WebKit GIT trees - WebKit-https.git/commit

REGRESSION(r164856): Use after free in WebCore::QualifiedName::operator== / WebCore::StyledElement::attributeChanged
https://bugs.webkit.org/show_bug.cgi?id=129550

Reviewed by Andreas Kling.

Source/WebCore:

We can't store a reference to QualifiedName here because ensureUniqueElementData could delete QualifiedName inside Attribute.

Test: fast/dom/uniquing-attributes-via-setAttribute.html

* dom/Element.cpp:
(WebCore::Element::setAttributeInternal):

LayoutTests:

Added a regression test.

* fast/dom/uniquing-attributes-via-setAttribute-expected.txt: Added.
* fast/dom/uniquing-attributes-via-setAttribute.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@165044 268f45cc-cd09-0410-ab3c-d52691b4dbfc

author	rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Tue, 4 Mar 2014 09:45:55 +0000 (09:45 +0000)
committer	rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Tue, 4 Mar 2014 09:45:55 +0000 (09:45 +0000)
commit	ab77a6f7c302da18bd4d7fc27f8a13905d7eb851
tree	680ce3699fb44ebf8c716c570bf05feabb397580	tree \| snapshot
parent	cf4a2dd531524de609d5c2b30ab88a5a7386077e	commit \| diff

LayoutTests/ChangeLog		diff \| blob \| history
LayoutTests/fast/dom/uniquing-attributes-via-setAttribute-expected.txt	[new file with mode: 0644]	blob
LayoutTests/fast/dom/uniquing-attributes-via-setAttribute.html	[new file with mode: 0644]	blob
Source/WebCore/ChangeLog		diff \| blob \| history
Source/WebCore/dom/Element.cpp		diff \| blob \| history