
Side by Side Diff: Source/core/dom/Element.cpp

Issue 398653003: Fix possible crash in Element::normalizeAttributes() (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Fix fast/dom/normalize-attributes-mutation-event-crash.html failure Created 6 years, 5 months ago
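--- a/Source/core/dom/Element.cpp
+++ b/Source/core/dom/Element.cpp
@@ -1,10 +1,10 @@
 /*
 * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
 * (C) 1999 Antti Koivisto (koivisto@kde.org)
 * (C) 2001 Peter Kelly (pmk@post.com)
 * (C) 2001 Dirk Mueller (mueller@kde.org)
 * (C) 2007 David Smith (catfish.man@gmail.com)
 * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2012, 2013 Apple Inc. All rights reserved.
 * (C) 2007 Eric Seidel (eric@webkit.org)
 *
 * This library is free software; you can redistribute it and/or
@@ -2526,28 +2526,29 @@
 void Element::cancelFocusAppearanceUpdate()
 {
 if (document().focusedElement() == this)
 document().cancelFocusAppearanceUpdate();
 }
 
 void Element::normalizeAttributes()
 {
 if (!hasAttributes())
 return;
-// attributeCount() cannot be cached before the loop because the attributes
-// list is altered while iterating.
-AttributeCollection attributes = this->attributes();
-AttributeCollection::const_iterator end = attributes.end();
-for (AttributeCollection::const_iterator it = attributes.begin(); it < end; ++it) {
-if (RefPtrWillBeRawPtr<Attr> attr = attrIfExists(it->name()))
-attr->normalize();
-}
+WillBeHeapVector<RefPtrWillBeMember<Attr> >* attrNodes = attrNodeList();
+if (!attrNodes)
+return;
+// Copy the Attr Vector because Node::normalize() can fire synchronous JS
+// events (e.g. DOMSubtreeModified) and a JS listener could add / remove
+// attributes while we are iterating.
+WillBeHeapVector<RefPtrWillBeMember<Attr> > attrNodesCopy(*attrNodes);
+for (size_t i = 0; i < attrNodesCopy.size(); ++i)
+attrNodesCopy[i]->normalize();
 }
 
 void Element::updatePseudoElement(PseudoId pseudoId, StyleRecalcChange change)
 {
 ASSERT(!needsStyleRecalc());
 PseudoElement* element = pseudoElement(pseudoId);
 if (element && (change == UpdatePseudoElements || element->shouldCallRecalcS tyle(change))) {
 
 // Need to clear the cached style if the PseudoElement wants a recalc so it
 // computes a new style.
@@ -3353,10 +3354,10 @@
 
 void Element::trace(Visitor* visitor)
 {
 if (hasRareData())
 visitor->trace(elementRareData());
 visitor->trace(m_elementData);
 ContainerNode::trace(visitor);
 }
 
 } // namespace WebCore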
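Review bot: In Element::normalizeAttributes(), the loop over `attrNodesCopy` still calls normalize() on an Attr that a listener detached from this element earlier in the same pass, and any Attr a listener adds during the pass is never visited. The snapshot removes the iterator invalidation and, since it holds `RefPtrWillBeMember<Attr>` entries, should keep each node alive for the duration of the loop, so this looks memory-safe; but the comment only explains why the vector is copied, not that operating on a stale snapshot is intended. I would extend it with something like `// The copy holds a reference to each Attr, so nodes removed by a listener stay alive but may be detached when normalized.` If detached nodes should be skipped instead, a guard such as `if (attrNodesCopy[i]->ownerElement() == this)` before the call would do it, assuming ownerElement() is cleared on removal, which is not visible on this page.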
