<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[214704] branches/safari-603-branch/Source</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/214704">214704</a></dd>
<dt>Author</dt> <dd>jmarcell@apple.com</dd>
<dt>Date</dt> <dd>2017-03-31 17:20:38 -0700 (Fri, 31 Mar 2017)</dd>
</dl>
<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/214378">r214378</a>. rdar://problem/31177657
2017-03-24 Brent Fulgham <bfulgham@apple.com>
Handle recursive calls to ProcessingInstruction::checkStyleSheet
https://bugs.webkit.org/show_bug.cgi?id=169982
<rdar://problem/31083051>
Reviewed by Antti Koivisto.
See if we triggered a recursive load of the stylesheet during the 'beforeload'
event handler. If so, reset to a valid state before completing the load.
We should also check after 'beforeload' that we were not disconnected from (or
moved to a new) document.
I also looked for other cases of this pattern and fixed them, too.
Tests: fast/dom/beforeload/image-removed-during-before-load.html
fast/dom/beforeload/recursive-css-pi-before-load.html
fast/dom/beforeload/recursive-link-before-load.html
fast/dom/beforeload/recursive-xsl-pi-before-load.html
* dom/ProcessingInstruction.cpp:
(WebCore::ProcessingInstruction::checkStyleSheet): Prevent recursive calls into
this function during 'beforeload' handling. Also, safely handle the case where
the element was disconnected in the 'beforeload' handler (similar to what
we do in HTMLLinkElement).
(WebCore::ProcessingInstruction::setCSSStyleSheet): Drive-by Fix: Protect the
current document to match what we do in setXSLStyleSheet.
* dom/ProcessingInstruction.h:
* html/HTMLLinkElement.cpp:
(WebCore::HTMLLinkElement::process): Prevent recursive calls into
this function during 'beforeload' handling.
* html/HTMLLinkElement.h:
* loader/ImageLoader.cpp:
(WebCore::ImageLoader::dispatchPendingBeforeLoadEvent): safely handle the case where
the element was disconnected in the 'beforeload' handler (similar to what
we do in HTMLLinkElement).
Patch by Brent Fulgham <bfulgham@apple.com> on 2017-03-31</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#branchessafari603branchSourceWebCoreChangeLog">branches/safari-603-branch/Source/WebCore/ChangeLog</a></li>
<li><a href="#branchessafari603branchSourceWebCoredomProcessingInstructioncpp">branches/safari-603-branch/Source/WebCore/dom/ProcessingInstruction.cpp</a></li>
<li><a href="#branchessafari603branchSourceWebCoredomProcessingInstructionh">branches/safari-603-branch/Source/WebCore/dom/ProcessingInstruction.h</a></li>
<li><a href="#branchessafari603branchSourceWebCorehtmlHTMLLinkElementcpp">branches/safari-603-branch/Source/WebCore/html/HTMLLinkElement.cpp</a></li>
<li><a href="#branchessafari603branchSourceWebCorehtmlHTMLLinkElementh">branches/safari-603-branch/Source/WebCore/html/HTMLLinkElement.h</a></li>
<li><a href="#branchessafari603branchSourceWebCoreloaderImageLoadercpp">branches/safari-603-branch/Source/WebCore/loader/ImageLoader.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li>branches/safari-603-branch/Source/fast/</li>
<li>branches/safari-603-branch/Source/fast/dom/</li>
<li>branches/safari-603-branch/Source/fast/dom/beforeload/</li>
<li><a href="#branchessafari603branchSourcefastdombeforeloadimageremovedduringbeforeloadexpectedtxt">branches/safari-603-branch/Source/fast/dom/beforeload/image-removed-during-before-load-expected.txt</a></li>
<li><a href="#branchessafari603branchSourcefastdombeforeloadimageremovedduringbeforeloadhtml">branches/safari-603-branch/Source/fast/dom/beforeload/image-removed-during-before-load.html</a></li>
<li><a href="#branchessafari603branchSourcefastdombeforeloadrecursivecsspibeforeloadexpectedtxt">branches/safari-603-branch/Source/fast/dom/beforeload/recursive-css-pi-before-load-expected.txt</a></li>
<li><a href="#branchessafari603branchSourcefastdombeforeloadrecursivecsspibeforeloadhtml">branches/safari-603-branch/Source/fast/dom/beforeload/recursive-css-pi-before-load.html</a></li>
<li><a href="#branchessafari603branchSourcefastdombeforeloadrecursivelinkbeforeloadexpectedtxt">branches/safari-603-branch/Source/fast/dom/beforeload/recursive-link-before-load-expected.txt</a></li>
