Skip to content
  • darin@apple.com's avatar
    Null-deref when first access to an Attr node is after its Element is destroyed · b3314e50
    darin@apple.com authored
    https://bugs.webkit.org/show_bug.cgi?id=29748
    
    Patch by Darin Adler <darin@apple.com> on 2009-09-25
    Reviewed by Geoffrey Garen.
    
    WebCore: 
    
    Test: fast/dom/Attr/access-after-element-destruction.html
    
    * bindings/js/JSAttrCustom.cpp:
    (WebCore::JSAttr::markChildren): Added. Keeps the ownerElement alive as
    long as the Attr is alive.
    
    * bindings/js/JSNamedNodeMapCustom.cpp:
    (WebCore::JSNamedNodeMap::markChildren): Added. Keeps the Element alive as
    long as the NamedNodeMap is alive.
    
    * dom/Attr.idl: Added CustomMarkFunction attribute.
    
    * dom/NamedAttrMap.cpp:
    (WebCore::NamedNodeMap::getAttributeItem): Tweaked formatting.
    (WebCore::NamedNodeMap::detachFromElement): Call clearAttributes so we don't
    have attributes hanging around that might need an Attr node created; that way
    we won't crash with a null-dereference trying to deal with one of them. This
    can't happen when working with JavaScript since the Element will be kept
    alive due to the change above.
    (WebCore::NamedNodeMap::addAttribute): Fix function name in comment.
    (WebCore::NamedNodeMap::removeAttribute): Removed unneeded "+ 1" and added
    missing braces.
    
    * dom/NamedAttrMap.h: Made the element function public so it can be used by
    the JavaScript binding to keep the Element alive.
    
    * dom/NamedNodeMap.idl: Added CustomMarkFunction attribute.
    
    LayoutTests: 
    
    * fast/dom/Attr/access-after-element-destruction-expected.txt: Added.
    * fast/dom/Attr/access-after-element-destruction.html: Added.
    * fast/dom/Attr/script-tests/TEMPLATE.html: Copied from LayoutTests/fast/dom/Node/script-tests/TEMPLATE.html.
    * fast/dom/Attr/script-tests/access-after-element-destruction.js: Added.
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@48769 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    b3314e50