[SCM] WebKit Debian packaging branch, debian/unstable, updated. debian/1.1.15-1-40151-g37bb677

darin darin at 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Sat Sep 26 07:19:16 UTC 2009


The following commit has been merged in the debian/unstable branch:
commit 895eae19fa6e5ae7b9bc7e30867d5f4b7cc0158c
Author: darin <darin at 268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Sun Jan 12 17:01:13 2003 +0000

            Reviewed by John.
    
    	- fixed 3144789 -- reproducible crash in KHTMLParser::freeBlock on a page at www.library.arizona.edu
    
            * khtml/html/htmlparser.cpp: (KHTMLParser::finished): Call freeBlock here rather than
    	waiting until the parser is destroyed. This fixes the bug because when the parser is
            destroyed, the document is already destroyed, so we have a dangling current pointer to an
    	already-destroyed node.
    
    	- fixed 3142024 -- crash/hang/assert on java.sun.com in HTMLTokenizer
    
    	The bug was caused by an erroneous clicked signal that was being emitted by
    	QListBox at just the wrong time.
    
            * kwq/KWQListBox.h: Added _changingSelection boolean.
            * kwq/KWQListBox.mm: (QListBox::QListBox): Set _changingSelection to false.
            (QListBox::setSelected): Set _changingSelection to true.
            (-[KWQListBoxTableViewDelegate tableViewSelectionDidChange:]): Only emit the "clicked"
    	signal if _changingSelection is false.
    
            * khtml/html/htmltokenizer.h: Add debug-only boolean inWrite.
            * khtml/html/htmltokenizer.cpp: (HTMLTokenizer::HTMLTokenizer): Set inWrite to false.
    	(HTMLTokenizer::write): Set inWrite to true.
    	(HTMLTokenizer::~HTMLTokenizer): Assert that inWrite is not true.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@3303 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/WebCore/ChangeLog-2003-10-25 b/WebCore/ChangeLog-2003-10-25
index c2ddee7..66bc6b0 100644
--- a/WebCore/ChangeLog-2003-10-25
+++ b/WebCore/ChangeLog-2003-10-25
@@ -1,5 +1,32 @@
 2003-01-11  Darin Adler  <darin at apple.com>
 
+        Reviewed by John.
+
+	- fixed 3144789 -- reproducible crash in KHTMLParser::freeBlock on a page at www.library.arizona.edu
+
+        * khtml/html/htmlparser.cpp: (KHTMLParser::finished): Call freeBlock here rather than
+	waiting until the parser is destroyed. This fixes the bug because when the parser is
+        destroyed, the document is already destroyed, so we have a dangling current pointer to an
+	already-destroyed node.
+
+	- fixed 3142024 -- crash/hang/assert on java.sun.com in HTMLTokenizer
+
+	The bug was caused by an erroneous clicked signal that was being emitted by
+	QListBox at just the wrong time.
+
+        * kwq/KWQListBox.h: Added _changingSelection boolean.
+        * kwq/KWQListBox.mm: (QListBox::QListBox): Set _changingSelection to false.
+        (QListBox::setSelected): Set _changingSelection to true.
+        (-[KWQListBoxTableViewDelegate tableViewSelectionDidChange:]): Only emit the "clicked"
+	signal if _changingSelection is false.
+
+        * khtml/html/htmltokenizer.h: Add debug-only boolean inWrite.
+        * khtml/html/htmltokenizer.cpp: (HTMLTokenizer::HTMLTokenizer): Set inWrite to false.
+	(HTMLTokenizer::write): Set inWrite to true.
+	(HTMLTokenizer::~HTMLTokenizer): Assert that inWrite is not true.
+
+2003-01-11  Darin Adler  <darin at apple.com>
+
         Reviewed by Dave.
 
 	- fixed 3136944 -- mouseover feedback over non-mapped part of image map claims
diff --git a/WebCore/ChangeLog-2005-08-23 b/WebCore/ChangeLog-2005-08-23
index c2ddee7..66bc6b0 100644
--- a/WebCore/ChangeLog-2005-08-23
+++ b/WebCore/ChangeLog-2005-08-23
@@ -1,5 +1,32 @@
 2003-01-11  Darin Adler  <darin at apple.com>
 
+        Reviewed by John.
+
+	- fixed 3144789 -- reproducible crash in KHTMLParser::freeBlock on a page at www.library.arizona.edu
+
+        * khtml/html/htmlparser.cpp: (KHTMLParser::finished): Call freeBlock here rather than
+	waiting until the parser is destroyed. This fixes the bug because when the parser is
+        destroyed, the document is already destroyed, so we have a dangling current pointer to an
+	already-destroyed node.
+
+	- fixed 3142024 -- crash/hang/assert on java.sun.com in HTMLTokenizer
+
+	The bug was caused by an erroneous clicked signal that was being emitted by
+	QListBox at just the wrong time.
+
+        * kwq/KWQListBox.h: Added _changingSelection boolean.
+        * kwq/KWQListBox.mm: (QListBox::QListBox): Set _changingSelection to false.
+        (QListBox::setSelected): Set _changingSelection to true.
+        (-[KWQListBoxTableViewDelegate tableViewSelectionDidChange:]): Only emit the "clicked"
+	signal if _changingSelection is false.
+
+        * khtml/html/htmltokenizer.h: Add debug-only boolean inWrite.
+        * khtml/html/htmltokenizer.cpp: (HTMLTokenizer::HTMLTokenizer): Set inWrite to false.
+	(HTMLTokenizer::write): Set inWrite to true.
+	(HTMLTokenizer::~HTMLTokenizer): Assert that inWrite is not true.
+
+2003-01-11  Darin Adler  <darin at apple.com>
+
         Reviewed by Dave.
 
 	- fixed 3136944 -- mouseover feedback over non-mapped part of image map claims
diff --git a/WebCore/khtml/html/htmlparser.cpp b/WebCore/khtml/html/htmlparser.cpp
index a025dae..b24b838 100644
--- a/WebCore/khtml/html/htmlparser.cpp
+++ b/WebCore/khtml/html/htmlparser.cpp
@@ -1345,4 +1345,8 @@ void KHTMLParser::finished()
     // too, not just the HTML case.
     if (doc() && !doc()->firstChild())
         insertNode(new HTMLHtmlElementImpl(document));
+    
+    // This ensures that "current" is not left pointing to a node when the document is destroyed.
+    freeBlock();
+    current = 0;
 }
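Review bot: Clearing `current` at the end of finished() removes the dangling pointer described in the commit message, but any call into the parser after finished() will now see a null `current` instead of a stale one. Nothing in this hunk shows those paths checking for null. It is worth confirming that no later insertNode() call dereferences `current` unconditionally, and that the destructor's own freeBlock() call (not visible here) is harmless when the block stack has already been released. The comment could also record the ordering that makes this necessary, e.g. `// The document is destroyed before the parser, so release the block stack and clear "current" now.`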
diff --git a/WebCore/khtml/html/htmltokenizer.cpp b/WebCore/khtml/html/htmltokenizer.cpp
index 6da1d94..4ff9456 100644
--- a/WebCore/khtml/html/htmltokenizer.cpp
+++ b/WebCore/khtml/html/htmltokenizer.cpp
@@ -216,6 +216,9 @@ inline bool tagMatch(const char *s1, const QChar *s2, uint length)
 // ----------------------------------------------------------------------------
 
 HTMLTokenizer::HTMLTokenizer(DOM::DocumentPtr *_doc, KHTMLView *_view)
+#ifndef NDEBUG
+    : inWrite(false)
+#endif
 {
     view = _view;
     buffer = 0;
@@ -232,6 +235,9 @@ HTMLTokenizer::HTMLTokenizer(DOM::DocumentPtr *_doc, KHTMLView *_view)
 }
 
 HTMLTokenizer::HTMLTokenizer(DOM::DocumentPtr *_doc, DOM::DocumentFragmentImpl *i)
+#ifndef NDEBUG
+    : inWrite(false)
+#endif
 {
     view = 0;
     buffer = 0;
@@ -1393,6 +1399,10 @@ void HTMLTokenizer::write( const QString &str, bool appendData )
     else
         setSrc(str);
 
+#ifndef NDEBUG
+    inWrite = true;
+#endif
+    
 //     if (Entity)
 //         parseEntity(src, dest);
 
@@ -1606,6 +1616,10 @@ void HTMLTokenizer::write( const QString &str, bool appendData )
         }
     }
     _src = QString::null;
+    
+#ifndef NDEBUG
+    inWrite = false;
+#endif
 
     if (noMoreData && !loadingExtScript && !m_executingScript )
         end(); // this actually causes us to be deleted
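Review bot: The unconditional `inWrite = false` here assumes write() is never re-entered. The `m_executingScript` test just below suggests script can run while tokenizing, and a nested write() would clear the flag while the outer call is still on the stack, so the destructor assertion would miss a deletion in the outer call. Saving and restoring the previous value handles nesting: `bool wasInWrite = inWrite; inWrite = true;` at the entry point added in the previous hunk, and `inWrite = wasInWrite;` here. The body of write() between the two hunks is not visible; if it has any early `return`, that path needs the same reset or the flag stays true and the assertion fires spuriously.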
@@ -1733,9 +1747,9 @@ void HTMLTokenizer::processToken()
         jsProxy->setEventHandlerLineno(0);
 }
 
-
 HTMLTokenizer::~HTMLTokenizer()
 {
+    assert(!inWrite);
     reset();
     delete parser;
 }
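Review bot: `assert(!inWrite)` only reports destruction during write() in debug builds. With NDEBUG defined, both the flag and the check disappear, so a release build that reaches another path deleting the tokenizer mid-write would still continue write() on a freed object. The line also compiles only because `assert` expands to nothing under NDEBUG, since `inWrite` is not declared there; an assertion macro that evaluates its argument in release builds would break the build. A comment stating the invariant would help, e.g. `// The tokenizer must not be deleted while write() is on the stack; write() keeps using members afterwards.`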
diff --git a/WebCore/khtml/html/htmltokenizer.h b/WebCore/khtml/html/htmltokenizer.h
index a80df1d..f0c99b5 100644
--- a/WebCore/khtml/html/htmltokenizer.h
+++ b/WebCore/khtml/html/htmltokenizer.h
@@ -352,6 +352,10 @@ protected:
     KHTMLParser *parser;
 
     KHTMLView *view;
+
+#ifndef NDEBUG
+    bool inWrite;
+#endif
 };
 
 #if APPLE_CHANGES
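Review bot: Declaring `inWrite` only under `#ifndef NDEBUG` makes the size and layout of HTMLTokenizer depend on a macro. Any translation unit that includes this header with a different NDEBUG setting than htmltokenizer.cpp will disagree about the object layout. Unless the build guarantees one setting everywhere, declaring the single bool unconditionally avoids that. The member also has no comment; something like `// Debug aid: true while write() is on the stack; checked in the destructor.` would explain it. The class body starts outside this hunk.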
diff --git a/WebCore/kwq/KWQListBox.h b/WebCore/kwq/KWQListBox.h
index a934a8e..23a7e40 100644
--- a/WebCore/kwq/KWQListBox.h
+++ b/WebCore/kwq/KWQListBox.h
@@ -61,6 +61,7 @@ public:
     void setSelected(int, bool);
     bool isSelected(int) const;
     
+    bool changingSelection() { return _changingSelection; }
     void clicked() { _clicked.call(); }
     void selectionChanged() { _selectionChanged.call(); }
 
@@ -69,6 +70,7 @@ private:
 
     NSMutableArray *_items;
     bool _insertingItems;
+    bool _changingSelection;
     mutable float _width;
     mutable bool _widthGood;
     
diff --git a/WebCore/kwq/KWQListBox.mm b/WebCore/kwq/KWQListBox.mm
index 6ef20d2..65ca077 100644
--- a/WebCore/kwq/KWQListBox.mm
+++ b/WebCore/kwq/KWQListBox.mm
@@ -46,6 +46,7 @@ QListBox::QListBox(QWidget *parent)
     : QScrollView(parent)
     , _items([[NSMutableArray alloc] init])
     , _insertingItems(false)
+    , _changingSelection(false)
     , _widthGood(false)
     , _clicked(this, SIGNAL(clicked(QListBoxItem *)))
     , _selectionChanged(this, SIGNAL(selectionChanged()))
@@ -170,11 +171,13 @@ void QListBox::setSelected(int index, bool selectIt)
 {
     ASSERT(!_insertingItems);
     NSTableView *tableView = [(NSScrollView *)getView() documentView];
+    _changingSelection = true;
     if (selectIt) {
         [tableView selectRow:index byExtendingSelection:[tableView allowsMultipleSelection]];
     } else {
         [tableView deselectRow:index];
     }
+    _changingSelection = false;
 }
 
 bool QListBox::isSelected(int index) const
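Review bot: `_changingSelection` is set to true and then unconditionally back to false, so a nested setSelected() call would clear the flag while the outer selectRow/deselectRow is still in progress. That nesting could happen if a selectionChanged handler calls setSelected() again, and the remaining notification would then be reported as a click. Restoring the previous value is safer: `bool wasChanging = _changingSelection; _changingSelection = true;` before the `if`, and `_changingSelection = wasChanging;` after it. Separately, `index` reaches the table view without a range check in the visible lines. If AppKit raises on an out-of-range row, the flag stays true and every later user click is suppressed, so a bounds check before setting the flag would be worthwhile.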
@@ -252,7 +255,9 @@ QSize QListBox::sizeForNumberOfLines(int lines) const
 - (void)tableViewSelectionDidChange:(NSNotification *)notification
 {
     _box->selectionChanged();
-    _box->clicked();
+    if (!_box->changingSelection()) {
+        _box->clicked();
+    }
 }
 
 - (BOOL)tableView:(NSTableView *)tableView shouldSelectRow:(int)row
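Review bot: The new `if (!_box->changingSelection())` guard has no comment explaining why "clicked" is suppressed, and the reason (bug 3142024 in the commit message) is not obvious from the delegate method alone. I would add above the condition: `// Selection changes made through QListBox::setSelected() are programmatic, not user clicks; emitting "clicked" for them caused 3142024.` Note also that `_box` is used again after `selectionChanged()` has run its handlers. If a handler can destroy the list box, the second access is on a freed object; this hunk does not show whether that is possible.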

-- 
WebKit Debian packaging


