~jconti/ubuntu/oneiric/webkit/fix_doc_path

Viewing changes to WebCore/ChangeLog

  • Committer: Bazaar Package Importer
  • Author(s): Robert Ancell
  • Date: 2010-10-18 20:17:09 UTC
  • mfrom: (1.5.15 upstream)
  • Revision ID: james.westby@ubuntu.com-20101018201709-dkathefl8vvl2uxe
Tags: 1.2.5-0ubuntu1
New upstream release

 
1
2010-08-25  Cris Neckar  <cdn@chromium.org>
 
2
 
 
3
        Reviewed by Darin Adler.
 
4
 
 
5
        Added abort condition for RenderCounters when traversing a detached render tree.
 
6
        https://bugs.webkit.org/show_bug.cgi?id=43812
 
7
 
 
8
        Test: fast/css/counters/counter-traverse-object-crash.html
 
9
 
 
10
        * rendering/RenderCounter.cpp:
 
11
        (WebCore::findPlaceForCounter):
 
12
 
 
13
2010-08-23  Abhishek Arya  <inferno@chromium.org>
 
14
 
 
15
        Reviewed by Dimitri Glazkov.
 
16
 
 
17
        Fix security origin calculation in createPattern. Need to use
 
18
        cachedImage->response().url() instead of cachedImage->url().
 
19
        https://bugs.webkit.org/show_bug.cgi?id=44399.
 
20
 
 
21
        Test: http/tests/security/canvas-remote-read-remote-image-redirect.html
 
22
 
 
23
        * html/canvas/CanvasRenderingContext2D.cpp:
 
24
        (WebCore::CanvasRenderingContext2D::createPattern):
 
25
 
 
26
2010-08-20  Tony Chang  <tony@chromium.org>
 
27
 
 
28
        Reviewed by Adam Barth.
 
29
 
 
30
        crash when trying to access a stale Node pointer in FocusController::setFocusedNode
 
31
        https://bugs.webkit.org/show_bug.cgi?id=44226
 
32
 
 
33
        Test: fast/events/focus-change-crash2.html
 
34
 
 
35
        * page/FocusController.cpp:
 
36
        (WebCore::FocusController::setFocusedNode): add a ref to prevent the focused node from being deleted
 
37
 
 
38
2010-08-12  Justin Schuh  <jschuh@chromium.org>
 
39
 
 
40
        Reviewed by Dumitru Daniliuc.
 
41
 
 
42
        Clear PluginData's page pointer on page refresh
 
43
        https://bugs.webkit.org/show_bug.cgi?id=43888
 
44
 
 
45
        Test: plugins/access-after-page-destroyed.html
 
46
 
 
47
        * page/Page.cpp:
 
48
        (WebCore::Page::refreshPlugins):
 
49
 
 
50
2010-07-28  Justin Schuh  <jschuh@chromium.org>
 
51
 
 
52
        Reviewed by Nate Chapin.
 
53
 
 
54
        Clear PluginData's page pointer on Page destruction
 
55
        https://bugs.webkit.org/show_bug.cgi?id=43147
 
56
 
 
57
        Test: plugins/access-after-page-destroyed.html
 
58
 
 
59
        * page/Page.cpp:
 
60
        (WebCore::Page::~Page):
 
61
 
 
62
2010-08-17  Steve Block  <steveblock@google.com>
 
63
 
 
64
        Reviewed by Jeremy Orlow.
 
65
 
 
66
        Geolocation clearWatch() needs to protect against invalid IDs
 
67
        https://bugs.webkit.org/show_bug.cgi?id=44096
 
68
 
 
69
        If the ID passed to clearWatch() is invalid, we early-out.
 
70
 
 
71
        Test: fast/dom/Geolocation/clear-watch-invalid-id-crash.html
 
72
 
 
73
        * page/Geolocation.cpp:
 
74
        (WebCore::Geolocation::Watchers::set):
 
75
        (WebCore::Geolocation::Watchers::remove):
 
76
        (WebCore::Geolocation::watchPosition):
 
77
        (WebCore::Geolocation::clearWatch):
 
78
 
 
79
2010-07-20  Abhishek Arya  <inferno@chromium.org>
 
80
 
 
81
        Reviewed by David Hyatt.
 
82
 
 
83
        Check the node is a text node before doing the static cast
 
84
        for editing commands.
 
85
        https://bugs.webkit.org/show_bug.cgi?id=42655
 
86
 
 
87
        Test: editing/execCommand/editing-nontext-node-crash.xhtml
 
88
 
 
89
        * editing/DeleteSelectionCommand.cpp:
 
90
        (WebCore::DeleteSelectionCommand::fixupWhitespace):
 
91
        * editing/InsertLineBreakCommand.cpp:
 
92
        (WebCore::InsertLineBreakCommand::doApply):
 
93
        * editing/InsertParagraphSeparatorCommand.cpp:
 
94
        (WebCore::InsertParagraphSeparatorCommand::doApply):
 
95
 
 
96
2010-07-26  Justin Schuh  <jschuh@chromium.org>
 
97
 
 
98
        Reviewed by Darin Fisher.
 
99
 
 
100
        Check history state against origin before setting
 
101
        https://bugs.webkit.org/show_bug.cgi?id=42858
 
102
 
 
103
        Tests: fast/loader/stateobjects/replacestate-base-illegal.html
 
104
               fast/loader/stateobjects/replacestate-base-legal.html
 
105
 
 
106
        * page/History.cpp:
 
107
        (WebCore::History::urlForState):
 
108
        (WebCore::History::stateObjectAdded):
 
109
 
 
110
2010-07-12  Tony Chang  <tony@chromium.org>
 
111
 
 
112
        Reviewed by David Hyatt.
 
113
 
 
114
        crash in FrameView::detachCustomScrollbars
 
115
        https://bugs.webkit.org/show_bug.cgi?id=41196
 
116
 
 
117
        Test: scrollbars/hidden-iframe-scrollbar-crash.html
 
118
 
 
119
        * page/FrameView.cpp:
 
120
        (WebCore::FrameView::detachCustomScrollbars):
 
121
 
 
122
2010-07-02  Ojan Vafai  <ojan@chromium.org>
 
123
 
 
124
        Reviewed by Adam Barth.
 
125
 
 
126
        Crash in RenderObject::containingBlock when clearing selection in a display:none node.
 
127
        https://bugs.webkit.org/show_bug.cgi?id=41523
 
128
 
 
129
        updateStyleIfNeeded before clearing the selection in the RenderView. Otherwise,
 
130
        m_selectionStart and m_selectionEnd in RenderView point to garbage object.
 
131
        This fixes the crash because updateStyleIfNeeded clears the selection before
 
132
        clobbering nodes that contain the selection.
 
133
 
 
134
        Test: editing/selection/crash-on-clear-selection.html
 
135
 
 
136
        * editing/SelectionController.cpp:
 
137
        (WebCore::SelectionController::updateAppearance):
 
138
 
 
139
2010-06-23  Abhishek Arya  <inferno@chromium.org>
 
140
 
 
141
        Reviewed by Kenneth Rohde Christiansen.
 
142
 
 
143
        Firing the onchange event on select which changes its size > 1 causes the select
 
144
        object to change from a menulist to a listbox. However, when propogating the events,
 
145
        we do a bad cast assuming the object will remain a menulist. Added proper checks to
 
146
        make sure we check the renderer after the onchange is fired and propogate the event
 
147
        based on correct object type.
 
148
        https://bugs.webkit.org/show_bug.cgi?id=40828 
 
149
 
 
150
        Test: fast/events/select-onchange-crash.html
 
151
 
 
152
        * dom/SelectElement.cpp:
 
153
        (WebCore::SelectElement::setSelectedIndex):
 
154
 
 
155
2010-07-21  Justin Schuh  <jschuh@chromium.org>
 
156
 
 
157
        Reviewed by Oliver Hunt.
 
158
 
 
159
        Prevent DeleteButtonController enable state from changing when not editing
 
160
        https://bugs.webkit.org/show_bug.cgi?id=42659
 
161
 
 
162
        Test: svg/custom/use-invalid-html.xhtml
 
163
 
 
164
        * dom/ContainerNode.cpp:
 
165
        (WebCore::ContainerNode::cloneChildNodes):
 
166
 
 
167
2010-06-10  Tony Chang  <tony@chromium.org>
 
168
 
 
169
        Reviewed by Kent Tamura.
 
170
 
 
171
        crash when focus is changed while trying to focus next element
 
172
        https://bugs.webkit.org/show_bug.cgi?id=40407
 
173
 
 
174
        Test: fast/events/focus-change-crash.html
 
175
 
 
176
        * dom/Element.cpp:
 
177
        (WebCore::Element::focus):
 
178
 
1
179
2010-08-10  Abhishek Arya  <inferno@chromium.org>
2
180
 
3
181
        Reviewed by David Hyatt.
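Review bot: The added 2010-07-21 entry (new lines 155-165) does not connect its title to its contents: the title names DeleteButtonController, but the only function listed is (WebCore::ContainerNode::cloneChildNodes): with no annotation, and the test is svg/custom/use-invalid-html.xhtml. Add a short note on the function line saying what cloneChildNodes now does, in the style the 2010-08-20 entry uses for setFocusedNode ("add a ref to prevent the focused node from being deleted"). The same gap applies to the 2010-07-12 and 2010-06-10 entries, whose titles describe only the crash ("crash in FrameView::detachCustomScrollbars", "crash when focus is changed while trying to focus next element") and whose function lines say nothing about the fix. The 2010-08-12 refreshPlugins entry and the 2010-07-28 ~Page entry both cite plugins/access-after-page-destroyed.html; if that one test covers both the refresh and the destruction path, say so, otherwise the refresh fix has no regression test of its own listed here. Smaller points: the added entries are not in date order (2010-08-12 is followed by 2010-07-28, then 2010-08-17, and 2010-07-21 sits after 2010-06-23), the 2010-06-23 entry has no one-line summary before its description and spells "propogating"/"propogate", and the bug URL in the 2010-08-23 entry carries a trailing period.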