=== WebCore-417.24 ===

2006-03-13  Timothy Hatcher

        Merged fix from TOT to Safari-2-0-branch

    2006-02-16  Tim Omernick

        Reviewed by Geoff.

        Flash Player 8.0.22 can crash Safari (and WebKit apps) with javascript disabled (7015)

        Added a test case, manual-tests/NPN_Invoke.  This is a skeleton of a Netscape plugin
        which uses NPN_Invoke() to call the window.alert() JavaScript function.

        * bridge/mac/MacFrame.mm:
        (WebCore::MacFrame::windowScriptNPObject):
        Removed the check Darin added to return 0 when JavaScript is disabled.  This method
        cannot return 0, because plugins are not guaranteed to check for that.
        Removed my old fix for Radar 4428609 (7015) in favor of a better solution.  Instead of
        creating a "dummy" JSObject to represent the window script object when JavaScript is
        disabled, we use the new JavaScriptCore bindings API to create a "no script" NPObject.
        This solution is better because it does not cause entry into any JavaScript
        interpreter code.
        * manual-tests/NPN_Invoke: Added.
        * manual-tests/NPN_Invoke/English.lproj: Added.
        * manual-tests/NPN_Invoke/English.lproj/Localized.r: Added.
        * manual-tests/NPN_Invoke/Info.plist: Added.
        * manual-tests/NPN_Invoke/NPN_Invoke.xcodeproj: Added.
        * manual-tests/NPN_Invoke/NPN_Invoke.xcodeproj/project.pbxproj: Added.
        * manual-tests/NPN_Invoke/main.c: Added.
        * manual-tests/NPN_Invoke/test.html: Added.

=== WebCore-417.23 ===

2006-03-02  Timothy Hatcher

        Merged fix from TOT to Safari-2-0-branch

        This also includes the http://bugzilla.opendarwin.org/show_bug.cgi?id=7363 fix
        REGRESSION (r12872): Repro crash when clicking the Quick Reply box in Gmail

    2006-02-17  Vicki Murley

        Reviewed by Justin.

        Get rid of handleFocusOut on text fields and textareas - move this functionality to
        the place where we resign focus on the previous node in setFocusNode.  Add
        isTextField on RenderObject as one way to distinguish from contenteditable
        elements - Win IE does not fire onChange for contenteditable elements, so we won't
        either.
        Also, expose the dirty bit variables previously checked in handleFocusOut methods
        in isEdited() and setEdited().

        Fixes the following bugs:
        REGRESSION (1.2.2 - 1.3): onChange and onFocus events firing order differs for
        mouse click and tab (7227)
        for text fields, onChange should fire before onBlur to match Win IE

        Test case is on the way.

        * dom/DocumentImpl.cpp:
        (WebCore::DocumentImpl::setFocusNode): For textareas and text fields, fire a change
        event on the node that is resigning focus.  Make sure the blur event fires after
        the change event - 4447009.
        * rendering/render_form.cpp:
        (WebCore::RenderLineEdit::slotReturnPressed): Replace call to handleFocusOut with
        equivalent code.
        (WebCore::RenderLineEdit::isEdited): Added.
        (WebCore::RenderLineEdit::setEdited): Added.
        (WebCore::RenderTextArea::setEdited): Added.
        * rendering/render_form.h:
        (WebCore::RenderLineEdit::isTextField): Added.
        (WebCore::RenderTextArea::isTextArea): Make this non-virtual.
        (WebCore::RenderTextArea::isEdited): Added.
        * rendering/render_object.h:
        (WebCore::RenderObject::isEdited): Added.
        (WebCore::RenderObject::setEdited): Added.
        (WebCore::RenderObject::isTextField): Added.
        * rendering/render_replaced.h: Remove handleFocusOut().
        * rendering/render_replaced.cpp: Ditto.
        (WebCore::RenderWidget::eventFilter): Remove call to handleFocusOut().  Safe to do
        here, since we call setFocusNode immediately beforehand.

=== WebCore-417.22 ===

2006-02-15  Timothy Hatcher

        Reviewed by Beth, Geoff, Maciej.

        Removed #define MALLOC_FAILURE_ACTION abort() letting malloc return NULL

        Fixes
        *SecUpd: Tiger* SureSec si#182 safari heap overflow.
        *SecUpd: Chardonnay* SureSec si#182 safari heap overflow.

        * khtml/misc/main_thread_malloc.cpp:

=== WebCore-417.21 ===

2006-02-10  Eric Seidel

        Reviewed by darin.

        hang in XMLHttpRequest::cancelRequests

        No test case possible.
        * khtml/ecma/xmlhttprequest.cpp:
        (KJS::removeFromRequestsByDocument):
        (KJS::XMLHttpRequest::removeFromRequestsByDocument):
        (KJS::XMLHttpRequest::cancelRequests):

2006-02-10  Timothy Hatcher

        Reviewed by Tim O.

        Rolling out r11800 and reworked Tim's original fix to call _NPN_DeallocateObject
        in the destructor.

        * kwq/KWQKHTMLPart.mm:
        (KWQKHTMLPart::~KWQKHTMLPart):
        (KWQKHTMLPart::setView):
        (KWQKHTMLPart::cleanupPluginRootObjects):

=== WebCore-417.20 ===

2006-02-06  Timothy Hatcher

        Merged fix from TOT to Safari-2-0-branch

    2005-11-01  Justin Garcia

        Reviewed by darin

        Fixes Seed: Mail crash adjusting quote level - KHTMLPart::computeAndSetTypingStyle

        No test cases added, requires Mail

        * kwq/WebCoreBridge.mm:
        (-[WebCoreBridge typingStyle]):
        Crashes were happening after a style was merged with itself.  Mail was doing a
        setTypingStyle with a pointer to our internal typing style.  Fix is to only hand
        out copies of our typingStyle.

2006-02-06  Timothy Hatcher

        Merged fix from TOT to Safari-2-0-branch

    2006-01-16  Tim Omernick

        Reviewed by John Sullivan.

        WebCore part of NPAPI ref count behavior differs with Mozilla

        * bridge/mac/MacFrame.mm:
        (MacFrame::setView):
        Call _NPN_DeallocateObject() instead of _NPN_ReleaseObject() so that we don't leak
        if a plugin fails to release the window script object properly.  Our old
        NPN_GetValue() did not properly retain the returned window script object.  Because
        of this, many plugins have WebKit-specific workarounds to not release said window
        script object.  Forcibly deallocating it here should prevent any such issues.  This
        shouldn't cause any problems for plugins, since they should already be stopped and
        destroyed at this point.  This also fixes a preexisting leak of the window script
        NPObject -- it was never actually being freed!
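The two entries above (the KWQKHTMLPart destructor change and the MacFrame::setView change) both move teardown of the window script NPObject from a reference release to a forced deallocation. The following is an added example, not WebKit code: a minimal reference-counted object in C that makes the trade-off concrete. `script_object_release()` only frees when the count reaches zero, so a client that never releases its reference leaks the object; `script_object_deallocate()` frees unconditionally at teardown and reports how many references were still outstanding, which is safe only because, as the entry says, every client is already stopped. All names (`ScriptObject`, `script_object_*`, `simulate_plugin_session`) are hypothetical.

```c
/* Added example (not WebKit code): release-vs-forced-deallocate for a
 * reference-counted host object handed to an untrusted plugin.
 * All identifiers are hypothetical. */
#include <stdio.h>
#include <stdlib.h>

typedef struct ScriptObject {
    unsigned refcount;
    const char *name;
} ScriptObject;

/* Creator holds the first reference. Returns NULL if the allocator fails. */
static ScriptObject *script_object_create(const char *name) {
    ScriptObject *o = calloc(1, sizeof *o);
    if (!o) return NULL;
    o->refcount = 1;
    o->name = name;
    return o;
}

static void script_object_retain(ScriptObject *o) { o->refcount++; }

/* Drop one reference; free only when the count reaches zero.
 * Returns 1 if this call freed the object, 0 otherwise. */
static int script_object_release(ScriptObject *o) {
    if (o->refcount == 0) abort();      /* over-release is a bug: fail loudly, never underflow */
    if (--o->refcount == 0) { free(o); return 1; }
    return 0;
}

/* Forced deallocation at host teardown: frees regardless of the count and
 * returns how many references were still outstanding. Only legal once no
 * client can still touch the pointer (plugins stopped and destroyed). */
static unsigned script_object_deallocate(ScriptObject *o) {
    unsigned outstanding = o->refcount;
    free(o);
    return outstanding;
}

/* Host hands a retained reference to a plugin, then tears down. Returns the
 * number of references the plugin failed to release (0 for a well-behaved one). */
static unsigned simulate_plugin_session(int plugin_releases) {
    ScriptObject *window = script_object_create("window");   /* host ref: count 1 */
    if (!window) return 0;
    script_object_retain(window);                            /* plugin ref: count 2 */
    if (plugin_releases)
        script_object_release(window);                       /* well-behaved: back to 1 */
    /* Plugin is now stopped. A plain release here would leave the object alive
     * forever if the plugin misbehaved; forced deallocation frees it and tells us. */
    unsigned outstanding = script_object_deallocate(window);
    return outstanding - 1;                                  /* subtract the host's own ref */
}

/* Sanity check of the ordinary path: release frees exactly at zero. */
static int release_frees_at_zero(void) {
    ScriptObject *o = script_object_create("probe");
    if (!o) return 0;
    script_object_retain(o);                     /* count 2 */
    int freed_early = script_object_release(o);  /* count 1: not freed */
    int freed_last = script_object_release(o);   /* count 0: freed */
    return !freed_early && freed_last;
}

int main(void) {
    printf("well-behaved plugin left %u unreleased reference(s)\n", simulate_plugin_session(1));
    printf("misbehaving plugin left %u unreleased reference(s)\n", simulate_plugin_session(0));
    return 0;
}
```

The count returned by `simulate_plugin_session(0)` is the leak the entry describes; logging it at teardown is a cheap way to spot plugins that rely on host-specific workarounds rather than balanced retain/release.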
=== WebCore-417.19 ===

2006-01-18  Timothy Hatcher

        Merged fix from TOT to Safari-2-0-branch

    2006-01-17  Beth Dakin

        Reviewed by Hyatt and Darin

        Fix for REGRESSION: crash at webmail.aol.com when deleting mail in
        khtml::RenderTableCell::collapsedBottomBorder() const + 232

        RenderTableCell::collapsedBottomBorder() gets nextCell by calling
        table()->cellBelow(this).  In the case of the crash, cellBelow() returns a pointer
        to a table cell that was already destroyed.  cellBelow() thinks that the pointer is
        still good because the grid of cells has not been updated because all of this code
        is called through the hitTest and the hitTest does not update the layout.  The fix
        that I have is simply to have the hitTest call updateLayout().  This is the only
        change in behavior.  The rest of the patch preserves behavior for simulated clicks.
        fast/events/stopPropagation-submit caught this problem that arose from calling
        updateLayout() in the hitTest; we should always have an x and y position of 0 for
        simulated clicks.  This preserves that behavior by keeping track of whether a click
        is simulated or not.

        * khtml/html/HTMLInputElementImpl.cpp:
        (DOM::HTMLInputElementImpl::defaultEventHandler): If the click is simulated, set
        xPos and yPos to 0.
        * khtml/html/html_elementimpl.cpp:
        (HTMLElementImpl::setContentEditable): Fix spacing.
        (HTMLElementImpl::click): It isn't necessary to check if there is a renderer.
        * khtml/rendering/render_layer.cpp:
        (khtml::RenderLayer::hitTest): Call updateLayout().
        * khtml/xml/NodeImpl.cpp:
        (WebCore::NodeImpl::dispatchSimulatedMouseEvent): Set isSimulated to true.
        (WebCore::NodeImpl::dispatchMouseEvent): Keep track of isSimulated.
        * khtml/xml/NodeImpl.h: Same.
        * khtml/xml/dom2_eventsimpl.cpp:
        (DOM::MouseRelatedEventImpl::MouseRelatedEventImpl): Add isSimulated to
        MouseRelatedEventImpl().
        (DOM::MouseRelatedEventImpl::computePositions): Only change the offsets if it's not
        simulated.
        (DOM::MouseEventImpl::MouseEventImpl): Add isSimulated to MouseEventImpl()
        * khtml/xml/dom2_eventsimpl.h:
        (DOM::MouseRelatedEventImpl::isSimulated): Declarations of isSimulated
        (DOM::MouseEventImpl::isSimulated): Same.

=== WebCore-417.18.1 ===

2006-01-05  Adele Peterson

        Merged fix from TOT to Safari-2-0-branch

    2005-10-25  Beth Dakin

        Reviewed by Maciej

        Fix for SureSec si#182 safari heap overflow.

        When a table has a really huge rowSpan, Safari used to crash because the malloc of
        the grid for the table failed.  This fix just checks for the success of the malloc.

        * khtml/rendering/render_table.cpp:
        (RenderTableSection::ensureRows): Return false if the grid resize is not successful.
        (RenderTableSection::addCell): Return early if ensureRows() returned false.
        * khtml/rendering/render_table.h: Make ensureRows() return a bool instead of void.

=== WebCore-417.18 ===

2005-12-23  Geoffrey Garen

        - Fixed REGRESSION: Reproducible crash while viewing Opera's "why we're better than
        Safari" site, http://www.howtocreate.co.uk/browserSpeed.html, in
        khtml::RenderBlock::nodeAtPoint

        Fix by Darin, reviewed and landed by me.

        * khtml/rendering/render_container.cpp:
        (RenderContainer::updatePseudoChild): Don't have the parent call removeChild,
        because the child calls parent()->removeChild() on itself in detach().

=== WebCore-417.17 ===

2005-12-21  Adele Peterson

        Reviewed by Tim Hatcher.

        Fix for Seed: Radio buttons behave incorrectly in Gmail settings

        * khtml/html/html_formimpl.cpp:
        (DOM::HTMLFormElementImpl::registerFormElement): If this form element is already
        checked in the default form, remove it from m_selectedRadioButtons and add it for
        the new form.

=== WebCore-417.16 ===

2005-12-20  Adele Peterson

        Reviewed by Darin.

        Fix for REGRESSION:
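The SureSec si#182 fix appears twice in this log: WebCore-417.22 lets malloc return NULL instead of aborting, and WebCore-417.18.1 makes RenderTableSection::ensureRows() report failure so addCell() can return early when a huge rowSpan makes the grid allocation fail. The following is an added example, not WebKit code, showing that pattern end to end in C: a table-section grid whose row-growing helper refuses oversized spans, checks the size arithmetic for overflow, and treats a NULL from realloc as an ordinary failure that leaves the existing grid untouched. It goes slightly beyond the entries by also rejecting the multiplication overflow that precedes a failed or undersized allocation. All names (`TableSection`, `ensure_rows`, `add_cell`, `MAX_ROWS`, the test scenario) are hypothetical.

```c
/* Added example (not WebKit code): allocation-failure-aware grid growth for a
 * table section, in the spirit of the ensureRows()/addCell() change above.
 * All identifiers and the MAX_ROWS cap are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ROWS 65534u   /* constructed cap for this example, not a WebKit value */

typedef struct {
    int *cells;          /* one slot per (row, col); 0 means empty, otherwise a cell id */
    size_t rows, cols;
} TableSection;

/* Grow the grid to hold at least `needed` rows. Returns false, leaving the
 * section unchanged, if the span is absurd, the byte count would overflow,
 * or the allocator returns NULL (which it is now allowed to do). */
static bool ensure_rows(TableSection *s, size_t needed) {
    if (needed <= s->rows) return true;
    if (needed > MAX_ROWS) return false;                      /* refuse huge rowSpans outright */
    if (s->cols != 0 && needed > SIZE_MAX / s->cols) return false;   /* rows * cols wraps */
    size_t slots = needed * s->cols;
    if (slots > SIZE_MAX / sizeof *s->cells) return false;    /* slots * sizeof wraps */
    int *grown = realloc(s->cells, slots * sizeof *s->cells);
    if (!grown) return false;                                 /* NULL: report, never dereference */
    /* Zero only the newly added rows; the old rows are preserved by realloc. */
    memset(grown + s->rows * s->cols, 0, (needed - s->rows) * s->cols * sizeof *grown);
    s->cells = grown;
    s->rows = needed;
    return true;
}

/* Place a cell spanning `row_span` rows at (row, col). Returns false without
 * touching the grid when the rows it needs cannot be allocated. */
static bool add_cell(TableSection *s, size_t row, size_t col, size_t row_span, int id) {
    if (col >= s->cols || row_span == 0) return false;
    if (row_span > SIZE_MAX - row) return false;              /* row + row_span would wrap */
    if (!ensure_rows(s, row + row_span)) return false;        /* early return, as in the fix */
    for (size_t r = row; r < row + row_span; r++)
        s->cells[r * s->cols + col] = id;
    return true;
}

static void section_free(TableSection *s) {
    free(s->cells);
    s->cells = NULL;
    s->rows = 0;
}

/* Constructed scenario: a 3-column section gets one normal cell, then a cell
 * with an absurd rowSpan. Returns 1 if the oversized cell was rejected and the
 * grid (row count and the earlier cell) is intact afterwards, 0 otherwise,
 * -1 if even the normal cell could not be placed. */
static int simulate_huge_rowspan(void) {
    TableSection s = { .cells = NULL, .rows = 0, .cols = 3 };
    if (!add_cell(&s, 0, 0, 2, 1)) return -1;                 /* ordinary two-row cell */
    size_t rows_before = s.rows;
    bool accepted = add_cell(&s, 1, 1, SIZE_MAX / 2, 2);      /* constructed huge rowSpan */
    int ok = !accepted && s.rows == rows_before
             && s.cells[0 * s.cols + 0] == 1 && s.cells[1 * s.cols + 0] == 1;
    section_free(&s);
    return ok;
}

int main(void) {
    printf("huge rowSpan handled safely: %s\n", simulate_huge_rowspan() == 1 ? "yes" : "no");
    return 0;
}
```

The important property is that every failure path returns before any write to `cells`: the old grid stays valid, the caller learns the cell was not placed, and there is no path on which a too-small or missing buffer gets indexed, which is the heap overflow the entries fix.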