2010-08-07 Adam Barth <abarth@webkit.org>
authorabarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 7 Aug 2010 17:52:20 +0000 (17:52 +0000)
committerabarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 7 Aug 2010 17:52:20 +0000 (17:52 +0000)
        Reviewed by Dimitri Glazkov.

        Regression: Memory corruption in tree builder
        https://bugs.webkit.org/show_bug.cgi?id=43672

        Turns out this ASSERT was wrong and we need the branch.  Yay for
        test-driven development.

        * html/HTMLTreeBuilder.cpp:
        (WebCore::HTMLTreeBuilder::callTheAdoptionAgency):
2010-08-07  Adam Barth  <abarth@webkit.org>

        Reviewed by Dimitri Glazkov.

        Regression: Memory corruption in tree builder
        https://bugs.webkit.org/show_bug.cgi?id=43672

        * html5lib/resources/adoption02.dat:
        * html5lib/runner-expected-html5.txt:
        * html5lib/runner-expected.txt:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@64913 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/html5lib/resources/adoption02.dat
LayoutTests/html5lib/runner-expected-html5.txt
LayoutTests/html5lib/runner-expected.txt
WebCore/ChangeLog
WebCore/html/HTMLTreeBuilder.cpp

index a8ac09e..b5ff0ef 100644 (file)
@@ -1,3 +1,14 @@
+2010-08-07  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Dimitri Glazkov.
+
+        Regression: Memory corruption in tree builder
+        https://bugs.webkit.org/show_bug.cgi?id=43672
+
+        * html5lib/resources/adoption02.dat:
+        * html5lib/runner-expected-html5.txt:
+        * html5lib/runner-expected.txt:
+
 2010-08-07  Dimitri Glazkov  <dglazkov@chromium.org>
 
         [Chromium]: Added port-specific expectations after http://trac.webkit.org/changeset/64901.
index 2121e31..e6e6826 100644 (file)
 |           <script>
 |             "document.getElementById("b").id = "c";document.getElementById("i").id = "j""
 |         "4"
+
+#data
+<a><div><style></style><address><a>
+#errors
+#document
+| <html>
+|   <head>
+|   <body>
+|     <a>
+|     <div>
+|       <a>
+|         <style>
+|       <address>
+|         <a>
+|         <a>
index 03e7863..ac019ff 100644 (file)
@@ -332,7 +332,7 @@ Expected:
 resources/adoption02.dat:
 2
 
-Test 2 of 2 in resources/adoption02.dat failed. Input:
+Test 2 of 3 in resources/adoption02.dat failed. Input:
 <b id="b">1<i id="i">2<p>3<script>document.getElementById("b").id = "c";document.getElementById("i").id = "j"</script></b>4
 Got:
 | <html>
index 3d208f9..14d3ea5 100644 (file)
@@ -331,7 +331,7 @@ Expected:
 resources/adoption02.dat:
 2
 
-Test 2 of 2 in resources/adoption02.dat failed. Input:
+Test 2 of 3 in resources/adoption02.dat failed. Input:
 <b id="b">1<i id="i">2<p>3<script>document.getElementById("b").id = "c";document.getElementById("i").id = "j"</script></b>4
 Got:
 | <html>
index 61b7c0a..7614d9e 100644 (file)
@@ -1,3 +1,16 @@
+2010-08-07  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Dimitri Glazkov.
+
+        Regression: Memory corruption in tree builder
+        https://bugs.webkit.org/show_bug.cgi?id=43672
+
+        Turns out this ASSERT was wrong and we need the branch.  Yay for
+        test-driven development.
+
+        * html/HTMLTreeBuilder.cpp:
+        (WebCore::HTMLTreeBuilder::callTheAdoptionAgency):
+
 2010-08-07  Dirk Schulze  <krit@webkit.org>
 
         Unreviewed build-fix.
index 83f49fe..21716e3 100644 (file)
@@ -1744,8 +1744,9 @@ void HTMLTreeBuilder::callTheAdoptionAgency(AtomicHTMLToken& token)
         //        be in HTMLConstructionSite.  My guess is that steps 8--12
         //        should all be in some HTMLConstructionSite function.
         furthestBlockElement->parserAddChild(newElement);
-        if (furthestBlockElement->attached()) {
-            ASSERT(!newElement->attached());
+        if (furthestBlockElement->attached() && !newElement->attached()) {
+            // Notice that newElement might already be attached if, for example, one of the reparented
+            // children is a style element, which attaches itself automatically.
             newElement->attach();
         }
         // 11