REGRESSION (r179497): Crash inside setAttributeNode
author rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 13 Feb 2017 02:01:26 +0000 (02:01 +0000)
committer rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 13 Feb 2017 02:01:26 +0000 (02:01 +0000)
commit def03597297829d79cdd413b54149f6789771b22
tree 1d24fb54f6ca4ed2d33dd3b913f7ee5ebc9b8c13
parent 2dccb0ee1ad0dedde0b63d4ccee955c61a91ba4e
REGRESSION (r179497): Crash inside setAttributeNode
https://bugs.webkit.org/show_bug.cgi?id=168161
<rdar://problem/30451581>

Reviewed by Andreas Kling.

Source/WebCore:

The bug was caused by setAttributeNode calling setAttributeInternal with the same element data as the one used
to call removeAttributeInternal, despite the fact that removeAttributeInternal could have invoked arbitrary scripts
and mutated the element's m_elementData.

Fixed the bug by calling setAttributeInternal with the result of a new invocation of ensureUniqueElementData().

Test: fast/dom/Attr/make-unique-element-data-while-replacing-attr.html

* dom/Element.cpp:
(WebCore::Element::setAttributeNode):

LayoutTests:

Added a regression test.

* fast/dom/Attr/make-unique-element-data-while-replacing-attr-expected.txt: Added.
* fast/dom/Attr/make-unique-element-data-while-replacing-attr.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@212214 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/dom/Attr/make-unique-element-data-while-replacing-attr-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/Attr/make-unique-element-data-while-replacing-attr.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/Element.cpp
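
The ordering problem the commit message describes, as an added example that is not WebKit code and not part of this commit: a toy element whose attribute storage can be replaced by a callback that runs during removal. All names here (Element, ElementData, currentData, swapStorage) are hypothetical, and the model holds its storage in a shared_ptr so that reusing the old handle shows up as a lost write.

```cpp
#include <functional>
#include <map>
#include <memory>
#include <string>

// Toy model with hypothetical names; not WebKit code.
struct ElementData { std::map<std::string, std::string> attrs; };

struct Element {
    std::shared_ptr<ElementData> data = std::make_shared<ElementData>();
    std::function<void(Element&)> onRemove; // stand-in for script run during removal

    std::shared_ptr<ElementData> currentData() { return data; }

    void removeAttr(ElementData& d, const std::string& name) {
        d.attrs.erase(name);
        if (onRemove) onRemove(*this); // may replace this->data
    }

    // One handle reused across the callback: the write can land in old storage.
    void replaceStale(const std::string& name, const std::string& value) {
        auto d = currentData();
        removeAttr(*d, name);
        d->attrs[name] = value;
    }

    // Storage fetched again after the callback: the write lands in live storage.
    void replaceFresh(const std::string& name, const std::string& value) {
        auto d = currentData();
        removeAttr(*d, name);
        currentData()->attrs[name] = value;
    }
};

// Constructed callback: swaps in new storage, as a re-entrant mutation could.
void swapStorage(Element& e) { e.data = std::make_shared<ElementData>(*e.data); }

// True when the element holds the new value after the replace.
bool attributeSurvives(bool refetch) {
    Element e;
    e.data->attrs["id"] = "old";
    e.onRemove = swapStorage;
    if (refetch) e.replaceFresh("id", "new"); else e.replaceStale("id", "new");
    auto it = e.data->attrs.find("id");
    return it != e.data->attrs.end() && it->second == "new";
}

int main() { return (!attributeSurvives(false) && attributeSurvives(true)) ? 0 : 1; }
```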