<li><a href="#branchessafari603branchSourcefastdombeforeloadrecursivelinkbeforeloadhtml">branches/safari-603-branch/Source/fast/dom/beforeload/recursive-link-before-load.html</a></li>
<li><a href="#branchessafari603branchSourcefastdombeforeloadrecursivexslpibeforeloadexpectedtxt">branches/safari-603-branch/Source/fast/dom/beforeload/recursive-xsl-pi-before-load-expected.txt</a></li>
<li><a href="#branchessafari603branchSourcefastdombeforeloadrecursivexslpibeforeloadhtml">branches/safari-603-branch/Source/fast/dom/beforeload/recursive-xsl-pi-before-load.html</a></li>
<li>branches/safari-603-branch/Source/fast/dom/beforeload/resources/</li>
<li><a href="#branchessafari603branchSourcefastdombeforeloadresourcescontentxhtml">branches/safari-603-branch/Source/fast/dom/beforeload/resources/content.xhtml</a></li>
<li><a href="#branchessafari603branchSourcefastdombeforeloadresourcespasscss">branches/safari-603-branch/Source/fast/dom/beforeload/resources/pass.css</a></li>
<li><a href="#branchessafari603branchSourcefastdombeforeloadresourcestestxsl">branches/safari-603-branch/Source/fast/dom/beforeload/resources/test.xsl</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="branchessafari603branchSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/WebCore/ChangeLog (214703 => 214704)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/WebCore/ChangeLog 2017-04-01 00:11:08 UTC (rev 214703)
+++ branches/safari-603-branch/Source/WebCore/ChangeLog 2017-04-01 00:20:38 UTC (rev 214704)
</span><span class="lines">@@ -1,3 +1,45 @@
</span><ins>+2017-03-31 Brent Fulgham <bfulgham@apple.com>
+
+ Merge r214378. rdar://problem/31177657
+
+ 2017-03-24 Brent Fulgham <bfulgham@apple.com>
+
+ Handle recursive calls to ProcessingInstruction::checkStyleSheet
+ https://bugs.webkit.org/show_bug.cgi?id=169982
+ <rdar://problem/31083051>
+
+ Reviewed by Antti Koivisto.
+
+ See if we triggered a recursive load of the stylesheet during the 'beforeload'
+ event handler. If so, reset to a valid state before completing the load.
+
+ We should also check after 'beforeload' that we were not disconnected from (or
+ moved to a new) document.
+
+ I also looked for other cases of this pattern and fixed them, too.
+
+ Tests: fast/dom/beforeload/image-removed-during-before-load.html
+ fast/dom/beforeload/recursive-css-pi-before-load.html
+ fast/dom/beforeload/recursive-link-before-load.html
+ fast/dom/beforeload/recursive-xsl-pi-before-load.html
+
+ * dom/ProcessingInstruction.cpp:
+ (WebCore::ProcessingInstruction::checkStyleSheet): Prevent recursive calls into
+ this function during 'beforeload' handling. Also, safely handle the case where
+ the element was disconnected in the 'beforeload' handler (similar to what
+ we do in HTMLLinkElement).
+ (WebCore::ProcessingInstruction::setCSSStyleSheet): Drive-by Fix: Protect the
+ current document to match what we do in setXSLStyleSheet.
+ * dom/ProcessingInstruction.h:
+ * html/HTMLLinkElement.cpp:
+ (WebCore::HTMLLinkElement::process): Prevent recursive calls into
+ this function during 'beforeload' handling.
+ * html/HTMLLinkElement.h:
+ * loader/ImageLoader.cpp:
+ (WebCore::ImageLoader::dispatchPendingBeforeLoadEvent): safely handle the case where
+ the element was disconnected in the 'beforeload' handler (similar to what
+ we do in HTMLLinkElement).
+
</ins><span class="cx"> 2017-03-30 Jason Marcell <jmarcell@apple.com>
</span><span class="cx">
</span><span class="cx"> Merge r214392. rdar://problem/31356105
</span></span></pre></div>
<a id="branchessafari603branchSourceWebCoredomProcessingInstructioncpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/WebCore/dom/ProcessingInstruction.cpp (214703 => 214704)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/WebCore/dom/ProcessingInstruction.cpp 2017-04-01 00:11:08 UTC (rev 214703)
+++ branches/safari-603-branch/Source/WebCore/dom/ProcessingInstruction.cpp 2017-04-01 00:20:38 UTC (rev 214704)
</span><span class="lines">@@ -1,6 +1,6 @@
</span><span class="cx"> /*
</span><span class="cx"> * Copyright (C) 2000 Peter Kelly (pmk@post.com)
</span><del>- * Copyright (C) 2006, 2008, 2009 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2006-2017 Apple Inc. All rights reserved.
