Reviewed by Darin Adler.
Layout tests for <rdar://problem/5088234> REGRESSION: Crash occurs at
WebCore::Node::createRendererIfNeeded() when changing map views with MS
Virtual Earth (http://www.ziprealty.com/)
* fast/dom/mutation-event-remove-inserted-node-expected.txt: Added.
* fast/dom/mutation-event-remove-inserted-node.html: Added.
* fast/dom/script-element-remove-self-expected.txt: Added.
* fast/dom/script-element-remove-self.html: Added.
WebCore:
Reviewed by Darin, landed by Anders.
Manual test case for http://bugs.webkit.org/show_bug.cgi?id=13142
* manual-tests/liveconnect-applet-get-boolean.html: Added.
* manual-tests/resources/CheckerApplet.class: Added.
* manual-tests/resources/CheckerApplet.java: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@20503 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+2007-03-26 Geoffrey Garen <ggaren@apple.com>
+
+ Reviewed by Darin Adler.
+
+ Layout tests for <rdar://problem/5088234> REGRESSION: Crash occurs at
+ WebCore::Node::createRendererIfNeeded() when changing map views with MS
+ Virtual Earth (http://www.ziprealty.com/)
+
+ * fast/dom/mutation-event-remove-inserted-node-expected.txt: Added.
+ * fast/dom/mutation-event-remove-inserted-node.html: Added.
+ * fast/dom/script-element-remove-self-expected.txt: Added.
+ * fast/dom/script-element-remove-self.html: Added.
+
2007-03-26 Mitz Pettel <mitz@webkit.org>
Reviewed and landed by Darin.
--- /dev/null
+This test verifies that a mutation event that removes inserted nodes from the document doesn't crash upon the insertion of a new node into the document.
+
+PASS: You didn't crash.
+
+
--- /dev/null
+<body>
+
+<p>This test verifies that a mutation event that removes inserted nodes from the
+document doesn't crash upon the insertion of a new node into the document.</p>
+<p>PASS: You didn't crash.</p>
+
+<script id="dummy"></script>
+
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+function mutationListener(event)
+{
+ var element = event.srcElement;
+ element.parentNode.removeChild(element);
+}
+
+document.body.addEventListener("DOMNodeInserted", mutationListener, false);
+
+/* appendChild */
+document.body.appendChild(document.createElement("script"));
+
+/* insertBefore */
+document.body.insertBefore(document.createElement("script"), document.getElementById("dummy"));
+
+/* replaceChild */
+document.body.replaceChild(document.createElement("script"), document.getElementById("dummy"));
+
+/* Parser-inserted nodes don't fire mutation events. */
+</script>
+
+</body>
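Review bot: The result line `<p>PASS: You didn't crash.</p>` is static markup, so this test passes whenever the page finishes loading and never checks that `mutationListener` ran or that the inserted nodes were actually removed. Count listener invocations and assert the count after the three insertions (appendChild, insertBefore, replaceChild), so a change that stops `DOMNodeInserted` from firing does not silently turn the test into a no-op. Also, `event.srcElement` in `mutationListener` is the IE-originated alias; `event.target` is the DOM Events property for the same node.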
--- /dev/null
+This test verifies that a <script> element that removes itself from the document doesn't crash upon insertion into the document.
+
+PASS: You didn't crash.
+
+
--- /dev/null
+<body>
+
+<p>This test verifies that a <script> element that removes itself
+from the document doesn't crash upon insertion into the document.</p>
+<p>PASS: You didn't crash.</p>
+
+<script id="dummy"></script>
+
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+var scriptElement;
+var scriptText = "var self = document.getElementById('script'); self.parentNode.removeChild(self);";
+
+/* appendChild */
+scriptElement = document.createElement("script");
+scriptElement.setAttribute("id", "script");
+scriptElement.appendChild(document.createTextNode(scriptText));
+document.body.appendChild(scriptElement);
+
+/* insertBefore */
+scriptElement = document.createElement("script");
+scriptElement.setAttribute("id", "script");
+scriptElement.appendChild(document.createTextNode(scriptText));
+document.body.insertBefore(scriptElement, document.getElementById("dummy"));
+
+/* replaceChild */
+scriptElement = document.createElement("script");
+scriptElement.setAttribute("id", "script");
+scriptElement.appendChild(document.createTextNode(scriptText));
+document.body.replaceChild(scriptElement, document.getElementById("dummy"));
+</script>
+
+<script id="script">
+/* parser insertion */
+eval(scriptText);
+</script>
+
+</body>
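Review bot: All four cases share one id (`scriptElement.setAttribute("id", "script")` and `<script id="script">`), and `scriptText` locates its element with `document.getElementById('script')`, so each case depends on the previous one having removed its element. If one removal fails, a later lookup can return the stale element instead of the script that is running, and the page would still show PASS. Give each case its own id and its own script text so the cases are independent.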
* rendering/RenderReplaced.cpp:
(WebCore::RenderReplaced::selectionRect):
+2007-03-26 Geoffrey Garen <ggaren@apple.com>
+
+ Reviewed by Darin Adler.
+
+ Fixed <rdar://problem/5088234> REGRESSION: Crash occurs at WebCore::Node::
+ createRendererIfNeeded() when changing map views with MS Virtual Earth
+ (http://www.ziprealty.com/)
+
+ The cause of the crash was the insertion of a <script> element whose
+ script removed it from the document. The <script> element would then be
+ garbage when the insertion routine went on to attach() it.
+
+ The solution here is to check that an element is still your child before
+ trying to attach() it. This matches the style of checks we do elsewhere
+ in the node insertion and removal code.
+
+ * dom/ContainerNode.cpp:
+ (WebCore::ContainerNode::insertBefore):
+ (WebCore::ContainerNode::replaceChild):
+ (WebCore::ContainerNode::appendChild):
+
2007-03-26 Geoffrey Garen <ggaren@apple.com>
Removed now-stale #includes of <assert.h>.
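Review bot: The phrase "would then be garbage" in this entry does not tell a later reader whether the node had been freed or was only detached from its parent when attach() ran; say which, since that decides whether this is triaged as a memory-safety bug. The entry also names only the self-removing <script> case, while the layout tests landed with this change also cover removal from a DOMNodeInserted listener; mention both triggers.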
dispatchChildInsertionEvents(child.get(), ec);
// Add child to the rendering tree.
- if (attached() && !child->attached())
+ if (attached() && !child->attached() && child->parent() == this)
child->attach();
child = nextChild.release();
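Review bot: The new clause `child->parent() == this` has no comment saying why a node that was just inserted might no longer be a child; the reason (script run from dispatchChildInsertionEvents() can remove it) is only in the ChangeLog. Add a one-line comment above the `if`, and since the same three-clause condition is repeated at all three sites in this file, consider a small helper so they cannot drift apart. Separately, the visible lines do not re-validate nextChild before `child = nextChild.release();`; confirm that a handler removing or moving that node is handled on the next iteration.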
dispatchChildInsertionEvents(child.get(), ec);
// Add child to the rendering tree
- if (attached() && !child->attached())
+ if (attached() && !child->attached() && child->parent() == this)
child->attach();
prev = child;
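Review bot: `prev = child;` still runs unconditionally after the new `child->parent() == this` check. When an insertion handler has removed child from this container, prev refers to a node that is no longer a child here; if later iterations use prev as the position for the next insertion, that use needs the same guard, or the loop should stop once the child is found to have left this parent.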
// Dispatch the mutation events
dispatchChildInsertionEvents(child.get(), ec);
-
+
// Add child to the rendering tree
- // ### should we detach() it first if it's already attached?
- if (attached() && !child->attached())
+ if (attached() && !child->attached() && child->parent() == this)
child->attach();
child = nextChild.release();
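Review bot: The question in the removed comment, `// ### should we detach() it first if it's already attached?`, is not answered by the new condition: a child that is already attached is skipped exactly as before. Either keep the comment or record the decision in the ChangeLog. The `-`/`+` pair on the blank line after dispatchChildInsertionEvents() is a whitespace-only change and is better left out of a crash fix.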