Removing Attr can delete a wrong Attribute in ElementData
authorrniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 14 May 2013 16:52:30 +0000 (16:52 +0000)
committerrniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 14 May 2013 16:52:30 +0000 (16:52 +0000)
commitba83998ebc41e59bcbce29498cc9644206b144d5
tree865ce5e3fbd8e2ba0ec4b320f04f226c8fa7556e
parent97a0bba1f58ded58332b213e6ce0df900c0279db
Removing Attr can delete a wrong Attribute in ElementData
https://bugs.webkit.org/show_bug.cgi?id=116077

Source/WebCore:

Reviewed by Benjamin Poulain.

Merge https://chromium.googlesource.com/chromium/blink/+/e861452a292e185501e48940305947aa6a4e23c2
after simplifying and renaming functions to be more WebKit style.

The XML parser can produce elements with attributes whose names have
distinct prefixes, but the same expanded name. When one of these
attributes is put up for adoption, it may be its similarly named
sibling that is removed from its owner element. As a result the
original owner hangs onto the adopted attribute, despite the fact that
it is now in a different document. Sometimes it's just hard to let go.

Test: fast/dom/adopt-attribute-crash.svg

* dom/Element.cpp:
(WebCore::Element::setAttributeNode):
(WebCore::Element::removeAttributeNode):
(WebCore::ElementData::getAttributeItemIndex):
* dom/Element.h:
(ElementData):
(Element):

LayoutTests:

Reviewed by Benjamin Poulain.

Add a regression test by importing
https://chromium.googlesource.com/chromium/blink/+/e861452a292e185501e48940305947aa6a4e23c2

* fast/dom/adopt-attribute-crash-expected.txt: Added.
* fast/dom/adopt-attribute-crash.svg: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@150072 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/dom/adopt-attribute-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/adopt-attribute-crash.svg [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/Element.cpp
Source/WebCore/dom/Element.h