WebCore:
authordglazkov@chromium.org <dglazkov@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 6 Apr 2009 18:01:17 +0000 (18:01 +0000)
committerdglazkov@chromium.org <dglazkov@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 6 Apr 2009 18:01:17 +0000 (18:01 +0000)
2009-04-06  Dave Moore  <davemoore@google.com>

        Reviewed by Dimitri Glazkov.

        https://bugs.webkit.org/show_bug.cgi?id=25031
        Make the V8 element collections check for named properties *before*
        checking if there are any elements with the same name. Otherwise
        it is both incorrect and slow.

        Test: fast/dom/HTMLSelectElement/length-not-overridden.html

        Both of these interceptors were attempting to find an element in the
        collection that had a name or id of the property name before checking
        for a JS property with that name.
        * bindings/v8/V8Collection.h:
        (WebCore::collectionNamedPropertyGetter):
        (WebCore::nodeCollectionNamedPropertyGetter):

LayoutTests:

2009-04-06  Dave Moore  <davemoore@google.com>

        Reviewed by Dimitri Glazkov.

        https://bugs.webkit.org/show_bug.cgi?id=25031
        Test for ensuring that named elements don't override properties on collections

        * fast/dom/HTMLSelectElement/length-not-overridden-expected.txt: Added.
        * fast/dom/HTMLSelectElement/length-not-overridden.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@42247 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/dom/HTMLSelectElement/length-not-overridden-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/HTMLSelectElement/length-not-overridden.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/bindings/v8/V8Collection.h

index 9dd3185..55ba09c 100644 (file)
@@ -1,3 +1,13 @@
+2009-04-06  Dave Moore  <davemoore@google.com>
+
+        Reviewed by Dimitri Glazkov.
+
+        https://bugs.webkit.org/show_bug.cgi?id=25031
+        Test for ensuring that named elements don't override properties on collections
+
+        * fast/dom/HTMLSelectElement/length-not-overridden-expected.txt: Added.
+        * fast/dom/HTMLSelectElement/length-not-overridden.html: Added.
+
 2009-04-06  Simon Fraser  <simon.fraser@apple.com>
 
         Reviewed by Darin Adler
diff --git a/LayoutTests/fast/dom/HTMLSelectElement/length-not-overridden-expected.txt b/LayoutTests/fast/dom/HTMLSelectElement/length-not-overridden-expected.txt
new file mode 100644 (file)
index 0000000..7e456d2
--- /dev/null
@@ -0,0 +1,4 @@
+This tests that the length property is not overriden by having an option with the name 'length'.
+
+Select Element Test Passed
+Options Collection Test Passed
diff --git a/LayoutTests/fast/dom/HTMLSelectElement/length-not-overridden.html b/LayoutTests/fast/dom/HTMLSelectElement/length-not-overridden.html
new file mode 100644 (file)
index 0000000..d471c4a
--- /dev/null
@@ -0,0 +1,37 @@
+<html>
+    <head>
+        <script>
+            function log(msg)
+            {
+                document.getElementById('console').appendChild(document.createTextNode(msg + '\n'));
+            }
+
+            function test()
+            {
+                if (window.layoutTestController)
+                    layoutTestController.dumpAsText();
+
+                var sl = document.getElementById("sl");
+
+                // This checks that the select element's length property is still '1',
+                // even though there is an option with the same name
+                if (sl.length == 1)
+                    log("Select Element Test Passed");
+                else
+                    log("Select Element Test Failed");
+
+                // This checks that the option collection's length property is still '1',
+                // even though there is an option with the same name
+                if (sl.options.length == 1)
+                    log("Options Collection Test Passed");
+                else
+                    log("Options Collection Test Failed");
+            }
+        </script>
+    </head>
+    <body onload="test()">
+        This tests that the length property is not overriden by having an option with the name 'length'.<br>
+        <select id="sl"><option value="Length" name="length" /></select>
+        <pre id="console"></pre>
+    </body>
+</html>
index e0554db..972f409 100644 (file)
@@ -1,3 +1,21 @@
+2009-04-06  Dave Moore  <davemoore@google.com>
+
+        Reviewed by Dimitri Glazkov.
+
+        https://bugs.webkit.org/show_bug.cgi?id=25031
+        Make the V8 element collections check for named properties *before*
+        checking if there are any elements with the same name. Otherwise
+        it is both incorrect and slow.
+
+        Test: fast/dom/HTMLSelectElement/length-not-overridden.html
+
+        Both of these interceptors were attempting to find an element in the
+        collection that had a name or id of the property name before checking
+        for a JS property with that name.
+        * bindings/v8/V8Collection.h:
+        (WebCore::collectionNamedPropertyGetter):
+        (WebCore::nodeCollectionNamedPropertyGetter):
+
 2009-04-06  Simon Fraser  <simon.fraser@apple.com>
 
         Reviewed by Darin Adler
index bc6dcc8..cba7769 100644 (file)
@@ -71,6 +71,15 @@ namespace WebCore {
     // A template of named property accessor of collections.
     template<class Collection, class ItemType> static v8::Handle<v8::Value> collectionNamedPropertyGetter(v8::Local<v8::String> name, const v8::AccessorInfo& info)
     {
+        v8::Handle<v8::Value> value = info.Holder()->GetRealNamedPropertyInPrototypeChain(name);
+
+        if (!value.IsEmpty())
+            return value;
+
+        // Search local callback properties next to find IDL defined
+        // properties.
+        if (info.Holder()->HasRealNamedCallbackProperty(name))
+            return notHandledByInterceptor();
         return getNamedPropertyOfCollection<Collection, ItemType>(name, info.Holder(), info.Data());
     }
 
@@ -79,6 +88,15 @@ namespace WebCore {
     {
         ASSERT(V8Proxy::MaybeDOMWrapper(info.Holder()));
         ASSERT(V8Proxy::GetDOMWrapperType(info.Holder()) == V8ClassIndex::NODE);
+        v8::Handle<v8::Value> value = info.Holder()->GetRealNamedPropertyInPrototypeChain(name);
+
+        if (!value.IsEmpty())
+            return value;
+
+        // Search local callback properties next to find IDL defined
+        // properties.
+        if (info.Holder()->HasRealNamedCallbackProperty(name))
+            return notHandledByInterceptor();
         Collection* collection = V8Proxy::DOMWrapperToNode<Collection>(info.Holder());
         String propertyName = toWebCoreString(name);
         void* implementation = collection->namedItem(propertyName);