Changeset 93481 in webkit


Timestamp:
Aug 20, 2011 11:11:55 AM (13 years ago)
Author:
Darin Adler
Message:

If Range::insertNode is passed an empty document fragment, it creates a broken DOM tree
https://bugs.webkit.org/show_bug.cgi?id=65015

Reviewed by Alexey Proskuryakov.

Source/WebCore:

Test: fast/dom/Range/insertNode-empty-fragment-crash.html

  • dom/Range.cpp: (WebCore::Range::insertNode): Don't adjust the range after insertion if we didn't add anything. Otherwise the code will put a wrong "child before" value into the range end boundary point.

LayoutTests:

  • fast/dom/Range/insertNode-empty-fragment-crash-expected.txt: Added.
  • fast/dom/Range/insertNode-empty-fragment-crash.html: Added.
Location:
trunk
Files:
2 added
9 edited

  • trunk/LayoutTests/ChangeLog

    r93479 r93481  
     12011-08-20  Darin Adler  <darin@apple.com>
     2
     3        If Range::insertNode is passed an empty document fragment, it creates a broken DOM tree
     4        https://bugs.webkit.org/show_bug.cgi?id=65015
     5
     6        Reviewed by Alexey Proskuryakov.
     7
     8        * fast/dom/Range/insertNode-empty-fragment-crash-expected.txt: Added.
     9        * fast/dom/Range/insertNode-empty-fragment-crash.html: Added.
     10
    1112011-08-20  Balazs Kelemen  <kbalazs@webkit.org>
    212
  • trunk/Source/WebCore/ChangeLog

    r93477 r93481  
     12011-08-20  Darin Adler  <darin@apple.com>
     2
     3        If Range::insertNode is passed an empty document fragment, it creates a broken DOM tree
     4        https://bugs.webkit.org/show_bug.cgi?id=65015
     5
     6        Reviewed by Alexey Proskuryakov.
     7
     8        Test: fast/dom/Range/insertNode-empty-fragment-crash.html
     9
     10        * dom/Range.cpp: (WebCore::Range::insertNode): Don't adjust the range after insertion
     11        if we didn't add anything. Otherwise the code will put a wrong "child before" value into
     12        the range end boundary point.
     13
    1142011-08-20  Ken Buchanan  <kenrb@chromium.org>
    215
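
Review bot: The entry lists only dom/Range.cpp, while the changeset also edits dom/Element.cpp, dom/Element.h, dom/Node.cpp, dom/Node.h and page/animation/AnimationController.cpp and .h to move raw pointers to OwnPtr. Either list those files here with a line describing the ownership change, or land them as a separate changeset so the insertNode crash fix can be reviewed and merged on its own.
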
  • trunk/Source/WebCore/dom/Element.cpp

    r93087 r93481  
    131131}
    132132   
    133 NodeRareData* Element::createRareData()
    134 {
    135     return new ElementRareData;
     133OwnPtr<NodeRareData> Element::createRareData()
     134{
     135    return adoptPtr(new ElementRareData);
    136136}
    137137
  • trunk/Source/WebCore/dom/Element.h

    r93071 r93481  
    428428
    429429    QualifiedName m_tagName;
    430     virtual NodeRareData* createRareData();
     430    virtual OwnPtr<NodeRareData> createRareData();
    431431
    432432    ElementRareData* rareData() const;
  • trunk/Source/WebCore/dom/Node.cpp

    r93385 r93481  
    537537   
    538538    ASSERT(!NodeRareData::rareDataMap().contains(this));
    539     NodeRareData* data = createRareData();
     539    NodeRareData* data = createRareData().leakPtr();
    540540    NodeRareData::rareDataMap().set(this, data);
    541541    setFlag(HasRareDataFlag);
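
Review bot: At line 539 the OwnPtr returned by createRareData() is released immediately with leakPtr() and the raw pointer is stored in rareDataMap(), so the map entry is still owned manually. Add a comment here naming where that pointer is deleted, so the leakPtr() call does not read as an actual leak to the next person auditing this function.
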
     
    543543}
    544544   
    545 NodeRareData* Node::createRareData()
    546 {
    547     return new NodeRareData;
     545OwnPtr<NodeRareData> Node::createRareData()
     546{
     547    return adoptPtr(new NodeRareData);
    548548}
    549549
  • trunk/Source/WebCore/dom/Node.h

    r93276 r93481  
    676676    virtual void derefEventTarget();
    677677
    678     virtual NodeRareData* createRareData();
     678    virtual OwnPtr<NodeRareData> createRareData();
    679679    bool rareDataFocused() const;
    680680
  • trunk/Source/WebCore/dom/Range.cpp

    r93269 r93481  
    44 * (C) 2000 Frederik Holljen (frederik.holljen@hig.no)
    55 * (C) 2001 Peter Kelly (pmk@post.com)
    6  * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009 Apple Inc. All rights reserved.
     6 * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved.
    77 *
    88 * This library is free software; you can redistribute it and/or
     
    10491049        // This special case doesn't seem to match the DOM specification, but it's currently required
    10501050        // to pass Acid3. We might later decide to remove this.
    1051         if (collapsed)
     1051        if (collapsed && numNewChildren)
    10521052            m_end.set(m_start.container(), startOffset + numNewChildren, lastChild.get());
    10531053    }
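
Review bot: The new numNewChildren test at line 1051 has no comment; the two comment lines above it explain only the Acid3 special case. Add a sentence saying that an empty document fragment inserts no children and that calling m_end.set(...) with lastChild.get() in that case stores a wrong "child before" value, as the commit message describes. Only the collapsed branch is visible here, so it is also worth stating in the comment or the ChangeLog that the other path needs no equivalent guard.
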
  • trunk/Source/WebCore/page/animation/AnimationController.cpp

    r91999 r93481  
    456456
    457457AnimationController::AnimationController(Frame* frame)
    458     : m_data(new AnimationControllerPrivate(frame))
     458    : m_data(adoptPtr(new AnimationControllerPrivate(frame)))
    459459{
    460460}
     
    462462AnimationController::~AnimationController()
    463463{
    464     delete m_data;
    465464}
    466465
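
Review bot: With "delete m_data;" removed, the destructor at lines 462-464 now has an empty body and could look removable in a later cleanup. If AnimationControllerPrivate is only forward-declared in AnimationController.h, the destructor has to stay defined in this file so that OwnPtr deletes a complete type; a one-line comment saying so would prevent that mistake.
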
  • trunk/Source/WebCore/page/animation/AnimationController.h

    r86981 r93481  
    3232#include "CSSPropertyNames.h"
    3333#include <wtf/Forward.h>
     34#include <wtf/OwnPtr.h>
    3435
    3536namespace WebCore {
     
    7879
    7980private:
    80     AnimationControllerPrivate* m_data;
     81    OwnPtr<AnimationControllerPrivate> m_data;
    8182};
    8283