author | Steve Block <steveblock@google.com> | 2011-02-16 13:06:58 +0000 |
---|---|---|
committer | Steve Block <steveblock@google.com> | 2011-02-16 13:10:08 +0000 |
commit | f7f6d6409be37f76dc308902285d24806dc87ef2 (patch) | |
tree | f2cb1de65a785a078cb6b0df502f22f31e56f7f4 | |
parent | a38cdf7feffba4f61bd533e43fcacec7418ea150 (diff) | |
Merge WebKit at Chromium 9.0.597.106: Initial merge by Git
Note that we are tracking the Chromium 9.0.597 release branch,
which is WebKit r72805 + stability cherry picks.
This corresponds to r78455 on the 597 release branch.
Change-Id: I72375d9b61a767449086f0c9dc4105b2a6b62ddc
36 files changed, 514 insertions, 109 deletions
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog index ae5f73f..2749f26 100644 --- a/WebCore/ChangeLog +++ b/WebCore/ChangeLog 
@@ -1,3 +1,234 @@ +2011-01-30 Kenichi Ishibashi <bashi@google.com> + + Reviewed by Kent Tamura. + + Dangling form associated elements should not be registered on the document + https://bugs.webkit.org/show_bug.cgi?id=53223 + + Adds insertedIntoDocument() and remvoedFromDocument() to + FormAssociatedElement class to register the element on the document + if and only if it actually inserted into (removed from) the document. + + Test: fast/forms/dangling-form-element-crash.html + + * html/FormAssociatedElement.cpp: + (WebCore::FormAssociatedElement::insertedIntoDocument): Added. + (WebCore::FormAssociatedElement::removedFromDocument): Ditto. + (WebCore::FormAssociatedElement::insertedIntoTree): Don't register + the element to a document. + (WebCore::FormAssociatedElement::removedFromTree): Don't unregister + the element from a document. + * html/FormAssociatedElement.h: + * html/HTMLFormControlElement.cpp: + (WebCore::HTMLFormControlElement::insertedIntoDocument): Added. + (WebCore::HTMLFormControlElement::removedFromDocument): Ditto. + * html/HTMLFormControlElement.h: + * html/HTMLObjectElement.cpp: + (WebCore::HTMLObjectElement::insertedIntoDocument): Calls + FormAssociatedElement::insertedIntoDocument(). + (WebCore::HTMLObjectElement::removedFromDocument): Calls + FormAssociatedElement::removedFromDocument(). + +2011-02-08 Zhenyao Mo <zmo@google.com> + + Reviewed by Kenneth Russell. + + drawElements should check if a buffer is bound to ELEMENT_ARRAY_BUFFER + https://bugs.webkit.org/show_bug.cgi?id=54017 + + * html/canvas/WebGLRenderingContext.cpp: + (WebCore::WebGLRenderingContext::drawElements): + +2011-02-02 Chris Evans <cevans@chromium.org> + + Reviewed by Darin Fisher. + + window.find() can fail when switching case sensitivity + https://bugs.webkit.org/show_bug.cgi?id=53654 + + Reset the pattern to a safe one when done, to avoid usearch_reset() + indirectly touching the old, stale text pointer. 
+ + Test: fast/text/find-window.html + + * editing/TextIterator.cpp: + (WebCore::SearchBuffer::~SearchBuffer): leave a safe pattern buffer when done. + +2011-02-03 Justin Schuh <jschuh@chromium.org> + + Reviewed by Dirk Schulze. + + startAnimations should use a local, RefCounted Vector. + https://bugs.webkit.org/show_bug.cgi?id=53458 + + Test: svg/custom/use-animation-in-fill.html + + * svg/SVGDocumentExtensions.cpp: + (WebCore::SVGDocumentExtensions::startAnimations): + +2011-02-03 Abhishek Arya <inferno@chromium.org> + + Reviewed by James Robinson. + + Enforce more limits on root inline boxes height calculations. + https://bugs.webkit.org/show_bug.cgi?id=53729 + + Test: fast/overflow/overflow-height-float-not-removed-crash.html + + * rendering/RenderBlock.cpp: + (WebCore::RenderBlock::removeFloatingObject): prevent logicalBottom to + become negative when logicalTop is INT_MAX. + (WebCore::RenderBlock::markLinesDirtyInBlockRange): when logicalBottom + is INT_MAX, we should dirty everything. So, we bail out to make + afterLowest equal to the lastRootBox() or lowestDirstLine. + +2011-01-26 Emil A Eklund <eae@chromium.org> + + Reviewed by Alexey Proskuryakov. + + Remove cached document reference from CSSStyleSheet and XSLStyleSheet. 
+ https://bugs.webkit.org/show_bug.cgi?id=52084 + + Test: fast/dom/css-delete-doc.html + + * css/CSSMediaRule.cpp: + (WebCore::CSSMediaRule::insertRule): + (WebCore::CSSMediaRule::deleteRule): + * css/CSSStyleSheet.cpp: + (WebCore::CSSStyleSheet::CSSStyleSheet): + (WebCore::CSSStyleSheet::document): + * css/CSSStyleSheet.h: + * xml/XSLStyleSheet.h: + (WebCore::XSLStyleSheet::parentStyleSheet): + * xml/XSLStyleSheetLibxslt.cpp: + (WebCore::XSLStyleSheet::XSLStyleSheet): + (WebCore::XSLStyleSheet::cachedResourceLoader): + (WebCore::XSLStyleSheet::setParentStyleSheet): + (WebCore::XSLStyleSheet::ownerDocument): + * xml/XSLStyleSheetQt.cpp: + (WebCore::XSLStyleSheet::XSLStyleSheet): + (WebCore::XSLStyleSheet::cachedResourceLoader): + (WebCore::XSLStyleSheet::ownerDocument): + +2011-01-27 Abhishek Arya <inferno@chromium.org> + + Reviewed by Dave Hyatt. + + If beforeChild is wrapped in an anonymous table section, we need to + go the parent to find it and use it before adding childs to table. + https://bugs.webkit.org/show_bug.cgi?id=53276 + + We need to make sure that beforeChild's parent is "this" before calling + RenderBox::addChild. The previous condition in while is too restrictive + and fails to calculate the right beforeChild value when its display + style is table caption. + Test: fast/table/before-child-non-table-section-add-table-crash.html + + * rendering/RenderTable.cpp: + (WebCore::RenderTable::addChild): + +2011-02-01 Abhishek Arya <inferno@chromium.org> + + Reviewed by Dan Bernstein. + + Do not add a node in the document's stylesheet candidate node list if the + node is already removed from document. + https://bugs.webkit.org/show_bug.cgi?id=53441 + + Test: fast/css/stylesheet-candidate-nodes-crash.xhtml + + * dom/Document.cpp: + (WebCore::Document::addStyleSheetCandidateNode): + +2011-01-31 Abhishek Arya <inferno@chromium.org> + + Reviewed by Dimitri Glazkov. + + Check the textarea node still exists in document before casting + it to HTMLTextAreaElement. 
+ https://bugs.webkit.org/show_bug.cgi?id=53429 + + Test: fast/forms/textarea-node-removed-from-document-crash.html + + * rendering/RenderTextControlMultiLine.cpp: + (WebCore::RenderTextControlMultiLine::~RenderTextControlMultiLine): + +2011-02-02 Jian Li <jianli@chromium.org> + + Reviewed by Kenneth Russell. + + [V8] Accessing DataView with index of -1 returns 0, doesn't throw + https://bugs.webkit.org/show_bug.cgi?id=53559 + + Added test cases to cover this in fast/canvas/webgl/data-view-test.html. + + * html/canvas/DataView.h: + (WebCore::DataView::beyondRange): + +2011-02-06 Andreas Kling <kling@webkit.org> + + Reviewed by Dirk Schulze. + + Fix potential buffer overrun in SVGTextRunWalker::walk() + https://bugs.webkit.org/show_bug.cgi?id=53870 + + A new String was created from a UChar* with a 'length' argument + that could be greater than the number of UChars available. + + * svg/SVGFont.cpp: + (WebCore::SVGTextRunWalker::walk): + +2011-02-02 Cris Neckar <cdn@chromium.org> + + Reviewed by James Robinson. + + Refcount domwindows when dispatching device orientation events. + https://bugs.webkit.org/show_bug.cgi?id=53623 + + Test: fast/events/device-orientation-crash.html + + * dom/DeviceMotionController.cpp: + (WebCore::DeviceMotionController::timerFired): + (WebCore::DeviceMotionController::didChangeDeviceMotion): + * dom/DeviceMotionController.h: + * dom/DeviceOrientationController.cpp: + (WebCore::DeviceOrientationController::timerFired): + (WebCore::DeviceOrientationController::didChangeDeviceOrientation): + * dom/DeviceOrientationController.h: + +2011-01-27 Abhishek Arya <inferno@chromium.org> + + Reviewed by Dan Bernstein. + + Recalc table sections if needed before calculating the first line + box baseline. + https://bugs.webkit.org/show_bug.cgi?id=53265 + + When we try to calculate the baseline position of a table cell, + we recurse through all the child sibling boxes (when children are + non inline) and add their first linebox baseline values. 
If one of + the children is a table with pending section recalc, we will access + wrong table section values. We recalc table sections if it is needed. + + Test: fast/table/recalc-section-first-body-crash-main.html + + * rendering/RenderTable.cpp: + (WebCore::RenderTable::firstLineBoxBaseline): + +2011-01-27 Cris Neckar <cdn@chromium.org> + + Reviewed by Dimitri Glazkov. + + Clear the parent on a css keyframe's m_style when removing it from the stylesheet. + https://bugs.webkit.org/show_bug.cgi?id=52320 + + Test: fast/css/css-keyframe-style-crash.html + + * css/CSSRuleList.cpp: + (WebCore::CSSRuleList::deleteRule): + * css/WebKitCSSKeyframesRule.cpp: + (WebCore::WebKitCSSKeyframesRule::~WebKitCSSKeyframesRule): + 2011-01-20 Xiaomei Ji <xji@chromium.org> Reviewed by Dan Bernstein. diff --git a/WebCore/bindings/v8/V8NPUtils.cpp b/WebCore/bindings/v8/V8NPUtils.cpp index 8fa19d7..4fb0456 100644 --- a/WebCore/bindings/v8/V8NPUtils.cpp +++ b/WebCore/bindings/v8/V8NPUtils.cpp @@ -65,8 +65,9 @@ void convertV8ObjectToNPVariant(v8::Local<v8::Value> object, NPObject* owner, NP VOID_TO_NPVARIANT(*result); else if (object->IsString()) { v8::String::Utf8Value utf8(object); - char* utf8_chars = strdup(*utf8); - STRINGN_TO_NPVARIANT(utf8_chars, utf8.length(), *result); + char* utf8Chars = reinterpret_cast<char*>(malloc(utf8.length())); + memcpy(utf8Chars, *utf8, utf8.length()); + STRINGN_TO_NPVARIANT(utf8Chars, utf8.length(), *result); } else if (object->IsObject()) { DOMWindow* window = V8Proxy::retrieveWindow(V8Proxy::currentContext()); NPObject* npobject = npCreateV8ScriptObject(0, v8::Handle<v8::Object>::Cast(object), window); diff --git a/WebCore/css/CSSFontFaceSource.cpp b/WebCore/css/CSSFontFaceSource.cpp index 30a0072..d5dc6ec 100644 --- a/WebCore/css/CSSFontFaceSource.cpp +++ b/WebCore/css/CSSFontFaceSource.cpp 
@@ -168,7 +168,7 @@ SimpleFontData* CSSFontFaceSource::getFontData(const FontDescription& fontDescri #if ENABLE(SVG_FONTS) // In-Document SVG Fonts if (m_svgFontFaceElement) - fontData.set(new SimpleFontData(adoptPtr(new SVGFontData(m_svgFontFaceElement)), fontDescription.computedPixelSize(), syntheticBold, syntheticItalic)); + fontData.set(new SimpleFontData(adoptPtr(new SVGFontData(m_svgFontFaceElement.get())), fontDescription.computedPixelSize(), syntheticBold, syntheticItalic)); #endif } } else { @@ -190,6 +190,16 @@ SimpleFontData* CSSFontFaceSource::getFontData(const FontDescription& fontDescri } #if ENABLE(SVG_FONTS) +SVGFontFaceElement* CSSFontFaceSource::svgFontFaceElement() const +{ + return m_svgFontFaceElement.get(); +} + +void CSSFontFaceSource::setSVGFontFaceElement(PassRefPtr<SVGFontFaceElement> element) +{ + m_svgFontFaceElement = element; +} + bool CSSFontFaceSource::isSVGFontFaceSource() const { return m_svgFontFaceElement || (m_font && m_font->isSVGFont()); diff --git a/WebCore/css/CSSFontFaceSource.h b/WebCore/css/CSSFontFaceSource.h index e2057cc..a5c3e61 100644 --- a/WebCore/css/CSSFontFaceSource.h +++ b/WebCore/css/CSSFontFaceSource.h @@ -63,8 +63,8 @@ public: void pruneTable(); #if ENABLE(SVG_FONTS) - SVGFontFaceElement* svgFontFaceElement() const { return m_svgFontFaceElement; } - void setSVGFontFaceElement(SVGFontFaceElement* element) { m_svgFontFaceElement = element; } + SVGFontFaceElement* svgFontFaceElement() const; + void setSVGFontFaceElement(PassRefPtr<SVGFontFaceElement>); bool isSVGFontFaceSource() const; #endif @@ -75,7 +75,7 @@ private: HashMap<unsigned, SimpleFontData*> m_fontDataTable; // The hash key is composed of size synthetic styles. #if ENABLE(SVG_FONTS) - SVGFontFaceElement* m_svgFontFaceElement; + RefPtr<SVGFontFaceElement> m_svgFontFaceElement; RefPtr<SVGFontElement> m_externalSVGFontElement; #endif }; diff --git a/WebCore/css/CSSMediaRule.cpp b/WebCore/css/CSSMediaRule.cpp index 6348762..46dc780 100644 
--- a/WebCore/css/CSSMediaRule.cpp +++ b/WebCore/css/CSSMediaRule.cpp @@ -88,8 +88,8 @@ unsigned CSSMediaRule::insertRule(const String& rule, unsigned index, ExceptionC newRule->setParent(this); unsigned returnedIndex = m_lstCSSRules->insertRule(newRule.get(), index); - // stylesheet() can only return 0 for computed style declarations. - stylesheet()->styleSheetChanged(); + if (stylesheet()) + stylesheet()->styleSheetChanged(); return returnedIndex; } @@ -105,8 +105,8 @@ void CSSMediaRule::deleteRule(unsigned index, ExceptionCode& ec) m_lstCSSRules->deleteRule(index); - // stylesheet() can only return 0 for computed style declarations. - stylesheet()->styleSheetChanged(); + if (stylesheet()) + stylesheet()->styleSheetChanged(); } String CSSMediaRule::cssText() const diff --git a/WebCore/css/CSSRuleList.cpp b/WebCore/css/CSSRuleList.cpp index 0a312af..da65632 100644 --- a/WebCore/css/CSSRuleList.cpp +++ b/WebCore/css/CSSRuleList.cpp @@ -22,8 +22,10 @@ #include "config.h" #include "CSSRuleList.h" +#include "CSSMutableStyleDeclaration.h" #include "CSSRule.h" #include "StyleList.h" +#include "WebKitCSSKeyframeRule.h" namespace WebCore { @@ -76,6 +78,11 @@ void CSSRuleList::deleteRule(unsigned index) return; } + if (m_lstCSSRules[index]->isKeyframeRule()) { + if (CSSMutableStyleDeclaration* style = static_cast<WebKitCSSKeyframeRule*>(m_lstCSSRules[index].get())->style()) + style->setParent(0); + } + m_lstCSSRules[index]->setParent(0); m_lstCSSRules.remove(index); } diff --git a/WebCore/css/CSSStyleSheet.cpp b/WebCore/css/CSSStyleSheet.cpp index d5487a1..16c2ba8 100644 --- a/WebCore/css/CSSStyleSheet.cpp +++ b/WebCore/css/CSSStyleSheet.cpp 
@@ -53,7 +53,6 @@ static bool isAcceptableCSSStyleSheetParent(Node* parentNode) CSSStyleSheet::CSSStyleSheet(CSSStyleSheet* parentSheet, const String& href, const KURL& baseURL, const String& charset) : StyleSheet(parentSheet, href, baseURL) - , m_document(parentSheet ? parentSheet->document() : 0) , m_charset(charset) , m_loadCompleted(false) , m_strictParsing(!parentSheet || parentSheet->useStrictParsing()) @@ -64,7 +63,6 @@ CSSStyleSheet::CSSStyleSheet(CSSStyleSheet* parentSheet, const String& href, con CSSStyleSheet::CSSStyleSheet(Node* parentNode, const String& href, const KURL& baseURL, const String& charset) : StyleSheet(parentNode, href, baseURL) - , m_document(parentNode->document()) , m_charset(charset) , m_loadCompleted(false) , m_strictParsing(false) @@ -82,7 +80,6 @@ CSSStyleSheet::CSSStyleSheet(CSSRule* ownerRule, const String& href, const KURL& , m_hasSyntacticallyValidCSSHeader(true) { CSSStyleSheet* parentSheet = ownerRule ? ownerRule->parentStyleSheet() : 0; - m_document = parentSheet ? parentSheet->document() : 0; m_isUserStyleSheet = parentSheet ? parentSheet->isUserStyleSheet() : false; } @@ -233,6 +230,24 @@ void CSSStyleSheet::checkLoaded() m_loadCompleted = ownerNode() ? ownerNode()->sheetLoaded() : true; } +Document* CSSStyleSheet::document() +{ + StyleBase* styleObject = this; + while (styleObject) { + if (styleObject->isCSSStyleSheet()) { + Node* ownerNode = static_cast<CSSStyleSheet*>(styleObject)->ownerNode(); + if (ownerNode) + return ownerNode->document(); + } + if (styleObject->isRule()) + styleObject = static_cast<CSSRule*>(styleObject)->parentStyleSheet(); + else + styleObject = styleObject->parent(); + } + + return 0; +} + void CSSStyleSheet::styleSheetChanged() { StyleBase* root = this; diff --git a/WebCore/css/CSSStyleSheet.h b/WebCore/css/CSSStyleSheet.h index 725518f..062886a 100644 --- a/WebCore/css/CSSStyleSheet.h +++ b/WebCore/css/CSSStyleSheet.h 
@@ -87,7 +87,7 @@ public: virtual void checkLoaded(); - Document* document() { return m_document; } + Document* document(); const String& charset() const { return m_charset; } @@ -112,7 +112,6 @@ private: virtual bool isCSSStyleSheet() const { return true; } virtual String type() const { return "text/css"; } - Document* m_document; OwnPtr<CSSNamespace> m_namespaces; String m_charset; bool m_loadCompleted : 1; diff --git a/WebCore/css/WebKitCSSKeyframesRule.cpp b/WebCore/css/WebKitCSSKeyframesRule.cpp index 23f9f34..bf0c463 100644 --- a/WebCore/css/WebKitCSSKeyframesRule.cpp +++ b/WebCore/css/WebKitCSSKeyframesRule.cpp @@ -24,12 +24,13 @@ */ #include "config.h" +#include "WebKitCSSKeyframesRule.h" +#include "CSSMutableStyleDeclaration.h" #include "CSSParser.h" -#include "WebKitCSSKeyframesRule.h" -#include "WebKitCSSKeyframeRule.h" #include "CSSRuleList.h" #include "StyleSheet.h" +#include "WebKitCSSKeyframeRule.h" namespace WebCore { @@ -45,8 +46,13 @@ WebKitCSSKeyframesRule::~WebKitCSSKeyframesRule() if (length == 0) return; - for (int i = 0; i < length; i++) + for (int i = 0; i < length; i++) { + if (m_lstCSSRules->item(i)->isKeyframeRule()) { + if (CSSMutableStyleDeclaration* style = static_cast<WebKitCSSKeyframeRule*>(m_lstCSSRules->item(i))->style()) + style->setParent(0); + } m_lstCSSRules->item(i)->setParent(0); + } } String WebKitCSSKeyframesRule::name() const diff --git a/WebCore/dom/DeviceMotionController.cpp b/WebCore/dom/DeviceMotionController.cpp index 3385167..28e201e 100644 --- a/WebCore/dom/DeviceMotionController.cpp +++ b/WebCore/dom/DeviceMotionController.cpp 
@@ -54,7 +54,7 @@ void DeviceMotionController::timerFired(Timer<DeviceMotionController>* timer) RefPtr<DeviceMotionData> deviceMotionData = m_client ? m_client->currentDeviceMotion() : DeviceMotionData::create(); RefPtr<DeviceMotionEvent> event = DeviceMotionEvent::create(eventNames().devicemotionEvent, deviceMotionData.get()); - Vector<DOMWindow*> listenersVector; + Vector<RefPtr<DOMWindow> > listenersVector; copyToVector(m_newListeners, listenersVector); m_newListeners.clear(); for (size_t i = 0; i < listenersVector.size(); ++i) @@ -100,7 +100,7 @@ void DeviceMotionController::removeAllListeners(DOMWindow* window) void DeviceMotionController::didChangeDeviceMotion(DeviceMotionData* deviceMotionData) { RefPtr<DeviceMotionEvent> event = DeviceMotionEvent::create(eventNames().devicemotionEvent, deviceMotionData); - Vector<DOMWindow*> listenersVector; + Vector<RefPtr<DOMWindow> > listenersVector; copyToVector(m_listeners, listenersVector); for (size_t i = 0; i < listenersVector.size(); ++i) listenersVector[i]->dispatchEvent(event); diff --git a/WebCore/dom/DeviceMotionController.h b/WebCore/dom/DeviceMotionController.h index 70c948e..80c9d94 100644 --- a/WebCore/dom/DeviceMotionController.h +++ b/WebCore/dom/DeviceMotionController.h @@ -52,9 +52,9 @@ private: void timerFired(Timer<DeviceMotionController>*); DeviceMotionClient* m_client; - typedef HashCountedSet<DOMWindow*> ListenersCountedSet; + typedef HashCountedSet<RefPtr<DOMWindow> > ListenersCountedSet; ListenersCountedSet m_listeners; - typedef HashSet<DOMWindow*> ListenersSet; + typedef HashSet<RefPtr<DOMWindow> > ListenersSet; ListenersSet m_newListeners; Timer<DeviceMotionController> m_timer; }; diff --git a/WebCore/dom/DeviceOrientationController.cpp b/WebCore/dom/DeviceOrientationController.cpp index 60fcf13..da42bec 100644 --- a/WebCore/dom/DeviceOrientationController.cpp +++ b/WebCore/dom/DeviceOrientationController.cpp 
@@ -54,7 +54,7 @@ void DeviceOrientationController::timerFired(Timer<DeviceOrientationController>* RefPtr<DeviceOrientation> orientation = m_client->lastOrientation(); RefPtr<DeviceOrientationEvent> event = DeviceOrientationEvent::create(eventNames().deviceorientationEvent, orientation.get()); - Vector<DOMWindow*> listenersVector; + Vector<RefPtr<DOMWindow> > listenersVector; copyToVector(m_newListeners, listenersVector); m_newListeners.clear(); for (size_t i = 0; i < listenersVector.size(); ++i) @@ -102,7 +102,7 @@ void DeviceOrientationController::removeAllListeners(DOMWindow* window) void DeviceOrientationController::didChangeDeviceOrientation(DeviceOrientation* orientation) { RefPtr<DeviceOrientationEvent> event = DeviceOrientationEvent::create(eventNames().deviceorientationEvent, orientation); - Vector<DOMWindow*> listenersVector; + Vector<RefPtr<DOMWindow> > listenersVector; copyToVector(m_listeners, listenersVector); for (size_t i = 0; i < listenersVector.size(); ++i) listenersVector[i]->dispatchEvent(event); diff --git a/WebCore/dom/DeviceOrientationController.h b/WebCore/dom/DeviceOrientationController.h index 4fa9006..5e06771 100644 --- a/WebCore/dom/DeviceOrientationController.h +++ b/WebCore/dom/DeviceOrientationController.h @@ -55,9 +55,9 @@ private: Page* m_page; DeviceOrientationClient* m_client; - typedef HashCountedSet<DOMWindow*> ListenersCountedSet; + typedef HashCountedSet<RefPtr<DOMWindow> > ListenersCountedSet; ListenersCountedSet m_listeners; - typedef HashSet<DOMWindow*> ListenersSet; + typedef HashSet<RefPtr<DOMWindow> > ListenersSet; ListenersSet m_newListeners; Timer<DeviceOrientationController> m_timer; }; diff --git a/WebCore/dom/Document.cpp b/WebCore/dom/Document.cpp index 400d917..f01ae32 100644 --- a/WebCore/dom/Document.cpp +++ b/WebCore/dom/Document.cpp 
@@ -2990,6 +2990,9 @@ void Document::styleSelectorChanged(StyleSelectorUpdateFlag updateFlag) void Document::addStyleSheetCandidateNode(Node* node, bool createdByParser) { + if (!node->inDocument()) + return; + // Until the <body> exists, we have no choice but to compare document positions, // since styles outside of the body and head continue to be shunted into the head // (and thus can shift to end up before dynamically added DOM content that is also diff --git a/WebCore/editing/TextIterator.cpp b/WebCore/editing/TextIterator.cpp index 2ea16fb..182742e 100644 --- a/WebCore/editing/TextIterator.cpp +++ b/WebCore/editing/TextIterator.cpp @@ -1869,6 +1869,11 @@ inline SearchBuffer::SearchBuffer(const String& target, bool isCaseSensitive) inline SearchBuffer::~SearchBuffer() { + // Leave the static object pointing to a valid string. + UErrorCode status = U_ZERO_ERROR; + usearch_setPattern(WebCore::searcher(), &newlineCharacter, 1, &status); + ASSERT(status == U_ZERO_ERROR); + unlockSearcher(); } diff --git a/WebCore/history/HistoryItem.cpp b/WebCore/history/HistoryItem.cpp index 34b54a1..2c1ffb3 100644 --- a/WebCore/history/HistoryItem.cpp +++ b/WebCore/history/HistoryItem.cpp @@ -60,6 +60,8 @@ HistoryItem::HistoryItem() , m_visitCount(0) , m_itemSequenceNumber(generateSequenceNumber()) , m_documentSequenceNumber(generateSequenceNumber()) + , m_next(0) + , m_prev(0) { } @@ -74,6 +76,8 @@ HistoryItem::HistoryItem(const String& urlString, const String& title, double ti , m_visitCount(0) , m_itemSequenceNumber(generateSequenceNumber()) , m_documentSequenceNumber(generateSequenceNumber()) + , m_next(0) + , m_prev(0) { iconDatabase()->retainIconForPageURL(m_urlString); } @@ -90,6 +94,8 @@ HistoryItem::HistoryItem(const String& urlString, const String& title, const Str , m_visitCount(0) , m_itemSequenceNumber(generateSequenceNumber()) , m_documentSequenceNumber(generateSequenceNumber()) + , m_next(0) + , m_prev(0) { iconDatabase()->retainIconForPageURL(m_urlString); } 
@@ -107,6 +113,8 @@ HistoryItem::HistoryItem(const KURL& url, const String& target, const String& pa , m_visitCount(0) , m_itemSequenceNumber(generateSequenceNumber()) , m_documentSequenceNumber(generateSequenceNumber()) + , m_next(0) + , m_prev(0) { iconDatabase()->retainIconForPageURL(m_urlString); } @@ -159,6 +167,38 @@ PassRefPtr<HistoryItem> HistoryItem::copy() const return adoptRef(new HistoryItem(*this)); } +void HistoryItem::reset() +{ + iconDatabase()->releaseIconForPageURL(m_urlString); + + m_urlString = String(); + m_originalURLString = String(); + m_referrer = String(); + m_target = String(); + m_parent = String(); + m_title = String(); + m_displayTitle = String(); + + m_lastVisitedTime = 0; + m_lastVisitWasHTTPNonGet = false; + + m_lastVisitWasFailure = false; + m_isTargetItem = false; + m_visitCount = 0; + m_dailyVisitCounts.clear(); + m_weeklyVisitCounts.clear(); + + m_redirectURLs.clear(); + + m_itemSequenceNumber = generateSequenceNumber(); + + m_stateObject = 0; + m_documentSequenceNumber = generateSequenceNumber(); + + m_formData = 0; + m_formContentType = String(); +} + const String& HistoryItem::urlString() const { return m_urlString; diff --git a/WebCore/history/HistoryItem.h b/WebCore/history/HistoryItem.h index ef9ac23..285f3d7 100644 --- a/WebCore/history/HistoryItem.h +++ b/WebCore/history/HistoryItem.h @@ -88,6 +88,9 @@ public: PassRefPtr<HistoryItem> copy() const; + // Resets the HistoryItem to its initial state, as returned by create(). + void reset(); + const String& originalURLString() const; const String& urlString() const; const String& title() const; @@ -141,7 +144,7 @@ public: void setDocumentSequenceNumber(long long number) { m_documentSequenceNumber = number; } long long documentSequenceNumber() const { return m_documentSequenceNumber; } - + void setFormInfoFromRequest(const ResourceRequest&); void setFormData(PassRefPtr<FormData>); void setFormContentType(const String&); 
@@ -251,11 +254,19 @@ private: OwnPtr<Vector<String> > m_redirectURLs; + // If two HistoryItems have the same item sequence number, then they are + // clones of one another. Traversing history from one such HistoryItem to + // another is a no-op. HistoryItem clones are created for parent and + // sibling frames when only a subframe navigates. long long m_itemSequenceNumber; + // If two HistoryItems have the same document sequence number, then they + // refer to the same instance of a document. Traversing history from one + // such HistoryItem to another preserves the document. + long long m_documentSequenceNumber; + // Support for HTML5 History RefPtr<SerializedScriptValue> m_stateObject; - long long m_documentSequenceNumber; // info used to repost form data RefPtr<FormData> m_formData; diff --git a/WebCore/html/HTMLFormControlElement.cpp b/WebCore/html/HTMLFormControlElement.cpp index daf4b93..88b47ac 100644 --- a/WebCore/html/HTMLFormControlElement.cpp +++ b/WebCore/html/HTMLFormControlElement.cpp @@ -162,7 +162,6 @@ void HTMLFormControlElement::willMoveToNewOwnerDocument() void HTMLFormControlElement::insertedIntoTree(bool deep) { if (fastHasAttribute(formAttr)) { - document()->registerFormElementWithFormAttribute(this); Element* element = document()->getElementById(fastGetAttribute(formAttr)); if (element && element->hasTagName(formTag)) { if (m_form) @@ -196,9 +195,6 @@ static inline Node* findRoot(Node* n) void HTMLFormControlElement::removedFromTree(bool deep) { - if (fastHasAttribute(formAttr)) - document()->unregisterFormElementWithFormAttribute(this); - // If the form and element are both in the same tree, preserve the connection to the form. // Otherwise, null out our form and remove ourselves from the form's list of elements. if (m_form && findRoot(this) != findRoot(m_form)) { 
@@ -209,6 +205,20 @@ void HTMLFormControlElement::removedFromTree(bool deep) HTMLElement::removedFromTree(deep); } +void HTMLFormControlElement::insertedIntoDocument() +{ + if (fastHasAttribute(formAttr)) + document()->registerFormElementWithFormAttribute(this); + HTMLElement::insertedIntoDocument(); +} + +void HTMLFormControlElement::removedFromDocument() +{ + if (fastHasAttribute(formAttr)) + document()->unregisterFormElementWithFormAttribute(this); + HTMLElement::removedFromDocument(); +} + const AtomicString& HTMLFormControlElement::formControlName() const { const AtomicString& name = fastGetAttribute(nameAttr); diff --git a/WebCore/html/HTMLFormControlElement.h b/WebCore/html/HTMLFormControlElement.h index c5ed013..f006e65 100644 --- a/WebCore/html/HTMLFormControlElement.h +++ b/WebCore/html/HTMLFormControlElement.h @@ -109,6 +109,8 @@ protected: virtual void attach(); virtual void insertedIntoTree(bool deep); virtual void removedFromTree(bool deep); + virtual void insertedIntoDocument(); + virtual void removedFromDocument(); virtual void willMoveToNewOwnerDocument(); virtual bool isKeyboardFocusable(KeyboardEvent*) const; diff --git a/WebCore/html/canvas/DataView.h b/WebCore/html/canvas/DataView.h index 0681341..1c76c28 100755 --- a/WebCore/html/canvas/DataView.h +++ b/WebCore/html/canvas/DataView.h @@ -75,7 +75,7 @@ private: DataView(PassRefPtr<ArrayBuffer>, unsigned byteOffset, unsigned byteLength); template<typename T> - inline bool beyondRange(unsigned byteOffset) const { return byteOffset + sizeof(T) > m_byteLength; } + inline bool beyondRange(unsigned byteOffset) const { return byteOffset >= m_byteLength || byteOffset + sizeof(T) > m_byteLength; } template<typename T> T getData(unsigned byteOffset, bool littleEndian, ExceptionCode&) const; diff --git a/WebCore/html/canvas/WebGLRenderingContext.cpp b/WebCore/html/canvas/WebGLRenderingContext.cpp index 3dd1453..237d80c 100644 --- a/WebCore/html/canvas/WebGLRenderingContext.cpp 
+++ b/WebCore/html/canvas/WebGLRenderingContext.cpp @@ -1146,6 +1146,11 @@ void WebGLRenderingContext::drawElements(unsigned long mode, long count, unsigne if (!count) return; + if (!m_boundElementArrayBuffer) { + m_context->synthesizeGLError(GraphicsContext3D::INVALID_OPERATION); + return; + } + long numElements = 0; if (!isErrorGeneratedOnOutOfBoundsAccesses()) { // Ensure we have a valid rendering state diff --git a/WebCore/loader/HistoryController.cpp b/WebCore/loader/HistoryController.cpp index ff733a9..0919a59 100644 --- a/WebCore/loader/HistoryController.cpp +++ b/WebCore/loader/HistoryController.cpp @@ -248,6 +248,10 @@ void HistoryController::updateForBackForwardNavigation() // Must grab the current scroll position before disturbing it if (!m_frameLoadComplete) saveScrollPositionAndViewStateToItem(m_previousItem.get()); + + // When traversing history, we may end up redirecting to a different URL + // this time (e.g., due to cookies). See http://webkit.org/b/49654. + updateCurrentItem(); } void HistoryController::updateForReload() @@ -262,11 +266,11 @@ void HistoryController::updateForReload() if (m_frame->loader()->loadType() == FrameLoadTypeReload || m_frame->loader()->loadType() == FrameLoadTypeReloadFromOrigin) saveScrollPositionAndViewStateToItem(m_currentItem.get()); - - // Sometimes loading a page again leads to a different result because of cookies. Bugzilla 4072 - if (m_frame->loader()->documentLoader()->unreachableURL().isEmpty()) - m_currentItem->setURL(m_frame->loader()->documentLoader()->requestURL()); } + + // When reloading the page, we may end up redirecting to a different URL + // this time (e.g., due to cookies). See http://webkit.org/b/4072. + updateCurrentItem(); } // There are 3 things you might think of as "history", all of which are handled by these functions. 
@@ -298,9 +302,9 @@ void HistoryController::updateForStandardLoad(HistoryUpdateType updateType) if (Page* page = m_frame->page()) page->setGlobalHistoryItem(needPrivacy ? 0 : page->backForward()->currentItem()); } - } else if (frameLoader->documentLoader()->unreachableURL().isEmpty() && m_currentItem) { - m_currentItem->setURL(frameLoader->documentLoader()->url()); - m_currentItem->setFormInfoFromRequest(frameLoader->documentLoader()->request()); + } else { + // The client redirect replaces the current history item. + updateCurrentItem(); } if (!historyURL.isEmpty() && !needPrivacy) { @@ -337,14 +341,12 @@ void HistoryController::updateForRedirectWithLockedBackForwardList() page->setGlobalHistoryItem(needPrivacy ? 0 : page->backForward()->currentItem()); } } - if (m_currentItem) { - m_currentItem->setURL(m_frame->loader()->documentLoader()->url()); - m_currentItem->setFormInfoFromRequest(m_frame->loader()->documentLoader()->request()); - } + // The client redirect replaces the current history item. + updateCurrentItem(); } else { Frame* parentFrame = m_frame->tree()->parent(); if (parentFrame && parentFrame->loader()->history()->m_currentItem) - parentFrame->loader()->history()->m_currentItem->setChildItem(createItem(true)); + parentFrame->loader()->history()->m_currentItem->setChildItem(createItem()); } if (!historyURL.isEmpty() && !needPrivacy) { @@ -453,12 +455,13 @@ void HistoryController::setProvisionalItem(HistoryItem* item) m_provisionalItem = item; } -PassRefPtr<HistoryItem> HistoryController::createItem(bool useOriginal) +void HistoryController::initializeItem(HistoryItem* item) { DocumentLoader* documentLoader = m_frame->loader()->documentLoader(); - - KURL unreachableURL = documentLoader ? documentLoader->unreachableURL() : KURL(); - + ASSERT(documentLoader); + + KURL unreachableURL = documentLoader->unreachableURL(); + KURL url; KURL originalURL; 
@@ -466,15 +469,10 @@ PassRefPtr<HistoryItem> HistoryController::createItem(bool useOriginal) url = unreachableURL; originalURL = unreachableURL; } else { - originalURL = documentLoader ? documentLoader->originalURL() : KURL(); - if (useOriginal) - url = originalURL; - else if (documentLoader) - url = documentLoader->requestURL(); + url = documentLoader->url(); + originalURL = documentLoader->originalURL(); } - LOG(History, "WebCoreHistory: Creating item for %s", url.string().ascii().data()); - // Frames that have never successfully loaded any content // may have no URL at all. Currently our history code can't // deal with such things, so we nip that in the bud here. 
@@ -487,21 +485,25 @@ PassRefPtr<HistoryItem> HistoryController::createItem(bool useOriginal) Frame* parentFrame = m_frame->tree()->parent(); String parent = parentFrame ? parentFrame->tree()->uniqueName() : ""; - String title = documentLoader ? documentLoader->title() : ""; + String title = documentLoader->title(); - RefPtr<HistoryItem> item = HistoryItem::create(url, m_frame->tree()->uniqueName(), parent, title); + item->setURL(url); + item->setTarget(m_frame->tree()->uniqueName()); + item->setParent(parent); + item->setTitle(title); item->setOriginalURLString(originalURL.string()); - if (!unreachableURL.isEmpty() || !documentLoader || documentLoader->response().httpStatusCode() >= 400) + if (!unreachableURL.isEmpty() || documentLoader->response().httpStatusCode() >= 400) item->setLastVisitWasFailure(true); // Save form state if this is a POST - if (documentLoader) { - if (useOriginal) - item->setFormInfoFromRequest(documentLoader->originalRequest()); - else - item->setFormInfoFromRequest(documentLoader->request()); - } + item->setFormInfoFromRequest(documentLoader->request()); +} + +PassRefPtr<HistoryItem> HistoryController::createItem() +{ + RefPtr<HistoryItem> item = HistoryItem::create(); + initializeItem(item.get()); // Set the item for which we will save document state m_frameLoadComplete = false; @@ -513,7 +515,7 @@ PassRefPtr<HistoryItem> HistoryController::createItem(bool useOriginal) PassRefPtr<HistoryItem> HistoryController::createItemTree(Frame* targetFrame, bool clipAtTarget) { - RefPtr<HistoryItem> bfItem = createItem(m_frame->tree()->parent() ? true : false); + RefPtr<HistoryItem> bfItem = createItem(); if (!m_frameLoadComplete) saveScrollPositionAndViewStateToItem(m_previousItem.get()); 
@@ -647,6 +649,31 @@ void HistoryController::updateBackForwardListClippedAtTarget(bool doClip) page->backForward()->addItem(topItem.release()); } +void HistoryController::updateCurrentItem() +{ + if (!m_currentItem) + return; + + DocumentLoader* documentLoader = m_frame->loader()->documentLoader(); + + if (!documentLoader->unreachableURL().isEmpty()) + return; + + if (m_currentItem->url() != documentLoader->url()) { + // We ended up on a completely different URL this time, so the HistoryItem + // needs to be re-initialized. Preserve the isTargetItem flag as it is a + // property of how this HistoryItem was originally created and is not + // dependent on the document. + bool isTargetItem = m_currentItem->isTargetItem(); + m_currentItem->reset(); + initializeItem(m_currentItem.get()); + m_currentItem->setIsTargetItem(isTargetItem); + } else { + // Even if the final URL didn't change, the form data may have changed. + m_currentItem->setFormInfoFromRequest(documentLoader->request()); + } +} + void HistoryController::pushState(PassRefPtr<SerializedScriptValue> stateObject, const String& title, const String& urlString) { if (!m_currentItem) diff --git a/WebCore/loader/HistoryController.h b/WebCore/loader/HistoryController.h index 1bf5072..01f093c 100644 --- a/WebCore/loader/HistoryController.h +++ b/WebCore/loader/HistoryController.h @@ -84,12 +84,14 @@ public: void replaceState(PassRefPtr<SerializedScriptValue>, const String& title, const String& url); private: - PassRefPtr<HistoryItem> createItem(bool useOriginal); + void initializeItem(HistoryItem*); + PassRefPtr<HistoryItem> createItem(); PassRefPtr<HistoryItem> createItemTree(Frame* targetFrame, bool clipAtTarget); void recursiveGoToItem(HistoryItem*, HistoryItem*, FrameLoadType); bool currentFramesMatchItem(HistoryItem*) const; void updateBackForwardListClippedAtTarget(bool doClip); + void updateCurrentItem(); Frame* m_frame; 
diff --git a/WebCore/page/animation/AnimationController.cpp b/WebCore/page/animation/AnimationController.cpp index e8e990c..613aee6 100644 --- a/WebCore/page/animation/AnimationController.cpp +++ b/WebCore/page/animation/AnimationController.cpp @@ -145,16 +145,16 @@ void AnimationControllerPrivate::fireEventsAndUpdateStyle() bool updateStyle = !m_eventsToDispatch.isEmpty() || !m_nodeChangesToDispatch.isEmpty(); // fire all the events - Vector<EventToDispatch>::const_iterator eventsToDispatchEnd = m_eventsToDispatch.end(); - for (Vector<EventToDispatch>::const_iterator it = m_eventsToDispatch.begin(); it != eventsToDispatchEnd; ++it) { + Vector<EventToDispatch> eventsToDispatch = m_eventsToDispatch; + m_eventsToDispatch.clear(); + Vector<EventToDispatch>::const_iterator eventsToDispatchEnd = eventsToDispatch.end(); + for (Vector<EventToDispatch>::const_iterator it = eventsToDispatch.begin(); it != eventsToDispatchEnd; ++it) { if (it->eventType == eventNames().webkitTransitionEndEvent) it->element->dispatchEvent(WebKitTransitionEvent::create(it->eventType, it->name, it->elapsedTime)); else it->element->dispatchEvent(WebKitAnimationEvent::create(it->eventType, it->name, it->elapsedTime)); } - m_eventsToDispatch.clear(); - // call setChanged on all the elements Vector<RefPtr<Node> >::const_iterator nodeChangesToDispatchEnd = m_nodeChangesToDispatch.end(); for (Vector<RefPtr<Node> >::const_iterator it = m_nodeChangesToDispatch.begin(); it != nodeChangesToDispatchEnd; ++it) diff --git a/WebCore/rendering/RenderBlock.cpp b/WebCore/rendering/RenderBlock.cpp index 4609f1b..22e8afb 100644 --- a/WebCore/rendering/RenderBlock.cpp +++ b/WebCore/rendering/RenderBlock.cpp @@ -117,6 +117,7 @@ RenderBlock::RenderBlock(Node* node) , m_continuation(0) , m_rareData(0) , m_lineHeight(-1) + , m_beingDestroyed(false) { setChildrenInline(true); } 
@@ -151,6 +152,9 @@ RenderBlock::~RenderBlock() void RenderBlock::destroy() { + // Mark as being destroyed to avoid trouble with merges in removeChild(). + m_beingDestroyed = true; + // Make sure to destroy anonymous children first while they are still connected to the rest of the tree, so that they will // properly dirty line boxes that they are removed from. Effects that do :before/:after only on hover could crash otherwise. children()->destroyLeftoverChildren(); @@ -930,8 +934,8 @@ static bool canMergeContiguousAnonymousBlocks(RenderObject* oldChild, RenderObje if (oldChild->documentBeingDestroyed() || oldChild->isInline() || oldChild->virtualContinuation()) return false; - if ((prev && (!prev->isAnonymousBlock() || toRenderBlock(prev)->continuation())) - || (next && (!next->isAnonymousBlock() || toRenderBlock(next)->continuation()))) + if ((prev && (!prev->isAnonymousBlock() || toRenderBlock(prev)->continuation() || toRenderBlock(prev)->beingDestroyed())) + || (next && (!next->isAnonymousBlock() || toRenderBlock(next)->continuation() || toRenderBlock(next)->beingDestroyed()))) return false; // FIXME: This check isn't required when inline run-ins can't be split into continuations. @@ -1007,10 +1011,6 @@ void RenderBlock::removeChild(RenderObject* oldChild) nextBlock->deleteLineBoxTree(); nextBlock->destroy(); next = 0; - - // FIXME: Revert the continuation change done above. - if (oldChildBlock) - oldChildBlock->setContinuation(0); } } @@ -3033,7 +3033,7 @@ void RenderBlock::removeFloatingObject(RenderBox* o) // Special-case zero- and less-than-zero-height floats: those don't touch // the line that they're on, but it still needs to be dirtied. This is // accomplished by pretending they have a height of 1. - logicalBottom = max(logicalBottom, logicalTop + 1); + logicalBottom = max(logicalBottom, logicalTop == numeric_limits<int>::max() ? logicalTop : logicalTop + 1); markLinesDirtyInBlockRange(0, logicalBottom); } m_floatingObjects->removeRef(it.current()); 
@@ -3807,7 +3807,7 @@ void RenderBlock::markLinesDirtyInBlockRange(int logicalTop, int logicalBottom, RootInlineBox* lowestDirtyLine = lastRootBox(); RootInlineBox* afterLowest = lowestDirtyLine; - while (lowestDirtyLine && lowestDirtyLine->blockLogicalHeight() >= logicalBottom) { + while (lowestDirtyLine && lowestDirtyLine->blockLogicalHeight() >= logicalBottom && logicalBottom < numeric_limits<int>::max()) { afterLowest = lowestDirtyLine; lowestDirtyLine = lowestDirtyLine->prevRootBox(); } diff --git a/WebCore/rendering/RenderBlock.h b/WebCore/rendering/RenderBlock.h index 5153218..cc06954 100644 --- a/WebCore/rendering/RenderBlock.h +++ b/WebCore/rendering/RenderBlock.h @@ -55,6 +55,7 @@ public: RenderObjectChildList* children() { return &m_children; } virtual void destroy(); + bool beingDestroyed() const { return m_beingDestroyed; } // These two functions are overridden for inline-block. virtual int lineHeight(bool firstLine, LineDirectionMode, LinePositionMode = PositionOnContainingLine) const; @@ -717,7 +718,8 @@ private: RenderObjectChildList m_children; RenderLineBoxList m_lineBoxes; // All of the root line boxes created for this block flow. For example, <div>Hello<br>world.</div> will have two total lines for the <div>. - mutable int m_lineHeight; + mutable int m_lineHeight : 31; + bool m_beingDestroyed : 1; // RenderRubyBase objects need to be able to split and merge, moving their children around // (calling moveChildTo, moveAllChildrenTo, and makeChildrenNonInline). diff --git a/WebCore/rendering/RenderBox.cpp b/WebCore/rendering/RenderBox.cpp index ebd7d54..140d326 100644 --- a/WebCore/rendering/RenderBox.cpp +++ b/WebCore/rendering/RenderBox.cpp 
@@ -227,26 +227,30 @@ void RenderBox::removeFloatingOrPositionedChildFromBlockLists() return; if (isFloating()) { - RenderBlock* outermostBlock = containingBlock(); - for (RenderBlock* p = outermostBlock; p && !p->isRenderView(); p = p->containingBlock()) { - if (p->containsFloat(this)) - outermostBlock = p; + RenderBlock* parentBlock = 0; + for (RenderObject* curr = parent(); curr && !curr->isRenderView(); curr = curr->parent()) { + if (curr->isRenderBlock()) { + RenderBlock* currBlock = toRenderBlock(curr); + if (currBlock->containsFloat(this)) + parentBlock = currBlock; + else + break; + } } - if (outermostBlock) { - RenderObject* parent = outermostBlock->parent(); + if (parentBlock) { + RenderObject* parent = parentBlock->parent(); if (parent && parent->isFlexibleBox()) - outermostBlock = toRenderBlock(parent); + parentBlock = toRenderBlock(parent); - outermostBlock->markAllDescendantsWithFloatsForLayout(this, false); + parentBlock->markAllDescendantsWithFloatsForLayout(this, false); } } if (isPositioned()) { - RenderObject* p; - for (p = parent(); p; p = p->parent()) { - if (p->isRenderBlock()) - toRenderBlock(p)->removePositionedObject(this); + for (RenderObject* curr = parent(); curr; curr = curr->parent()) { + if (curr->isRenderBlock()) + toRenderBlock(curr)->removePositionedObject(this); } } } diff --git a/WebCore/rendering/RenderTable.cpp b/WebCore/rendering/RenderTable.cpp index 43b6b03..521dea1 100644 --- a/WebCore/rendering/RenderTable.cpp +++ b/WebCore/rendering/RenderTable.cpp 
@@ -167,7 +167,7 @@ void RenderTable::addChild(RenderObject* child, RenderObject* beforeChild) if (!wrapInAnonymousSection) { // If the next renderer is actually wrapped in an anonymous table section, we need to go up and find that. - while (beforeChild && !beforeChild->isTableSection() && !beforeChild->isTableCol() && beforeChild->style()->display() != TABLE_CAPTION) + while (beforeChild && beforeChild->parent() != this) beforeChild = beforeChild->parent(); RenderBox::addChild(child, beforeChild); @@ -1172,6 +1172,8 @@ int RenderTable::firstLineBoxBaseline() const if (isWritingModeRoot()) return -1; + recalcSectionsIfNeeded(); + RenderTableSection* firstNonEmptySection = m_head ? m_head : (m_firstBody ? m_firstBody : m_foot); if (firstNonEmptySection && !firstNonEmptySection->numRows()) firstNonEmptySection = sectionBelow(firstNonEmptySection, true); diff --git a/WebCore/rendering/RenderTextControlMultiLine.cpp b/WebCore/rendering/RenderTextControlMultiLine.cpp index eaa7eca..1a7ba36 100644 --- a/WebCore/rendering/RenderTextControlMultiLine.cpp +++ b/WebCore/rendering/RenderTextControlMultiLine.cpp @@ -41,7 +41,7 @@ RenderTextControlMultiLine::RenderTextControlMultiLine(Node* node, bool placehol RenderTextControlMultiLine::~RenderTextControlMultiLine() { - if (node()) + if (node() && node()->inDocument()) static_cast<HTMLTextAreaElement*>(node())->rendererWillBeDestroyed(); } diff --git a/WebCore/svg/SVGDocumentExtensions.cpp b/WebCore/svg/SVGDocumentExtensions.cpp index 3fd9761..7f7ba67 100644 --- a/WebCore/svg/SVGDocumentExtensions.cpp +++ b/WebCore/svg/SVGDocumentExtensions.cpp 
@@ -93,8 +93,12 @@ void SVGDocumentExtensions::startAnimations() // FIXME: Eventually every "Time Container" will need a way to latch on to some global timer // starting animations for a document will do this "latching" #if ENABLE(SVG_ANIMATION) - HashSet<SVGSVGElement*>::iterator end = m_timeContainers.end(); - for (HashSet<SVGSVGElement*>::iterator itr = m_timeContainers.begin(); itr != end; ++itr) + // FIXME: We hold a ref pointers to prevent a shadow tree from getting removed out from underneath us. + // In the future we should refactor the use-element to avoid this. See https://webkit.org/b/53704 + Vector<RefPtr<SVGSVGElement> > timeContainers; + timeContainers.appendRange(m_timeContainers.begin(), m_timeContainers.end()); + Vector<RefPtr<SVGSVGElement> >::iterator end = timeContainers.end(); + for (Vector<RefPtr<SVGSVGElement> >::iterator itr = timeContainers.begin(); itr != end; ++itr) (*itr)->timeContainer()->begin(); #endif } diff --git a/WebCore/svg/SVGFont.cpp b/WebCore/svg/SVGFont.cpp index 898c259..25dbbe3 100644 --- a/WebCore/svg/SVGFont.cpp +++ b/WebCore/svg/SVGFont.cpp @@ -241,7 +241,7 @@ struct SVGTextRunWalker { { ASSERT(0 <= from && from <= to && to - from <= run.length()); - const String text = Font::normalizeSpaces(String(run.data(from), run.length())); + const String text = Font::normalizeSpaces(String(run.data(from), to - from)); Vector<SVGGlyphIdentifier::ArabicForm> chars(charactersWithArabicForm(text, run.rtl())); SVGGlyphIdentifier identifier; diff --git a/WebCore/svg/SVGFontFaceElement.cpp b/WebCore/svg/SVGFontFaceElement.cpp index 515ce04..97f457d 100644 --- a/WebCore/svg/SVGFontFaceElement.cpp +++ b/WebCore/svg/SVGFontFaceElement.cpp 
@@ -262,6 +262,11 @@ String SVGFontFaceElement::fontFamily() const return m_styleDeclaration->getPropertyValue(CSSPropertyFontFamily); } +SVGFontElement* SVGFontFaceElement::associatedFontElement() const +{ + return m_fontElement.get(); +} + void SVGFontFaceElement::rebuildFontFace() { ASSERT(inDocument()); diff --git a/WebCore/svg/SVGFontFaceElement.h b/WebCore/svg/SVGFontFaceElement.h index 3ee71d8..ead2e1f 100644 --- a/WebCore/svg/SVGFontFaceElement.h +++ b/WebCore/svg/SVGFontFaceElement.h @@ -47,7 +47,7 @@ namespace WebCore { int descent() const; String fontFamily() const; - SVGFontElement* associatedFontElement() const { return m_fontElement; } + SVGFontElement* associatedFontElement() const; void rebuildFontFace(); void removeFromMappedElementSheet(); @@ -63,7 +63,7 @@ namespace WebCore { RefPtr<CSSFontFaceRule> m_fontFaceRule; RefPtr<CSSMutableStyleDeclaration> m_styleDeclaration; - SVGFontElement* m_fontElement; + RefPtr<SVGFontElement> m_fontElement; }; } // namespace WebCore diff --git a/WebCore/xml/XSLStyleSheet.h b/WebCore/xml/XSLStyleSheet.h index 4312771..b36ac1d 100644 --- a/WebCore/xml/XSLStyleSheet.h +++ b/WebCore/xml/XSLStyleSheet.h @@ -79,7 +79,8 @@ public: CachedResourceLoader* cachedResourceLoader(); - Document* ownerDocument() { return m_ownerDocument; } + Document* ownerDocument(); + XSLStyleSheet* parentStyleSheet() const { return m_parentStyleSheet; } void setParentStyleSheet(XSLStyleSheet* parent); #if USE(QXMLQUERY) diff --git a/WebCore/xml/XSLStyleSheetLibxslt.cpp b/WebCore/xml/XSLStyleSheetLibxslt.cpp index 3fb9eb5..447ba1e 100644 --- a/WebCore/xml/XSLStyleSheetLibxslt.cpp +++ b/WebCore/xml/XSLStyleSheetLibxslt.cpp 
@@ -57,7 +57,6 @@ namespace WebCore { XSLStyleSheet::XSLStyleSheet(XSLImportRule* parentRule, const String& originalURL, const KURL& finalURL) : StyleSheet(parentRule, originalURL, finalURL) - , m_ownerDocument(0) , m_embedded(false) , m_processed(false) // Child sheets get marked as processed when the libxslt engine has finally seen them. , m_stylesheetDoc(0) @@ -68,7 +67,6 @@ XSLStyleSheet::XSLStyleSheet(XSLImportRule* parentRule, const String& originalUR XSLStyleSheet::XSLStyleSheet(Node* parentNode, const String& originalURL, const KURL& finalURL, bool embedded) : StyleSheet(parentNode, originalURL, finalURL) - , m_ownerDocument(parentNode->document()) , m_embedded(embedded) , m_processed(true) // The root sheet starts off processed. , m_stylesheetDoc(0) @@ -130,9 +128,10 @@ void XSLStyleSheet::clearDocuments() CachedResourceLoader* XSLStyleSheet::cachedResourceLoader() { - if (!m_ownerDocument) + Document* document = ownerDocument(); + if (!document) return 0; - return m_ownerDocument->cachedResourceLoader(); + return document->cachedResourceLoader(); } bool XSLStyleSheet::parseString(const String& string, bool) @@ -258,8 +257,16 @@ xsltStylesheetPtr XSLStyleSheet::compileStyleSheet() void XSLStyleSheet::setParentStyleSheet(XSLStyleSheet* parent) { m_parentStyleSheet = parent; - if (parent) - m_ownerDocument = parent->ownerDocument(); +} + +Document* XSLStyleSheet::ownerDocument() +{ + for (XSLStyleSheet* styleSheet = this; styleSheet; styleSheet = styleSheet->parentStyleSheet()) { + Node* node = styleSheet->ownerNode(); + if (node) + return node->document(); + } + return 0; } xmlDocPtr XSLStyleSheet::locateStylesheetSubResource(xmlDocPtr parentDoc, const xmlChar* uri) diff --git a/WebCore/xml/XSLStyleSheetQt.cpp b/WebCore/xml/XSLStyleSheetQt.cpp index 0523560..0d41d1f 100644 --- a/WebCore/xml/XSLStyleSheetQt.cpp +++ b/WebCore/xml/XSLStyleSheetQt.cpp 
@@ -35,7 +35,6 @@ namespace WebCore { XSLStyleSheet::XSLStyleSheet(Node* parentNode, const String& originalURL, const KURL& finalURL, bool embedded) : StyleSheet(parentNode, originalURL, finalURL) - , m_ownerDocument(parentNode->document()) , m_embedded(embedded) { } @@ -63,9 +62,10 @@ void XSLStyleSheet::clearDocuments() CachedResourceLoader* XSLStyleSheet::cachedResourceLoader() { - if (!m_ownerDocument) + Document* document = ownerDocument(); + if (!document) return 0; - return m_ownerDocument->cachedResourceLoader(); + return document->cachedResourceLoader(); } bool XSLStyleSheet::parseString(const String& string, bool) @@ -88,6 +88,12 @@ void XSLStyleSheet::loadChildSheet(const String&) notImplemented(); } +Document* XSLStyleSheet::ownerDocument() +{ + Node* node = ownerNode(); + return node ? node->document() : 0; +} + void XSLStyleSheet::setParentStyleSheet(XSLStyleSheet*) { notImplemented(); |
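Review bot: In WebCore/html/canvas/WebGLRenderingContext.cpp, the new m_boundElementArrayBuffer check in drawElements() sits after the existing `if (!count) return;` early-out, so a call with count 0 and nothing bound to ELEMENT_ARRAY_BUFFER still returns silently instead of raising INVALID_OPERATION. If the error is meant to be unconditional, move the check above the count test; if the ordering is deliberate, say so in a one-line comment.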
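Review bot: In WebCore/loader/HistoryController.cpp, the new updateCurrentItem() dereferences documentLoader (`documentLoader->unreachableURL()`) with neither a null check nor an ASSERT, although it is now called from four update paths and initializeItem() in the same patch does at least assert. Add `ASSERT(documentLoader)` or an early return next to the existing `if (!m_currentItem) return;` so the precondition is stated in one place.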
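Review bot: In HistoryController::initializeItem(), every `documentLoader ? ... : ...` fallback from the old createItem() is replaced by a single ASSERT(documentLoader), which is compiled out of release builds, so a null loader goes from a tolerated case to a null dereference at `documentLoader->unreachableURL()`. Either keep an explicit early return for the null case or document why no caller (createItem(), createItemTree(), updateCurrentItem()) can reach this with a null document loader.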
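Review bot: In HistoryController::createItemTree() and updateForRedirectWithLockedBackForwardList(), dropping the useOriginal argument changes what child frames record: they used to get originalURL() and originalRequest() through createItem(true) and now always get documentLoader->url() and documentLoader->request(). That behaviour change for subframe history items is not mentioned in the comments added here; a short comment on createItem() explaining why the original request is no longer wanted would help.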
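Review bot: In WebCore/page/animation/AnimationController.cpp, fireEventsAndUpdateStyle() now copies m_eventsToDispatch and clears the member before dispatching, but nothing says why, and the m_nodeChangesToDispatch loop directly below still iterates the member with a cached end iterator. Add a comment that dispatchEvent() can re-enter and mutate the member vector, and confirm whether the second loop needs the same copy-then-clear treatment.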
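Review bot: In WebCore/rendering/RenderBlock.cpp, removeFloatingObject() and markLinesDirtyInBlockRange() now both special-case numeric_limits<int>::max(), but neither site documents that the value is a sentinel or that the point is to avoid signed overflow in `logicalTop + 1`. Add a comment at the `max(logicalBottom, ...)` line, and hoist the loop-invariant `logicalBottom < numeric_limits<int>::max()` test out of the while condition so the intent (skip the walk entirely for the sentinel) is explicit.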
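Review bot: In WebCore/rendering/RenderBlock.h, `mutable int m_lineHeight : 31;` relies on a plain int bit-field being signed, which matters because the constructor initializes it to -1 as a sentinel; declare it `signed int` or note the assumption. The same line also narrows the representable line height to 31 bits, and packing an int bit-field with the following `bool m_beingDestroyed : 1;` is implementation-defined, so the intended size saving should be checked on each supported compiler.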
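Review bot: In WebCore/svg/SVGFont.cpp, the ASSERT above the fixed line still only requires `to - from <= run.length()`, which a nonzero `from` can satisfy while `to` is past the end of the run, so `String(run.data(from), to - from)` is not fully covered by the stated precondition. Tighten the assertion to `to <= run.length()`, and since ASSERT is debug-only, consider clamping the length for release builds as well.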
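Review bot: In WebCore/svg/SVGFontFaceElement.h, changing m_fontElement from a raw pointer to RefPtr<SVGFontElement> means the font-face element now keeps its associated font element alive, and nothing in these hunks shows where that reference is released. Point to (or add) the place that clears m_fontElement when the element leaves the document, so the strong reference cannot outlive the association or form a cycle.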
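Review bot: In WebCore/xml/XSLStyleSheetLibxslt.cpp, the new ownerDocument() walks the m_parentStyleSheet chain through raw pointers on every call, so it is only safe if each parent clears the child's pointer before it is destroyed; that invariant should be stated in a comment on setParentStyleSheet(). The accessor could also be declared const to match parentStyleSheet(), and the Qt variant returns only the sheet's own ownerNode() document without walking parents, which deserves a note so the two implementations are not assumed equivalent.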