Changeset 30722 in webkit


Timestamp:
Mar 3, 2008 2:43:57 PM (16 years ago)
Author:
mrowe@apple.com
Message:

2008-03-03 Mark Rowe <mrowe@apple.com>

Reviewed by Dan Bernstein.

Fix http://bugs.webkit.org/show_bug.cgi?id=17313
Bug 17313: querySelectorAll() causing crashes when called via dojo.query() wrapper

Node::querySelector and SelectorNodeList were not sufficiently initializing the CSSStyleSelector
before using it to resolve styles, which led to it having a stale m_style member in some situations.
This stale m_style member resulted in a wild store that would write over whatever object now resided
at the location m_style pointed to.

Test: fast/dom/SelectorAPI/bug-17313.html

  • dom/Node.cpp: (WebCore::Node::querySelector): Call initForStyleResolve to further initialize the CSSStyleSelector.
  • dom/SelectorNodeList.cpp: (WebCore::SelectorNodeList::SelectorNodeList): Ditto.

2008-03-03 Mark Rowe <mrowe@apple.com>

Reviewed by Dan Bernstein.

Test for http://bugs.webkit.org/show_bug.cgi?id=17313
Bug 17313: querySelectorAll() causing crashes when called via dojo.query() wrapper

  • fast/dom/SelectorAPI/bug-17313-expected.txt: Added.
  • fast/dom/SelectorAPI/bug-17313.html: Added.
Location:
trunk
Files:
2 added
4 edited

  • trunk/LayoutTests/ChangeLog

    r30715 r30722  
     12008-03-03  Mark Rowe  <mrowe@apple.com>
     2
     3        Reviewed by Dan Bernstein.
     4
     5        Test for http://bugs.webkit.org/show_bug.cgi?id=17313
     6        Bug 17313: querySelectorAll() causing crashes when called via dojo.query() wrapper
     7
     8        * fast/dom/SelectorAPI/bug-17313-expected.txt: Added.
     9        * fast/dom/SelectorAPI/bug-17313.html: Added.
     10
    1112008-03-03  David D. Kilzer  <ddkilzer@webkit.org>
    212
  • trunk/WebCore/ChangeLog

    r30720 r30722  
     12008-03-03  Mark Rowe  <mrowe@apple.com>
     2
     3        Reviewed by Dan Bernstein.
     4
     5        Fix http://bugs.webkit.org/show_bug.cgi?id=17313
     6        Bug 17313: querySelectorAll() causing crashes when called via dojo.query() wrapper
     7
     8        Node::querySelector and SelectorNodeList were not sufficiently initializing the CSSStyleSelector
     9        before using it to resolve styles, which lead to it having a stale m_style member in some situations.
     10        This stale m_style member resulted in a wild store that would write over whatever object now resided
     11        at the location m_style pointed to.
     12
     13        Test: fast/dom/SelectorAPI/bug-17313.html
     14
     15        * dom/Node.cpp:
     16        (WebCore::Node::querySelector): Call initForStyleResolve to further initialize the CSSStyleSelector.
     17        * dom/SelectorNodeList.cpp:
     18        (WebCore::SelectorNodeList::SelectorNodeList): Ditto.
     19
    1202008-03-03  Anders Carlsson  <andersca@apple.com>
    221
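Review bot: Grammar nit in the ChangeLog entry at hunk line 9: "which lead to it having a stale m_style member" should read "which led to it having a stale m_style member". Otherwise the entry is a good record of the root cause (a partially initialized CSSStyleSelector leaving m_style pointing at freed memory, then a wild store through it), which is exactly what a future reader will need to understand why the extra initForStyleResolve call must not be removed.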
  • trunk/WebCore/dom/Node.cpp

    r30431 r30722  
    12231223            Element* element = static_cast<Element*>(n);
    12241224            styleSelector->initElementAndPseudoState(element);
     1225            styleSelector->initForStyleResolve(element, 0);
    12251226            for (CSSSelector* selector = querySelector; selector; selector = selector->next()) {
    12261227                if (styleSelector->checkSelector(selector))
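Review bot: The added `styleSelector->initForStyleResolve(element, 0);` at hunk line 1225 is the actual fix, but nothing in the code records why it is required, so a later cleanup could easily treat it as redundant beside `initElementAndPseudoState(element)` and drop it, reintroducing the stale-m_style wild store described in the ChangeLog. Suggest a short comment above the call stating that initForStyleResolve resets the selector's per-element style state and that checkSelector must never run without it. It would also help to say what the literal `0` second argument denotes for a match-only pass, since no style is being computed here. Finally, since the same two-call sequence now has to appear at every place a CSSStyleSelector is used for selector matching (the SelectorNodeList.cpp hunk in this changeset is the second copy), consider factoring it into one helper so the next caller cannot repeat the original mistake of calling only the first half.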
  • trunk/WebCore/dom/SelectorNodeList.cpp

    r30096 r30722  
    4444    for (Node* n = rootNode->firstChild(); n; n = n->traverseNextNode(rootNode.get())) {
    4545        if (n->isElementNode()) {
    46             styleSelector->initElementAndPseudoState(static_cast<Element*>(n));
     46            Element* element = static_cast<Element*>(n);
     47            styleSelector->initElementAndPseudoState(element);
     48            styleSelector->initForStyleResolve(element, 0);
    4749            for (CSSSelector* selector = querySelector; selector; selector = selector->next()) {
    4850                if (styleSelector->checkSelector(selector)) {
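Review bot: This hunk duplicates the three-line sequence introduced in dom/Node.cpp in the same changeset (`Element* element = static_cast<Element*>(n);`, `initElementAndPseudoState(element)`, `initForStyleResolve(element, 0)`); the bug being fixed was precisely that one of the two call sites had only half of the initialization, so leaving two hand-maintained copies keeps that failure mode open. Suggest a single shared helper that performs both initialization calls before any checkSelector and have both querySelector and the SelectorNodeList constructor call it, or at minimum add the same explanatory comment here as in Node.cpp so the dependency between the two calls is visible at each site. Replacing the old line 46 with the named `element` local is fine and makes the diff easier to read.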