Commit 45e6a3fa authored by mrowe@apple.com

2008-03-03 Mark Rowe <mrowe@apple.com>

        Reviewed by Dan Bernstein.

        Fix http://bugs.webkit.org/show_bug.cgi?id=17313
        Bug 17313: querySelectorAll() causing crashes when called via dojo.query() wrapper

        Node::querySelector and SelectorNodeList were not sufficiently initializing the CSSStyleSelector
        before using it to resolve styles, which led to it having a stale m_style member in some situations.
        This stale m_style member resulted in a wild store that would write over whatever object now resided
        at the location m_style pointed to.

        Test: fast/dom/SelectorAPI/bug-17313.html

        * dom/Node.cpp:
        (WebCore::Node::querySelector): Call initForStyleResolve to further initialize the CSSStyleSelector.
        * dom/SelectorNodeList.cpp:
        (WebCore::SelectorNodeList::SelectorNodeList): Ditto.

2008-03-03  Mark Rowe  <mrowe@apple.com>

        Reviewed by Dan Bernstein.

        Test for http://bugs.webkit.org/show_bug.cgi?id=17313
        Bug 17313: querySelectorAll() causing crashes when called via dojo.query() wrapper

        * fast/dom/SelectorAPI/bug-17313-expected.txt: Added.
        * fast/dom/SelectorAPI/bug-17313.html: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@30722 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent c1c99561
2008-03-03 Mark Rowe <mrowe@apple.com>
Reviewed by Dan Bernstein.
Test for http://bugs.webkit.org/show_bug.cgi?id=17313
Bug 17313: querySelectorAll() causing crashes when called via dojo.query() wrapper
* fast/dom/SelectorAPI/bug-17313-expected.txt: Added.
* fast/dom/SelectorAPI/bug-17313.html: Added.
2008-03-03 David D. Kilzer <ddkilzer@webkit.org>
Dynamically inserting CSS rule with @media query fails with DOM Exception 12
Test case for bug 17313
The test has passed if reloading the page does not crash.
<script type="text/javascript">
if (window.layoutTestController) {
layoutTestController.waitUntilDone();
layoutTestController.dumpAsText();
}
window.onload = function() {
function doReload() {
window.location = window.location + '?';
}
function doQSA() {
document.querySelectorAll('h1:first-child');
if (window.location.toString().indexOf('?') < 0)
window.setTimeout(doReload, 100);
else if (window.layoutTestController)
layoutTestController.notifyDone();
}
window.setTimeout(doQSA, 100);
}
</script>
<h1>Test case for <a href='http://bugs.webkit.org/show_bug.cgi?id=17313'>bug 17313</a></h1>
<p>The test has passed if reloading the page does not crash.</p>
<input type="hidden">
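Review bot: The reload guard in doQSA, window.location.toString().indexOf('?') < 0, assumes the test is always first loaded from a URL with no query string. If the page is ever opened with a '?' already in its URL, doReload is never scheduled, notifyDone fires on the first pass, and the test reports success without the reload that the pass condition ("reloading the page does not crash") depends on. Consider appending and checking for a distinctive marker instead of a bare '?'. The two fixed 100 ms timers also deserve a one-line comment saying why a delay is needed before querySelectorAll and before the reload, since the only failure signal this test has is a crash.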
2008-03-03 Mark Rowe <mrowe@apple.com>
Reviewed by Dan Bernstein.
Fix http://bugs.webkit.org/show_bug.cgi?id=17313
Bug 17313: querySelectorAll() causing crashes when called via dojo.query() wrapper
Node::querySelector and SelectorNodeList were not sufficiently initializing the CSSStyleSelector
before using it to resolve styles, which lead to it having a stale m_style member in some situations.
This stale m_style member resulted in a wild store that would write over whatever object now resided
at the location m_style pointed to.
Test: fast/dom/SelectorAPI/bug-17313.html
* dom/Node.cpp:
(WebCore::Node::querySelector): Call initForStyleResolve to further initialize the CSSStyleSelector.
* dom/SelectorNodeList.cpp:
(WebCore::SelectorNodeList::SelectorNodeList): Ditto.
2008-03-03 Anders Carlsson <andersca@apple.com>
Reviewed by Darin and Sam.
......@@ -1222,6 +1222,7 @@ PassRefPtr<Element> Node::querySelector(const String& selectors, ExceptionCode&
if (n->isElementNode()) {
Element* element = static_cast<Element*>(n);
styleSelector->initElementAndPseudoState(element);
styleSelector->initForStyleResolve(element, 0);
for (CSSSelector* selector = querySelector; selector; selector = selector->next()) {
if (styleSelector->checkSelector(selector))
return element;
......
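Review bot: The added styleSelector->initForStyleResolve(element, 0) call in Node::querySelector carries no comment explaining why it is required or what the literal 0 argument means. The commit message attributes the crash to a stale m_style and a wild store when this step is missing, so a short comment at the call site would stop the line from later being removed as redundant-looking setup next to initElementAndPseudoState. Since checkSelector is the consumer that depends on this state, a debug assertion there that the selector was initialized for the current element would turn a repeat of this mistake into an immediate, diagnosable failure rather than memory corruption.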
......@@ -43,7 +43,9 @@ SelectorNodeList::SelectorNodeList(PassRefPtr<Node> rootNode, CSSSelector* query
CSSStyleSelector* styleSelector = document->styleSelector();
for (Node* n = rootNode->firstChild(); n; n = n->traverseNextNode(rootNode.get())) {
if (n->isElementNode()) {
styleSelector->initElementAndPseudoState(static_cast<Element*>(n));
Element* element = static_cast<Element*>(n);
styleSelector->initElementAndPseudoState(element);
styleSelector->initForStyleResolve(element, 0);
for (CSSSelector* selector = querySelector; selector; selector = selector->next()) {
if (styleSelector->checkSelector(selector)) {
m_nodes.append(n);
......
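Review bot: The loop body in the SelectorNodeList constructor now repeats the same two-step setup as Node::querySelector, initElementAndPseudoState(element) followed by initForStyleResolve(element, 0), and forgetting the second step is exactly the defect this commit fixes. Factor the pair into a single helper on CSSStyleSelector so that any further caller of checkSelector outside style resolution cannot perform only half of the initialization. As a minor style point, m_nodes.append(n) could use the new element local for consistency with the rest of the block.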