https://bugs.webkit.org/show_bug.cgi?id=129550
Reviewed by Andreas Kling.
Source/WebCore:
We can't store a reference to QualifiedName here because ensureUniqueElementData could delete QualifiedName inside Attribute.
Test: fast/dom/uniquing-attributes-via-setAttribute.html
* dom/Element.cpp:
(WebCore::Element::setAttributeInternal):
LayoutTests:
Added a regression test.
* fast/dom/uniquing-attributes-via-setAttribute-expected.txt: Added.
* fast/dom/uniquing-attributes-via-setAttribute.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@165044 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+2014-03-04 Ryosuke Niwa <rniwa@webkit.org>
+
+ REGRESSION(r164856): Use after free in WebCore::QualifiedName::operator== / WebCore::StyledElement::attributeChanged
+ https://bugs.webkit.org/show_bug.cgi?id=129550
+
+ Reviewed by Andreas Kling.
+
+ Added a regression test.
+
+ * fast/dom/uniquing-attributes-via-setAttribute-expected.txt: Added.
+ * fast/dom/uniquing-attributes-via-setAttribute.html: Added.
+
2014-03-03 Myles C. Maxfield <mmaxfield@apple.com>
Space between double underlines does not scale with font size
--- /dev/null
+Tests uniquing attributes via setAttribute. WebKit shouldn't crash under GuardMalloc or ASAN builds.
+
+PASS. WebKit didn't crash.
--- /dev/null
+<!DOCTYPE html>
+<html>
+<body>
+<p>Tests uniquing attributes via setAttribute. WebKit shouldn't crash under GuardMalloc or ASAN builds.</p>
+<div></div>
+<script>
+
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+var div = document.querySelector('div');
+div.setAttribute('name', 'a');
+
+var divClone = div.cloneNode(true);
+document.body.appendChild(divClone);
+
+div.setAttribute('name', 'b');
+divClone.setAttribute('name', 'b');
+
+document.write("PASS. WebKit didn't crash.");
+
+</script>
+</body>
+</html>
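Review bot: The script in this test only proves the absence of a crash, so on a build without GuardMalloc or ASAN it can print PASS even if the dangling reference comes back. After the two `setAttribute('name', 'b')` calls, consider also checking that `div.getAttribute('name')` and `divClone.getAttribute('name')` both return 'b', and print FAIL otherwise. That way the test also covers the functional result of the uniquing path named in its description, not only memory safety under an instrumented allocator.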
+2014-03-04 Ryosuke Niwa <rniwa@webkit.org>
+
+ REGRESSION(r164856): Use after free in WebCore::QualifiedName::operator== / WebCore::StyledElement::attributeChanged
+ https://bugs.webkit.org/show_bug.cgi?id=129550
+
+ Reviewed by Andreas Kling.
+
+ We can't store a reference to QualifiedName here because ensureUniqueElementData could delete QualifiedName inside Attribute.
+
+ Test: fast/dom/uniquing-attributes-via-setAttribute.html
+
+ * dom/Element.cpp:
+ (WebCore::Element::setAttributeInternal):
+
2014-03-04 Hyowon Kim <hw1008.kim@samsung.com>
Move EvasGLContext and EvasGLSurface files into the efl common directory.
const Attribute& attribute = attributeAt(index);
AtomicString oldValue = attribute.value();
bool valueChanged = newValue != oldValue;
- const QualifiedName& attributeName = (!inSynchronizationOfLazyAttribute || valueChanged) ? attribute.name() : name;
+ QualifiedName attributeName = (!inSynchronizationOfLazyAttribute || valueChanged) ? attribute.name() : name;
if (!inSynchronizationOfLazyAttribute)
willModifyAttribute(attributeName, oldValue, newValue);
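Review bot: The `QualifiedName attributeName` declaration needs a short comment saying why it is a copy. A by-value `QualifiedName` looks like a missed optimization, and a later cleanup could turn it back into `const QualifiedName&`; the reason (ensureUniqueElementData could delete the QualifiedName inside Attribute) is currently recorded only in the ChangeLog. The same lifetime concern applies to `const Attribute& attribute` on the first line of the hunk. `oldValue` is already copied out of it, but it is worth confirming that nothing after `willModifyAttribute` reads `attribute` again, or scoping the reference so it cannot be used past that point.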