webkitgtk-obsolete:stable.git
6 years ago: Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>
Huzaifa Sidhpurwala [Fri, 4 Feb 2011 05:09:34 +0000 (10:39 +0530)]
Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>

    2010-11-11  Abhishek Arya  <inferno@chromium.org>

            Reviewed by Adam Barth.

            Do not allow drag and drop across different origins.
            https://bugs.webkit.org/show_bug.cgi?id=49098

            Test: http/tests/security/drag-drop-different-origin.html

            * page/DragController.cpp:
            (WebCore::DragController::tryDocumentDrag):
            * page/SecurityOrigin.cpp:
            (WebCore::SecurityOrigin::canDropOnTarget):
            * page/SecurityOrigin.h:
    2010-11-10  Abhishek Arya  <inferno@chromium.org>

            Reviewed by Adam Barth.

            Check that drag and drop is not allowed across different origins.
            https://bugs.webkit.org/show_bug.cgi?id=49098

            * http/tests/security/drag-drop-different-origin-expected.txt: Added.
            * http/tests/security/drag-drop-different-origin.html: Added.
            * http/tests/security/resources/drag-drop.html: Added.

    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@71925 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago: Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>
Huzaifa Sidhpurwala [Wed, 2 Feb 2011 07:22:08 +0000 (12:52 +0530)]
Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>

    WebCore: ImageDecoderSkia.cpp needs to check for allocator failure when copying
    bitmaps.
    https://bugs.webkit.org/show_bug.cgi?id=46437

    Reviewed by James Robinson.

    * manual-tests/large-size-image-crash.html: Added.
    * manual-tests/resources/large-size-image-crash.gif: Added.
    * platform/image-decoders/ImageDecoder.cpp:
    (WebCore::RGBA32Buffer::copyBitmapData):
    * platform/image-decoders/ImageDecoder.h:
    * platform/image-decoders/gif/GIFImageDecoder.cpp:
    (WebCore::GIFImageDecoder::initFrameBuffer):
    * platform/image-decoders/qt/RGBA32BufferQt.cpp:
    (WebCore::RGBA32Buffer::copyBitmapData):
    * platform/image-decoders/skia/ImageDecoderSkia.cpp:
    (WebCore::RGBA32Buffer::copyBitmapData):

    LayoutTests: This resource should have been in r62399; without it the test no-ops.
    https://bugs.webkit.org/show_bug.cgi?id=41487

    Reviewed by James Robinson.

    * fast/images/resources/large-size-image-crash.jpeg: Added.

    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@68446 268f45cc-cd09-0410-ab3c-d52691b4dbfc
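
Added example, not WebKit code and not part of this log: the failure mode r68446 addresses, written as a small stand-alone C++ frame buffer whose copy reports allocator failure instead of crashing. The names (RGBA32Frame, checkedByteSize, the scenario functions) are illustrative, and the size-overflow check before the allocation is an assumption of this example; the commit itself only says the allocator result must be checked.

```cpp
// Added example, not WebKit code: a frame-buffer copy that reports allocator
// failure instead of crashing. Names (RGBA32Frame, checkedByteSize) are
// illustrative; the overflow check is this example's own addition.
#include <climits>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>

// Bytes needed for a w x h buffer of 32-bit pixels, or 0 when the dimensions
// are invalid or the multiplication would overflow size_t.
static size_t checkedByteSize(int w, int h)
{
    if (w <= 0 || h <= 0)
        return 0;
    size_t width = static_cast<size_t>(w), height = static_cast<size_t>(h);
    if (height > SIZE_MAX / width)
        return 0;                                   // w * h overflows
    size_t pixelCount = width * height;
    if (pixelCount > SIZE_MAX / sizeof(uint32_t))
        return 0;                                   // * 4 overflows
    return pixelCount * sizeof(uint32_t);
}

struct RGBA32Frame {
    uint32_t* pixels = nullptr;
    int width = 0;
    int height = 0;

    ~RGBA32Frame() { free(pixels); }

    // Allocates storage; on failure leaves the frame empty and returns false.
    bool setSize(int w, int h)
    {
        size_t bytes = checkedByteSize(w, h);
        if (!bytes)
            return false;
        uint32_t* fresh = static_cast<uint32_t*>(malloc(bytes));
        if (!fresh)
            return false;                           // allocator refused: report it, never touch it
        free(pixels);
        pixels = fresh;
        width = w;
        height = h;
        return true;
    }

    // Copies another frame's pixels; a false return means the caller must
    // mark the frame as failed rather than assume pixels is valid.
    bool copyBitmapData(const RGBA32Frame& other)
    {
        if (!other.pixels)
            return false;
        if (!setSize(other.width, other.height))
            return false;
        memcpy(pixels, other.pixels, checkedByteSize(width, height));
        return true;
    }
};

// Scenario 1 (constructed): an ordinary 4x4 copy succeeds and keeps pixel data.
static bool smallCopyPreservesPixels()
{
    RGBA32Frame src;
    if (!src.setSize(4, 4))
        return false;
    src.pixels[5] = 0xFF00FF00u;
    RGBA32Frame dst;
    return dst.copyBitmapData(src) && dst.width == 4 && dst.height == 4
        && dst.pixels[5] == 0xFF00FF00u;
}

// Scenario 2 (constructed): a frame declaring INT_MAX x INT_MAX pixels, as a
// hostile image header can, fails at the overflow check or at malloc and
// leaves the frame empty instead of crashing.
static bool hugeFrameFailsCleanly()
{
    RGBA32Frame huge;
    bool ok = huge.setSize(INT_MAX, INT_MAX);
    return !ok && huge.pixels == nullptr && huge.width == 0;
}

int main()
{
    printf("small copy ok: %d\n", smallCopyPreservesPixels());
    printf("huge frame rejected: %d\n", hugeFrameFailsCleanly());
    return 0;
}
```

The second scenario is the one a fuzzed GIF or JPEG header triggers: the dimensions are attacker-controlled, so both the byte-count arithmetic and the allocation result have to be checked before anything writes into the buffer.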

6 years ago: Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>
Huzaifa Sidhpurwala [Tue, 1 Feb 2011 07:52:02 +0000 (13:22 +0530)]
Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>
Test case has been modified to suit the WebKit version

    2010-10-27  Abhishek Arya  <inferno@chromium.org>

            Reviewed by Dave Hyatt.

            Add a function to make sure child is allowed before adding to a
            render view.
            https://bugs.webkit.org/show_bug.cgi?id=48328

            Test: fast/inline/inline-child-height-width-calc-crash.html

            * rendering/RenderView.cpp:
            (WebCore::RenderView::isChildAllowed):
            * rendering/RenderView.h:
    2010-10-27  Abhishek Arya  <inferno@chromium.org>

            Reviewed by Dave Hyatt.

            Tests that adding a br element to a new document does not result in a crash.
            https://bugs.webkit.org/show_bug.cgi?id=48328

            * fast/inline/inline-child-height-width-calc-crash-expected.txt: Added.
            * fast/inline/inline-child-height-width-calc-crash.html: Added.

    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@70681 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago: Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>
Huzaifa Sidhpurwala [Tue, 1 Feb 2011 06:58:10 +0000 (12:28 +0530)]
Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>
Test case has been modified to suit the WebKit version

    2010-12-07  Justin Schuh  <jschuh@chromium.org>

            Reviewed by Nikolas Zimmermann.

            Clear old SVG cursor entry before adding a new one
            https://bugs.webkit.org/show_bug.cgi?id=50549

            Test: svg/css/cursor-replace.svg

            * css/CSSCursorImageValue.cpp:
            (WebCore::CSSCursorImageValue::~CSSCursorImageValue):
            * svg/SVGCursorElement.cpp:
            (WebCore::SVGCursorElement::~SVGCursorElement):
            (WebCore::SVGCursorElement::removeClient):
            (WebCore::SVGCursorElement::removeReferencedElement):
            * svg/SVGCursorElement.h:
            * svg/SVGElement.cpp:
            (WebCore::SVGElement::setCursorElement):
            (WebCore::SVGElement::cursorElementRemoved):
            (WebCore::SVGElement::setCursorImageValue):
            (WebCore::SVGElement::cursorImageElementRemoved):
            * svg/SVGElement.h:
    2010-12-07  Justin Schuh  <jschuh@chromium.org>

            Reviewed by Nikolas Zimmermann.

            Clear old SVG cursor entry before adding a new one
            https://bugs.webkit.org/show_bug.cgi?id=50549

            * svg/css/cursor-replace-expected.txt: Added.
            * svg/css/cursor-replace.svg: Added.

    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@73432 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago: Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>
Huzaifa Sidhpurwala [Tue, 1 Feb 2011 04:05:47 +0000 (09:35 +0530)]
Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>

    2011-01-27  Abhishek Arya  <inferno@chromium.org>

            Reviewed by Dave Hyatt.

            Tests that we do not crash when adding a child in a table
            where the before child is not a table section.
            https://bugs.webkit.org/show_bug.cgi?id=53276

            * fast/table/before-child-non-table-section-add-table-crash-expected.txt: Added.
            * fast/table/before-child-non-table-section-add-table-crash.html: Added.
    2011-01-27  Abhishek Arya  <inferno@chromium.org>

            Reviewed by Dave Hyatt.

            If beforeChild is wrapped in an anonymous table section, we need to
            go to the parent to find it and use it before adding children to the table.
            https://bugs.webkit.org/show_bug.cgi?id=53276

            We need to make sure that beforeChild's parent is "this" before calling
            RenderBox::addChild. The previous condition in while is too restrictive
            and fails to calculate the right beforeChild value when its display
            style is table caption.
            Test: fast/table/before-child-non-table-section-add-table-crash.html

            * rendering/RenderTable.cpp:
            (WebCore::RenderTable::addChild):

    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77141 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago: Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>
Huzaifa Sidhpurwala [Mon, 31 Jan 2011 10:38:09 +0000 (16:08 +0530)]
Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>

    2011-01-06  Abhishek Arya  <inferno@chromium.org>

            Reviewed by Simon Fraser.

            Null out the parent stylesheet pointer when a css rule is removed.
            https://bugs.webkit.org/show_bug.cgi?id=51993

            Tests: fast/dom/StyleSheet/removed-media-rule-deleted-parent-crash.html
                   fast/dom/StyleSheet/removed-stylesheet-rule-deleted-parent-crash.html

            * css/CSSRuleList.cpp:
            (WebCore::CSSRuleList::deleteRule):
            * css/CSSStyleSheet.cpp:
            (WebCore::CSSStyleSheet::deleteRule):
    2011-01-06  Abhishek Arya  <inferno@chromium.org>

            Reviewed by Simon Fraser.

            Tests that we do not crash when accessing a deleted parent stylesheet
            from a removed css rule.
            https://bugs.webkit.org/show_bug.cgi?id=51993

            * fast/dom/StyleSheet/removed-media-rule-deleted-parent-crash-expected.txt: Added.
            * fast/dom/StyleSheet/removed-media-rule-deleted-parent-crash.html: Added.
            * fast/dom/StyleSheet/removed-stylesheet-rule-deleted-parent-crash-expected.txt: Added.
            * fast/dom/StyleSheet/removed-stylesheet-rule-deleted-parent-crash.html: Added.

    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@75168 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago: Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>
Huzaifa Sidhpurwala [Mon, 31 Jan 2011 09:23:35 +0000 (14:53 +0530)]
Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>

commit 005063e17ff45046c76227e0bad8caa471d06032
Author: inferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Fri Dec 10 22:09:37 2010 +0000

    2010-12-10  Emil Eklund  <eae@chromium.org>

            Reviewed by Adam Barth.

            Fix crash in ReplaceSelectionCommand::doApply when selection is modified
            during execution.
            https://bugs.webkit.org/show_bug.cgi?id=50840

            Test: editing/execCommand/insertHTML-mutation-crash.html

            * editing/ReplaceSelectionCommand.cpp:
            (WebCore::ReplaceSelectionCommand::copyStyleToChildren):
            Replaced raw node pointer with RefPtr.

            (WebCore::ReplaceSelectionCommand::doApply):
            Replaced raw node pointer with RefPtr and added null check.
    2010-12-10  Emil Eklund  <eae@chromium.org>

            Reviewed by Adam Barth.

            Add testcase for ReplaceSelectionCommand crash.
            https://bugs.webkit.org/show_bug.cgi?id=50840

            * editing/execCommand/insertHTML-mutation-crash.html: Added.

    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@73801 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago: Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>
Huzaifa Sidhpurwala [Mon, 31 Jan 2011 08:00:30 +0000 (13:30 +0530)]
Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>
Omit mac specific test cases from the commit

    2011-01-01  Abhishek Arya  <inferno@chromium.org>

            Reviewed by Darin Adler.

            Fixes before child calculation when adding anonymous children to table parts.
            https://bugs.webkit.org/show_bug.cgi?id=50932

            Fix in r74364 was incomplete. When before child is equal to the table part(to
            which the new child is getting added), it confuses the table part to add it
            incorrectly as an after child. The patch fixes by passing the before child as
            the table part's first child.

            Tests: fast/css-generated-content/table-before-after-child-add.html
                   fast/css-generated-content/table-cell-before-after-child-add.html
                   fast/css-generated-content/table-row-before-after-child-add.html
                   fast/css-generated-content/table-row-before-after-child-add.html

            * rendering/RenderTable.cpp:
            (WebCore::RenderTable::addChild):
            * rendering/RenderTableRow.cpp:
            (WebCore::RenderTableRow::addChild):
            * rendering/RenderTableSection.cpp:
            (WebCore::RenderTableSection::addChild):
    2010-12-20  Abhishek Arya  <inferno@chromium.org>

            Reviewed by Darin Adler.

            Tests that "before" and "after" children are added to the table correctly.
            https://bugs.webkit.org/show_bug.cgi?id=50932

            * fast/css-generated-content/table-before-after-child-add.html: Added.
            * fast/css-generated-content/table-before-child-add.html: Removed.
            * fast/css-generated-content/table-cell-before-after-child-add.html: Added.
            * fast/css-generated-content/table-row-before-after-child-add.html: Added.

    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@74954 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago: Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>
Huzaifa Sidhpurwala [Fri, 28 Jan 2011 09:53:55 +0000 (15:23 +0530)]
Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>
Test case has been modified to suit the WebKit version

    2010-10-17  Justin Schuh  <jschuh@chromium.org>

            Reviewed by Nikolas Zimmermann.

            Duplicate use element children in shadow tree.
            https://bugs.webkit.org/show_bug.cgi?id=47561

            Test: svg/custom/use-nested-children.svg

            * svg/SVGUseElement.cpp:
            (WebCore::SVGUseElement::expandUseElementsInShadowTree):
    2010-10-17  Justin Schuh  <jschuh@chromium.org>

            Reviewed by Nikolas Zimmermann.

            Duplicate use element children in shadow tree.
            https://bugs.webkit.org/show_bug.cgi?id=47561

            * svg/custom/use-nested-children-expected.txt: Added.
            * svg/custom/use-nested-children.svg: Added.

    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@69936 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago: Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>
Huzaifa Sidhpurwala [Fri, 28 Jan 2011 06:23:24 +0000 (11:53 +0530)]
Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>

    2011-01-27  Abhishek Arya  <inferno@chromium.org>

            Reviewed by Dan Bernstein.

            Recalc table sections if needed before calculating the first line
            box baseline.
            https://bugs.webkit.org/show_bug.cgi?id=53265

            When we try to calculate the baseline position of a table cell,
            we recurse through all the child sibling boxes (when children are
            non inline) and add their first linebox baseline values. If one of
            the children is a table with pending section recalc, we will access
            wrong table section values. We recalc table sections if it is needed.

            Test: fast/table/recalc-section-first-body-crash-main.html

            * rendering/RenderTable.cpp:
            (WebCore::RenderTable::firstLineBoxBaseline):
    2011-01-27  Abhishek Arya  <inferno@chromium.org>

            Reviewed by Dan Bernstein.

            Tests that we do not crash when calculating the first line box
            baseline for the table.
            https://bugs.webkit.org/show_bug.cgi?id=53265

            * fast/table/recalc-section-first-body-crash-main-expected.txt: Added.
            * fast/table/recalc-section-first-body-crash-main.html: Added.
            * fast/table/resources/recalc-section-first-body-crash.html: Added.

    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@76915 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago: Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>
Huzaifa Sidhpurwala [Fri, 21 Jan 2011 09:56:11 +0000 (15:26 +0530)]
Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>

    2010-12-29  Justin Schuh  <jschuh@chromium.org>

            Reviewed by Darin Adler.

            Check SVG element type in FrameView::scrollToAnchor
            https://bugs.webkit.org/show_bug.cgi?id=51718

            Test: svg/custom/scroll-to-anchor-in-symbol.svg

            * page/FrameView.cpp:
            (WebCore::FrameView::scrollToAnchor):
    2010-12-29  Justin Schuh  <jschuh@chromium.org>

            Reviewed by Darin Adler.

            Check SVG element type in FrameView::scrollToAnchor
            https://bugs.webkit.org/show_bug.cgi?id=51718

            * svg/custom/scroll-to-anchor-in-symbol-expected.txt: Added.
            * svg/custom/scroll-to-anchor-in-symbol.svg: Added.

    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@74779 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago: Complete the backport and fix regression caused by:
Huzaifa Sidhpurwala [Wed, 19 Jan 2011 08:46:05 +0000 (14:16 +0530)]
Complete the backport and fix regression caused by:
f236c158708a2116a799174bd2722fd721e663c4

6 years ago: Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>
Huzaifa Sidhpurwala [Mon, 17 Jan 2011 08:40:04 +0000 (14:10 +0530)]
Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>

    2010-12-10  Emil Eklund  <eae@chromium.org>

            Reviewed by Adam Barth.

            Fix crash in ReplaceSelectionCommand::doApply when selection is modified
            during execution.
            https://bugs.webkit.org/show_bug.cgi?id=50840

            Test: editing/execCommand/insertHTML-mutation-crash.html

            * editing/ReplaceSelectionCommand.cpp:
            (WebCore::ReplaceSelectionCommand::copyStyleToChildren):
            Replaced raw node pointer with RefPtr.

            (WebCore::ReplaceSelectionCommand::doApply):
            Replaced raw node pointer with RefPtr and added null check.
    2010-12-10  Emil Eklund  <eae@chromium.org>

            Reviewed by Adam Barth.

            Add testcase for ReplaceSelectionCommand crash.
            https://bugs.webkit.org/show_bug.cgi?id=50840

            * editing/execCommand/insertHTML-mutation-crash.html: Added.

    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@73801 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago: Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>
Huzaifa Sidhpurwala [Thu, 13 Jan 2011 08:13:14 +0000 (13:43 +0530)]
Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>

    2010-12-29  Justin Schuh  <jschuh@chromium.org>

            Reviewed by Darin Adler.

            Check SVG element type in FrameView::scrollToAnchor
            https://bugs.webkit.org/show_bug.cgi?id=51718

            Test: svg/custom/scroll-to-anchor-in-symbol.svg

            * page/FrameView.cpp:
            (WebCore::FrameView::scrollToAnchor):
    2010-12-29  Justin Schuh  <jschuh@chromium.org>

            Reviewed by Darin Adler.

            Check SVG element type in FrameView::scrollToAnchor
            https://bugs.webkit.org/show_bug.cgi?id=51718

            * svg/custom/scroll-to-anchor-in-symbol-expected.txt: Added.
            * svg/custom/scroll-to-anchor-in-symbol.svg: Added.

    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@74779 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago: Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>
Huzaifa Sidhpurwala [Fri, 31 Dec 2010 10:32:34 +0000 (16:02 +0530)]
Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>

    2010-11-14  Abhishek Arya  <inferno@chromium.org>

            Reviewed by Dimitri Glazkov.

            Event dispatch call can blow away the node's renderer initialized
            before the call in updateSelectionForMouseDrag function. We need
            to initialize it after the call.
            https://bugs.webkit.org/show_bug.cgi?id=49524

            * page/EventHandler.cpp:
            (WebCore::EventHandler::updateSelectionForMouseDrag):

    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@72013 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago: Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>
Huzaifa Sidhpurwala [Fri, 31 Dec 2010 10:22:12 +0000 (15:52 +0530)]
Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>

    2010-11-09  Abhishek Arya  <inferno@chromium.org>

            Reviewed by Antti Koivisto.

            Call to SVGSMILElement::applyResultsToTarget can blow away the SVGSMILElement.
            Refptr the SVGSMILElement in the ResultElementMap to protect it.
            https://bugs.webkit.org/show_bug.cgi?id=49274

            Test: svg/animations/animate-update-crash.xhtml

            * svg/animation/SMILTimeContainer.cpp:
            (WebCore::SMILTimeContainer::updateAnimations):
    2010-11-09  Abhishek Arya  <inferno@chromium.org>

            Reviewed by Antti Koivisto.

            Tests that updating svg animations does not result in a crash.
            https://bugs.webkit.org/show_bug.cgi?id=49274

            * svg/animations/animate-update-crash-expected.txt: Added.
            * svg/animations/animate-update-crash.xhtml: Added.

    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@71686 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago: Add CVE-2010-4577 to the NEWS file
Huzaifa Sidhpurwala [Thu, 30 Dec 2010 11:20:25 +0000 (16:50 +0530)]
Add CVE-2010-4577 to the NEWS file

6 years ago: Bump version to 1.2.6. (tag: 1.2.6)
Gustavo Noronha Silva [Tue, 28 Dec 2010 14:20:51 +0000 (12:20 -0200)]
Bump version to 1.2.6.

6 years ago: Document changes in 1.2.6
Gustavo Noronha Silva [Tue, 28 Dec 2010 12:31:42 +0000 (10:31 -0200)]
Document changes in 1.2.6

6 years ago: 2010-06-21 Philippe Normand <pnormand@igalia.com>
philn@webkit.org [Tue, 29 Jun 2010 13:58:22 +0000 (13:58 +0000)]
2010-06-21  Philippe Normand  <pnormand@igalia.com>

        Reviewed by Xan Lopez.

        [PNG decoder] direct access to jmpbuf is deprecated in libpng >= 1.4.0beta103
        https://bugs.webkit.org/show_bug.cgi?id=40907

        Define a JMPBUF macro to cope with deprecation of the jmpbuf
        attribute in libpng >= 1.4.

        * platform/image-decoders/png/PNGImageDecoder.cpp:
        (WebCore::decodingFailed):
        (WebCore::PNGImageReader::decode):
        (WebCore::PNGImageDecoder::headerAvailable):
        (WebCore::PNGImageDecoder::rowAvailable):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@62114 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago: Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>
Huzaifa Sidhpurwala [Wed, 22 Dec 2010 07:01:53 +0000 (12:31 +0530)]
Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>

    2010-11-24  Cris Neckar  <cdn@chromium.org>

            Reviewed by Adam Barth.

            Added a check when parsing local fonts to ensure that a value's unit type is either string or ident.
            https://bugs.webkit.org/show_bug.cgi?id=49883

            Test: fast/css/local_font_invalid.html

            * css/CSSParser.cpp:
            (WebCore::CSSParser::parseFontFaceSrc):
    2010-11-24  Cris Neckar  <cdn@chromium.org>

            Reviewed by Adam Barth.

            Test for crash with invalid local fonts.
            https://bugs.webkit.org/show_bug.cgi?id=49883

            * fast/css/local_font_invalid-expected.txt: Added.
            * fast/css/local_font_invalid.html: Added.

    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@72685 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago: Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>
Huzaifa Sidhpurwala [Thu, 2 Dec 2010 07:47:36 +0000 (13:17 +0530)]
Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>

    2010-07-17  TJ Lee  <tjlee0909@gmail.com>

            Reviewed by Timothy Hatcher.

            HTMLLinkElement ignores dnsPrefetchingEnabled setting
            https://bugs.webkit.org/show_bug.cgi?id=42500

            Changed the HTML Link tag to check that the browser
            has DNS-prefetching enabled before calling ResourceHandle::prepareForURL.

            There are no test cases for this patch because it was unclear how to test
            this using a layout test. A possible test case would be to
            clear the DNS cache on the client's machine before loading a page with
            <link rel="dns-prefetch" href="SomeSiteThatsNotTheCurrentOne.com"> and
            then check the number of DNS cache entries.

            * html/HTMLLinkElement.cpp:
            (WebCore::HTMLLinkElement::process):

    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@63622 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago: Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>
Huzaifa Sidhpurwala [Thu, 2 Dec 2010 07:19:03 +0000 (12:49 +0530)]
Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>

Original author: Anders Carlsson  <andersca@apple.com>

    Add additional check to Text::wholeText.
    <rdar://problem/8304795>

    Reviewed by Darin Adler.

    * dom/Text.cpp:
    (WebCore::Text::wholeText):

    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@68705 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago: Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>
Huzaifa Sidhpurwala [Thu, 2 Dec 2010 06:55:51 +0000 (12:25 +0530)]
Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>

Original authors: oliver@apple.com
                  mrowe@apple.com
                  darin@apple.com

        https://bugs.webkit.org/show_bug.cgi?id=41351

        Clamp the number of arguments supported by function.apply

        JavaScriptCore:
        Add clamping logic to function.apply similar to that enforced by firefox.
        We have a smaller clamp than firefox as our calling convention means that stack
        usage is proportional to argument count -- the firefox limit is larger
        than you could actually call.

        Make Arguments::MaxArguments clamping work for numbers >= 0x80000000 in
        the interpreter as well as the JIT.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Arguments.h:
        (JSC::Arguments::):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute): Be slightly more consistent in using uint32_t to prevent
        warnings about comparisons between signed and unsigned types, and attempts to call an overload
        of std::min that doesn't exist.
        * interpreter/Interpreter.cpp: (JSC::Interpreter::privateExecute):
        Fix signed integer overflow problem in op_load_varargs handling. 0xFFFFFFFF was read as -1.

        LayoutTests:
        * fast/js/function-apply-many-args-expected.txt: Added.
        * fast/js/function-apply-many-args.html: Added.
        * fast/js/script-tests/function-apply-many-args.js: Added.
        * fast/js/function-apply-expected.txt: Updated to expect success.
        * fast/js/script-tests/function-apply.js: Added test cases.

        Backported from the following development branch commits:
        http://trac.webkit.org/changeset/62432
        http://trac.webkit.org/changeset/62433
        http://trac.webkit.org/changeset/62464
        http://trac.webkit.org/changeset/62456
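
Added example, not JavaScriptCore code and not part of this log: the signed/unsigned mix-up the entry above describes (0xFFFFFFFF read as -1 in op_load_varargs) beside the unsigned clamp that fixes it, in stand-alone C++. kMaxArguments is an illustrative limit, not the engine's real Arguments::MaxArguments value, and ArrayLike is a constructed stand-in for the array-like object passed to fn.apply.

```cpp
// Added example, not JavaScriptCore code: signed vs. unsigned clamping of the
// argument count passed to function.apply. kMaxArguments is illustrative.
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <vector>

static const uint32_t kMaxArguments = 0x10000;

// Buggy: the array-like's length is widened into a signed int, so 0xFFFFFFFF
// reads as -1, passes the "too many" test, and would size the argument buffer
// with a negative count.
static int32_t clampArgCountSigned(uint32_t length)
{
    int32_t count = static_cast<int32_t>(length);
    if (count > static_cast<int32_t>(kMaxArguments))
        count = static_cast<int32_t>(kMaxArguments);
    return count;
}

// Fixed: compare as uint32_t, so every length at or above 0x80000000 is
// clamped as well.
static uint32_t clampArgCountUnsigned(uint32_t length)
{
    return std::min<uint32_t>(length, kMaxArguments);
}

// Constructed stand-in for the array-like given to fn.apply(thisArg, arrayLike):
// the script-controlled `length` may far exceed the elements actually present.
struct ArrayLike {
    uint32_t length;
    std::vector<int> elements;   // indices beyond this read as "undefined" (0 here)
};

// Builds the argument list the callee would see, never letting `length`
// decide how much memory or stack is used beyond the clamp.
static std::vector<int> collectArguments(const ArrayLike& args)
{
    uint32_t count = clampArgCountUnsigned(args.length);
    std::vector<int> out;
    out.reserve(count);
    for (uint32_t i = 0; i < count; ++i)
        out.push_back(i < args.elements.size() ? args.elements[i] : 0);
    return out;
}

int main()
{
    printf("signed clamp of 0xFFFFFFFF:   %d\n", clampArgCountSigned(0xFFFFFFFFu));
    printf("unsigned clamp of 0xFFFFFFFF: %u\n", clampArgCountUnsigned(0xFFFFFFFFu));
    ArrayLike hostile = { 0xFFFFFFFFu, { 1, 2, 3 } };
    printf("arguments materialised:       %zu\n", collectArguments(hostile).size());
    return 0;
}
```

The point the test fast/js/function-apply-many-args.js exercises is the second function: once the count is compared unsigned, a `length` of 0xFFFFFFFF, 0x80000000 or anything else above the limit is clamped instead of slipping past the check as a negative number.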

6 years ago: Document CVE-2010-3119 and CVE-2010-3255 in previous releases.
Huzaifa Sidhpurwala [Thu, 2 Dec 2010 04:13:43 +0000 (09:43 +0530)]
Document CVE-2010-3119 and CVE-2010-3255 in previous releases.

6 years ago: Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>
Huzaifa Sidhpurwala [Wed, 1 Dec 2010 04:08:10 +0000 (09:38 +0530)]
Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>

    2010-10-27  Justin Schuh  <jschuh@chromium.org>

            Reviewed by Dirk Schulze.

            Ignore invalid blend modes
            https://bugs.webkit.org/show_bug.cgi?id=48371

            Test: svg/filters/feBlend-invalid-mode.xhtml

            * platform/graphics/filters/FEBlend.cpp:
            (WebCore::FEBlend::apply):
    2010-10-27  Justin Schuh  <jschuh@chromium.org>

            Reviewed by Dirk Schulze.

            Ignore invalid blend modes
            https://bugs.webkit.org/show_bug.cgi?id=48371

            * svg/filters/feBlend-invalid-mode-expected.txt: Added.
            * svg/filters/feBlend-invalid-mode.xhtml: Added.

    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@70652 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago: Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>
Huzaifa Sidhpurwala [Wed, 1 Dec 2010 04:00:56 +0000 (09:30 +0530)]
Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>

    2010-10-26  Abhishek Arya  <inferno@chromium.org>

            Reviewed by Adam Barth.

            Protect the frame from being blown away in loadWithDocumentLoader function call.
            dispatchBeforeLoadEvent can cause the frame to be freed, which gets later used in
            continueLoadAfterNavigationPolicy call.
            https://bugs.webkit.org/show_bug.cgi?id=48281

            Test: fast/events/form-iframe-target-before-load-crash.html

            * loader/FrameLoader.cpp:
            (WebCore::FrameLoader::loadWithDocumentLoader):
    2010-10-26  Abhishek Arya  <inferno@chromium.org>

            Reviewed by Adam Barth.

            Tests that submitting the form on a removed target iframe does not result in a crash.
            https://bugs.webkit.org/show_bug.cgi?id=48281

            * fast/events/form-iframe-target-before-load-crash-expected.txt: Added.
            * fast/events/form-iframe-target-before-load-crash.html: Added.

    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@70517 268f45cc-cd09-0410-ab3c-d52691b4dbfc
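
Added example, not WebKit code and not part of this log: the lifetime bug shared by the FrameLoader entry above, the EventHandler::updateSelectionForMouseDrag entry (renderer re-initialised after the event dispatch), the SMILTimeContainer entry (RefPtr the SVGSMILElement) and the ReplaceSelectionCommand entry (raw pointer replaced by RefPtr plus a null check), reduced to a stand-alone C++ program. std::shared_ptr stands in for WebKit's RefPtr, the Node/Renderer/Document types and the listener are constructed for the example, and the live-object registry exists only so the stale pointer can be shown without dereferencing it.

```cpp
// Added example, not WebKit code: why a raw pointer must not be held across
// event dispatch, and the owning-reference ("protector") fix. All names are
// illustrative; std::shared_ptr stands in for WebKit's RefPtr.
#include <cstdio>
#include <functional>
#include <memory>
#include <unordered_set>

// Registry of live renderers so the example can prove a pointer went stale
// without dereferencing it (the dereference itself would be the use-after-free).
static std::unordered_set<const void*> g_liveRenderers;

struct Renderer {
    int width;
    explicit Renderer(int w) : width(w) { g_liveRenderers.insert(this); }
    ~Renderer() { g_liveRenderers.erase(this); }
};

struct Node {
    std::unique_ptr<Renderer> renderer;
    std::function<void()> listener;      // stands in for a script event handler
};

struct Document {
    std::shared_ptr<Node> focusedNode;   // the tree's owning reference
};

// Dispatch runs arbitrary listener code, which may rearrange or destroy nodes.
static void dispatchEvent(Node& node)
{
    if (node.listener)
        node.listener();
}

// Constructed setup: one node with a renderer and, optionally, a listener that
// detaches the node (destroying its renderer) and drops the tree's reference.
static void setUp(Document& doc, bool listenerDetachesNode)
{
    doc.focusedNode = std::make_shared<Node>();
    doc.focusedNode->renderer.reset(new Renderer(640));
    if (listenerDetachesNode) {
        Document* d = &doc;
        doc.focusedNode->listener = [d]() {
            d->focusedNode->renderer.reset();
            d->focusedNode.reset();
        };
    }
}

// Buggy ordering: the renderer is fetched BEFORE dispatch and used after it.
// Returns whether the cached pointer is still live afterwards (it is not);
// real code would read cached->width here, which is the crash.
static bool cachedRendererSurvivesDispatch()
{
    Document doc;
    setUp(doc, true);
    std::shared_ptr<Node> protector = doc.focusedNode;
    Renderer* cached = protector->renderer.get();
    dispatchEvent(*protector);
    return g_liveRenderers.count(cached) != 0;
}

// Fixed ordering: hold an owning reference so the node outlives dispatch,
// then re-fetch the renderer and null-check it. Returns the width or -1.
static int widthAfterDispatch(bool listenerDetachesNode)
{
    Document doc;
    setUp(doc, listenerDetachesNode);
    std::shared_ptr<Node> protector = doc.focusedNode;
    dispatchEvent(*protector);
    Renderer* renderer = protector->renderer.get();
    if (!renderer)
        return -1;
    return renderer->width;
}

int main()
{
    printf("cached pointer live after dispatch: %d\n", cachedRendererSurvivesDispatch());
    printf("width, quiet listener:     %d\n", widthAfterDispatch(false));
    printf("width, detaching listener: %d\n", widthAfterDispatch(true));
    return 0;
}
```

Two things have to hold at once: the object the code is operating on must be kept alive by an owning reference for the duration of the call-out (the protector), and every pointer derived from it before the call-out must be treated as invalid afterwards, which is why the fixes both add the RefPtr and move the lookup or add the null check after the dispatch.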

6 years ago: Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>
Huzaifa Sidhpurwala [Wed, 1 Dec 2010 03:52:38 +0000 (09:22 +0530)]
Backport crash fix by Huzaifa Sidhpurwala <huzaifas@redhat.com>

Original author: rniwa@webkit.org

    Crash in CompositeEditCommand::splitTreeToNode
    https://bugs.webkit.org/show_bug.cgi?id=48349

    Reviewed by Kent Tamura.

    WebCore:

    The bug was caused by indentIntoBlockquote's passing null pointer to splitTreeToNode.
    Fixed the crash by adding early exits.

    Test: editing/execCommand/indent-node-to-split-to-crash.html

    * editing/CompositeEditCommand.cpp:
    (WebCore::CompositeEditCommand::splitTreeToNode):
    * editing/IndentOutdentCommand.cpp:
    (WebCore::IndentOutdentCommand::indentIntoBlockquote):

    LayoutTests:

    Added a test to ensure WebKit does not crash when indenting.

    * editing/execCommand/indent-node-to-split-to-crash-expected.txt: Added.
    * editing/execCommand/indent-node-to-split-to-crash.html: Added.

    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@70594 268f45cc-cd09-0410-ab3c-d52691b4dbfc

6 years ago: 2010-11-30 Huzaifa Sidhpurwala <huzaifas@redhat.com>
Huzaifa Sidhpurwala [Tue, 30 Nov 2010 05:14:19 +0000 (10:44 +0530)]
2010-11-30  Huzaifa Sidhpurwala <huzaifas@redhat.com>

        Backport crash fix for
        https://bugs.webkit.org/show_bug.cgi?id=45611

        Prevent block logical height of a root inline box from overflowing by clamping it
        at INT_MAX. Otherwise, we will not be able to properly dirty the set of lines during
        removal of a floating object.

        Test: fast/overflow/overflow-block-logical-height-crash.html

        * rendering/RootInlineBox.cpp:
        (WebCore::RootInlineBox::alignBoxesInBlockDirection):
2010-11-30 Huzaifa Sidhpurwala <huzaifas@redhat.com>

       Backport crash fix for
       https://bugs.webkit.org/show_bug.cgi?id=45611

       Tests that overflowing the block logical height of a root inline box does not result in a crash.

       * fast/overflow/overflow-block-logical-height-crash-expected.txt: Added.
       * fast/overflow/overflow-block-logical-height-crash.html: Added.

Original development branch commit: 7c17fcca4dd5110e8083f3c4fb1f73a37ff9ad1d

7 years ago: Preparing the 1.2.5 release. (tag: 1.2.5)
Gustavo Noronha Silva [Mon, 4 Oct 2010 23:02:08 +0000 (20:02 -0300)]
Preparing the 1.2.5 release.

7 years ago: Documenting more handled CVEs
Gustavo Noronha Silva [Mon, 4 Oct 2010 23:02:02 +0000 (20:02 -0300)]
Documenting more handled CVEs

7 years ago: 2010-08-25 Cris Neckar <cdn@chromium.org>
inferno@chromium.org [Wed, 25 Aug 2010 23:10:28 +0000 (23:10 +0000)]
2010-08-25  Cris Neckar  <cdn@chromium.org>

        Reviewed by Darin Adler.

        Added abort condition for RenderCounters when traversing a detached render tree.
        https://bugs.webkit.org/show_bug.cgi?id=43812

        Test: fast/css/counters/counter-traverse-object-crash.html

        * rendering/RenderCounter.cpp:
        (WebCore::findPlaceForCounter):
2010-08-25  Cris Neckar  <cdn@chromium.org>

        Reviewed by Darin Adler.

        Assertion failure in RenderCounter when traversing a detached render tree.
        https://bugs.webkit.org/show_bug.cgi?id=43812

        * fast/css/counters/counter-traverse-object-crash-expected.txt: Added.
        * fast/css/counters/counter-traverse-object-crash.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@66052 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago  2010-08-23 Abhishek Arya <inferno@chromium.org>
inferno@chromium.org [Mon, 23 Aug 2010 20:03:36 +0000 (20:03 +0000)]
2010-08-23  Abhishek Arya  <inferno@chromium.org>

        Reviewed by Dimitri Glazkov.

        Fix security origin calculation in createPattern. Need to use
        cachedImage->response().url() instead of cachedImage->url().
        https://bugs.webkit.org/show_bug.cgi?id=44399.

        Test: http/tests/security/canvas-remote-read-remote-image-redirect.html

        * html/canvas/CanvasRenderingContext2D.cpp:
        (WebCore::CanvasRenderingContext2D::createPattern):
2010-08-23  Abhishek Arya  <inferno@chromium.org>

        Reviewed by Dimitri Glazkov.

        Tests that calling getImageData(), toDataURL() on a canvas tainted by
        a createPattern of a different origin image using redirects from same origin
        is not allowed.
        https://bugs.webkit.org/show_bug.cgi?id=44399

        * http/tests/security/canvas-remote-read-remote-image-redirect-expected.txt: Added.
        * http/tests/security/canvas-remote-read-remote-image-redirect.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@65826 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago  2010-08-20 Tony Chang <tony@chromium.org>
tony@chromium.org [Fri, 20 Aug 2010 19:23:56 +0000 (19:23 +0000)]
2010-08-20  Tony Chang  <tony@chromium.org>

        Reviewed by Adam Barth.

        crash when trying to access a stale Node pointer in FocusController::setFocusedNode
        https://bugs.webkit.org/show_bug.cgi?id=44226

        * fast/events/focus-change-crash2-expected.txt: Added.
        * fast/events/focus-change-crash2.html: Added.
2010-08-20  Tony Chang  <tony@chromium.org>

        Reviewed by Adam Barth.

        crash when trying to access a stale Node pointer in FocusController::setFocusedNode
        https://bugs.webkit.org/show_bug.cgi?id=44226

        Test: fast/events/focus-change-crash2.html

        * page/FocusController.cpp:
        (WebCore::FocusController::setFocusedNode): add a ref to prevent the focused node from being deleted

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@65748 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago  2010-08-12 Justin Schuh <jschuh@chromium.org>
jschuh@chromium.org [Thu, 12 Aug 2010 23:18:08 +0000 (23:18 +0000)]
2010-08-12  Justin Schuh  <jschuh@chromium.org>

        Reviewed by Dumitru Daniliuc.

        Clear PluginData's page pointer on page refresh
        https://bugs.webkit.org/show_bug.cgi?id=43888

        Test: plugins/access-after-page-destroyed.html

        * page/Page.cpp:
        (WebCore::Page::refreshPlugins):
2010-08-12  Justin Schuh  <jschuh@chromium.org>

        Reviewed by Dumitru Daniliuc.

        Clear PluginData's page pointer on page refresh
        https://bugs.webkit.org/show_bug.cgi?id=43888

        * plugins/access-after-page-destroyed.html:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@65280 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago  2010-07-28 Justin Schuh <jschuh@chromium.org>
jschuh@chromium.org [Thu, 29 Jul 2010 18:11:09 +0000 (18:11 +0000)]
2010-07-28  Justin Schuh  <jschuh@chromium.org>

        Reviewed by Nate Chapin.

        Clear PluginData's page pointer on Page destruction
        https://bugs.webkit.org/show_bug.cgi?id=43147

        Test: plugins/access-after-page-destroyed.html

        * page/Page.cpp:
        (WebCore::Page::~Page):
2010-07-28  Justin Schuh  <jschuh@chromium.org>

        Reviewed by Nate Chapin.

        Clear PluginData's page pointer on Page destruction
        https://bugs.webkit.org/show_bug.cgi?id=43147

        * plugins/access-after-page-destroyed-expected.txt: Added.
        * plugins/access-after-page-destroyed.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@64293 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago  2010-08-17 Steve Block <steveblock@google.com>
steveblock@google.com [Tue, 17 Aug 2010 23:05:42 +0000 (23:05 +0000)]
2010-08-17  Steve Block  <steveblock@google.com>

        Reviewed by Jeremy Orlow.

        Geolocation clearWatch() needs to protect against invalid IDs
        https://bugs.webkit.org/show_bug.cgi?id=44096

        * fast/dom/Geolocation/clear-watch-invalid-id-crash-expected.txt: Added.
        * fast/dom/Geolocation/clear-watch-invalid-id-crash.html: Added.
        * fast/dom/Geolocation/script-tests/clear-watch-invalid-id-crash.js: Added.
        * fast/dom/Geolocation/script-tests/notimer-after-unload.js:
        (document.body.onload):
2010-08-17  Steve Block  <steveblock@google.com>

        Reviewed by Jeremy Orlow.

        Geolocation clearWatch() needs to protect against invalid IDs
        https://bugs.webkit.org/show_bug.cgi?id=44096

        If the ID passed to clearWatch() is invalid, we early-out.

        Test: fast/dom/Geolocation/clear-watch-invalid-id-crash.html

        * page/Geolocation.cpp:
        (WebCore::Geolocation::Watchers::set):
        (WebCore::Geolocation::Watchers::remove):
        (WebCore::Geolocation::watchPosition):
        (WebCore::Geolocation::clearWatch):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@65570 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago  2010-07-20 Abhishek Arya <inferno@chromium.org>
inferno@chromium.org [Tue, 20 Jul 2010 21:11:52 +0000 (21:11 +0000)]
2010-07-20  Abhishek Arya  <inferno@chromium.org>

        Reviewed by David Hyatt.

        Check the node is a text node before doing the static cast
        for editing commands.
        https://bugs.webkit.org/show_bug.cgi?id=42655

        Test: editing/execCommand/editing-nontext-node-crash.xhtml

        * editing/DeleteSelectionCommand.cpp:
        (WebCore::DeleteSelectionCommand::fixupWhitespace):
        * editing/InsertLineBreakCommand.cpp:
        (WebCore::InsertLineBreakCommand::doApply):
        * editing/InsertParagraphSeparatorCommand.cpp:
        (WebCore::InsertParagraphSeparatorCommand::doApply):
2010-07-20  Abhishek Arya  <inferno@chromium.org>

        Reviewed by David Hyatt.

        Tests that applying an editing command on a non text node does not
        result in crash.
        https://bugs.webkit.org/show_bug.cgi?id=42655

        * editing/execCommand/editing-nontext-node-crash-expected.txt: Added.
        * editing/execCommand/editing-nontext-node-crash.xhtml: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@63773 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago  More CVEs handled by these changes.
Gustavo Noronha Silva [Thu, 30 Sep 2010 18:40:25 +0000 (15:40 -0300)]
More CVEs handled by these changes.

7 years ago  JavaScriptCore: https://bugs.webkit.org/show_bug.cgi?id=43461
ggaren@apple.com [Thu, 5 Aug 2010 04:52:25 +0000 (04:52 +0000)]
JavaScriptCore: https://bugs.webkit.org/show_bug.cgi?id=43461
Invalid NaN parsing

Reviewed by Oliver Hunt and Beth Dakin.

* wtf/dtoa.cpp: Turn off the dtoa feature that allows you to specify a
non-standard NaN representation, since our NaN encoding assumes that all
true NaNs have the standard bit pattern.

* API/JSValueRef.cpp:
(JSValueMakeNumber): Don't allow an API client to accidentally specify
a non-standard NaN either.

LayoutTests: https://bugs.webkit.org/show_bug.cgi?id=43461
Crash parsing certain values for NaN

Reviewed by Oliver Hunt and Beth Dakin.

* fast/js/parse-nan.html: Added.
* fast/js/script-tests/parse-nan.js: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@64706 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago  2010-07-26 Justin Schuh <jschuh@chromium.org>
jschuh@chromium.org [Mon, 26 Jul 2010 21:36:47 +0000 (21:36 +0000)]
2010-07-26  Justin Schuh  <jschuh@chromium.org>

        Reviewed by Darin Fisher.

        Check history state against origin before setting
        https://bugs.webkit.org/show_bug.cgi?id=42858

        Tests: fast/loader/stateobjects/replacestate-base-illegal.html
               fast/loader/stateobjects/replacestate-base-legal.html

        * page/History.cpp:
        (WebCore::History::urlForState):
        (WebCore::History::stateObjectAdded):
2010-07-26  Justin Schuh  <jschuh@chromium.org>

        Reviewed by Darin Fisher.

        Check history state when base URL is changed
        https://bugs.webkit.org/show_bug.cgi?id=42858

        * fast/loader/stateobjects/replacestate-base-illegal-expected.txt: Added.
        * fast/loader/stateobjects/replacestate-base-illegal.html: Added.
        * fast/loader/stateobjects/replacestate-base-legal-expected.txt: Added.
        * fast/loader/stateobjects/replacestate-base-legal.html: Added.
        * fast/loader/stateobjects/resources/replacestate-base-pass.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@64077 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago  Document CVEs handled by the recently cherry-picked commits, and
Gustavo Noronha Silva [Tue, 28 Sep 2010 21:51:33 +0000 (18:51 -0300)]
Document CVEs handled by the recently cherry-picked commits, and
add an update to the CVE that was left out from the 1.2.4 NEWS.

7 years ago  2010-07-12 Tony Chang <tony@chromium.org>
tony@chromium.org [Mon, 12 Jul 2010 23:38:39 +0000 (23:38 +0000)]
2010-07-12  Tony Chang  <tony@chromium.org>

        Reviewed by David Hyatt.

        crash in FrameView::detachCustomScrollbars
        https://bugs.webkit.org/show_bug.cgi?id=41196

        * scrollbars/hidden-iframe-scrollbar-crash-expected.txt: Added.
        * scrollbars/hidden-iframe-scrollbar-crash.html: Added.
2010-07-12  Tony Chang  <tony@chromium.org>

        Reviewed by David Hyatt.

        crash in FrameView::detachCustomScrollbars
        https://bugs.webkit.org/show_bug.cgi?id=41196

        Test: scrollbars/hidden-iframe-scrollbar-crash.html

        * page/FrameView.cpp:
        (WebCore::FrameView::detachCustomScrollbars):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@63138 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago  2010-07-02 Ojan Vafai <ojan@chromium.org>
ojan@chromium.org [Fri, 9 Jul 2010 00:23:35 +0000 (00:23 +0000)]
2010-07-02  Ojan Vafai  <ojan@chromium.org>

        Reviewed by Adam Barth.

        Crash in RenderObject::containingBlock when clearing selection in a display:none node.
        https://bugs.webkit.org/show_bug.cgi?id=41523

        * editing/selection/crash-on-clear-selection-expected.txt: Added.
        * editing/selection/crash-on-clear-selection.html: Added.
2010-07-02  Ojan Vafai  <ojan@chromium.org>

        Reviewed by Adam Barth.

        Crash in RenderObject::containingBlock when clearing selection in a display:none node.
        https://bugs.webkit.org/show_bug.cgi?id=41523

        updateStyleIfNeeded before clearing the selection in the RenderView. Otherwise,
        m_selectionStart and m_selectionEnd in RenderView point to garbage object.
        This fixes the crash because updateStyleIfNeeded clears the selection before
        clobbering nodes that contain the selection.

        Test: editing/selection/crash-on-clear-selection.html

        * editing/SelectionController.cpp:
        (WebCore::SelectionController::updateAppearance):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@62873 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago  2010-06-23 Abhishek Arya <inferno@chromium.org>
jschuh@chromium.org [Wed, 23 Jun 2010 21:34:59 +0000 (21:34 +0000)]
2010-06-23  Abhishek Arya  <inferno@chromium.org>

        Reviewed by Kenneth Rohde Christiansen.

        Firing the onchange event on select which changes its size > 1 causes the select
        object to change from a menulist to a listbox. However, when propagating the events,
        we do a bad cast assuming the object will remain a menulist. Added proper checks to
        make sure we check the renderer after the onchange is fired and propagate the event
        based on correct object type.
        https://bugs.webkit.org/show_bug.cgi?id=40828

        Test: fast/events/select-onchange-crash.html

        * dom/SelectElement.cpp:
        (WebCore::SelectElement::setSelectedIndex):
2010-06-23  Abhishek Arya  <inferno@chromium.org>

        Reviewed by Kenneth Rohde Christiansen.

        Tests that we do not crash when onchange handler changes the select from a menu list to a list box.
        https://bugs.webkit.org/show_bug.cgi?id=40828

        * fast/events/select-onchange-crash-expected.txt: Added.
        * fast/events/select-onchange-crash.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@61709 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago  2010-07-21 Justin Schuh <jschuh@chromium.org>
jschuh@chromium.org [Thu, 22 Jul 2010 00:58:54 +0000 (00:58 +0000)]
2010-07-21  Justin Schuh  <jschuh@chromium.org>

        Unreviewed. Build fix.

        Removed comment element for test added with:
        http://trac.webkit.org/changeset/63865

        * svg/custom/use-invalid-html-expected.txt:
        * svg/custom/use-invalid-html.xhtml:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@63867 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago  2010-07-21 Justin Schuh <jschuh@chromium.org>
jschuh@chromium.org [Thu, 22 Jul 2010 00:36:38 +0000 (00:36 +0000)]
2010-07-21  Justin Schuh  <jschuh@chromium.org>

        Reviewed by Oliver Hunt.

        Prevent DeleteButtonController enable state from changing when not editing
        https://bugs.webkit.org/show_bug.cgi?id=42659

        Test: svg/custom/use-invalid-html.xhtml

        * dom/ContainerNode.cpp:
        (WebCore::ContainerNode::cloneChildNodes):
2010-07-21  Justin Schuh  <jschuh@chromium.org>

        Reviewed by Oliver Hunt.

        Prevent DeleteButtonController enable state from changing when not editing
        https://bugs.webkit.org/show_bug.cgi?id=42659

        * svg/custom/use-invalid-html-expected.txt: Added.
        * svg/custom/use-invalid-html.xhtml: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@63865 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago  2010-06-10 Tony Chang <tony@chromium.org>
tony@chromium.org [Fri, 11 Jun 2010 00:49:10 +0000 (00:49 +0000)]
2010-06-10  Tony Chang  <tony@chromium.org>

        Reviewed by Kent Tamura.

        crash when focus is changed while trying to focus next element
        https://bugs.webkit.org/show_bug.cgi?id=40407

        * fast/events/focus-change-crash-expected.txt: Added.
        * fast/events/focus-change-crash.html: Added.
2010-06-10  Tony Chang  <tony@chromium.org>

        Reviewed by Kent Tamura.

        crash when focus is changed while trying to focus next element
        https://bugs.webkit.org/show_bug.cgi?id=40407

        Test: fast/events/focus-change-crash.html

        * dom/Element.cpp:
        (WebCore::Element::focus):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@60984 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago  2010-08-10 Abhishek Arya <inferno@chromium.org> (tag: 1.2.4)
inferno@chromium.org [Tue, 10 Aug 2010 20:46:43 +0000 (20:46 +0000)]
2010-08-10  Abhishek Arya  <inferno@chromium.org>

        Reviewed by David Hyatt.

        Take checks for ruby base existence out of the ASSERTs.
        https://bugs.webkit.org/show_bug.cgi?id=43795

        Test: fast/ruby/ruby-remove-no-base.html

        * rendering/RenderRubyRun.cpp:
        (WebCore::RenderRubyRun::addChild):
        (WebCore::RenderRubyRun::removeChild):
2010-08-10  Abhishek Arya  <inferno@chromium.org>

        Reviewed by David Hyatt.

        Tests that removing a ruby child which causes merging of ruby base with
        a non-existent base of the right sibling run does not result in crash.
        https://bugs.webkit.org/show_bug.cgi?id=43795

        * fast/ruby/ruby-remove-no-base-expected.txt: Added.
        * fast/ruby/ruby-remove-no-base.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@65090 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago  2010-07-26 Justin Schuh <jschuh@chromium.org>
jschuh@chromium.org [Mon, 26 Jul 2010 21:36:47 +0000 (21:36 +0000)]
2010-07-26  Justin Schuh  <jschuh@chromium.org>

        Reviewed by Darin Fisher.

        Check history state against origin before setting
        https://bugs.webkit.org/show_bug.cgi?id=42858

        Tests: fast/loader/stateobjects/replacestate-base-illegal.html
               fast/loader/stateobjects/replacestate-base-legal.html

        * page/History.cpp:
        (WebCore::History::urlForState):
        (WebCore::History::stateObjectAdded):
2010-07-26  Justin Schuh  <jschuh@chromium.org>

        Reviewed by Darin Fisher.

        Check history state when base URL is changed
        https://bugs.webkit.org/show_bug.cgi?id=42858

        * fast/loader/stateobjects/replacestate-base-illegal-expected.txt: Added.
        * fast/loader/stateobjects/replacestate-base-illegal.html: Added.
        * fast/loader/stateobjects/replacestate-base-legal-expected.txt: Added.
        * fast/loader/stateobjects/replacestate-base-legal.html: Added.
        * fast/loader/stateobjects/resources/replacestate-base-pass.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@64077 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago  2010-07-20 Abhishek Arya <inferno@chromium.org>
inferno@chromium.org [Tue, 20 Jul 2010 21:11:52 +0000 (21:11 +0000)]
2010-07-20  Abhishek Arya  <inferno@chromium.org>

        Reviewed by David Hyatt.

        Check the node is a text node before doing the static cast
        for editing commands.
        https://bugs.webkit.org/show_bug.cgi?id=42655

        Test: editing/execCommand/editing-nontext-node-crash.xhtml

        * editing/DeleteSelectionCommand.cpp:
        (WebCore::DeleteSelectionCommand::fixupWhitespace):
        * editing/InsertLineBreakCommand.cpp:
        (WebCore::InsertLineBreakCommand::doApply):
        * editing/InsertParagraphSeparatorCommand.cpp:
        (WebCore::InsertParagraphSeparatorCommand::doApply):
2010-07-20  Abhishek Arya  <inferno@chromium.org>

        Reviewed by David Hyatt.

        Tests that applying an editing command on a non text node does not
        result in crash.
        https://bugs.webkit.org/show_bug.cgi?id=42655

        * editing/execCommand/editing-nontext-node-crash-expected.txt: Added.
        * editing/execCommand/editing-nontext-node-crash.xhtml: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@63773 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago  2010-07-21 Justin Schuh <jschuh@chromium.org>
jschuh@chromium.org [Thu, 22 Jul 2010 00:36:38 +0000 (00:36 +0000)]
2010-07-21  Justin Schuh  <jschuh@chromium.org>

        Reviewed by Oliver Hunt.

        Prevent DeleteButtonController enable state from changing when not editing
        https://bugs.webkit.org/show_bug.cgi?id=42659

        Test: svg/custom/use-invalid-html.xhtml

        * dom/ContainerNode.cpp:
        (WebCore::ContainerNode::cloneChildNodes):
2010-07-21  Justin Schuh  <jschuh@chromium.org>

        Reviewed by Oliver Hunt.

        Prevent DeleteButtonController enable state from changing when not editing
        https://bugs.webkit.org/show_bug.cgi?id=42659

        * svg/custom/use-invalid-html-expected.txt: Added.
        * svg/custom/use-invalid-html.xhtml: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@63865 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago  News and versioning for the 1.2.4 release.
Gustavo Noronha Silva [Fri, 3 Sep 2010 19:30:14 +0000 (16:30 -0300)]
News and versioning for the 1.2.4 release.

7 years ago  2010-07-06 Nikolas Zimmermann <nzimmermann@rim.com>
zimmermann@webkit.org [Wed, 7 Jul 2010 14:17:27 +0000 (14:17 +0000)]
2010-07-06  Nikolas Zimmermann  <nzimmermann@rim.com>

        Reviewed by Dirk Schulze.

        <use> on <font-face> causes crashes, if SVGUseElement gets detached
        https://bugs.webkit.org/show_bug.cgi?id=41621

        Do not call removeFromMappedElementSheet() from the SVGFontFaceElement destructor,
        as that can potentially cause the element to be reattached while destructing.

        In order to fix the crash in the testcase, the order of calling the base-class detach
        method in SVGUseElement and the instance/shadow tree destruction has to be reversed,
        matching the order in removedFromDocument().

        Test: svg/custom/use-font-face-crash.svg

        * svg/SVGFontFaceElement.cpp:
        (WebCore::SVGFontFaceElement::~SVGFontFaceElement): Remove removeFromMappedElementSheet() call.
        * svg/SVGUseElement.cpp:
        (WebCore::SVGUseElement::detach): Reverse order of calling base-class detach method and instance/shadow tree destruction.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@62662 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago  2010-07-05 Nikolas Zimmermann <nzimmermann@rim.com>
zimmermann@webkit.org [Mon, 5 Jul 2010 12:27:35 +0000 (12:27 +0000)]
2010-07-05  Nikolas Zimmermann  <nzimmermann@rim.com>

        Reviewed by Darin Adler.

        Memory corruption with SVG <use> element
        https://bugs.webkit.org/show_bug.cgi?id=40994

        Fix race condition in svgAttributeChanged. Never call svgAttributeChanged() from attributeChanged()
        when we're synchronizing SVG attributes. It leads to either unnecessary extra work being done or
        crashes. Especially together with <polyline>/<polygon> which always synchronize the SVGAnimatedPoints
        datastructure with the points attribute, no matter if there are changes or not. This should be
        further optimized, but this fix is sane and fixes the root of the evil races.

        Test: svg/custom/use-property-synchronization-crash.svg

        * svg/SVGElement.cpp:
        (WebCore::SVGElement::attributeChanged):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@62482 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago  2010-07-02 Peter Varga <pvarga@inf.u-szeged.hu>
ddkilzer@apple.com [Fri, 2 Jul 2010 16:45:41 +0000 (16:45 +0000)]
2010-07-02  Peter Varga  <pvarga@inf.u-szeged.hu>

        Reviewed by Oliver Hunt.

        The alternativeFrameLocation value is wrong in the emitDisjunction function in
        case of PatternTerm::TypeParentheticalAssertion. This value needs to be
        computed from term.frameLocation instead of term.inputPosition. This mistake caused glibc
        memory corruption in some cases.
        Layout test added for checking of TypeParentheticalAssertion case.
        https://bugs.webkit.org/show_bug.cgi?id=41458

        * yarr/RegexInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::emitDisjunction):
2010-07-02  Peter Varga  <pvarga@inf.u-szeged.hu>

        Reviewed by Oliver Hunt.

        The alternativeFrameLocation value is wrong in the emitDisjunction function in
        case of PatternTerm::TypeParentheticalAssertion. This value needs to be
        computed from term.frameLocation instead of term.inputPosition. This mistake caused glibc
        memory corruption in some cases.
        Layout test added for checking of TypeParentheticalAssertion case.
        https://bugs.webkit.org/show_bug.cgi?id=41458

        * fast/js/regexp-look-ahead-expected.txt: Added.
        * fast/js/regexp-look-ahead.html: Added.
        * fast/js/script-tests/regexp-look-ahead.js: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@62386 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago  Improve reentrancy logic in polymorphic cache stubs
oliver@apple.com [Thu, 1 Jul 2010 22:02:59 +0000 (22:02 +0000)]
Improve reentrancy logic in polymorphic cache stubs
<https://bugs.webkit.org/show_bug.cgi?id=41482>
<rdar://problem/8094380>

Reviewed by Geoff Garen.

JavaScriptCore:

Make the polymorphic cache stubs handle reentrancy
better.

* jit/JITStubs.cpp:
(JSC::DEFINE_STUB_FUNCTION):
(JSC::getPolymorphicAccessStructureListSlot):

LayoutTests:

Test cases for cache reentry in the cache code.

* fast/js/reentrant-caching-expected.txt: Added.
* fast/js/reentrant-caching.html: Added.
* fast/js/script-tests/reentrant-caching.js: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@62301 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago  2010-07-01 Justin Schuh <jschuh@chromium.org>
jschuh@chromium.org [Thu, 1 Jul 2010 16:55:06 +0000 (16:55 +0000)]
2010-07-01  Justin Schuh  <jschuh@chromium.org>

        Reviewed by Dan Bernstein.

        Prevent crash on counter destruction
        https://bugs.webkit.org/show_bug.cgi?id=40032

        Added counter destruction to RenderWidget::destroy()

        Test: fast/css/counters/destroy-counter-crash.html

        * rendering/RenderWidget.cpp:
        (WebCore::RenderWidget::destroy):
2010-07-01  Justin Schuh  <jschuh@chromium.org>

        Reviewed by Dan Bernstein.

        Prevent crash on counter destruction
        https://bugs.webkit.org/show_bug.cgi?id=40032

        * fast/css/counters/destroy-counter-crash-expected.txt: Added.
        * fast/css/counters/destroy-counter-crash.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@62271 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago  <rdar://problem/7975842> Certain text is repeated after using splitText()
mitz@apple.com [Tue, 29 Jun 2010 17:42:40 +0000 (17:42 +0000)]
<rdar://problem/7975842> Certain text is repeated after using splitText()

Reviewed by Darin Adler.

WebCore:

Tests: fast/text/setData-dirty-lines.html
       fast/text/splitText-dirty-lines.html

* dom/CharacterData.cpp:
(WebCore::CharacterData::setData): Call RenderText::setTextWithOffset() rather than
setText(), because only the former correctly dirties line boxes.
* dom/Text.cpp:
(WebCore::Text::splitText): Ditto.

LayoutTests:

* fast/text/setData-dirty-lines-expected.checksum: Added.
* fast/text/setData-dirty-lines-expected.png: Added.
* fast/text/setData-dirty-lines-expected.txt: Added.
* fast/text/setData-dirty-lines.html: Added.
* fast/text/splitText-dirty-lines-expected.checksum: Added.
* fast/text/splitText-dirty-lines-expected.png: Added.
* fast/text/splitText-dirty-lines-expected.txt: Added.
* fast/text/splitText-dirty-lines.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@62134 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago  <rdar://problem/8000667> Certain text is repeated before and after a line break
mitz@apple.com [Sat, 26 Jun 2010 00:31:54 +0000 (00:31 +0000)]
<rdar://problem/8000667> Certain text is repeated before and after a line break

Reviewed by Sam Weinig.

WebCore:

Test: fast/text/bidi-explicit-embedding-past-end.html

* platform/text/BidiResolver.h:
(WebCore::::createBidiRunsForLine): Committing explicit embedding past the end of the range
creates BidiRuns up to the end of the range, so at that point, we can stop iterating.

LayoutTests:

* fast/text/bidi-explicit-embedding-past-end-expected.checksum: Added.
* fast/text/bidi-explicit-embedding-past-end-expected.png: Added.
* fast/text/bidi-explicit-embedding-past-end-expected.txt: Added.
* fast/text/bidi-explicit-embedding-past-end.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@61921 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago  Skip tests that will fail in stable branches
Gustavo Noronha Silva [Fri, 27 Aug 2010 19:38:33 +0000 (16:38 -0300)]
Skip tests that will fail in stable branches

7 years ago  2010-06-23 Nikolas Zimmermann <nzimmermann@rim.com>
zimmermann@webkit.org [Wed, 23 Jun 2010 07:11:19 +0000 (07:11 +0000)]
2010-06-23  Nikolas Zimmermann  <nzimmermann@rim.com>

        Reviewed by Eric Seidel.

        Reproducible crash in com.apple.WebCore 0x01ed3784 WebCore::RenderLineBoxList::appendLineBox(WebCore::InlineFlowBox*) + 36
        https://bugs.webkit.org/show_bug.cgi?id=40953

        REGRESSION (r58209-58231): Memory corruption with invalid SVG
        https://bugs.webkit.org/show_bug.cgi?id=40173

        Fix several crashes, all related to <foreignObject> and/or invalid SVG documents.
        - Only allow <svg> nodes, as direct children of a <foreignObject>, not any other "partial" SVG content.
        - Assure to create RenderSVGRoot objects for <svg> nodes in <foreignObject>, treat them as "outermost SVG elements".
        - Never allow any partial SVG content to appear in any document. Only <svg> elements are allowed.

        Tests: svg/custom/bug45331.svg
               svg/foreignObject/disallowed-svg-nodes-as-direct-children.svg
               svg/foreignObject/no-crash-with-svg-content-in-html-document.svg
               svg/foreignObject/svg-document-as-direct-child.svg
               svg/foreignObject/svg-document-in-html-document.svg
               svg/foreignObject/text-tref-02-b.svg

        * dom/Element.cpp: Added childShouldCreateRenderer, with ENABLE(SVG) guards.
        (WebCore::Element::childShouldCreateRenderer): Only create a renderer for a SVG child, if we're a SVG element, or if the child is a <svg> element.
        * dom/Element.h: Added childShouldCreateRenderer, with ENABLE(SVG) guards.
        * svg/SVGForeignObjectElement.cpp:
        (WebCore::SVGForeignObjectElement::childShouldCreateRenderer): Disallow arbitrary SVG content, only <svg> elements are allowed as direct children of a <foreignObject>
        * svg/SVGSVGElement.cpp:
        (WebCore::SVGSVGElement::isOutermostSVG): Be sure to create RenderSVGRoot objects for <svg> elements inside <foreignObject>

2010-06-23  Nikolas Zimmermann  <nzimmermann@rim.com>

        Reviewed by Eric Seidel.

        Reproducible crash in com.apple.WebCore 0x01ed3784 WebCore::RenderLineBoxList::appendLineBox(WebCore::InlineFlowBox*) + 36
        https://bugs.webkit.org/show_bug.cgi?id=40953

        REGRESSION (r58209-58231): Memory corruption with invalid SVG
        https://bugs.webkit.org/show_bug.cgi?id=40173

        Added several new layout tests covering the crashes with <foreignObject> and/or invalid SVG documents.

        * platform/mac/svg/custom/bug45331-expected.checksum: Added.
        * platform/mac/svg/custom/bug45331-expected.png: Added.
        * platform/mac/svg/custom/bug45331-expected.txt: Added.
        * platform/mac/svg/foreignObject: Added.
        * platform/mac/svg/foreignObject/disallowed-svg-nodes-as-direct-children-expected.checksum: Added.
        * platform/mac/svg/foreignObject/disallowed-svg-nodes-as-direct-children-expected.png: Added.
        * platform/mac/svg/foreignObject/disallowed-svg-nodes-as-direct-children-expected.txt: Added.
        * platform/mac/svg/foreignObject/no-crash-with-svg-content-in-html-document-expected.checksum: Added.
        * platform/mac/svg/foreignObject/no-crash-with-svg-content-in-html-document-expected.png: Added.
        * platform/mac/svg/foreignObject/no-crash-with-svg-content-in-html-document-expected.txt: Added.
        * platform/mac/svg/foreignObject/svg-document-as-direct-child-expected.checksum: Added.
        * platform/mac/svg/foreignObject/svg-document-as-direct-child-expected.png: Added.
        * platform/mac/svg/foreignObject/svg-document-as-direct-child-expected.txt: Added.
        * platform/mac/svg/foreignObject/svg-document-in-html-document-expected.checksum: Added.
        * platform/mac/svg/foreignObject/svg-document-in-html-document-expected.png: Added.
        * platform/mac/svg/foreignObject/svg-document-in-html-document-expected.txt: Added.
        * platform/mac/svg/foreignObject/text-tref-02-b-expected.checksum: Added.
        * platform/mac/svg/foreignObject/text-tref-02-b-expected.png: Added.
        * platform/mac/svg/foreignObject/text-tref-02-b-expected.txt: Added.
        * svg/custom/bug45331.svg: Added.
        * svg/foreignObject: Added.
        * svg/foreignObject/disallowed-svg-nodes-as-direct-children.svg: Added.
        * svg/foreignObject/no-crash-with-svg-content-in-html-document.svg: Added.
        * svg/foreignObject/svg-document-as-direct-child.svg: Added.
        * svg/foreignObject/svg-document-in-html-document.svg: Added.
        * svg/foreignObject/text-tref-02-b.svg: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@61667 268f45cc-cd09-0410-ab3c-d52691b4dbfc

2010-06-11 Simon Fraser <simon.fraser@apple.com>
simon.fraser@apple.com [Sat, 12 Jun 2010 00:54:40 +0000 (00:54 +0000)]
2010-06-11  Simon Fraser  <simon.fraser@apple.com>

        Add expected result missing from the previous commit.

        * svg/text/text-style-invalid-expected.txt: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@61051 268f45cc-cd09-0410-ab3c-d52691b4dbfc

2010-06-10 Abhishek Arya <inferno@chromium.org>
simon.fraser@apple.com [Sat, 12 Jun 2010 00:52:38 +0000 (00:52 +0000)]
2010-06-10  Abhishek Arya  <inferno@chromium.org>

        Reviewed by Dave Hyatt.

        Do not render CSS Styles :first-letter and :first-line in a SVG text element context.
        https://bugs.webkit.org/show_bug.cgi?id=40031

        Test: svg/text/text-style-invalid.svg

        * rendering/RenderSVGText.cpp:
        (WebCore::RenderSVGText::firstLineBlock):
        (WebCore::RenderSVGText::updateFirstLetter):
        * rendering/RenderSVGText.h:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@61050 268f45cc-cd09-0410-ab3c-d52691b4dbfc

2010-06-11 Abhishek Arya <inferno@chromium.org>
jhawkins@chromium.org [Fri, 11 Jun 2010 23:33:27 +0000 (23:33 +0000)]
2010-06-11  Abhishek Arya  <inferno@chromium.org>

        Reviewed by David Hyatt.

        Don't process floats if parent node is not a RenderBlock.
        https://bugs.webkit.org/show_bug.cgi?id=40033

        Test: svg/text/clear-floats-crash.svg

        * rendering/RenderBlock.cpp:
        (WebCore::RenderBlock::clearFloats):
2010-06-11  Abhishek Arya  <inferno@chromium.org>

        Reviewed by David Hyatt.

        Tests that we do not crash when clearing floats during SVG load.
        https://bugs.webkit.org/show_bug.cgi?id=40033

        * svg/text/clear-floats-crash-expected.txt: Added.
        * svg/text/clear-floats-crash.svg: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@61044 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Do not fail to build with deprecated symbols.
Gustavo Noronha Silva [Fri, 27 Aug 2010 18:28:42 +0000 (15:28 -0300)]
Do not fail to build with deprecated symbols.

2010-06-15 Xan Lopez <xlopez@igalia.com>
xan@webkit.org [Tue, 15 Jun 2010 19:14:38 +0000 (19:14 +0000)]
2010-06-15  Xan Lopez  <xlopez@igalia.com>

        Reviewed by Gustavo Noronha.

        [GTK] Does not compile with -DGSEAL_ENABLE
        https://bugs.webkit.org/show_bug.cgi?id=37851

        Add GSEAL_ENABLE flag when doing debug builds.

        * GNUmakefile.am:

WebCore:

2010-06-15  Xan Lopez  <xlopez@igalia.com>

        Reviewed by Gustavo Noronha.

        [GTK] Does not compile with -DGSEAL_ENABLE
        https://bugs.webkit.org/show_bug.cgi?id=37851

        Fix compilation with GSEAL_ENABLE.

        * platform/gtk/GtkVersioning.h:
        * platform/gtk/PlatformScreenGtk.cpp:
        (WebCore::screenDepth):
        (WebCore::screenDepthPerComponent):
        * platform/gtk/PopupMenuGtk.cpp:
        (WebCore::PopupMenu::show):
        * platform/gtk/ScrollbarGtk.cpp:
        (ScrollbarGtk::detachAdjustment):
        (ScrollbarGtk::updateThumbPosition):
        (ScrollbarGtk::updateThumbProportion):
        * plugins/gtk/PluginViewGtk.cpp:
        (WebCore::PluginView::paint):
        (WebCore::PluginView::initXEvent):
        (WebCore::PluginView::platformGetValue):
        (WebCore::PluginView::platformStart):
        * plugins/gtk/gtk2xtbin.c:
        (gtk_xtbin_realize):
        (gtk_xtbin_new):
        (gtk_xtbin_set_position):
        (gtk_xtbin_unrealize):

WebKit/gtk:

2010-06-15  Xan Lopez  <xlopez@igalia.com>

        Reviewed by Gustavo Noronha.

        [GTK] Does not compile with -DGSEAL_ENABLE
        https://bugs.webkit.org/show_bug.cgi?id=37851

        Fix compilation with GSEAL_ENABLE.

        * WebCoreSupport/ChromeClientGtk.cpp:
        (WebKit::ChromeClient::pageRect):
        (WebKit::ChromeClient::contentsSizeChanged):
        * tests/testdomnode.c:
        (test_dom_node_insertion):
        * webkit/webkitwebview.cpp:
        (webkit_web_view_realize):
        (webkit_web_view_script_dialog):
        (webkit_web_view_drag_end):
        (webkit_web_view_init):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@61206 268f45cc-cd09-0410-ab3c-d52691b4dbfc

2010-06-07 Martin Robinson <mrobinson@igalia.com>
mrobinson@webkit.org [Mon, 7 Jun 2010 15:02:47 +0000 (15:02 +0000)]
2010-06-07  Martin Robinson  <mrobinson@igalia.com>

        Reviewed by Xan Lopez.

        [GTK] gtk_widget_get_window should replace widget->window
        https://bugs.webkit.org/show_bug.cgi?id=40180

        Replace all uses of widget->window with gtk_widget_get_window. For older
        GTK+ versions, #define gtk_widget_get_window in GtkVersioning.h.

        No tests necessary as functionality has not changed.

        * platform/gtk/GtkPluginWidget.cpp:
        (WebCore::GtkPluginWidget::invalidateRect): Replace widget->window use.
        * platform/gtk/GtkVersioning.h: Add gtk_widget_get_window for old GTK+ versions.
        * platform/gtk/PlatformScreenGtk.cpp:
        (WebCore::getVisual): Replace widget->window use.
        (WebCore::screenRect): Ditto.
        * platform/gtk/PopupMenuGtk.cpp:
        (WebCore::PopupMenu::show): Ditto.
        * platform/gtk/WidgetGtk.cpp:
        (WebCore::gdkDrawable): Ditto.
        (WebCore::Widget::setCursor): Ditto.
2010-06-07  Martin Robinson  <mrobinson@igalia.com>

        Reviewed by Xan Lopez.

        [GTK] gtk_widget_get_window should replace widget->window
        https://bugs.webkit.org/show_bug.cgi?id=40180

        Replace uses of widget->window with gtk_widget_get_window.

        * WebCoreSupport/ChromeClientGtk.cpp:
        (WebKit::ChromeClient::invalidateContentsAndWindow): Replace widget->window uses.
        (WebKit::ChromeClient::scroll): Ditto.
        (WebKit::widgetScreenPosition): Ditto.
        * WebCoreSupport/DragClientGtk.cpp: Move gtk_widget_get_window define to GtkVersioning.h.
        * webkit/webkitwebview.cpp:
        (webkit_web_view_popup_menu_handler): Replace widget->window uses.
        (webkit_web_view_button_press_event): Ditto.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@60785 268f45cc-cd09-0410-ab3c-d52691b4dbfc

2010-06-10 Tony Chang <tony@chromium.org>
tony@chromium.org [Fri, 11 Jun 2010 00:49:10 +0000 (00:49 +0000)]
2010-06-10  Tony Chang  <tony@chromium.org>

        Reviewed by Kent Tamura.

        crash when focus is changed while trying to focus next element
        https://bugs.webkit.org/show_bug.cgi?id=40407

        * fast/events/focus-change-crash-expected.txt: Added.
        * fast/events/focus-change-crash.html: Added.
2010-06-10  Tony Chang  <tony@chromium.org>

        Reviewed by Kent Tamura.

        crash when focus is changed while trying to focus next element
        https://bugs.webkit.org/show_bug.cgi?id=40407

        Test: fast/events/focus-change-crash.html

        * dom/Element.cpp:
        (WebCore::Element::focus):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@60984 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Preparing the 1.2.3 release 1.2.3
Gustavo Noronha Silva [Thu, 15 Jul 2010 20:46:15 +0000 (17:46 -0300)]
Preparing the 1.2.3 release

2010-05-14 Abhishek Arya <inferno@chromium.org>
eric@webkit.org [Fri, 14 May 2010 22:14:46 +0000 (22:14 +0000)]
2010-05-14  Abhishek Arya  <inferno@chromium.org>

        Reviewed by David Hyatt.

        Tests that a large colspan in a fixed table layout does not result in a crash.
        https://bugs.webkit.org/show_bug.cgi?id=38261

        * fast/table/fixed-table-layout-large-colspan-crash-expected.txt: Added.
        * fast/table/fixed-table-layout-large-colspan-crash.html: Added.
2010-05-14  Abhishek Arya  <inferno@chromium.org>

        Reviewed by David Hyatt.

        Move the m_width(Length) and m_columns(RenderTable::ColumnStruct)
        vector out-of-bounds check out of the ASSERT into the main code.
        https://bugs.webkit.org/show_bug.cgi?id=38261

        Test: fast/table/fixed-table-layout-large-colspan-crash.html

        * rendering/FixedTableLayout.cpp:
        (WebCore::FixedTableLayout::calcWidthArray):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@59495 268f45cc-cd09-0410-ab3c-d52691b4dbfc

WebCore: Fix for <rdar://problem/8009118> Crash in WebCore::toAlphabetic()
bdakin@apple.com [Fri, 21 May 2010 19:53:29 +0000 (19:53 +0000)]
WebCore: Fix for <rdar://problem/8009118> Crash in WebCore::toAlphabetic()
while running MangleMe
-and corresponding-
https://bugs.webkit.org/show_bug.cgi?id=39508

Reviewed by Darin Adler.

The math was slightly off here, and we wound up trying to access an
array at index -1 in some cases. We need to decrement numberShadow
rather than subtracting one from the result of the modulo
operation.

* rendering/RenderListMarker.cpp:
(WebCore::toAlphabeticOrNumeric):

LayoutTests: Test for <rdar://problem/8009118> Crash in WebCore::toAlphabetic()
while running MangleMe
-and corresponding-
https://bugs.webkit.org/show_bug.cgi?id=39508

Reviewed by Darin Adler.

* fast/lists/alpha-boundary-values.html: Added.
* platform/mac/fast/lists/alpha-boundary-values-expected.checksum: Added.
* platform/mac/fast/lists/alpha-boundary-values-expected.png: Added.
* platform/mac/fast/lists/alpha-boundary-values-expected.txt: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@59950 268f45cc-cd09-0410-ab3c-d52691b4dbfc
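
The off-by-one the message describes, as an added illustration that is not WebKit's own RenderListMarker.cpp code (the function names, the bounds-checked stand-in for the crashing read, and the boundary scan are constructed here): subtracting one after the modulo yields index -1 whenever the value being converted is a multiple of the alphabet size, while decrementing before the modulo keeps every index in range.

```cpp
// Added illustration (not WebKit's RenderListMarker.cpp): converting a list
// item number into an alphabetic marker, 1 -> "a", 26 -> "z", 27 -> "aa".
#include <string>

static const char kLowerAlpha[] = "abcdefghijklmnopqrstuvwxyz";
static const int kLowerAlphaSize = 26;

// Flawed arithmetic of the kind the commit describes: take the modulo first,
// then subtract one from the result. Whenever the value still to be converted
// is a multiple of sequenceSize (26, 52, ..., and 677 after its first digit)
// the modulo is 0 and the index becomes -1. The crashing code read
// sequence[-1]; this bounds-checked stand-in reports the bad index through
// outOfRange and returns an empty string instead.
std::string toAlphabeticBuggy(int number, const char* sequence, int sequenceSize, bool& outOfRange)
{
    std::string letters;
    outOfRange = false;
    if (number < 1)            // constructed precondition: markers start at 1
        return letters;
    int numberShadow = number;
    do {
        int index = numberShadow % sequenceSize - 1;
        if (index < 0) {
            outOfRange = true; // would have been sequence[-1]
            return std::string();
        }
        letters.insert(letters.begin(), sequence[index]);
        numberShadow /= sequenceSize;
    } while (numberShadow > 0);
    return letters;
}

// Corrected arithmetic: decrement numberShadow before the modulo, so the
// index is always in [0, sequenceSize) and the division carries correctly.
std::string toAlphabeticFixed(int number, const char* sequence, int sequenceSize)
{
    std::string letters;
    if (number < 1)            // same constructed precondition as above
        return letters;
    int numberShadow = number;
    do {
        --numberShadow;        // 1 -> 0 ('a'), 26 -> 25 ('z')
        letters.insert(letters.begin(), sequence[numberShadow % sequenceSize]);
        numberShadow /= sequenceSize;
    } while (numberShadow > 0);
    return letters;
}

// Boundary scan in the spirit of the alpha-boundary-values test: the smallest
// number in [1, limit] for which the buggy formula produces a negative index,
// or -1 if there is none.
int firstBuggyOutOfRange(int limit)
{
    for (int n = 1; n <= limit; ++n) {
        bool outOfRange = false;
        toAlphabeticBuggy(n, kLowerAlpha, kLowerAlphaSize, outOfRange);
        if (outOfRange)
            return n;
    }
    return -1;
}
```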

2010-05-20 Marcus Bulach <bulach@chromium.org>
steveblock@google.com [Thu, 20 May 2010 20:10:12 +0000 (20:10 +0000)]
2010-05-20  Marcus Bulach  <bulach@chromium.org>

        Reviewed by Steve Block.

        Ensure timers are stopped on Geolocation::disconnectFrame()
        https://bugs.webkit.org/show_bug.cgi?id=39388

        fast/dom/Geolocation/notimer-after-unload.html, plus it should be possible to re-enable Gtk LayoutTests.

        * page/Geolocation.cpp:
        (WebCore::Geolocation::disconnectFrame):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@59859 268f45cc-cd09-0410-ab3c-d52691b4dbfc

2010-03-22 Darin Adler <darin@apple.com>
darin@apple.com [Mon, 22 Mar 2010 17:51:57 +0000 (17:51 +0000)]
2010-03-22  Darin Adler  <darin@apple.com>

        Reviewed by Dan Bernstein.

        TextBreakIteratorICU.cpp is incompatible with new UBreakIterator type in ICU 4.4
        https://bugs.webkit.org/show_bug.cgi?id=36381

        * platform/text/TextBreakIteratorICU.cpp:
        (WebCore::setUpIterator): Use reinterpret_cast instead of static_cast or relying
        on conversion to void*.
        (WebCore::textBreakFirst): Ditto.
        (WebCore::textBreakLast): Ditto.
        (WebCore::textBreakNext): Ditto.
        (WebCore::textBreakPrevious): Ditto.
        (WebCore::textBreakPreceding): Ditto.
        (WebCore::textBreakFollowing): Ditto.
        (WebCore::textBreakCurrent): Ditto.
        (WebCore::isTextBreak): Ditto.
        (WebCore::setUpIteratorWithRules): Ditto.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@56345 268f45cc-cd09-0410-ab3c-d52691b4dbfc

<rdar://problem/8007953> Textarea using custom font appears blank
mitz@apple.com [Fri, 21 May 2010 00:37:06 +0000 (00:37 +0000)]
<rdar://problem/8007953> Textarea using custom font appears blank

Reviewed by Dave Hyatt.

WebCore:

Test: fast/css/font-face-in-shadow-DOM.html

When a remote font is loaded, CSSFontSelector forces a style recalc, which replaces all
RenderStyles that have FontFallbackLists referencing the placeholder font with fresh
RenderStyles. However, it does not descend into shadow DOM trees, so those may end up with
styles that still reference the placeholder font.

The fix is to add RenderObject::requiresForcedStyleRecalcPropagation() and have it return
true from renderers that maintain shadow DOM trees or otherwise keep their own RenderStyles.

* dom/Element.cpp:
(WebCore::Element::recalcStyle): Check if forced style recalc needs to be propagated.
* rendering/RenderButton.h:
(WebCore::RenderButton::requiresForcedStyleRecalcPropagation):
* rendering/RenderDataGrid.h:
(WebCore::RenderDataGrid::requiresForcedStyleRecalcPropagation):
* rendering/RenderFileUploadControl.h:
(WebCore::RenderFileUploadControl::requiresForcedStyleRecalcPropagation):
* rendering/RenderListItem.h:
(WebCore::RenderListItem::requiresForcedStyleRecalcPropagation):
* rendering/RenderMedia.h:
(WebCore::RenderMedia::requiresForcedStyleRecalcPropagation):
* rendering/RenderMenuList.h:
(WebCore::RenderMenuList::RenderMenuList::requiresForcedStyleRecalcPropagation):
* rendering/RenderObject.h:
(WebCore::RenderObject::requiresForcedStyleRecalcPropagation):
* rendering/RenderProgress.h:
(WebCore::RenderProgress::requiresForcedStyleRecalcPropagation):
* rendering/RenderSlider.h:
(WebCore::RenderSlider::requiresForcedStyleRecalcPropagation):
* rendering/RenderTextControl.h:
(WebCore::RenderTextControl::requiresForcedStyleRecalcPropagation):

LayoutTests:

* fast/css/font-face-in-shadow-DOM.html: Added.
* platform/mac/fast/css/font-face-in-shadow-DOM-expected.checksum: Added.
* platform/mac/fast/css/font-face-in-shadow-DOM-expected.png: Added.
* platform/mac/fast/css/font-face-in-shadow-DOM-expected.txt: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@59876 268f45cc-cd09-0410-ab3c-d52691b4dbfc

2010-05-19 Abhishek Arya <inferno@chromium.org>
yaar@chromium.org [Wed, 19 May 2010 23:59:08 +0000 (23:59 +0000)]
2010-05-19  Abhishek Arya  <inferno@chromium.org>

        Reviewed by David Hyatt.

        Check that the node is a text node before doing a static cast
        to a Text class pointer.
        https://bugs.webkit.org/show_bug.cgi?id=38626

        Test: fast/text/text-transform-nontext-node-crash.xhtml

        * rendering/RenderText.cpp:
        (WebCore::RenderText::originalText):
        * rendering/RenderTextFragment.cpp:
        (WebCore::RenderTextFragment::originalText):
        (WebCore::RenderTextFragment::previousCharacter):
2010-05-19  Abhishek Arya  <inferno@chromium.org>

        Reviewed by David Hyatt.

        Tests that text transformation applied to a non-text node
        does not result in a crash.
        https://bugs.webkit.org/show_bug.cgi?id=38626

        * fast/text/text-transform-nontext-node-crash-expected.txt: Added.
        * fast/text/text-transform-nontext-node-crash.xhtml: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@59795 268f45cc-cd09-0410-ab3c-d52691b4dbfc

2010-05-12 Abhishek Arya <inferno@chromium.org>
darin@apple.com [Wed, 12 May 2010 18:13:00 +0000 (18:13 +0000)]
2010-05-12  Abhishek Arya  <inferno@chromium.org>

        Reviewed by Darin Adler.

        HTML Entity Escape the contents of a textarea node when accessed via the innerHTML and outerHTML node properties.
        https://bugs.webkit.org/show_bug.cgi?id=38922

        Test: fast/encoding/textnode-XSS.html

        * editing/markup.cpp:
        (WebCore::appendStartMarkup):
2010-05-12  Abhishek Arya  <inferno@chromium.org>

        Reviewed by Darin Adler.

        Tests that accessing the innerHTML property of a text node encodes
        entities properly. Update existing test to fix the innerHTML result.
        https://bugs.webkit.org/show_bug.cgi?id=38922

        * fast/innerHTML/innerHTML-special-elements-expected.txt: Added.
        * fast/innerHTML/innerHTML-special-elements.html: Added.

        * fast/parser/comment-in-textarea-expected.txt: Update test expectation.
        * fast/parser/script-tests/comment-in-textarea.js: Update test by
        replacing the <, > chars in the textarea innerHTML result with HTML entities.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@59241 268f45cc-cd09-0410-ab3c-d52691b4dbfc

2010-05-12 James Robinson <jamesr@chromium.org>
jamesr@google.com [Wed, 12 May 2010 20:51:06 +0000 (20:51 +0000)]
2010-05-12  James Robinson  <jamesr@chromium.org>

        Patch by Dan Bernstein.

        Reviewed by David Hyatt.

        Fix marking the layout root's parent as needing layout
        https://bugs.webkit.org/show_bug.cgi?id=37760

        If an element gets marked as needing layout due to the recalcStyle()
        call in FrameView::layout(), the m_layoutSchedulingEnabled flag will
        be set to false.  It's possible at this point that a parent of the
        existing FrameView::m_layoutRoot will be marked as needing layout.

        This patch updates FrameView::scheduleRelayoutOfSubtree to account
        for this case.

        Manual test only due to subtle timing issues.

        * manual-tests/layoutroot_detach.xml: Added.
        * page/FrameView.cpp:
        (WebCore::FrameView::scheduleRelayoutOfSubtree):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@59263 268f45cc-cd09-0410-ab3c-d52691b4dbfc

[XHR] Cross-Origin synchronous request with credential raises NETWORK_ERR
jchaffraix@webkit.org [Wed, 28 Apr 2010 16:29:22 +0000 (16:29 +0000)]
[XHR] Cross-Origin synchronous request with credential raises NETWORK_ERR
https://bugs.webkit.org/show_bug.cgi?id=37781
<rdar://problem/7905150>

Reviewed by Alexey Proskuryakov.

WebCore:

Tests: http/tests/xmlhttprequest/access-control-preflight-credential-async.html
       http/tests/xmlhttprequest/access-control-preflight-credential-sync.html

Rolling the patch in as I could not reproduce Qt results locally.

* loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::DocumentThreadableLoader): Now we remove the
credential from the request here to avoid forgetting to do so in the different code path.
(WebCore::DocumentThreadableLoader::makeSimpleCrossOriginAccessRequest): Just add the
"Origin" header.
(WebCore::DocumentThreadableLoader::loadRequest): Check here that the credentials have
been removed so that we don't leak them. Also tweaked a comment to make it clear that
the URL check has an issue when credentials are involved.

LayoutTests:

Test that doing a cross-origin request with a preflight check does
not raise a NETWORK_ERR exception and does not send the credentials.

* http/tests/xmlhttprequest/access-control-preflight-credential-async-expected.txt: Added.
* http/tests/xmlhttprequest/access-control-preflight-credential-async.html: Added.
* http/tests/xmlhttprequest/access-control-preflight-credential-sync-expected.txt: Added.
* http/tests/xmlhttprequest/access-control-preflight-credential-sync.html: Added.
* http/tests/xmlhttprequest/resources/basic-auth/access-control-auth-basic.php: Added.

* platform/mac-tiger/Skipped:
* platform/qt/Skipped:
Added those 2 tests to the Skipped lists.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@58409 268f45cc-cd09-0410-ab3c-d52691b4dbfc

WebCore: Fix for https://bugs.webkit.org/show_bug.cgi?id=38583
weinig@apple.com [Tue, 11 May 2010 00:08:33 +0000 (00:08 +0000)]
WebCore: Fix for https://bugs.webkit.org/show_bug.cgi?id=38583
<rdar://problem/7948784> Crash in Element::normalizeAttributes.

Reviewed by Darin Adler.

Test: fast/dom/Element/normalize-crash.html

* dom/Element.cpp:
(WebCore::Element::normalizeAttributes): Copy attributes to a vector
before iterating.
* dom/NamedAttrMap.cpp:
(WebCore::NamedNodeMap::copyAttributesToVector): Added.
* dom/NamedAttrMap.h:

LayoutTests: Test for https://bugs.webkit.org/show_bug.cgi?id=38583
<rdar://problem/7948784> Crash in Element::normalizeAttributes.

Reviewed by Darin Adler.

* fast/dom/Element/normalize-crash-expected.txt: Added.
* fast/dom/Element/normalize-crash.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@59109 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Reviewed by Darin Adler.
ap@apple.com [Mon, 10 May 2010 22:13:36 +0000 (22:13 +0000)]
    Reviewed by Darin Adler.

        Based on a patch by Eric Seidel.

        https://bugs.webkit.org/show_bug.cgi?id=28697
        <rdar://problem/7946578> WebKit crash on WebCore::Node::nodeIndex()

        It's not OK to call ContainerNode::willRemoveChild() in a loop, because Range code assumes
        that it can adjust start and end position to any node except for the one being removed -
        so these notifications cannot be batched.

        Test: fast/dom/Range/remove-all-children-crash.html

        * dom/ContainerNode.cpp:
        (WebCore::willRemoveChild): Removed unused ExceptionCode.
        (WebCore::willRemoveChildren): New function, used in removeChildren() case.
        (WebCore::ContainerNode::removeChild): ExceptionCode return was always 0, don't bother with it.
        (WebCore::ContainerNode::removeChildren): Call willRemoveChildrenFromNode.
        (WebCore::dispatchChildRemovalEvents): Moved some logic out into willRemoveChildrenFromNode
        and willRemoveChild.

        * dom/Document.cpp:
        (WebCore::Document::nodeChildrenWillBeRemoved): New function, used in removeChildren() case.

        * dom/Document.h:
        (WebCore::Document::nodeChildrenWillBeRemoved): New function, used in removeChildren() case.

        * dom/Range.h:
        * dom/Range.cpp:
        (WebCore::boundaryNodeChildrenWillBeRemoved): New function, used in removeChildren() case.
        (WebCore::Range::nodeChildrenWillBeRemoved): Ditto.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@59098 268f45cc-cd09-0410-ab3c-d52691b4dbfc

2010-04-20 Justin Schuh <jschuh@chromium.org>
japhet@chromium.org [Tue, 20 Apr 2010 21:42:20 +0000 (21:42 +0000)]
2010-04-20  Justin Schuh  <jschuh@chromium.org>

        Reviewed by Adam Barth.

        Invalid cast due to <video> inside <foreignObject> inside <svg> inside <img>
        https://bugs.webkit.org/show_bug.cgi?id=37331

        Added a setting to enable/disable media per-page and have the SVGImage
        disable media for its dummy page. Also found and fixed a related bad
        cast in the V8 bindings (JSC had a custom wrapper for this already).

        Tests: media/svg-as-image-with-media-blocked.html

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@57922 268f45cc-cd09-0410-ab3c-d52691b4dbfc

2010-04-02 Justin Schuh <jschuh@chromium.org>
abarth@webkit.org [Sat, 3 Apr 2010 04:20:26 +0000 (04:20 +0000)]
2010-04-02  Justin Schuh  <jschuh@chromium.org>

        Reviewed by Alexey Proskuryakov.

        XHR allows arbitrary XSRF across domains
        https://bugs.webkit.org/show_bug.cgi?id=36843

        Added a one-line change to prevent bypassing the XDC check on
        synchronous preflighted requests. Added layout tests to cover
        variations of this problem.

        * http/tests/xmlhttprequest/access-control-preflight-async-header-denied-expected.txt: Added.
        * http/tests/xmlhttprequest/access-control-preflight-async-header-denied.html: Added.
        * http/tests/xmlhttprequest/access-control-preflight-async-method-denied-expected.txt: Added.
        * http/tests/xmlhttprequest/access-control-preflight-async-method-denied.html: Added.
        * http/tests/xmlhttprequest/access-control-preflight-sync-header-denied-expected.txt: Added.
        * http/tests/xmlhttprequest/access-control-preflight-sync-header-denied.html: Added.
        * http/tests/xmlhttprequest/access-control-preflight-sync-method-denied-expected.txt: Added.
        * http/tests/xmlhttprequest/access-control-preflight-sync-method-denied.html: Added.
        * http/tests/xmlhttprequest/resources/access-control-preflight-denied-xsrf.php: Added.
2010-04-02  Justin Schuh  <jschuh@chromium.org>

        Reviewed by Alexey Proskuryakov.

        XHR allows arbitrary XSRF across domains
        https://bugs.webkit.org/show_bug.cgi?id=36843

        Added a one-line change to prevent bypassing the XDC check on
        synchronous preflighted requests. Added layout tests to cover
        variations of this problem.

        Tests: http/tests/xmlhttprequest/access-control-preflight-async-header-denied.html
               http/tests/xmlhttprequest/access-control-preflight-async-method-denied.html
               http/tests/xmlhttprequest/access-control-preflight-sync-header-denied.html
               http/tests/xmlhttprequest/access-control-preflight-sync-method-denied.html

        * loader/DocumentThreadableLoader.cpp:
        (WebCore::DocumentThreadableLoader::preflightFailure):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@57041 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Reviewed by Adele Peterson.
ap@apple.com [Wed, 5 May 2010 18:17:52 +0000 (18:17 +0000)]
    Reviewed by Adele Peterson.

        https://bugs.webkit.org/show_bug.cgi?id=26824
        <rdar://problem/7018610> EventHandler can operate on a wrong frame if focus changes during
        keyboard event dispatch.

        The EventHandler object is tied to a frame, so it's wrong for it to continue processing a keyboard
        event if the focused frame changes between keydown and keypress.

        * manual-tests/focus-change-between-key-events.html: Added.

        * page/EventHandler.cpp: (WebCore::EventHandler::keyEvent): Bail out early if focused frame
        changes while dispatching keydown. Also made similar changes for Windows to maintain matching
        behavior, even though EventHandler was re-entered anyway due to WM_KEYDOWN and WM_CHAR being
        separate events.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@58829 268f45cc-cd09-0410-ab3c-d52691b4dbfc

2010-05-03 Abhishek Arya <inferno@chromium.org>
abarth@webkit.org [Mon, 3 May 2010 21:50:27 +0000 (21:50 +0000)]
2010-05-03  Abhishek Arya  <inferno@chromium.org>

        Reviewed by Adam Barth.

        Tests that javascript cannot access clipboard.
        https://bugs.webkit.org/show_bug.cgi?id=27751

        * editing/execCommand/clipboard-access-expected.txt: Added.
        * editing/execCommand/clipboard-access.html: Added.
        * editing/execCommand/script-tests/clipboard-access.js: Added.
        (enabled):
        (whenEnabled):
2010-05-03  Abhishek Arya  <inferno@chromium.org>

        Reviewed by Adam Barth.

        Add support for controlling clipboard access from javascript.
        Clipboard access from javascript is disabled by default.
        https://bugs.webkit.org/show_bug.cgi?id=27751

        Test: editing/execCommand/clipboard-access.html

        * WebCore.base.exp:
        * editing/EditorCommand.cpp:
        (WebCore::supportedCopyCut):
        (WebCore::supportedPaste):
        (WebCore::createCommandMap):
        * page/Settings.cpp:
        (WebCore::Settings::Settings):
        (WebCore::Settings::setJavaScriptCanAccessClipboard):
        * page/Settings.h:
        (WebCore::Settings::javaScriptCanAccessClipboard):
2010-05-03  Abhishek Arya  <inferno@chromium.org>

        Reviewed by Adam Barth.

        Add support for controlling clipboard access from javascript.
        Clipboard access from javascript is disabled by default.
        https://bugs.webkit.org/show_bug.cgi?id=27751

        * public/WebSettings.h:
        * src/WebSettingsImpl.cpp:
        (WebKit::WebSettingsImpl::setJavaScriptCanAccessClipboard):
        * src/WebSettingsImpl.h:
2010-05-03  Abhishek Arya  <inferno@chromium.org>

        Reviewed by Adam Barth.

        Add support for controlling clipboard access from javascript.
        Clipboard access from javascript is disabled by default.
        https://bugs.webkit.org/show_bug.cgi?id=27751

        * webkit/webkitwebsettings.cpp:
        (webkit_web_settings_class_init):
        (webkit_web_settings_set_property):
        (webkit_web_settings_get_property):
        (webkit_web_settings_copy):
        * webkit/webkitwebview.cpp:
        (webkit_web_view_update_settings):
        (webkit_web_view_settings_notify):
2010-05-03  Abhishek Arya  <inferno@chromium.org>

        Reviewed by Adam Barth.

        Add support for controlling clipboard access from javascript.
        Clipboard access from javascript is disabled by default.
        https://bugs.webkit.org/show_bug.cgi?id=27751

        * WebView/WebPreferenceKeysPrivate.h:
        * WebView/WebPreferences.mm:
        (+[WebPreferences initialize]):
        (-[WebPreferences javaScriptCanAccessClipboard]):
        (-[WebPreferences setJavaScriptCanAccessClipboard:]):
        * WebView/WebPreferencesPrivate.h:
        * WebView/WebView.mm:
        (-[WebView _preferencesChangedNotification:]):
2010-05-03  Abhishek Arya  <inferno@chromium.org>

        Reviewed by Adam Barth.

        Add support for controlling clipboard access from javascript.
        Clipboard access from javascript is disabled by default.
        https://bugs.webkit.org/show_bug.cgi?id=27751

        * Api/qwebsettings.cpp:
        (QWebSettingsPrivate::apply):
        * Api/qwebsettings.h:
2010-05-03  Abhishek Arya  <inferno@chromium.org>

        Reviewed by Adam Barth.

        Add support for controlling clipboard access from javascript.
        Clipboard access from javascript is disabled by default.
        https://bugs.webkit.org/show_bug.cgi?id=27751

        * Interfaces/IWebPreferencesPrivate.idl:
        * WebPreferenceKeysPrivate.h:
        * WebPreferences.cpp:
        (WebPreferences::initializeDefaultSettings):
        (WebPreferences::javaScriptCanAccessClipboard):
        (WebPreferences::setJavaScriptCanAccessClipboard):
        * WebPreferences.h:
        * WebView.cpp:
        (WebView::notifyPreferencesChanged):
2010-05-03  Abhishek Arya  <inferno@chromium.org>

        Reviewed by Adam Barth.

        Add support for controlling clipboard access from javascript.
        Clipboard access from javascript is enabled in test framework.
        https://bugs.webkit.org/show_bug.cgi?id=27751

        * DumpRenderTree/LayoutTestController.cpp:
        (setJavaScriptCanAccessClipboardCallback):
        (LayoutTestController::staticFunctions):
        * DumpRenderTree/LayoutTestController.h:
        * DumpRenderTree/chromium/LayoutTestController.cpp:
        (LayoutTestController::LayoutTestController):
        (LayoutTestController::setJavaScriptCanAccessClipboard):
        (LayoutTestController::overridePreference):
        * DumpRenderTree/chromium/LayoutTestController.h:
        * DumpRenderTree/chromium/TestShell.cpp:
        (TestShell::resetWebSettings):
        * DumpRenderTree/gtk/DumpRenderTree.cpp:
        (resetDefaultsToConsistentValues):
        * DumpRenderTree/gtk/LayoutTestControllerGtk.cpp:
        (LayoutTestController::setJavaScriptCanAccessClipboard):
        * DumpRenderTree/mac/DumpRenderTree.mm:
        (resetDefaultsToConsistentValues):
        * DumpRenderTree/mac/LayoutTestControllerMac.mm:
        (LayoutTestController::setJavaScriptCanAccessClipboard):
        * DumpRenderTree/qt/DumpRenderTreeQt.cpp:
        (WebCore::WebPage::WebPage):
        (WebCore::WebPage::resetSettings):
        * DumpRenderTree/qt/LayoutTestControllerQt.cpp:
        (LayoutTestController::setJavaScriptCanAccessClipboard):
        * DumpRenderTree/qt/LayoutTestControllerQt.h:
        * DumpRenderTree/win/DumpRenderTree.cpp:
        (resetDefaultsToConsistentValues):
        * DumpRenderTree/win/LayoutTestControllerWin.cpp:
        (LayoutTestController::setJavaScriptCanAccessClipboard):
        * DumpRenderTree/wx/LayoutTestControllerWx.cpp:
        (LayoutTestController::setJavaScriptCanAccessClipboard):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@58703 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Reviewed by Darin Adler.
ap@apple.com [Wed, 5 May 2010 23:24:39 +0000 (23:24 +0000)]
    Reviewed by Darin Adler.

        https://bugs.webkit.org/show_bug.cgi?id=38260
        <rdar://problem/7917548> Fix whitespace removing in deprecatedParseURL().

        Broken all the way since r4 (yes, that's a revision number).

        Test: http/tests/security/xss-DENIED-javascript-with-spaces.html

        * css/CSSHelper.cpp: (WebCore::deprecatedParseURL): Fixed loop conditions for remaining length.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@58844 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago 2010-04-14 Justin Schuh <jschuh@chromium.org>
abarth@webkit.org [Thu, 15 Apr 2010 03:11:31 +0000 (03:11 +0000)]
2010-04-14  Justin Schuh  <jschuh@chromium.org>

        Reviewed by Adam Barth.

        Javascript URL can be set as iframe.src via multiple DOM aliases
        https://bugs.webkit.org/show_bug.cgi?id=37031

        Moved frame/iframe checks from Attr to Node on inherited members.
        Node child manipulation methods now return NOT_SUPPORTED_ERR if used
        on a frame/iframe src attribute.
        NamedNodeMap set methods now perform frame/iframe src checks.
        Moved allowSettingSrcToJavascriptURL static helper function from
        JSElementCustom.cpp to exported function in JSDOMBinding.h.

        * bindings/js/JSAttrCustom.cpp:
        (WebCore::JSAttr::setValue):
        * bindings/js/JSDOMBinding.cpp:
        (WebCore::allowSettingSrcToJavascriptURL):
        * bindings/js/JSDOMBinding.h:
        * bindings/js/JSElementCustom.cpp:
        * bindings/js/JSNamedNodeMapCustom.cpp:
        (WebCore::JSNamedNodeMap::setNamedItem):
        (WebCore::JSNamedNodeMap::setNamedItemNS):
        * bindings/js/JSNodeCustom.cpp:
        (WebCore::isAttrFrameSrc):
        (WebCore::JSNode::setNodeValue):
        (WebCore::JSNode::setTextContent):
        (WebCore::JSNode::insertBefore):
        (WebCore::JSNode::replaceChild):
        (WebCore::JSNode::removeChild):
        (WebCore::JSNode::appendChild):
        * bindings/v8/custom/V8AttrCustom.cpp:
        * bindings/v8/custom/V8NamedNodeMapCustom.cpp:
        (WebCore::V8NamedNodeMap::setNamedItemNSCallback):
        (WebCore::V8NamedNodeMap::setNamedItemCallback):
        (WebCore::toV8):
        * bindings/v8/custom/V8NodeCustom.cpp:
        (WebCore::isFrameSrc):
        (WebCore::V8Node::textContentAccessorSetter):
        (WebCore::V8Node::nodeValueAccessorSetter):
        (WebCore::V8Node::insertBeforeCallback):
        (WebCore::V8Node::replaceChildCallback):
        (WebCore::V8Node::removeChildCallback):
        (WebCore::V8Node::appendChildCallback):
        * dom/Attr.idl:
        * dom/NamedNodeMap.idl:
        * dom/Node.idl:
2010-04-14  Justin Schuh  <jschuh@chromium.org>

        Reviewed by Adam Barth.

        Fix frame/iframe src setting for JavaScript URLs
        https://bugs.webkit.org/show_bug.cgi?id=37031

        * http/tests/security/xss-DENIED-iframe-src-alias-expected.txt:
        * http/tests/security/xss-DENIED-iframe-src-alias.html:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@57627 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago 2010-03-26 Justin Schuh <jschuh@chromium.org>
abarth@webkit.org [Sat, 27 Mar 2010 02:15:16 +0000 (02:15 +0000)]
2010-03-26  Justin Schuh  <jschuh@chromium.org>

        Reviewed by Adam Barth.

        Security: iFrame.src accepts JavaScript URL via nodeValue or textContent
        https://bugs.webkit.org/show_bug.cgi?id=36502

        Overrode inherited nodeValue and textContent in Attr.idl so they proxy
        to value, which performs a security check.

        * http/tests/security/xss-DENIED-iframe-src-alias-expected.txt: Added.
        * http/tests/security/xss-DENIED-iframe-src-alias.html: Added.
2010-03-26  Justin Schuh  <jschuh@chromium.org>

        Reviewed by Adam Barth.

        Security: iFrame.src accepts JavaScript URL via nodeValue or textContent
        https://bugs.webkit.org/show_bug.cgi?id=36502

        Overrode inherited nodeValue and textContent in Attr.idl so they proxy
        to value, which performs a security check.

        Test: http/tests/security/xss-DENIED-iframe-src-alias.html

        * bindings/js/JSAttrCustom.cpp:
        (WebCore::JSAttr::nodeValue):
        (WebCore::JSAttr::setNodeValue):
        (WebCore::JSAttr::textContent):
        (WebCore::JSAttr::setTextContent):
        * bindings/v8/custom/V8AttrCustom.cpp:
        (WebCore::V8Attr::nodeValueAccessorSetter):
        (WebCore::V8Attr::nodeValueAccessorGetter):
        (WebCore::V8Attr::textContentAccessorSetter):
        (WebCore::V8Attr::textContentAccessorGetter):
        * dom/Attr.idl:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@56651 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago <rdar://problem/7898436> :after content is duplicated
mitz@apple.com [Sat, 24 Apr 2010 00:16:30 +0000 (00:16 +0000)]
<rdar://problem/7898436> :after content is duplicated

Reviewed by Simon Fraser.

WebCore:

Test: fast/css-generated-content/after-duplicated-after-split.html

* rendering/RenderInline.cpp:
(WebCore::RenderInline::splitInlines): Pass the correct owner of the child list.

LayoutTests:

* fast/css-generated-content/after-duplicated-after-split.html: Added.
* platform/mac/fast/css-generated-content/after-duplicated-after-split-expected.checksum: Added.
* platform/mac/fast/css-generated-content/after-duplicated-after-split-expected.png: Added.
* platform/mac/fast/css-generated-content/after-duplicated-after-split-expected.txt: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@58201 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago 2010-03-30 Chris Evans <cevans@chromium.org>
abarth@webkit.org [Tue, 30 Mar 2010 21:51:52 +0000 (21:51 +0000)]
2010-03-30  Chris Evans  <cevans@chromium.org>

        Reviewed by Adam Barth.

        Add test for SVG pattern canvas tainting.

        https://bugs.webkit.org/show_bug.cgi?id=36838

        * fast/canvas/svg-taint.html: Added
        * fast/canvas/svg-taint-expected.txt: Added
        * fast/canvas/resources/empty.svg: Added
2010-03-30  Chris Evans  <cevans@chromium.org>

        Reviewed by Adam Barth.

        Taint the canvas if an SVG-derived pattern is rendered into it.

        https://bugs.webkit.org/show_bug.cgi?id=36838

        Test: fast/canvas/svg-taint.html

        * html/canvas/CanvasRenderingContext2D.cpp:
        (WebCore::CanvasRenderingContext2D::createPattern):
          Take into account the image's hasSingleSecurityOrigin() property.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@56810 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago 2010-03-22 Darin Fisher <darin@chromium.org>
darin@chromium.org [Mon, 22 Mar 2010 22:57:29 +0000 (22:57 +0000)]
2010-03-22  Darin Fisher  <darin@chromium.org>

        Reviewed by Brady Eidson.

        HistoryController::replaceState() should modify m_currentItem
        instead of the current HistoryItem of the BackForwardList.

        https://bugs.webkit.org/show_bug.cgi?id=36435

        Test: fast/loader/stateobjects/replacestate-in-iframe.html

        * loader/HistoryController.cpp:
        (WebCore::HistoryController::replaceState):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@56365 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago Add missing file from r56186.
mitz@apple.com [Thu, 18 Mar 2010 23:23:09 +0000 (23:23 +0000)]
Add missing file from r56186.

* fast/dynamic/float-remove-above-line-2-expected.txt: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@56202 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago WebCore: <rdar://problem/7761400> Rework the fix for
mitz@apple.com [Thu, 18 Mar 2010 20:33:17 +0000 (20:33 +0000)]
WebCore: <rdar://problem/7761400> Rework the fix for
https://bugs.webkit.org/show_bug.cgi?id=18722

Reviewed by Darin Adler.

Test: fast/dynamic/float-remove-above-line-2.html

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::removeFloatingObject): Treat 0- and less-than-0-height floats
as having a height of 1 so that they intersect with the line they originate on.
(WebCore::RenderBlock::clearFloats): Use numeric_limits.
* rendering/RenderBlockLineLayout.cpp:
(WebCore::RenderBlock::layoutInlineChildren): Removed the intersection checks here,
so that a float is always included in the float list of the line it originates on, even
if it does not intersect that line. This ensures that every float is accounted for, which
is necessary during incremental layout when adding floats from clean lines.

LayoutTests: Additional test for <rdar://problem/7761400>

Reviewed by Darin Adler.

* fast/dynamic/float-remove-above-line-2.html: Copied from LayoutTests/fast/dynamic/float-remove-above-line.html.
* fast/dynamic/float-remove-above-line-expected.txt: Updated.
* fast/dynamic/float-remove-above-line.html: Fixed inconsequential typo in end tag.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@56186 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago 2010-03-19 Shinichiro Hamaji <hamaji@chromium.org>
hamaji@chromium.org [Sat, 20 Mar 2010 05:29:01 +0000 (05:29 +0000)]
2010-03-19  Shinichiro Hamaji  <hamaji@chromium.org>

        Reviewed by Dan Bernstein.

        WebCore::RenderButton::styleDidChange ReadAV@NULL (6739b7fe455ecb54a6812c0866c3b47c)
        https://bugs.webkit.org/show_bug.cgi?id=34641

        * fast/css/first-letter-block-form-controls-crash-expected.txt: Added.
        * fast/css/first-letter-block-form-controls-crash.html: Added.
2010-03-19  Shinichiro Hamaji  <hamaji@chromium.org>

        Reviewed by Dan Bernstein.

        WebCore::RenderButton::styleDidChange ReadAV@NULL (6739b7fe455ecb54a6812c0866c3b47c)
        https://bugs.webkit.org/show_bug.cgi?id=34641

        Don't dig into buttons and menu lists when finding which element
        should be modified by the :first-letter pseudo class.  Even before
        this change, we didn't dig into inline buttons and menu lists, as
        they are replaced, so this issue wasn't found for a long time.

        Test: fast/css/first-letter-block-form-controls-crash.html

        * rendering/RenderBlock.cpp:
        (WebCore::RenderBlock::updateFirstLetter):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@56297 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago Remove Geolocation.lastPosition, no longer in the spec.
darin@apple.com [Thu, 18 Mar 2010 20:42:11 +0000 (20:42 +0000)]
Remove Geolocation.lastPosition, no longer in the spec.
https://bugs.webkit.org/show_bug.cgi?id=36255
rdar://problem/7746357

Reviewed by Kenneth Rohde Christiansen.

* WebCore.base.exp: Updated since Geolocation's destructor is now non-virtual.

* page/Geolocation.cpp:
(WebCore::Geolocation::lastPosition): Add an assertion; it's only legal to
call this if access to the location is allowed.

* page/Geolocation.h: Removed unneeded includes. Made destructor non-virtual,
although it will still be virtual if any of the base classes have a virtual
destructor. Made lastPosition, isAllowed, and isDenied functions private.
Removed unused suspend, resume, setShouldClearCache, shouldClearCache,
and frame functions.

* page/Geolocation.idl: Removed lastPosition read-only attribute. No longer in
the Geolocation specification.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@56188 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago NEWS for 1.2.2 1.1.2 1.2.2
Gustavo Noronha Silva [Fri, 9 Jul 2010 19:53:31 +0000 (16:53 -0300)]
NEWS for 1.2.2

7 years ago One more NULL check to avoid crashing with page cache on
Gustavo Noronha Silva [Fri, 9 Jul 2010 18:49:43 +0000 (15:49 -0300)]
One more NULL check to avoid crashing with page cache on

7 years ago 2010-07-07 Gustavo Noronha Silva <gustavo.noronha@collabora.co.uk>
kov@webkit.org [Wed, 7 Jul 2010 15:32:23 +0000 (15:32 +0000)]
2010-07-07  Gustavo Noronha Silva  <gustavo.noronha@collabora.co.uk>

        Reviewed by Xan Lopez.

        [GTK] Scrollbars sometimes go dead and stop scrolling the view
        https://bugs.webkit.org/show_bug.cgi?id=41711

        Rework the setGtkAdjustment function slightly, make it have an
        early return, and be more readable.

        * platform/gtk/ScrollViewGtk.cpp:
        (WebCore::ScrollView::setGtkAdjustments):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@62671 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago 2010-07-06 Gustavo Noronha Silva <gustavo.noronha@collabora.co.uk>
kov@webkit.org [Tue, 6 Jul 2010 23:20:22 +0000 (23:20 +0000)]
2010-07-06  Gustavo Noronha Silva  <gustavo.noronha@collabora.co.uk>

        Unreviewed.

        Fixes regression on API test by disabling the scrollbars before
        configuring the adjustments.

        * platform/gtk/ScrollViewGtk.cpp:
        (WebCore::ScrollView::setGtkAdjustments):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@62604 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago 2010-07-06 Gustavo Noronha Silva <gustavo.noronha@collabora.co.uk>
kov@webkit.org [Tue, 6 Jul 2010 22:32:21 +0000 (22:32 +0000)]
2010-07-06  Gustavo Noronha Silva  <gustavo.noronha@collabora.co.uk>

        Reviewed by Xan Lopez.

        [GTK] Scrollbars sometimes go dead and stop scrolling the view
        https://bugs.webkit.org/show_bug.cgi?id=41711

        Fixes GtkScrolledWindow scrollbars not actually scrolling the page
        in certain conditions. No tests because it is hard to reproduce,
        and depends on interaction with a widget that is outside of the
        WebView, which is tricky.

        * platform/gtk/ScrollViewGtk.cpp:
        (WebCore::ScrollView::setGtkAdjustments):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@62598 268f45cc-cd09-0410-ab3c-d52691b4dbfc