Changeset 199282 in webkit


Ignore:
Timestamp:
Apr 10, 2016 12:49:54 AM (8 years ago)
Author:
Carlos Garcia Campos
Message:

Merge r165044 - REGRESSION(r164856): Use after free in WebCore::QualifiedName::operator== / WebCore::StyledElement::attributeChanged
https://bugs.webkit.org/show_bug.cgi?id=129550

Reviewed by Andreas Kling.

Source/WebCore:

We can't store a reference to QualifiedName here because ensureUniqueElementData could delete QualifiedName inside Attribute.

Test: fast/dom/uniquing-attributes-via-setAttribute.html

  • dom/Element.cpp:

(WebCore::Element::setAttributeInternal):

LayoutTests:

Added a regression test.

  • fast/dom/uniquing-attributes-via-setAttribute-expected.txt: Added.
  • fast/dom/uniquing-attributes-via-setAttribute.html: Added.
Location:
releases/WebKitGTK/webkit-2.4
Files:
2 added
3 edited

Legend:

Unmodified
Added
Removed

  • releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog

    r197294 r199282  
     12014-03-04  Ryosuke Niwa  <rniwa@webkit.org>
     2
     3        REGRESSION(r164856): Use after free in WebCore::QualifiedName::operator== / WebCore::StyledElement::attributeChanged
     4        https://bugs.webkit.org/show_bug.cgi?id=129550
     5
     6        Reviewed by Andreas Kling.
     7
     8        Added a regression test.
     9
     10        * fast/dom/uniquing-attributes-via-setAttribute-expected.txt: Added.
     11        * fast/dom/uniquing-attributes-via-setAttribute.html: Added.
     12
    1132015-02-06  Zalan Bujtas  <zalan@apple.com>
    214

  • releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog

    r199281 r199282  
     12014-03-04  Ryosuke Niwa  <rniwa@webkit.org>
     2
     3        REGRESSION(r164856): Use after free in WebCore::QualifiedName::operator== / WebCore::StyledElement::attributeChanged
     4        https://bugs.webkit.org/show_bug.cgi?id=129550
     5
     6        Reviewed by Andreas Kling.
     7
     8        We can't store a reference to QualifiedName here because ensureUniqueElementData could delete QualifiedName inside Attribute.
     9
     10        Test: fast/dom/uniquing-attributes-via-setAttribute.html
     11
     12        * dom/Element.cpp:
     13        (WebCore::Element::setAttributeInternal):
     14
    1152014-03-25  Gabor Rapcsanyi  <rgabor@webkit.org>
    216

  • releases/WebKitGTK/webkit-2.4/Source/WebCore/dom/Element.cpp

    r197293 r199282  
    10571057    AtomicString oldValue = attribute.value();
    10581058    bool valueChanged = newValue != oldValue;
    1059     const QualifiedName& attributeName = (!inSynchronizationOfLazyAttribute || valueChanged) ? attribute.name() : name;
     1059    QualifiedName attributeName = (!inSynchronizationOfLazyAttribute || valueChanged) ? attribute.name() : name;
    10601060
    10611061    if (!inSynchronizationOfLazyAttribute)
Note: See TracChangeset for help on using the changeset viewer.