HTMLCollection caches incorrect length if item(0) is called before length on an empty...
author darin@apple.com <darin@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 30 Mar 2015 00:33:02 +0000 (00:33 +0000)
committer darin@apple.com <darin@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 30 Mar 2015 00:33:02 +0000 (00:33 +0000)
https://bugs.webkit.org/show_bug.cgi?id=143203
Source/WebCore:

rdar://problem/18460462

Reviewed by Antti Koivisto.

Test: fast/dom/htmlcollection-length-after-item-2.html

* dom/CollectionIndexCache.h:
(CollectionIndexCache::nodeAt): If we hit the end looking for index 0, cache a length
of 0, not a length of 1.

LayoutTests:

Reviewed by Antti Koivisto.

* fast/dom/htmlcollection-length-after-item-2-expected.txt: Added.
* fast/dom/htmlcollection-length-after-item-2.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@182125 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/dom/htmlcollection-length-after-item-2-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/htmlcollection-length-after-item-2.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/CollectionIndexCache.h

index a70edb9..6dfd6db 100644 (file)
@@ -1,3 +1,13 @@
+2015-03-29  Darin Adler  <darin@apple.com>
+
+        HTMLCollection caches incorrect length if item(0) is called before length on an empty collection
+        https://bugs.webkit.org/show_bug.cgi?id=143203
+
+        Reviewed by Antti Koivisto.
+
+        * fast/dom/htmlcollection-length-after-item-2-expected.txt: Added.
+        * fast/dom/htmlcollection-length-after-item-2.html: Added.
+
 2015-03-28  Joseph Pecoraro  <pecoraro@apple.com>
 
         Web Inspector: Adopt Array.prototype.includes and String.prototype.includes
diff --git a/LayoutTests/fast/dom/htmlcollection-length-after-item-2-expected.txt b/LayoutTests/fast/dom/htmlcollection-length-after-item-2-expected.txt
new file mode 100644 (file)
index 0000000..e379fd8
--- /dev/null
@@ -0,0 +1,11 @@
+This tests accessing the length after accessing the first item in an empty HTMLCollection doesn't cache a wrong length.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS children = container.children; children.item(0) is null
+PASS children.length is 0
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/dom/htmlcollection-length-after-item-2.html b/LayoutTests/fast/dom/htmlcollection-length-after-item-2.html
new file mode 100644 (file)
index 0000000..eafbd18
--- /dev/null
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<script src="../../resources/js-test-pre.js"></script>
+<script>
+
+description("This tests accessing the length after accessing the first item in an empty HTMLCollection doesn't cache a wrong length.");
+
+var container = document.createElement('div');
+var span = document.createElement('span');
+var children;
+shouldBe("children = container.children; children.item(0)", "null");
+shouldBe("children.length", "0");
+
+</script>
+<script src="../../resources/js-test-post.js"></script>
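Review bot: `var span = document.createElement('span');` is declared but never used in this test, so either drop the line or put it to use: appending `span` to `container` after the `shouldBe("children.length", "0");` check and then asserting `children.length` is `1` would also cover that the freshly cached count of 0 is invalidated when the collection changes, which is the natural follow-up to the case this test exercises.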
index 7760b51..00874d1 100644 (file)
@@ -1,5 +1,19 @@
 2015-03-29  Darin Adler  <darin@apple.com>
 
+        HTMLCollection caches incorrect length if item(0) is called before length on an empty collection
+        https://bugs.webkit.org/show_bug.cgi?id=143203
+        rdar://problem/18460462
+
+        Reviewed by Antti Koivisto.
+
+        Test: fast/dom/htmlcollection-length-after-item-2.html
+
+        * dom/CollectionIndexCache.h:
+        (CollectionIndexCache::nodeAt): If we hit the end looking for index 0, cache a length
+        of 0, not a length of 1.
+
+2015-03-29  Darin Adler  <darin@apple.com>
+
         Remove unneeded SVG code, including most isSupportedAttribute functions
         https://bugs.webkit.org/show_bug.cgi?id=143194
 
index 5821327..bca2cea 100644 (file)
@@ -204,7 +204,7 @@ inline typename CollectionIndexCache<Collection, Iterator>::NodeType* Collection
     }
     if (m_current == end) {
         // Failed to find the index but at least we now know the size.
-        m_nodeCount = m_currentIndex + 1;
+        m_nodeCount = index ? m_currentIndex + 1 : 0;
         m_nodeCountValid = true;
         return nullptr;
     }
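Review bot: the change to `m_nodeCount = index ? m_currentIndex + 1 : 0;` fixes the empty-collection case by special-casing index 0, but the reason index 0 is the only case where `m_currentIndex + 1` overcounts is left implicit: for a non-zero index the traversal reaches this branch only after `m_currentIndex` was advanced past real nodes, whereas for index 0 on an empty collection `m_currentIndex` is 0 without any node having existed. Suggest extending the existing comment (`// Failed to find the index but at least we now know the size.`) to state that invariant, so a later change to how the cursor is initialised cannot silently reintroduce the off-by-one that made `length` report 1 for an empty collection.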