ChangeLog

2012-12-13  Lucas Forschler  <>

    Rollout r145656

2013-04-16  Ryosuke Niwa  <>

        Merge r125955.

    2012-08-17  Alice Cheng  <>

            Preserve styling elements in DeleteSelectionCommand

            Reviewed by Ryosuke Niwa.

            Styling elements (<link> and <style>) can appear inside editable content. To 
            prevent accidental deletion, we move styling elements to rootEditableElement in
            DeleteSelectionCommand undoably.

            Test: editing/execCommand/delete-selection-has-style.html

            * editing/DeleteSelectionCommand.cpp:
            (WebCore::DeleteSelectionCommand::makeStylingElementsDirectChildrenOfEditableRootToPreventStyleLoss): Added to preserve styling elements during the command
            (WebCore::DeleteSelectionCommand::handleGeneralDelete):  Modified to preserve styling elements during the command
            * editing/DeleteSelectionCommand.h:

2013-04-16  Lucas Forschler  <>

        Merge r130313

    2012-10-03  Adam Barth  <>

            Crash when calling during unload

            Reviewed by Nate Chapin.

            Calling results in us nulling out m_documentLoader. This
            code doesn't properly handle that case and crashes.

            Test: fast/parser/document-open-in-unload.html

            * loader/FrameLoader.cpp:

2013-04-16  Lucas Forschler  <>

        Merge r147938

    2013-04-08  Alexey Proskuryakov  <>

            <rdar://problem/12834449> Crashes in WebSocketChannel::processFrame when processing a ping

            Reviewed by Brady Eidson.

            No test, I could never reproduce even manually.

            Calling enqueueRawFrame() could change incoming buffer, so a subsequent skipBuffer()
            would operate on wrong assumptions. This happened because enqueueRawFrame() actually
            tried to process the queue, and send failure sometimes clears m_buffer.

            Fixing this by decoupling enqueuing from sending, and making sure that skipBuffer()
            in ping frame processing case is performed at a safe time.

            * Modules/websockets/WebSocketChannel.cpp:

2013-04-16  Andy Estes  <>

        Merged r142631.

    2013-02-12  Dominic Mazzoni  <>

        ASSERTION FAILED: i < size(), UNKNOWN in WebCore::AccessibilityMenuListPopup::didUpdateActiveOption

        Reviewed by Chris Fleizach.

        Send the accessibility childrenChanged notification in
        HTMLSelectElement::setRecalcListItems instead of in childrenChanged
        so that all possible codepaths are caught.

        Test: accessibility/insert-selected-option-into-select-causes-crash.html

        * html/HTMLSelectElement.cpp:

2013-04-15  Andy Estes  <>

        Merged r139444.

    2013-01-11  Stephen Chenney  <>

        Objects can be re-added to the AXObjectCache during removal

        The problem occurs when a label's corresponding element is a sibling
        that precedes it in the render tree, and the corresponding element is
        removed. The corresponding element's AX render object is removed, but
        then recreated when accessibilityIsIgnored() invokes correspondingControl()
        on the label. The corresponding renderer then has an AX render object
        that survives beyond the deleted renderer, leading to invalid memory

        The solution is to rearrange the calls to delete the renderer's AX
        render object only when we are sure it will no longer be required.

        Reviewed by Simon Fraser.

        Test: accessibility/corresponding-control-deleted-crash.html

        * rendering/RenderObject.cpp:
        (WebCore::RenderObject::willBeDestroyed): Move the call to remove the
        renderer from the AXCache to after the renderer is removed from the
        render tree. This means that the AXObject still exists during renderer
        removal, as we require.

2013-04-15  Andy Estes  <>

        Merged r131670.

    2012-10-17  Tom Sepez  <>

        Crash in ContainerNode::removeAllChildren()

        Reviewed by Eric Carlson.

        This patch makes the errorEventSender added in WebKit Revision 112190 interact
        with the updatedHasPendingLoadEvent() mechanism in the same manner as the other
        existing event senders.

        Test: http/tests/security/video-poster-cross-origin-crash2.html

        * loader/ImageLoader.cpp:
        * loader/ImageLoader.h:

2013-04-15  Andy Estes  <>

        Merged r142063.

    2013-02-06  Tom Sepez  <>

        document.referrer leakage with XSS Auditor page block

        Reviewed by Adam Barth.

        Pass "about:blank" as referrer instead of "" so that the actual page
        is not leaked when empty referrers are replaced later on in the

        * html/parser/XSSAuditorDelegate.cpp:

2013-04-15  Andy Estes  <>

        Merged r139111.

    2013-01-08  Tom Sepez  <>

        Copy-paste preserves <embed> tags containing active content.

        Reviewed by Ryosuke Niwa.

        Test: editing/pasteboard/paste-noplugin.html

        * dom/FragmentScriptingPermission.h:
        Add new permission to restrict plugin pasting.  Add inline functions to check
        the implications of each permission rather than having a list of raw comparisons
        sprinkled throughout the code.
        * editing/markup.cpp:
        Revert back to unsafe plugin pasting regardless of caller's intentions when
        the settings allow it.

        * dom/Element.cpp:
        * html/parser/HTMLConstructionSite.cpp:
        * xml/parser/XMLDocumentParserLibxml2.cpp:
        * xml/parser/XMLDocumentParserQt.cpp:
        Use new inline functions to check implications of permissions rather than raw
        * html/parser/HTMLTreeBuilder.cpp:
        Check if plugin pasting is allowed before inserting applet/embed/object elements.

        * page/
        Declaration of new unsafePluginPastingEnabled setting.

        * platform/mac/
        * platform/blackberry/PasteboardBlackBerry.cpp:
        * platform/chromium/DragDataChromium.cpp:
        * platform/chromium/PasteboardChromium.cpp:
        * platform/gtk/PasteboardGtk.cpp:
        * platform/qt/DragDataQt.cpp:
        * platform/qt/PasteboardQt.cpp:
        * platform/win/ClipboardUtilitiesWin.cpp:
        * platform/wx/PasteboardWx.cpp:
        Pass DisallowScriptingAndPluginContent enum value.

2013-04-15  Roger Fong  <>

        Build fix for r148472.

        * rendering/style/RenderStyle.cpp:
        * rendering/style/RenderStyle.h:

2013-04-15  Roger Fong  <>

        Merged r138821.

    2013-01-04  John Mellor  <>

            Clamp font sizes to valid range in RenderStyle::setFontSize

            Reviewed by Emil A Eklund.

            There is a test-case attached to, but I can't
            think of a good way of automatically testing this. Functionality
            shouldn't change on normal pages.

            * rendering/style/RenderStyleConstants.h:
                Add constant for maximum allowed font size.
            * css/StyleResolver.cpp:
                Use constant from RenderStyleConstants.h instead of hardcoding.
            * rendering/style/RenderStyle.cpp:
                Clamp non-finite and out of range font sizes.

2013-04-15  Andy Estes  <>

        Merged r138990.

    2013-01-07  Tom Sepez  <>

        Document::initSecurityContext() gives parent security context to iframes with invalid URLs.

        Reviewed by Adam Barth.

        Change covers the case of an invalid non-empty URL.  We know nothing
        about that kind of URL and choose not to inherit origins.

        * dom/Document.cpp:

2013-04-15  Tim Horton  <>

    Merge r138460.

    2012-12-25  Alexander Pavlov  <>

            Web Inspector: Crash when modifying a rule that has been removed through JavaScript

            Reviewed by Yury Semikhatsky.

            CSSStyleRules should be stored by RefPtr's to avoid using stale pointers to deleted instances.

            Test: inspector/styles/removed-rule-crash.html

            * inspector/InspectorStyleSheet.cpp:
            * inspector/InspectorStyleSheet.h:

2013-04-15  Tim Horton  <>

        Merge r143454.

    2013-02-20  Florin Malita  <>

            Clear SVGPathSeg role on removal.

            Reviewed by Dirk Schulze.

            SVGPathSegListPropertyTearOff::initialize() and SVGPathSegListPropertyTearOff::replaceItem()
            need to clear the context and role for segments being expunged from the list, similarly to
            removeItem(). Otherwise, processIncomingListItemValue() can get confused and attempt to
            remove stale segments.

            Test: svg/dom/SVGPathSegList-crash.html

            * svg/properties/SVGPathSegListPropertyTearOff.cpp:
            * svg/properties/SVGPathSegListPropertyTearOff.h:

2013-04-15  Tim Horton  <>

        Merge r142759.

    2013-02-13  Florin Malita  <>

            [SVG] OOB access in SVGListProperty::replaceItemValues()

            Replacing a list property item with itself should be a no-op. This patch updates the related
            APIs and logic to detect the self-replace case and prevent removal of the item from the list.

            To avoid scanning the list multiple times, removeItemFromList() is updated to operate on
            indices and a findItem() method is added to resolve an item to an index.

            Reviewed by Dirk Schulze.

            No new tests: updated existing tests cover the change.

            * svg/properties/SVGAnimatedListPropertyTearOff.h:
            * svg/properties/SVGAnimatedPathSegListPropertyTearOff.h:
            Add a findItem() delegating method, and update removeItemFromList() to use the new
            index-based API.

            * svg/properties/SVGListProperty.h:
            Updated to handle the no-op case for insertItemBefore() & replaceItem().

            * svg/properties/SVGListPropertyTearOff.h:
            Index-based API updates.

            * svg/properties/SVGPathSegListPropertyTearOff.cpp:
            Detect the self-replace case and return without removing the item from the list.

            * svg/properties/SVGPathSegListPropertyTearOff.h:
            * svg/properties/SVGStaticListPropertyTearOff.h:
            Index-based API updates.

2013-04-15  Timothy Hatcher  <>

        Merge r140127.

    2013-01-18  Yury Semikhatsky  <>

        Web Inspector: make sure InspectorInstrumentationCookie is invalidated if inspected page was destroyed

        Reviewed by Pavel Feldman.

        Made InstrumentingAgents reference counted to make sure it is not deleted while there is
        InspectorInstrumentationCookie with reference to it.

        Introduced InstrumentingAgents::reset that is called from inspector controller destructor
        to double check that references to all deleted agents are cleared.

        InspectorInstrumentationCookie turned from std::pair into a custom class so that
        we can avoid inclusion of InstrumentingAgents.h into InspectorInstrumentation.h

        * inspector/InspectorController.cpp:
        * inspector/InspectorController.h:
        * inspector/InspectorInstrumentation.cpp:
        * inspector/InspectorInstrumentation.h:
        * inspector/InstrumentingAgents.cpp:
        * inspector/InstrumentingAgents.h:
        * inspector/WorkerInspectorController.cpp:
        * inspector/WorkerInspectorController.h:

2013-04-15  Roger Fong  <>

        Merge 133840, 134191, 134197.

    2012-11-12  Ryosuke Niwa  <>

            Build fix after r134191. Turns out that FrameView::performPostLayoutTasks calls FrameSelection::updateAppearance
            in the middle of a layout. So we can't have assertions in recomputeCaretRect and updateAppearance.

            Furthermore, we can't update layout in updateAppearance. So do that in its call sites.
            * editing/FrameSelection.cpp:

    2012-11-09  Ryosuke Niwa  <>

            Multiple Layout Tests (e.g. fast/repaint/japanese-rl-selection-clear.html) is failing after r133840.

            Reviewed by Simon Fraser.

            I overlooked the fact that when the selection is null, we still have to invalidate the caret rect that
            previously existed. Revert the optimization added in r133840 to skip caret invalidation when new
            selection is null, and add a special method to be called by FrameLoader prior to destruction instead.
            This will let us avoid doing an extra layout upon destruction and not regress repaint tests.

            Covered by existing tests.

            * editing/FrameSelection.cpp:
            (WebCore::FrameSelection::setSelection): Added DoNotUpdateAppearance option.
            (WebCore::FrameSelection::prepareForDestruction): Added.
            (WebCore::FrameSelection::updateAppearance): Reverted the flawed optimization added in r133840.
            Also, don't update style before updating selection unless text caret is disabled since we always
            update the layout (including style) when text caret is enabled.
            * editing/FrameSelection.h:
            * loader/FrameLoader.cpp:
            (WebCore::FrameLoader::clear): Call prepareForDestruction instead of clear to avoid a layout.

    2012-11-07  Ryosuke Niwa  <>

            Crash in WebCore::RenderLayer::normalFlowList

            Reviewed by Simon Fraser.

            Make sure the layout is up to date before re-computing the caret rect.
            Avoid doing the layout when the selection is cleared, since we can always
            stop the blink timer in that case.

            Unfortunately, we haven't found any reproduction of this crash yet.

            * editing/FrameSelection.cpp:

2013-04-15  Roger Fong  <>

        Merged r138213.

    2013-01-09  Abhishek Arya  <>

            Mitigate out-of-bounds access in InlineIterator

            Reviewed by Levi Weintraub.

            Share code between InlineIterator::current and InlineIterator::previousInSameNode,
            thereby checking for access outside text renderer's length.

            * rendering/InlineIterator.h:

2012-12-13  Lucas Forschler  <>

    Rollout r

2013-04-15  Roger Fong  <>

        Merge r142816.

    2013-02-13  Abhishek Arya  <>

            ASSERTION FAILED: !object || object->isBox(), Bad cast in RenderBox::computeLogicalHeight

            Reviewed by Levi Weintraub.

            Make sure that body renderer is not an inline-block display
            when determining that it stretches to viewport or when paginated
            content needs base height.

            Test: fast/block/body-inline-block-crash.html

            * rendering/RenderBox.cpp:
            * rendering/RenderBox.h:

2013-04-15  Roger Fong  <>

        Merge r142922.

    2013-02-14  Abhishek Arya  <>

            Bad cast in RenderBlock::splitBlocks.

            Reviewed by Levi Weintraub.

            Test: fast/multicol/remove-child-split-flow-crash.html

            * rendering/RenderBlock.cpp:
            (WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks): rename gIsInColumnFlowSplit to gColumnFlowSplitEnabled
            and use it to decide when to do the column flow split or not.
            (WebCore::RenderBlock::removeChild): Do not allow column flow split inside removeChild
            since we might be merging anonymous blocks.

2013-04-15  Roger Fong  <>

        Merge r138988.

    2013-01-07  Abhishek Arya  <>

            Heap-buffer-overflow in WebCore::RenderBlock::clone.

            Reviewed by Julien Chaffraix.

            Add a global in RenderBlock to prevent recursion inside splitFlow.
            While inside splitFlow (multi-column handling), we move many children
            using fullRemoveInsert=true, causing RenderBlock::addChild to be called
            and recursing in splitFlow. This messes the tree splitting happening in
            RenderBlock::splitBlocks and can cause bad casts.

            Test: fast/multicol/recursive-split-flow-crash.html

            * rendering/RenderBlock.cpp:

2013-04-13  Lucas Forschler  <>

        Merge r136845

    2012-12-06  Stephen Chenney  <>

            SVG <use> element inside an svg-as-image fails

            Reviewed by Eric Seidel.

            Upon redraw, SVGImage calls layout on the document it is drawing into
            the image, provided it believes the redraw does not need to be delayed.
            Unfortunately, when an SVG <use> element is modified (by animation, say)
            and regenerates its shadow tree, the destructors invoke redraw, causing
            the SVGImage to call layout on something that is in the process of being
            deleted. That's bad.

            This change causes SVGImage to always delay the redraw. It is the most robust
            way to protect against this problem, as there may be any number of
            ways to cause this issue (a node being deleted in an svg-as-image
            target) and this protects against them all.

            The test case crashes in Asan Chromium.

            Test: svg/as-image/animated-use-as-image-crash.html

            * svg/graphics/SVGImageCache.cpp:
            (WebCore::SVGImageCache::imageContentChanged): Always redraw on the timer.

2013-04-12  Ryosuke Niwa  <>

        Merge 140893

    2013-01-30  Kentaro Hara  <>

            Remove InjectedScript::wrapSerializedObject()

            Reviewed by Abhishek Arya.

            InjectedScript::wrapSerializedObject() is unused.
            (This is one of steps to remove raw pointers of SerializedScriptValue*,
            which can be a security concern.)

            * inspector/InjectedScript.cpp:
            * inspector/InjectedScript.h:

2013-04-12  Ryosuke Niwa  <>

        Merge 141315

    2013-01-30  Kentaro Hara  <>

            isSameAsCurrentState() should take SerializedScriptValue* instead of PassRefPtr

            Reviewed by Darin Adler.

            Applied Darin's comment:

            No tests. No change in behavior.

            * bindings/js/JSPopStateEventCustom.cpp:
            * bindings/v8/custom/V8PopStateEventCustom.cpp:
            * page/History.cpp:
            * page/History.h:

2013-04-12  Ryosuke Niwa  <>

        Merge 140886

    2013-01-25  Kentaro Hara  <>

            Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() in PopStateEvent

            Reviewed by Abhishek Arya.

            If you use a raw SerializedScriptValue* for serialize()/deserialize(),
            it can potentially cause a use-after-free. This is because serialize()/
            deserialize() can destruct a RefPtr of the SerializedScriptValue*,
            depending on data that is serialized/deserialized. So we should keep a
            RefPtr<SerializedScriptValue*> when we call serialize()/deserialize().
            (See for more details.)

            No tests. This is just a just-in-case fix.

            * dom/PopStateEvent.h:
            * page/History.cpp:
            * page/History.h:

2013-04-12  Ryosuke Niwa  <>

        Merge r140892

    2013-01-25  Kentaro Hara  <>

            Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() in code generators

            Reviewed by Abhishek Arya.

            If you use a raw SerializedScriptValue* for serialize()/deserialize(),
            it can potentially cause a use-after-free. This is because serialize()/
            deserialize() can destruct a RefPtr of the SerializedScriptValue*,
            depending on data that is serialized/deserialized. So we should keep a
            RefPtr<SerializedScriptValue*> when we call serialize()/deserialize().
            (See for more details.)

            No tests. This is just a just-in-case fix.

            * Modules/intents/Intent.h:
            * Modules/intents/IntentRequest.cpp:
            * Modules/intents/IntentRequest.h:
            * Modules/intents/IntentResultCallback.h:
            * bindings/scripts/
            * bindings/scripts/
            * bindings/scripts/test/V8/V8TestSerializedScriptValueInterface.cpp:
            * dom/MessagePortChannel.h:

2013-04-12  Ryosuke Niwa  <>

        Merge r140891

    2013-01-25  Kentaro Hara  <>

            Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() for MessageEvent

            Reviewed by Abhishek Arya.

            If you use a raw SerializedScriptValue* for serialize()/deserialize(),
            it can potentially cause a use-after-free. This is because serialize()/
            deserialize() can destruct a RefPtr of the SerializedScriptValue*,
            depending on data that is serialized/deserialized. So we should keep a
            RefPtr<SerializedScriptValue*> when we call serialize()/deserialize().
            (See for more details.)

            No tests. This is just a just-in-case fix. I couldn't find any bug
            even in an ASAN build.

            * bindings/js/JSMessageEventCustom.cpp:
            * bindings/v8/custom/V8MessageEventCustom.cpp:
            * dom/MessageEvent.h:

2013-04-12  Ryosuke Niwa  <>

        Merge r140748.

    2013-01-24  Kentaro Hara  <>

            Regression(r107058): Use-after-free in SerializedScriptValue::deserialize

            Reviewed by Abhishek Arya.

            Imagine the following call path:

            (1) history.state is accessed.
            (2) V8History::stateAccessorGetter() calls History::state(), which calls
            (3) HistoryItem holds m_stateObject as RefPtr<SerializedScriptValue>,
            but HistoryItem::stateObject() returns SerializedScriptValue*.
            (4) V8History::stateAccessorGetter calls SerializedScriptValue::deserialize()
            for the SerializedScriptValue* obtained in (3).
            (5) SerializedScriptValue::deserialize() can call history.replaceState()
            in its deserialization process (See the test case in the Chromium bug).
            (6) history.replaceState() replaces HistoryItem::m_stateObject.
            This replacement destructs the original HistoryItem::m_stateObject.
            (7) The current deserialization process can crash due to the premature destruction.

            To avoid the problem, we have to pass PassRefPtr<SerializedScriptValue> around
            instead of SerializedScriptValue*.

            Test: fast/history/replacestate-nocrash.html

            * bindings/v8/custom/V8HistoryCustom.cpp:
            * history/HistoryItem.h:
            * loader/FrameLoader.cpp:
            * loader/FrameLoader.h:
            * page/History.cpp:
            * page/History.h:
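
The ownership rule behind the four SerializedScriptValue entries above (the three "Keep a RefPtr" merges and the r140748 regression fix) can be shown in a small self-contained C++ model. This is an added illustration, not WebKit code: StateObject, StatePtr, HistoryItem, deserialize() and the script hook are toy stand-ins for SerializedScriptValue, RefPtr, HistoryItem::m_stateObject, SerializedScriptValue::deserialize() and a script-visible callback that calls history.replaceState(). So that the bug is observable without a sanitizer, an object whose count reaches zero is only marked destroyed rather than freed; the unsafe path below returns true because the read in deserialize() lands on such an object, while the fixed path, which holds a reference across the call, does not.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Toy stand-in for SerializedScriptValue (assumption: not WebKit's class).
// Objects live in an arena and are only *marked* destroyed when their count
// reaches zero, so a stale pointer can be inspected instead of dereferencing
// freed memory; in the real code the read in deserialize() is a genuine UAF.
struct StateObject {
    explicit StateObject(std::string s) : data(std::move(s)) {}
    std::string data;
    int refCount = 0;
    bool destroyed = false;
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) destroyed = true; }
};

static std::vector<std::unique_ptr<StateObject>>& arena() {
    static std::vector<std::unique_ptr<StateObject>> objects;
    return objects;
}

// Toy RefPtr: holds one reference for exactly as long as it is alive.
class StatePtr {
public:
    StatePtr() = default;
    explicit StatePtr(StateObject* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    StatePtr(const StatePtr& other) : m_ptr(other.m_ptr) { if (m_ptr) m_ptr->ref(); }
    StatePtr& operator=(StatePtr other) { std::swap(m_ptr, other.m_ptr); return *this; }
    ~StatePtr() { if (m_ptr) m_ptr->deref(); }
    StateObject* get() const { return m_ptr; }
    static StatePtr create(std::string s) {
        arena().push_back(std::unique_ptr<StateObject>(new StateObject(std::move(s))));
        return StatePtr(arena().back().get());
    }
private:
    StateObject* m_ptr = nullptr;
};

// Toy HistoryItem: owns the current state object, like HistoryItem::m_stateObject.
struct HistoryItem {
    StatePtr state;
    // What HistoryItem::stateObject() returned before the fix: a raw pointer, no ownership.
    StateObject* rawStateObject() const { return state.get(); }
    // What the fix hands out instead: a reference the caller keeps for the whole call.
    StatePtr protectedStateObject() const { return state; }
    // history.replaceState(): drops the old object, possibly its last reference.
    void replaceState(std::string s) { state = StatePtr::create(std::move(s)); }
};

// Toy deserialize(): deserialization can run script (scriptHook) part-way
// through and afterwards keeps reading the value it was handed. Returns true
// if that read touched an already-destroyed object.
static bool deserialize(StateObject* value, const std::function<void()>& scriptHook) {
    scriptHook();
    return value->destroyed;
}

// Before the fix: a raw pointer is held across a call that can run script,
// and the script replaces the history state, destroying the pointee.
bool unsafeReadTouchesDestroyedState() {
    HistoryItem item;
    item.replaceState("initial");
    StateObject* raw = item.rawStateObject();
    return deserialize(raw, [&item] { item.replaceState("replaced"); });
}

// After the fix: a RefPtr taken before the call keeps the object alive until
// deserialize() returns, whatever the script does to the HistoryItem.
bool safeReadTouchesDestroyedState() {
    HistoryItem item;
    item.replaceState("initial");
    StatePtr protect = item.protectedStateObject();
    return deserialize(protect.get(), [&item] { item.replaceState("replaced"); });
}

int main() {
    return (unsafeReadTouchesDestroyedState() && !safeReadTouchesDestroyedState()) ? 0 : 1;
}
```

The point generalises beyond history.state: any raw pointer to a ref-counted object that is held across a call able to run arbitrary script (deserialization, event dispatch, layout callbacks) needs a local RefPtr, or a PassRefPtr parameter as the WebKit fix uses, for the duration of that call.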

2013-04-12  Lucas Forschler  <>

        Merge r129814

    2012-09-27  Levi Weintraub  <>

            REGRESSION(r129186): Pressing enter at the end of a line deletes the line

            Reviewed by Ryosuke Niwa.

            r129186 exposed incorrect behavior in RenderText whereby RenderText's lines were
            dirtied but the renderer wasn't marked for layout. Rich text editing in GMail exposed
            this behavior. RenderText::setTextWithOffset is called with a text string identical
            to the current text. It still dirties lines, then calls setText, which has a check
            for the case when the strings are the same and returns early and doesn't mark us as
            needing layout.

            This change adds the same early bailing logic in setText to setTextWithOffset, but
            forces setText to work its magic whenever we dirty lines there (and avoid double-
            checking that the strings are equal).

            * rendering/RenderText.cpp:

2013-04-12  Roger Fong  <>

        Merge r143565.

    2013-02-20  Wei James  <>

            ChannelMergerNode may need check for deferred updating of output channels

            There can in rare cases be a slight delay before the output bus is updated
            to the new number of channels because of tryLocks() in the context's
            updating system. So we need to check the channel number before processing.

            Reviewed by Chris Rogers.

            * Modules/webaudio/ChannelMergerNode.cpp:
            * Modules/webaudio/ChannelMergerNode.h:

2013-04-12  Tim Horton  <> 

        Merge r132856

    2012-10-25  Stephen Chenney  <>

            feImage should not be allowed to self reference

            Reviewed by Eric Seidel.

            Add cycle detection for SVG filter application, and also fix a problem
            with graphics context restore when filters are applied. This also
            converts the flags in FilterData to a state tracking system, as the
            number of flags was getting messy and only one flag is valid at any given time.

            Test: svg/filters/feImage-self-and-other-referencing.html

            * rendering/svg/RenderSVGResourceFilter.cpp: Convert to new FilterData
            state management and enable cycle detection.
            (WebCore::RenderSVGResourceFilter::removeClientFromCache): Change isBuilt and markedForRemoval flags to state enums.
            (WebCore::RenderSVGResourceFilter::applyResource): Change flags to state enums and detect cycles.
            (WebCore::RenderSVGResourceFilter::postApplyResource): Change flags to state and add handling
            for the various states.
            (WebCore::RenderSVGResourceFilter::primitiveAttributeChanged): Change isBuilt flag to state enums.
            * rendering/svg/RenderSVGResourceFilter.h:
            (FilterData): Convert to a state tracking system.
            * rendering/svg/RenderSVGRoot.cpp:
            (WebCore::RenderSVGRoot::paintReplaced): Add a block around the
            SVGRenderingContext so that it applies the filter and reverts the
            context before the calling method restores the context.

2013-04-12  Tim Horton  <> 

        Merge r131488

    2012-10-16  Stephen Chenney  <>

            An feImage that tries to render itself should be stopped

            Reviewed by Eric Seidel.

            An SVG feImage filter element will accept, as the src to render, an
            SVG document that makes use of the feImage itself. This causes the
            feImage to try to draw itself while already in the process of drawing
            itself. Various problems arise from this. The invariant we wish to
            maintain is that no element in the src tree of an feImage element
            refers to that feImage.

            This patch adds a flag to all FilterData objects that tracks whether or
            not the filter is currently applying itself, and avoids applying the
            filter recursively.

            While it may seem better to catch this problem when the src is set, or
            when the filter is built, that turns out to be challenging and
            inefficient. Say we choose to test when the src attribute is set. To
            do so would require looking through all of the DOM nodes that will be
            rendered for the src, finding all resources used, and checking if any
            of them make use of the feImage element that we are setting the source
            for. The infrastructure is not in place to do that, and it would
            involve walking a potentially very large portion of the DOM in order
            to detect a very rare situation. Note that it is not enough just to
            walk the DOM directly under the src; we also need to recursively follow any
            resource links to see if they use the feImage (e.g. patterns or
            masks or use or ...).

            If we instead try to use the renderer node to find self referencing,
            we need to recursively walk a potentially very large render tree,
            tracing all resources in search of the feImage. This would need to be
            done every time the filter is built, which is again a significant
            overhead for a situation that is very unlikely to occur. And we do not
            have methods that make it easy to find feImage filter effect nodes; they are
            hidden behind filter resource nodes.

            Hence the runtime check to catch the problem. The check must be in
            FilterData and RenderSVGResourceFilter code because we must prevent
            the destruction of the feImage when we encounter it recursively.

            This patch also renames FilterData::builded to FilterData::isBuilt.

            Test: svg/filters/feImage-self-referencing.html

            * rendering/svg/RenderSVGResourceFilter.cpp:
            (WebCore::ApplyingFilterEffectGuard): Guard to ensure that, in the future, we always
            clear the isApplying flag even if the postApplyResource method returns early.
            (WebCore::RenderSVGResourceFilter::applyResource): Do not apply a resource that is already applying and
            rename builded to isBuilt.
            (WebCore::RenderSVGResourceFilter::postApplyResource): Mark a resource as applying and clear after
            it is done. Abort if a resource is already applying when the method begins. Rename builded to isBuilt.
            (WebCore::RenderSVGResourceFilter::primitiveAttributeChanged): Rename builded to isBuilt.
            * rendering/svg/RenderSVGResourceFilter.h:
            (FilterData): Add isApplying and rename builded to isBuilt.
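
The runtime guard described in the two feImage entries above (r131488's isApplying flag and ApplyingFilterEffectGuard, later folded into r132856's state tracking) is a pattern worth seeing in isolation: an RAII object marks a resource as applying on entry and clears it on every exit path, and the apply routine bails out when it finds the mark already set. The block below is an added example, not WebKit's RenderSVGResourceFilter; FilterData, ApplyingFilterEffectGuard, applyResource() and the paint callback are toy stand-ins, and the self-referencing feImage is modelled as a paint step that re-enters applyResource() for the same filter. It also covers a case the entries only imply: a two-filter cycle (A's source uses B, B's source uses A) is broken the same way.

```cpp
#include <functional>

// Toy per-filter state (assumption: not WebKit's FilterData). isApplying is
// the recursion mark; isBuilt lets us exercise an early return inside the guard.
struct FilterData {
    bool isBuilt = true;
    bool isApplying = false;
    int appliedCount = 0;   // times the filter was actually applied
    int refusedCount = 0;   // nested applications refused as cycles
};

// RAII guard: sets isApplying for the duration of one application and clears
// it when the scope ends, on normal return, early return or exception alike.
class ApplyingFilterEffectGuard {
public:
    explicit ApplyingFilterEffectGuard(FilterData& data) : m_data(data) { m_data.isApplying = true; }
    ~ApplyingFilterEffectGuard() { m_data.isApplying = false; }
    ApplyingFilterEffectGuard(const ApplyingFilterEffectGuard&) = delete;
    ApplyingFilterEffectGuard& operator=(const ApplyingFilterEffectGuard&) = delete;
private:
    FilterData& m_data;
};

using PaintSource = std::function<void(FilterData&)>;

// Apply a filter: paint its source content, which for feImage may itself need
// this very filter. Returns true if the filter was applied, false if skipped.
bool applyResource(FilterData& data, const PaintSource& paintSource) {
    if (data.isApplying) {
        // Already inside this filter: a cycle. Bail out instead of recursing
        // (the real fix must also keep the FilterData alive at this point).
        ++data.refusedCount;
        return false;
    }
    ApplyingFilterEffectGuard guard(data);
    if (!data.isBuilt)
        return false;   // early return: the guard still clears isApplying
    ++data.appliedCount;
    paintSource(data);
    return true;
}

// Scenario 1: an feImage whose source tree refers back to its own filter.
// Expect one real application, one refused re-entry, and a clear mark afterwards.
FilterData applySelfReferencingFilter() {
    FilterData data;
    PaintSource paint;
    paint = [&paint](FilterData& d) { applyResource(d, paint); };
    applyResource(data, paint);
    return data;
}

// Scenario 2: filter A's source uses filter B, whose source uses A again.
// Returns the number of applications that actually ran: each filter once.
int applyMutuallyReferencingFilters() {
    FilterData a, b;
    PaintSource paintA, paintB;
    paintA = [&](FilterData&) { applyResource(b, paintB); };
    paintB = [&](FilterData&) { applyResource(a, paintA); };
    applyResource(a, paintA);
    return a.appliedCount + b.appliedCount;
}

// Scenario 3: an early return inside the guarded region leaves no stale mark,
// so the filter can still be applied later once it is built.
bool earlyReturnClearsIsApplying() {
    FilterData data;
    data.isBuilt = false;
    bool applied = applyResource(data, [](FilterData&) {});
    return !applied && !data.isApplying;
}

int main() {
    FilterData self = applySelfReferencingFilter();
    bool ok = self.appliedCount == 1 && self.refusedCount == 1 && !self.isApplying
           && applyMutuallyReferencingFilters() == 2 && earlyReturnClearsIsApplying();
    return ok ? 0 : 1;
}
```

The guard is what makes the check trustworthy: a plain flag set and cleared by hand would stay set after any early return, and every later application of that filter would then be refused.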

2013-04-12  Ryosuke Niwa  <>

        Merge 130717.

    2012-10-08  Yoshifumi Inoue  <>

            HTMLSelectElement::typeAheadFind depends on implementation dependent behavior

            Reviewed by Kent Tamura.

            This patch gets rid of C/C++ implementation dependent behavior from
            HTMLSelectElement::typeAheadFind() which does modulo operation with
            a negative operand.

            HTMLSelectElement::typeAheadFind() contains an expression with the modulo
            operator whose dividend can be -1 when the "select" element has no
            "option" element but has an "optgroup" element.

            Test: fast/forms/select/select-typeahead-crash.html

            * html/HTMLSelectElement.cpp:
            (WebCore::HTMLSelectElement::typeAheadFind): Changed to do the modulo
            operation with both operands non-negative.

2013-04-12  Ryosuke Niwa  <>

        Merge 136619.

    2012-12-04  Abhishek Arya  <>

            Crash in WebCore::ApplyStyleCommand::pushDownInlineStyleAroundNode

            Reviewed by Ryosuke Niwa.

            |current| is weak node pointer that iterates in the hierarchy chain
            between |highestAncestor| and |targetNode|. Script executed as part
            of iframe onload event can blow away the nodes and we no longer have
            |targetNode| in our descendants chain. So, we RefPtr |current| and bail
            out when |targetNode| stops being a part of descendant chain.

            Test blocked on

            * editing/ApplyStyleCommand.cpp:

2013-04-12  Ryosuke Niwa  <>

        Merge 117463.

    2012-05-17  Caio Marcelo de Oliveira Filho  <>

            [Qt] REGRESSION(101967): It made editing/style/iframe-onload-crash-mac.html timeout

            Reviewed by Ryosuke Niwa.

            Timeout was caused by an infinite loop in the outer loop of
            pushDownInlineStyleAroundNode(). The outer loop variable 'current' should point at the
            node containing 'targetNode'. The inner loop traverses the children of 'current'
            and discovers the child that contains 'targetNode'.

            However, before the inner loop, we call removeInlineStyleFromElement() that can
            potentially remove the 'current' node from the tree, moving its children to
            'current' former parent. For that reason 'child' and 'lastChild' are collected
            before this call.

            The tricky part is that changing the 'current' children parent, we might trigger
            further side-effects, that can remove either 'child' or 'lastChild' from the tree
            too. The infinite loop was due to 'child' being off the document, so its
            nextSibling() is 0, and we go another run of outer loop without changing
            'current' because the 'targetNode' wasn't in the first child that inner loop
            couldn't reach.

            When testing Qt on Mac, there was also a crash in RenderTextControl when the font
            family was empty, this patch fixes it as well.

            * editing/ApplyStyleCommand.cpp:
            (WebCore::ApplyStyleCommand::pushDownInlineStyleAroundNode): Use NodeVector
            instead of relying on first/last child being valid after
            removeInlineStyleFromElement() is called. Skip the child if it has no parent,
            this is an indication that it was removed from the tree.

            * rendering/RenderTextControl.cpp:
            (WebCore::RenderTextControl::hasValidAvgCharWidth): Empty AtomicStrings aren't
            supported by HashSet, so we have to early return in this case.

2013-04-12  Lucas Forschler  <>

        Merge r138654

    2013-01-02  Douglas Stockwell  <>

            Crash in WebCore::InlineBox::deleteLine

            Reviewed by Eric Seidel.

            When we ran off the end of the line while looking for line breaks in an
            inline with white-space:nowrap nested in a block with white-space:pre
            it was possible for the line break to be set at or before the current
            position -- this could result in duplications in the render tree or
            infinite looping.

            This patch changes the "fixup" logic that runs after we have finished
            iterating through elements and text and have potentially found a break
            point. In the case of a block setting white-space:pre we would back up
            a character in some cases. Not doing so could leave whitespace that
            should have been collapsed at the end of an inline.

            For example in '<span style="white-space:nowrap">x_</span>_y' if a
            break was inserted before 'y' the space after 'x' would still be
            rendered (rather than be collapsed with the break).

            To avoid this problem we will not take the opportunity to break until
            we have finished collapsing whitespace.

            Tests: fast/text/whitespace/inline-whitespace-wrapping-1.html

            * rendering/RenderBlockLineLayout.cpp:
            (WebCore::RenderBlock::LineBreaker::nextLineBreak): Collapse
            whitespace before breaking. Avoid setting the break before the current

2013-04-11  Lucas Forschler  <>

        Merge r136554

    2012-12-04  Julien Chaffraix  <>

            Heap-use-after-free in WebCore::RenderLayer::paintList [MathML]

            Reviewed by Eric Seidel.

            Test: mathml/mfenced-root-layer.html

            * rendering/RenderLayer.cpp:
            Fixed this function to ensure that it always returns a stacking context, the bug
            was that the document element's layer wasn't guaranteed to be a stacking context.

2013-04-10  Lucas Forschler  <>

        Merge r136250

    2012-11-30  Florin Malita  <>

            SVG pattern data deleted while in use

            Reviewed by Dirk Schulze.

            Various calls in RenderSVGResourcePattern::applyResource() can trigger invalidations,
            which may end up deleting our current pattern data (via removeAllClientsFromCache).
            To avoid this, we should add the pattern data to the cache only after it is fully built.
            For clarity, the patch also refactors the pattern setup code into a separate method.

            Test: svg/custom/large-image-pattern-crash.html

            * rendering/svg/RenderSVGResourcePattern.cpp:
            * rendering/svg/RenderSVGResourcePattern.h:

2013-03-15  Lucas Forschler  <>

        Merge r136062

    2012-11-28  Abhishek Arya  <>

            Heap-use-after-free in WebCore::EventHandler::handleMousePressEvent

            Reviewed by Adam Barth.

            |subframe| can be blown away inside passMousePressEventToSubframe
            call. Use RefPtr to protect it in handleMousePressEvent function.
            We use similar approach in handleMouseMoveEvent function.

            No new tests. Test is extremely time dependent and needs to trigger
            interaction gesture. Reproduced on ClusterFuzz.

            * page/EventHandler.cpp:

2013-03-15  Lucas Forschler  <>

        Merge r132970

    2012-10-30  Chris Evans  <>

            Improve performance of MaskPtr.

            Reviewed by Eric Seidel.

            Calculate the mask once, and store it as a fast-access member variable.
            Also avoid unnecessary integer width expansion in index calculation.
            Parser/tiny-innerHTML.html has a high stddev.
            Best result I've seen pre-patch is 5.70 runs/s.
            Best result I've seen post-patch is 5.72 runs/s, but this is not statistically significant.
            MaskPtr is still showing as ~2% in the profile, so we're not sure we trust the profile symbolization at this time.
            MaskPtr is now reduced to a single inline instruction (was: 4) so this seems like a strict improvement worth landing.

            * rendering/RenderArena.cpp:
            (MaskPtr): Use a passed-in mask for the mask operation.
            (WebCore::RenderArena::RenderArena): Calculate the mask and store it.
            (WebCore::RenderArena::free): Use stored mask and avoid unnecessary casts.
            * rendering/RenderArena.h:
            (RenderArena): Store the freelist mask as a member variable.

2013-03-15  Lucas Forschler  <>

        Merge r132724

    2012-10-26  Philip Rogers  <>

            Prevent NaN offset values in ElementTimeControl.

            Reviewed by Abhishek Arya.

            NaN values can cause ElementTimeControl to go back in time!
            If a value of NaN is passed to ElementTimeControl::beginElementAt(offset),
            subsequent sorting will cause an assert in SVGSMILElement::findInstanceTime
            because NaN values are not properly sorted. NaN SMILTime values
            should not be allowed at all, so this patch adds a check for them in
            ElementTimeControl's setters.

            This patch also adds preventative asserts to catch if SMILTime is ever
            initialized with NaN, or if addEndTime/addBeginTime are ever called
            with NaN values.

            Test: svg/custom/elementTimeControl-nan-crash.html

            * svg/SVGAnimationElement.cpp:
            * svg/animation/SMILTime.h:
            * svg/animation/SVGSMILElement.cpp:
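
What a NaN does to a sorted instance-time list, and where the check has to sit. This is an added example, not WebKit's code: InstanceTimeList is a hypothetical stand-in for the sorted begin/end times kept by SVGSMILElement, with plain doubles for SMILTime and a constructed "current time" of 10.0.

```cpp
#include <algorithm>
#include <cassert>
#include <cmath>
#include <vector>

// Hypothetical stand-in for the sorted instance-time lists kept by SVGSMILElement.
class InstanceTimeList {
public:
    // Pre-patch shape: nothing stops a NaN from reaching the sorted list.
    void addTimeUnchecked(double t) {
        auto pos = std::upper_bound(m_times.begin(), m_times.end(), t);
        m_times.insert(pos, t);
    }

    // Patched shape of ElementTimeControl::beginElementAt(offset): NaN is
    // rejected in the setter. Returns false and leaves the list untouched.
    bool beginElementAt(double offset) {
        if (std::isnan(offset))
            return false;
        addTime(m_elapsed + offset);
        return true;
    }

    // Analogue of findInstanceTime(): first time >= minimum via binary search,
    // or -1.0 when there is none (all times in this example are non-negative).
    double firstTimeAtOrAfter(double minimum) const {
        auto it = std::lower_bound(m_times.begin(), m_times.end(), minimum);
        return it == m_times.end() ? -1.0 : *it;
    }

    bool looksSorted() const { return std::is_sorted(m_times.begin(), m_times.end()); }
    const std::vector<double>& times() const { return m_times; }

private:
    // Lower-level add carrying the preventative assert the patch describes for
    // addBeginTime/addEndTime.
    void addTime(double t) {
        assert(!std::isnan(t));
        addTimeUnchecked(t);
    }
    double m_elapsed = 10.0;      // constructed "current document time"
    std::vector<double> m_times;
};

// Pre-patch scenario. Every comparison involving NaN is false, so upper_bound
// appends NaN after 2.0 and then appends 3.0 after the NaN (3.0 < NaN is false).
InstanceTimeList corruptedList() {
    InstanceTimeList list;
    list.addTimeUnchecked(1.0);
    list.addTimeUnchecked(2.0);
    list.addTimeUnchecked(NAN);
    list.addTimeUnchecked(3.0);
    return list; // order is {1.0, 2.0, NaN, 3.0}
}

// What the binary search hands back for "next time at or after 3.0" on the
// corrupted list: the NaN entry rather than 3.0, so the timeline goes backwards.
double lookupOnCorruptedList() {
    return corruptedList().firstTimeAtOrAfter(3.0);
}

// The same list still passes std::is_sorted (NaN never compares "less"), so a
// sortedness check after the fact would not catch it; the value has to be
// refused where it enters.
bool corruptedListLooksSorted() {
    return corruptedList().looksSorted();
}

// Patched behaviour: NaN is refused at the setter, a valid offset still works.
bool patchedRejectsNaN() {
    InstanceTimeList list;
    bool nanAccepted = list.beginElementAt(NAN);
    bool valueAccepted = list.beginElementAt(1.5);
    return !nanAccepted && valueAccepted
        && list.times().size() == 1 && list.firstTimeAtOrAfter(0.0) == 11.5;
}
```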

2013-03-15  Lucas Forschler  <>

        Merge r132511

    2012-10-25  Tom Sepez  <>

            XSSAuditor must replace form action with about:blank when reflected action detected.

            Reviewed by Daniel Bates.

            Changes empty string form-action replacement to about:blank.
            Existing form-action.html test modified to check this case.

            * html/parser/XSSAuditor.cpp:

2013-03-15  Lucas Forschler  <>

        Merge r132287

    2012-10-23  Nate Chapin  <>

            Crash in WebCore::SubresourceLoader::willSendRequest.

            Reviewed by Abhishek Arya.

            No new tests. There is a test case that should cover this, but it doesn't
            work correctly on many platforms due to its use of testRunner.addURLToRedirect().
            See http/tests/loading/cross-origin-XHR-willLoadRequest.html.
            Tested manually on

            * loader/SubresourceLoader.cpp:

2013-03-15  Lucas Forschler  <>

        Merge r131709

    2012-10-18  MORITA Hajime  <>

            Assertion failure at TreeScopeAdopter::moveNodeToNewDocument()

            Reviewed by Kent Tamura.

            Shadow DOM notification call didn't have checks for mutation detection.
            This change adds such checks.

            Test: fast/forms/textarea/textarea-autofocus-removal-while-focusing-with-style.html

            * dom/ContainerNodeAlgorithms.cpp:

2013-03-15  Lucas Forschler  <>

        Merge r130999

    2012-10-10  Stephen Chenney  <>

            SVGTextRunRenderingContext changes font data in the glyph page, but it shouldn't

            Reviewed by Eric Seidel.

            The code in SVGTextRunRenderingContext::glyphDataForCharacter, when it
            encounters an <altglyph> tag, immediately replaces the font data for a
            glyph with font data for the primary font, presumably to meet the SVG
            spec requirement: "If the references to alternate glyphs do not result
            in successful identification of alternate glyphs to use, then the
            character(s) that are inside of the ‘altGlyph’ element are rendered as
            if the ‘altGlyph’ element were a ‘tspan’ element instead."

            If the alt glyph is not then found we are in the case from the spec
            and indeed we should use the primary font. However, we end up replacing the GlyphPage
            entry for the character with primary font data, which we should not do
            because the glyph page might be used in some place that does not have
            the alt glyph tag.

            Furthermore, this causes object lifetime problems for font data, because
            in cases where the font data that is replaced is for the system fallback
            font the GlyphPage will live forever with no knowledge that it contains
            font data pointers into font data other than the system fallback. The
            replaced font data may be deleted while the pointer lives on in the
            system fallback page.

            The fix is simply not to replace the font data in the page.

            Test: svg/text/alt-glpyh-on-fallback-font-crash.html

            * rendering/svg/SVGTextRunRenderingContext.cpp:
            (WebCore::SVGTextRunRenderingContext::glyphDataForCharacter): Keep track of the original font data and put it back
            in the glyph page when the method has finished.

2013-03-12  Lucas Forschler  <>

        Merge r142657

    2013-02-12  Levi Weintraub  <>

            ASSERTION FAILED: !object || object->isBox(), UNKNOWN in WebCore::RenderListItem::positionListMarker

            Reviewed by Abhishek Arya.

            RenderListItems performs special management of its children to maintain list markers. Splitting a flow
            through a list item results in assumptions made inside RenderListItem failing, so for now, avoid splitting
            flows when inside one.

            Test: fast/multicol/span/list-multi-column-crash.html

            * rendering/RenderBlock.cpp:

2013-03-12  Lucas Forschler  <>

        Merge r140558

    2013-01-17  Roger Fong  <>

            [Win] Remove dependence on Microsoft Embedded OpenType Font Engine (T2EMBED.DLL)  from FontCustomPlatformData.cpp.

            Reviewed by Dan Bernstein.

            * platform/graphics/win/FontCustomPlatformData.cpp:

2013-03-12  Lucas Forschler  <>

        Merge r142539

    2013-02-11  Emil A Eklund  <>

            Change RenderFrameSet::paint to use m_rows/m_cols directly.

            Reviewed by Eric Seidel.

            Test: fast/frames/invalid-frameset.html

            * rendering/RenderFrameSet.cpp:

2013-03-12  Lucas Forschler  <>

        Merge r142365

    2013-02-09  Philip Rogers  <>

            Sanitize m_keyTimes for paced value animations

            Reviewed by Dirk Schulze.

            SVG animations with calcMode=paced calculate new m_keyTimes in
            SVGAnimationElement::calculateKeyTimesForCalcModePaced() because paced animations do not
            specify keyTimes. If an error occurs while calculating m_keyTimes, and there exists
            user-specified values, a crash could occur because the user-specified values were not

            This change clears user-specified keyTimes before calculating new ones.

            Test: svg/animations/animate-keytimes-crash.html

            * svg/SVGAnimationElement.cpp:

2013-03-12  Lucas Forschler  <>

        Merge r142358

    2013-02-09  Kent Tamura  <>

            Fix crash by img[ismap] with content property

            Reviewed by Adam Barth.

            Test: fast/dom/HTMLAnchorElement/anchor-ismap-crash.html

            * html/HTMLAnchorElement.cpp:
            Check if the renderer of an img element is RenderImage.

2013-03-12  Lucas Forschler  <>

        Merge r141858

    2013-02-04  Kent Tamura  <>

            Fix crash by <select> type change on focus

            Reviewed by Abhishek Arya.

            Test: fast/forms/select/select-change-type-on-focus.html

            * html/HTMLSelectElement.cpp:
            focus() calls may change the renderer type.

2013-03-12  Lucas Forschler  <>

        Merge r141851

    2013-02-04  Wei James  <>

            Heap-buffer-overflow in WebCore::AudioBufferSourceNode::process

            After calling setBuffer() with a buffer having a different number of
            channels, there can in rare cases be a slight delay before the output
            bus is updated to the new number of channels because of use of
            tryLocks() in the context's updating system.
            In this case, if the buffer has just been changed and we're
            not quite ready yet then just output silence.

            Reviewed by Chris Rogers.

            * Modules/webaudio/AudioBufferSourceNode.cpp:

2013-03-12  Lucas Forschler  <>

        Merge r140879

    2013-01-25  Raymond Toy  <>

            Don't subtract too much from nonSilentFramesToProcess

            Reviewed by Kenneth Russell.

            No new tests.

            * Modules/webaudio/AudioScheduledSourceNode.cpp:

2013-03-12  Lucas Forschler  <>

        Merge r140520

    2013-01-23  Hajime Morrita  <>

            Invalidated SVG shadow tree should be always detached.

            Reviewed by Ryosuke Niwa.

            SVGUseElement::clearResourceReferences() uses removeAllChildren() for
            clearing its shadow DOM, but this is wrong.
            removeAllChildren() is designed for removing children of an out-of-document Node.
            For efficiency, it skips a series of cleanup sequences like detach().

            For removing SVG shadow tree which is in Document, removeChildren() should be used.
            It does proper cleanup for the children.

            Test: svg/custom/use-invalidate-click-crash.xhtml

            * svg/SVGUseElement.cpp:

2013-03-12  Lucas Forschler  <>

        Merge r140101

    2013-01-17  Rafael Weinstein  <>

            Ensure the parser adopts foster-parented children into the document of their parent.

            Reviewed by Adam Barth.

            Tests: fast/parser/foster-parent-adopted.html

            * html/parser/HTMLConstructionSite.cpp:

2013-03-12  Lucas Forschler  <>

        Merge r140069

    2013-01-17  Abhishek Arya  <>

            Heap-use-after-free in WebCore::RenderBlock::checkFloatsInCleanLine

            Reviewed by Julien Chaffraix.

            Test: fast/multicol/float-not-removed-crash.html

            * rendering/RenderBoxModelObject.cpp:
            1. When fullRemoveInsert is True, make sure to clear the
            floating objects from our list (similar to positioned objects).
            Our children are getting moved to another block and we won't
            get notified when they are going away.
            2. Remove the redundant hasPositionedObjects check since it
            is already done inside removePositionedObjects.

2013-03-12  Lucas Forschler  <>

        Merge r139788

    2013-01-15  Elliott Sprehn  <>

            Heap-use-after-free in WebCore::RenderObject::willBeRemovedFromTree

            Reviewed by Abhishek Arya.

            Always walk up from beforeChild until the parent() is the owner of the
            child list, otherwise we can end up in situations where
            newChild->parent() == owner but newChild->nextSibling()->parent() != owner
            which is a recipe for security bugs. Previously we only walked up through
            anonymous blocks, but missed anonymous inline blocks like those generated
            by <ruby>.

            Test: fast/css-generated-content/bug-106384.html

            * rendering/RenderObjectChildList.cpp:

2013-03-12  Lucas Forschler  <>

        Merge r139551

    2013-01-12  Gavin Peters  <>

            Regression(r119759): Heap-use-after-free in webkit_glue::WebURLLoaderImpl::Context::OnReceivedResponse

            A subresource could receive a body on a 404 if its call to CachedResource::error() resulted in a nested message loop.
            That caused a crash when data was received, as the Subresource was in the Finished state already. Now when receiving
            data we ignore these bodies, avoiding the crash.

            Reviewed by Nate Chapin.

            No new tests in WebKit, since it required a nested message loop which isn't present in chromium DumpRenderTree.
            There's a Chrome side browser test, see

            * loader/SubresourceLoader.cpp:

2013-03-12  Lucas Forschler  <>

        Merge r139457

    2013-01-11  Florin Malita  <>

            [SVG] Suppress resource rebuilding for unattached and shadow elements

            Reviewed by Dirk Schulze.

            SVGStyledElement::buildPendingResourcesIfNeeded() can be called while cloning a subtree
            (as nodes are inserted into the clone, while still detached) or when elements are inserted
            into the shadow tree. Both of these cases are problematic for SVGUseElement and can trigger
            indirect recursion in SVGUseElement::buildPendingResource.

            Since shadow and !inDocument() nodes are of no interest to ID dependents (they cannot be
            found by ID in the document), the patch short-circuits buildPendingResource() for these

            Test: svg/custom/use-rebuild-resources-crash.svg

            * svg/SVGStyledElement.cpp:

2013-03-12  Lucas Forschler  <>

        Merge r138994

    2013-01-07  Justin Novosad  <>

            Fixing memory read after free in CanvasRenderingContext2D::accessFont

            Reviewed by Abhishek Arya.

            Using a temporary String object to hold ref count on string that is
            passed by reference in CanvasRenderingContext2D::accessFont.

            Test: fast/canvas/canvas-measureText.html

            * html/canvas/CanvasRenderingContext2D.cpp:

2013-03-12  Lucas Forschler  <>

        Merge r138926

    2013-01-06  Abhishek Arya  <>

            Heap-use-after-free in DocumentLoader::stopLoading

            Reviewed by Eric Seidel.

            Test: fast/dom/ready-state-change-crash.html

            * html/parser/HTMLDocumentParser.cpp:
            (WebCore::HTMLDocumentParser::prepareToStopParsing): Bail out
            if the parser is detached due to mutation event.
            * loader/DocumentLoader.cpp:
            (WebCore::DocumentLoader::stopLoading): Move the protectors for
            frame and document loader to the start of the function. Call to
            m_frame->loader()->stopLoading() can change document ready state
            and fire mutation event which might blow the document loader from

2013-03-12  Lucas Forschler  <>

        Merge r138918

    2013-01-06  Abhishek Arya  <>

            Heap-use-after-free in WebCore::Document::implicitClose

            Reviewed by Eric Seidel.

            Test: fast/dom/window-load-crash.html

            * dom/Document.cpp:
            (WebCore::Document::implicitClose): RefPtr protect |this| document since it
            can be destroyed in the dispatchWindowLoadEvent call.

2013-03-12  Lucas Forschler  <>

        Merge r138863

    2013-01-04  Abhishek Arya  <>

            Heap-use-after-free in WebCore::XMLDocumentParser::doEnd

            Reviewed by Adam Barth.

            XMLDocumentParser can be blown away inside document()->styleResolverChanged()
            call. Protect it with a local RefPtr in Document::explicitClose.

            No new tests. The site specific dependencies are hard to minimize.

            * dom/Document.cpp:
            (WebCore::Document::explicitClose): RefPtr m_parser into a local, since
            it can be detached and nulled out in DocumentWriter::end().
            * xml/parser/XMLDocumentParser.cpp:
            (WebCore::XMLDocumentParser::end): Bail out when we are detached.
            * xml/parser/XMLDocumentParserLibxml2.cpp:
            (WebCore::XMLDocumentParser::doEnd): Bail out when we are detached.
            * xml/parser/XMLDocumentParserQt.cpp:
            (WebCore::XMLDocumentParser::doEnd): Bail out when we are detached.

2013-03-12  Lucas Forschler  <>

        Merge r138850

    2013-01-04  Abhishek Arya  <>

            Crash in WebCore::RenderBlock::willBeDestroyed

            Reviewed by Eric Seidel.

            It is not required to set beforeChild to :after child since DOM is
            now pseudo element aware. See We
            were incorrectly placing the inline continuation before the :after

            Test: fast/multicol/continuation-crash.html

            * rendering/RenderBlock.cpp:
            (WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks): remove beforeChild
            setting to afterPseudoElementRenderer.
            * rendering/RenderRuby.cpp:
            (WebCore::RenderRubyAsInline::addChild): add missing beforeChild argument.
            (WebCore::RenderRubyAsBlock::addChild): add missing beforeChild argument.
            * rendering/RenderTable.cpp:
            (WebCore::RenderTable::addChild): remove beforeChild
            setting to afterPseudoElementRenderer.
            * rendering/RenderTableRow.cpp:
            (WebCore::RenderTableRow::addChild): remove beforeChild
            setting to afterPseudoElementRenderer.
            * rendering/RenderTableSection.cpp:
            (WebCore::RenderTableSection::addChild): remove beforeChild
            setting to afterPseudoElementRenderer.

2013-03-12  Lucas Forschler  <>

        Merge r138812

    2013-01-04  John Mellor  <>

            Early out from FontCache::releaseFontData if cached font data not found.

            Reviewed by Abhishek Arya.

            No tests, as no change in behavior.

            * platform/graphics/FontCache.cpp:

                Early out in release builds if cached font data not found.

2013-03-12  Lucas Forschler  <>

        Merge r138657

    2013-01-02  Abhishek Arya  <>

            Crash in WebCore::Element::cloneElementWithoutChildren.

            Reviewed by Ryosuke Niwa.

            RefPtr |ancestors| vector since its elements can be destroyed from mutation events
            fired in CompositeEditCommand::appendNode. 

            No new tests. The testcase relies on recursive DOM mutations and does not minimize.

            * editing/InsertParagraphSeparatorCommand.cpp:
            * editing/InsertParagraphSeparatorCommand.h:

2013-03-12  Lucas Forschler  <>

        Merge r138316

    2012-12-20  Stephen Chenney  <>

            SVG: <altglyph> for a surrogate pair character in a ligature fails

            Reviewed by Dirk Schulze.

            There are two issues with SVG <altglyph> tags applied to surrogate
            fonts, particularly when mixed with non-standard forms (arabic,
            vertical, etc.).

            First, there is an assertion that is invalid when an alt glyph is
            substituted for the surrogate, because the text chunk that is consumed
            by an alt glyph is the entire run, whereas we assert that a
            surrogate's chunk is length 2 regardless. That assertion has been

            Second, when an arabic character or some other characters requiring a
            special form appears before the surrogate pair character inside the alt
            glyph tag, we reject the alt glyph because it is not compatible with the form.
            However, when we process the next character - the surrogate pair - we
            do accept the alt glyph. This breaks all the indexes because we have
            already consumed part of the run that is now considered the alt glyph.
            Chaos ensues. This patch forces us to always accept alt glyph
            characters (assuming we have some glyph to draw). This better matches
            the intent of the spec - if someone specifies an alt glyph they are
            explicitly stating which glyph they want used. We should not argue
            with the content author.

            Tests: svg/text/alt-glyph-for-surrogate-pair-expected.svg

            * rendering/svg/SVGTextLayoutEngine.cpp:
            (WebCore::SVGTextLayoutEngine::layoutTextOnLineOrPath): Fix some poor code.
            * rendering/svg/SVGTextMetricsBuilder.cpp:
            (WebCore::SVGTextMetricsBuilder::advanceSimpleText): Remove an assert that is not always valid.
            * svg/SVGFontData.cpp:
            (WebCore::SVGFontData::applySVGGlyphSelection): Always return an altGlyph when found. Do not check its compatibility.

2013-03-12  Lucas Forschler  <>

        Merge r137464

    2012-12-12  Alexander Pavlov  <>

            Web Inspector: [Crash] Clear cached stylesheet rules in InspectorStyleSheet::deleteRule()

            Reviewed by Vsevolod Vlasov.

            Cached rules (m_flatRules) should get cleared whenever a rule is deleted.

            Test: inspector/styles/undo-add-rule-crash.html

            * inspector/InspectorStyleSheet.cpp:

2013-03-12  Lucas Forschler  <>

        Merge r136560

    2012-12-04  Abhishek Arya  <>

            Heap-use-after-free in WebCore::StyleCachedImageSet::cssValue

            Reviewed by Eric Seidel.

            r115639 fixed a memory leak caused by reference cycle between StyleCachedImageSet
            and its owner CSSImageSetValue. The fix caused StyleCachedImageSet to maintain
            a weak pointer to CSSImageSetValue. This patch makes sure that the weak pointer
            is cleared when CSSImageSetValue is going away.

            Test: fast/css/image-set-value-not-removed-crash.html

            * css/CSSImageSetValue.cpp:
            * rendering/style/StyleCachedImageSet.h:

2013-03-12  Lucas Forschler  <>

        Merge r136558

    2012-12-04  Abhishek Arya  <>

            Crash in CachedResource::checkNotify due to -webkit-crossfade.

            Reviewed by Nate Chapin.

            Make sure to not re-add the same client again for |m_cachedFromImage|
            and |m_cachedToImage|. This would otherwise cause the CSSCrossfadeValue
            client to not get removed from its cached image resource (when it is
            going away).

            Test: fast/images/crossfade-client-not-removed-crash.html

            * css/CSSCrossfadeValue.cpp:

2013-03-12  Lucas Forschler  <>

        Merge r136541

    2012-12-04  Florin Malita  <>

            Stale SVGUseElement reference in CachedResource::checkNotify()

            Reviewed by Eric Seidel.

            SVGUseElement tracks one CachedSVGDocument at a time (for external references), but when
            the href attribute is updated it fails to unregister with the current CachedSVGDocument
            and only updates its CachedSVGDocument with the new instance. This leaves an untracked
            reference with the original CachedSVGDocument.

            The patch adds the missing removeClient() call on href change, and encapsulates the
            CachedSVGDocument manipulation in a helper method which handles the necessary cleanup.

            Test: svg/custom/use-href-update-crash.svg

            * svg/SVGUseElement.cpp:
            * svg/SVGUseElement.h:

2013-03-12  Lucas Forschler  <>

        Merge r136253

    2012-11-30  Abhishek Arya  <>

            Crash due to intruding float not removed after writing mode changed.

            Reviewed by Levi Weintraub.

            When RenderView writing mode changes, make sure to mark all descendants
            with floats for layout.

            Test: fast/block/float/intruding-float-not-removed-writing-mode.xhtml

            * rendering/RenderBox.cpp:

2013-03-12  Lucas Forschler  <>

        Merge r136074

    2012-11-28  Kenichi Ishibashi  <>

            StyleResolver should not set NaN to font size

            Reviewed by Abhishek Arya.

            fixedScaleFactor could be NaN since settings->defaultFixedFontSize()
            and settings->defaultFontSize() are zero in some cases. This ends
            up setting the font size to NaN. Add zero checks so that
            fixedScaleFactor won't be NaN.

            Test: fast/css/font-size-nan.html

            * css/StyleResolver.cpp:

2013-03-12  Lucas Forschler  <>

        Merge r136061

    2012-11-28  Tom Sepez  <>

            XSSAuditor bypass with script src=data: URL ending in <!--

            Reviewed by Adam Barth.

            This fixes an additional case where characters from the page itself are
            included with the snippet to match against the reflected vector, and the
            JS remains legitimate because of a <!--- comment. Truncate the snippet at
            such a comment.

            Test: http/tests/security/xssAuditor/script-tag-with-source-data-url3.html

            * html/parser/XSSAuditor.cpp:

2013-03-12  Lucas Forschler  <>

        Merge r136060

    2012-11-28  Abhishek Arya  <>

            Heap-use-after-free in WebCore::RenderLayerModelObject::hasSelfPaintingLayer

            Reviewed by David Hyatt.

            RenderInline::splitFlow and RenderBlock::splitFlow re-use |pre|
            block in some cases. In those cases, |pre| might hold floating objects
            and those floating descendants might get moved to |post| block. If
            the |pre| block does not get a layout later, then the floating
            descendant will never get removed since it is now part of |post|
            ancestor chain. We don't want failing-to-layout bugs turned into
            security bugs and hence clear floating objects list since we expect
            it to be rebuilt in subsequent layout.

            Test: fast/block/float/float-not-removed-from-pre-block.html

            * rendering/RenderBlock.cpp:
            (WebCore::RenderBlock::splitFlow): Call removeFloatingObjects on |pre| block.
            (WebCore::RenderBlock::removeFloatingObjects): Clear all floating objects from our list.
            * rendering/RenderBlock.h: 
            * rendering/RenderInline.cpp:
            (WebCore::RenderInline::splitFlow): Call removeFloatingObjects on |pre| block.

2013-03-12  Lucas Forschler  <>

        Merge r135719

    2012-11-26  Florin Malita  <>

            RenderSVGResourceContainer does not clear cached data on removal

            Reviewed by Dirk Schulze.

            RenderSVGResourceContainer::removeClient needs to also remove the client from specialized
            caches, otherwise we can end up with stale references.

            Test: svg/custom/stale-resource-data-crash.svg

            * rendering/svg/RenderSVGResourceContainer.cpp:

2013-03-12  Lucas Forschler  <>

        Merge r135478

    2012-11-21  Cosmin Truta  <>

            Numeric identifiers of events should not be globally sequential

            Reviewed by Alexey Proskuryakov.

            The functions setTimeout, setInterval and navigator.geolocation.watchPosition
            are currently returning values that are unique across all JavaScript execution
            contexts, due to their dependency on global variables.
            Such a guarantee is unnecessarily strong. In this patch, we constrain uniqueness
            to these functions' own script execution context only.

            Tests: fast/dom/Geolocation/watchPosition-unique.html

            * Modules/geolocation/Geolocation.cpp:
            (WebCore): Remove firstAvailableWatchId.
            (WebCore::Geolocation::watchPosition): Get new watchID from script execution context.
            (WebCore::Geolocation::clearWatch): Invalid watchID means less than or equal to 0.
            * Modules/geolocation/Geolocation.h:
            (Geolocation): Renamed the argument of Geolocation::clearWatch to WatchID.
            * dom/ScriptExecutionContext.cpp:
            (WebCore::ScriptExecutionContext::ScriptExecutionContext): Update initialization.
            (WebCore::ScriptExecutionContext::newUniqueID): Add.
            * dom/ScriptExecutionContext.h:
            (ScriptExecutionContext): Add m_sequentialID.
            (WebCore::ScriptExecutionContext::addTimeout): Inline.
            (WebCore::ScriptExecutionContext::removeTimeout): Inline.
            (WebCore::ScriptExecutionContext::findTimeout): Inline.
            * page/DOMTimer.cpp:
            (WebCore): Remove timeoutId.
            (WebCore::DOMTimer::DOMTimer): Get new timeoutId from script execution context.
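
            The following is an added example, not WebKit code, showing the per-context id
            scheme this entry describes: a minimal script-execution-context object hands out
            timer ids from its own counter, so ids are unique only within that context, and
            anything less than or equal to 0 is treated as invalid. The class and method
            names are illustrative stand-ins for the WebKit ones named above.

```cpp
#include <cstddef>
#include <functional>
#include <map>
#include <utility>

// Added example, not WebKit code: timer ids unique per context rather than
// across all contexts, mirroring the newUniqueID() approach described above.
namespace percontext {

class ScriptExecutionContext {
public:
    // Ids start at 1, so 0 and negative values are never valid; this is the
    // "invalid watchID means less than or equal to 0" convention.
    int newUniqueID() { return ++m_sequentialID; }

    int addTimeout(std::function<void()> callback) {
        int id = newUniqueID();
        m_timeouts.emplace(id, std::move(callback));
        return id;
    }

    // Returns false for an invalid id or an id this context never issued.
    bool removeTimeout(int id) {
        if (id <= 0)
            return false;
        return m_timeouts.erase(id) == 1;
    }

    bool findTimeout(int id) const { return id > 0 && m_timeouts.count(id) == 1; }
    std::size_t timeoutCount() const { return m_timeouts.size(); }

private:
    int m_sequentialID = 0;
    std::map<int, std::function<void()>> m_timeouts;
};

int firstIdOfFreshContext() {
    ScriptExecutionContext context;
    return context.newUniqueID(); // 1
}

// Two independent contexts (think: two frames) hand out overlapping ids.
// An id is only meaningful to the context that issued it, so a timer
// registered in frameA cannot be cleared through frameB and vice versa.
bool idsAreScopedToTheirContext() {
    ScriptExecutionContext frameA, frameB;
    int a1 = frameA.addTimeout([] {});
    int b1 = frameB.addTimeout([] {});
    int a2 = frameA.addTimeout([] {});

    bool overlap = (a1 == b1);                  // both are 1: uniqueness is per context
    bool crossClear = frameB.removeTimeout(a2); // false: frameB never issued id 2
    bool ownClear = frameA.removeTimeout(a2);   // true

    return overlap && !crossClear && ownClear
        && frameA.findTimeout(a1) && frameB.findTimeout(b1)
        && frameA.timeoutCount() == 1 && frameB.timeoutCount() == 1
        && !frameA.removeTimeout(0) && !frameA.removeTimeout(-1);
}

} // namespace percontext
```

            The check in removeTimeout() is the part worth keeping in mind: once ids are
            per context, a value obtained elsewhere is simply not found, and the
            non-positive range is rejected before any lookup.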

2013-03-12  Lucas Forschler  <>

        Merge r135303

    2012-11-20  Abhishek Arya  <>

            Crash in FrameLoader::stopLoading.

            Reviewed by Nate Chapin.

            Frame can be blown away in unload event handler. Need
            to protect it with a RefPtr.

            Test: fast/frames/frame-unload-crash2.html

            * loader/FrameLoader.cpp:

2013-03-12  Lucas Forschler  <>

        Merge r135299

    2012-11-20  Tom Sepez  <>

            XSSAuditor::decodedSnippetForJavaScript stopping when comma encountered.

            Reviewed by Adam Barth.

            Rather than returning an empty fragment, continue processing the body
            of a script tag when the decoded fragment reduces to nothing.

            Test: http/tests/security/xssAuditor/script-tag-with-actual-comma.html

            * html/parser/XSSAuditor.cpp:

2013-03-12  Lucas Forschler  <>

        Merge r135193

    2012-11-19  Abhishek Arya  <>

            Crash in ApplyStyleCommand::cleanupUnstyledAppleStyleSpans.

            Reviewed by Ryosuke Niwa.

            RefPtr startDummySpanAncestor and endDummySpanAncestor since
            they can go away inside fixRangeAndApplyInlineStyle call.

            Test: editing/style/apply-style-crash.html

            * editing/ApplyStyleCommand.cpp:
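
            The following is an added example, not WebKit code, illustrating the
            "protect it with a RefPtr" pattern used by both the FrameLoader::stopLoading
            fix (r135303) and this ApplyStyleCommand fix: a minimal intrusive ref-counted
            object and RefPtr, where a method takes a strong reference to itself before
            running a callback that may drop every other reference. Frame, stopLoading()
            and unloadHandler are illustrative stand-ins, not the real WebKit classes.

```cpp
#include <functional>
#include <utility>

// Added example, not WebKit code: keeping an object alive across a callback
// that may release the last outside reference to it.
namespace lifetime {

template <typename T>
class RefPtr {
public:
    RefPtr() = default;
    RefPtr(T* ptr) : m_ptr(ptr) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& other) : m_ptr(other.m_ptr) { if (m_ptr) m_ptr->ref(); }
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    RefPtr& operator=(const RefPtr& other) { RefPtr copy(other); std::swap(m_ptr, copy.m_ptr); return *this; }
    void clear() { T* ptr = m_ptr; m_ptr = nullptr; if (ptr) ptr->deref(); }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
private:
    T* m_ptr = nullptr;
};

class Frame {
public:
    explicit Frame(bool* destroyedFlag) : m_destroyedFlag(destroyedFlag) {}
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }
    int refCount() const { return m_refCount; }

    std::function<void()> unloadHandler; // script that may drop every other reference

    // Without |protect|, the handler could free |this| and the code after the
    // call would touch freed memory. Holding one extra reference for the
    // duration of the call keeps the object alive until we return.
    bool stopLoading() {
        RefPtr<Frame> protect(this);
        if (unloadHandler)
            unloadHandler();
        return m_refCount >= 1; // still alive here because of |protect|
    }

private:
    ~Frame() { *m_destroyedFlag = true; } // only deref() may destroy us
    int m_refCount = 0;
    bool* m_destroyedFlag;
};

// The page's only reference lives in |owner|; the unload handler clears it.
// Returns true when the frame survived the handler and was freed only after
// stopLoading() returned.
bool protectedFrameOutlivesHandler() {
    bool destroyed = false;
    RefPtr<Frame> owner(new Frame(&destroyed));
    Frame* frame = owner.get();
    frame->unloadHandler = [&owner] { owner.clear(); }; // "blown away in unload event handler"
    bool aliveDuringCall = frame->stopLoading();
    // |protect| went out of scope inside stopLoading(): last ref gone, object freed.
    return aliveDuringCall && destroyed && owner.get() == nullptr;
}

// Sanity check of the ref-count plumbing without any handler interference.
int refCountWithTwoHolders() {
    bool destroyed = false;
    RefPtr<Frame> first(new Frame(&destroyed));
    RefPtr<Frame> second(first);
    return first->refCount(); // 2
}

} // namespace lifetime
```

            The protecting reference is a local, so its lifetime is exactly the span of
            the method; that is what makes it the right tool when the hazard is "this
            call may run arbitrary script that releases the object".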

2013-03-12  Lucas Forschler  <>

        Merge r133717

    2012-11-06  Ken Buchanan  <>

            Crash due to column span under button element

            Reviewed by Abhishek Arya.

            When there is a column-spanning child of a RenderButton
            splitBlocks() must split the RenderButton as well as its
            only permitted direct child, the anonymous block referenced
            by m_inner. A crash was occurring because splitBlocks()
            calls addChildIgnoringAnonymousColumnBlocks() to add the
            cloned m_inner to the cloned RenderButton, which meant the
            m_inner for the cloned RenderButton was not being set even
            though a child was being added. This violates state
            assumptions in the RenderButton code.

            This patch prevents any descendants of RenderButton from
            spanning columns. Also, it adds a precautionary check in
            RenderButton::removeChild() to mitigate problems if similar
            state problems are found in future.

            * rendering/RenderBlock.cpp:
            * rendering/RenderButton.cpp:

2013-03-12  Lucas Forschler  <>

        Merge r133686

    2012-11-06  Simon Fraser  <>

            -webkit-background-clip:text produces artifacts when applied to the body and the browser is resized

            Reviewed by Beth Dakin.

            If the body had -webkit-background-clip: text, we'd fail to paint
            anything behind it, so would see garbage pixels.

            Fix by having RenderView::paintBoxDecorations() check for a background-clip of "text"
            on the renderer that paints the root background.

            Added some new pixel tests for combinations of html and body transform
            and backgrounds; earlier versions of the patch broke some of these tests.

            Tests: fast/backgrounds/background-clip-text-on-body.html

            * rendering/RenderView.cpp:
            (WebCore::rendererObscuresBackground): Broke up the single condition
            into early 'false' returns when possible. We need to also check whether
            the renderer that actually paints the background (which might be the body)
            will fill it; background-clip: text does not.
            (WebCore::RenderView::paintBoxDecorations): Rather than checking firstChild(),
            actually check the root renderer, so that we can reliably get to the renderer
            that paints the root background.

2013-03-12  Lucas Forschler  <>

        Merge r133155

    2012-11-01  Stephen Chenney  <>

            SVG as an image may recreate the renderer on zoom

            Reviewed by Abhishek Arya.

            The SVGImage code, when SVG is used in <img> tags, caches the renderer
            at the start of the painting method and re-uses the pointer at the end
            of the method. However, when the page is zoomed the renderer may be
            detached mid-method, thus leaving a stray pointer. The fix is to
            re-fetch the pointer after the zooms.

            Test: svg/as-image/img-zoom-svg-stylesheet.html

            * svg/graphics/SVGImage.cpp:
            (WebCore::SVGImage::drawSVGToImageBuffer): Re-fetch the renderer after
            the zoom operations.

2013-03-12  Lucas Forschler  <>

        Merge r132983

    2012-10-30  Kent Tamura  <>

            Delaying 'change' and 'input' event dispatching during HTMLInputElement::setValue

            Reviewed by Abhishek Arya.

            'change' and 'input' events are asynchronous and not
            cancelable. We can use ScopedEvent.

            Test: fast/forms/range/range-type-change-onchange.html

            * dom/Node.cpp:
            (WebCore::Node::dispatchChangeEvent): Use dispatchScopedEvent.
            (WebCore::Node::dispatchInputEvent): Ditto.
            * html/HTMLInputElement.cpp:
            Make a scope to delay event dispatching.
            * html/RangeInputType.cpp:
            (WebCore::RangeInputType::handleKeydownEvent): Ditto.

2013-03-12  Lucas Forschler  <>

        Merge r132462

    2012-10-25  Alexander Pavlov  <>

            Web Inspector: Improper out-of-order call on a rule that is being removed from the stylesheet.

            Reviewed by Vsevolod Vlasov.

            * inspector/InspectorStyleSheet.cpp:

2013-03-12  Lucas Forschler  <>

        Merge r132398

    2012-10-24  Ami Fischman  <>

            call to setNeedsLayout during RenderVideo::paintReplaced

            Reviewed by Eric Carlson.

            Removed unnecessary call and added new defensive guards to catch erroneous setNeedsLayout() calls
            during paints earlier (so the offending calls are in the emitted stacktrace).

            No new tests - new defensive checks are triggered by existing tests.

            * page/FrameView.cpp:
            (WebCore::FrameView::paintContents): forbid setNeedsLayout() during painting
            * rendering/RenderObject.cpp:
            * rendering/RenderObject.h:
            (SetLayoutNeededForbiddenScope): added helper class for forbidding setNeedsLayout() in a scope.
            * rendering/RenderVideo.cpp:
            (WebCore::RenderVideo::paintReplaced): drop the offending & unnecessary call to updatePlayer().
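
            The following is an added example, not WebKit's implementation, of the
            defensive guard this entry introduces: an RAII scope object marks a region in
            which setNeedsLayout() is forbidden, and setNeedsLayout() checks that guard so
            an erroneous call is caught at the call site rather than much later. The
            Renderer, paintContents() and updatePlayer() names are illustrative stand-ins
            for the classes named above; a debug build would ASSERT where this example
            records a violation.

```cpp
#include <string>
#include <vector>

// Added example, not WebKit code: forbidding layout-state mutation during paint.
namespace forbidden {

static int s_forbiddenDepth = 0; // nesting depth so nested scopes compose

class SetLayoutNeededForbiddenScope {
public:
    SetLayoutNeededForbiddenScope() { ++s_forbiddenDepth; }
    ~SetLayoutNeededForbiddenScope() { --s_forbiddenDepth; }
    SetLayoutNeededForbiddenScope(const SetLayoutNeededForbiddenScope&) = delete;
    SetLayoutNeededForbiddenScope& operator=(const SetLayoutNeededForbiddenScope&) = delete;
    static bool isForbidden() { return s_forbiddenDepth > 0; }
};

struct Renderer {
    std::string name;
    bool mutatesLayoutDuringPaint; // true models the removed updatePlayer() call
    bool needsLayout;
    std::vector<std::string>* violations;

    void setNeedsLayout() {
        if (SetLayoutNeededForbiddenScope::isForbidden()) {
            // A debug build would ASSERT here, so the bad caller is at the top
            // of the stack trace. Recording it keeps this example runnable.
            violations->push_back(name + ": setNeedsLayout() during paint");
            return;
        }
        needsLayout = true;
    }

    void updatePlayer() { setNeedsLayout(); } // hypothetical: touches layout state

    void paintReplaced() {
        if (mutatesLayoutDuringPaint)
            updatePlayer();
    }
};

// FrameView::paintContents() analogue: all painting happens under the guard.
void paintContents(std::vector<Renderer>& renderers) {
    SetLayoutNeededForbiddenScope forbidLayout;
    for (Renderer& renderer : renderers)
        renderer.paintReplaced();
}

// Paints two renderers; returns the number of violations detected.
int violationsDuringPaint(bool videoCallsUpdatePlayer) {
    std::vector<std::string> violations;
    std::vector<Renderer> renderers = {
        { "RenderImage", false, false, &violations },
        { "RenderVideo", videoCallsUpdatePlayer, false, &violations },
    };
    paintContents(renderers);
    return static_cast<int>(violations.size());
}

// Outside any forbidden scope, setNeedsLayout() behaves normally.
bool setNeedsLayoutWorksOutsidePaint() {
    std::vector<std::string> violations;
    Renderer video{ "RenderVideo", false, false, &violations };
    video.setNeedsLayout();
    return video.needsLayout && violations.empty()
        && !SetLayoutNeededForbiddenScope::isForbidden();
}

} // namespace forbidden
```

            Because the guard is a counter rather than a flag, a paint that nests another
            paint stays forbidden until the outermost scope ends, and the check costs one
            integer comparison per setNeedsLayout() call.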

2013-03-12  Lucas Forschler  <>

        Merge r131578

    2012-10-17  Alexander Pavlov  <>

            Web Inspector: Avoid style updates when retrieving the inline stylesheet text

            Reviewed by Vsevolod Vlasov.

            Avoid using innerText() to retrieve inline stylesheet text, which may result in style and layout updates.

            * inspector/InspectorStyleSheet.cpp:

== Rolled over to ChangeLog-2013-03-12 ==