html
+
+ * html/HTMLParser.cpp:
+ (WebCore::HTMLParser::handleResidualStyleCloseTagAcrossBlocks):
+ Limit the number of iterations of the main loop to 5.
+
+ The reason this limit is necessary is that otherwise, N misnested open tags followed
+ by N misnested close tags will cause O(N^2) of work due to cloning and attaching subtrees;
+ at a fixed limit, the cost is at worst O(N).
+
+ The code that was in the loop originally ran exactly once - the loop was added in
+ r21472 to fix <https://bugs.webkit.org/show_bug.cgi?id=13603>. I have verified that
+ with the iteration limit, the bug is still fixed, both with the original test case
+ and with the layout tests tht were added.
+
+2010-01-22 Alexey Proskuryakov <ap@apple.com>
+
+ Reviewed by Darin Adler.
+
+ https://bugs.webkit.org/show_bug.cgi?id=34008
+ Assertion failure in KURL::setProtocol when running DOM Fuzzer
+
+ Test: fast/dom/Window/invalid-protocol.html
+
+ * bindings/js/JSLocationCustom.cpp: (WebCore::JSLocation::setProtocol): Raise an exception
+ if KURL::setProtocol fails.
+
+ * html/HTMLAnchorElement.cpp: (WebCore::HTMLAnchorElement::setProtocol): Move argument
+ tweaking logic into KURL. This way, the ':' trick applies to both JSLocation and
+ HTMLAnchorElement, matching IE (but not Firefox). IE behavior is more permissive, and even
+ more logical in my opinion.
+
+ * loader/FrameLoader.cpp: (WebCore::FrameLoader::iconURL): Assert that setting protocol
+ succeeded.
+
+ * platform/KURL.cpp: (WebCore::KURL::setProtocol): Remove everything past ':', if present.
+ Return false if the protocol to set is not valid.
+ (WebCore::isValidProtocol): Made this work correctly for empty strings.
+
+ * platform/KURL.h: isValidProtocol() is now static in KURL.cpp, it's only used in setProtocol().
+
+ * platform/KURLGoogle.cpp:
+ (WebCore::KURL::setProtocol): Always return true. This should hopefully prevent Chromium build
+ breakage, alhough tests will likely fail.
+ (WebCore::isValidProtocol): Removed, as this isn't used at the moment.
+
+ * websockets/WebSocketHandshake.cpp: (WebCore::WebSocketHandshake::httpURLForAuthenticationAndCookies):
+ Assert that setting protocol succeeded.
+
+2010-01-18 Alexey Proskuryakov <ap@apple.com>
+
+ Reviewed by Darin Adler.
+
+ https://bugs.webkit.org/show_bug.cgi?id=33815
+ Crash when using DOMTimer from a detached frame
+
+ Test: fast/dom/Window/timer-null-script-execution-context.html
+
+ * bindings/js/JSDOMWindowCustom.cpp:
+ (WebCore::JSDOMWindow::setTimeout):
+ (WebCore::JSDOMWindow::setInterval):
+ * page/DOMWindow.h:
+ * page/DOMWindow.idl:
+ Make setTimer and setInterval raise an exception. It is not specified in HTML5, but both
+ IE and Firefox do raise an exception in this situation, although different ones.
+
+ * page/DOMWindow.cpp:
+ (WebCore::DOMWindow::setTimeout): Raise INVALID_ACCESS_ERR if script execution context is
+ null (meaning that the window is detached).
+ (WebCore::DOMWindow::setInterval): Ditto.
+ (WebCore::DOMWindow::clearTimeout): Silently return early if there is no script execution
+ context.
+ (WebCore::DOMWindow::clearInterval): Ditto.
+ Raise INVALID_ACCESS_ERR if script execution context is null (meaning .
+
+2010-01-04 Darin Adler <darin@apple.com>
+
+ Reviewed by Dan Bernstein.
+
+ Reentrancy problem with selection in some edge cases.
+ https://bugs.webkit.org/show_bug.cgi?id=32842