</ins><span class="cx"> * Copyright (C) 2013 Samsung Electronics. All rights reserved.
</span><span class="cx"> *
</span><span class="cx"> * This library is free software; you can redistribute it and/or
</span><span class="lines">@@ -35,6 +35,7 @@
</span><span class="cx"> #include "StyleSheetContents.h"
</span><span class="cx"> #include "XMLDocumentParser.h"
</span><span class="cx"> #include "XSLStyleSheet.h"
</span><ins>+#include <wtf/SetForScope.h>
</ins><span class="cx">
</span><span class="cx"> namespace WebCore {
</span><span class="cx">
</span><span class="lines">@@ -80,6 +81,10 @@
</span><span class="cx">
</span><span class="cx"> void ProcessingInstruction::checkStyleSheet()
</span><span class="cx"> {
</span><ins>+ // Prevent recursive loading of stylesheet.
+ if (m_isHandlingBeforeLoad)
+ return;
+
</ins><span class="cx"> if (m_target == "xml-stylesheet" && document().frame() && parentNode() == &document()) {
</span><span class="cx"> // see http://www.w3.org/TR/xml-stylesheet/
</span><span class="cx"> // ### support stylesheet included in a fragment of this (or another) document
</span><span class="lines">@@ -130,12 +135,24 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> String url = document().completeURL(href).string();
</span><ins>+
+ Ref<Document> originalDocument = document();
+
+ {
+ SetForScope<bool> change(m_isHandlingBeforeLoad, true);
</ins><span class="cx"> if (!dispatchBeforeLoadEvent(url))
</span><span class="cx"> return;
</span><ins>+ }
</ins><span class="cx">
</span><ins>+ bool didEventListenerDisconnectThisElement = !inDocument() || &document() != originalDocument.ptr();
+ if (didEventListenerDisconnectThisElement)
+ return;
+
</ins><span class="cx"> m_loading = true;
</span><span class="cx"> document().styleScope().addPendingSheet();
</span><span class="cx">
</span><ins>+ ASSERT_WITH_SECURITY_IMPLICATION(!m_cachedSheet);
+
</ins><span class="cx"> #if ENABLE(XSLT)
</span><span class="cx"> if (m_isXSL) {
</span><span class="cx"> auto options = CachedResourceLoader::defaultCachedResourceOptions();
</span><span class="lines">@@ -206,6 +223,7 @@
</span><span class="cx"> // We don't need the cross-origin security check here because we are
</span><span class="cx"> // getting the sheet text in "strict" mode. This enforces a valid CSS MIME
</span><span class="cx"> // type.
</span><ins>+ Ref<Document> protect(document());
</ins><span class="cx"> parseStyleSheet(sheet->sheetText());
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="branchessafari603branchSourceWebCoredomProcessingInstructionh"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/WebCore/dom/ProcessingInstruction.h (214703 => 214704)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/WebCore/dom/ProcessingInstruction.h 2017-04-01 00:11:08 UTC (rev 214703)
+++ branches/safari-603-branch/Source/WebCore/dom/ProcessingInstruction.h 2017-04-01 00:20:38 UTC (rev 214704)
</span><span class="lines">@@ -1,6 +1,6 @@
</span><span class="cx"> /*
</span><span class="cx"> * Copyright (C) 2000 Peter Kelly (pmk@post.com)
</span><del>- * Copyright (C) 2006 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2006-2017 Apple Inc. All rights reserved.
</ins><span class="cx"> * Copyright (C) 2013 Samsung Electronics. All rights reserved.
</span><span class="cx"> *
</span><span class="cx"> * This library is free software; you can redistribute it and/or
</span><span class="lines">@@ -87,6 +87,7 @@
</span><span class="cx"> #if ENABLE(XSLT)
</span><span class="cx"> bool m_isXSL { false };
</span><span class="cx"> #endif
</span><ins>+ bool m_isHandlingBeforeLoad { false };
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> } // namespace WebCore
</span></span></pre></div>
<a id="branchessafari603branchSourceWebCorehtmlHTMLLinkElementcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/WebCore/html/HTMLLinkElement.cpp (214703 => 214704)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/WebCore/html/HTMLLinkElement.cpp 2017-04-01 00:11:08 UTC (rev 214703)
+++ branches/safari-603-branch/Source/WebCore/html/HTMLLinkElement.cpp 2017-04-01 00:20:38 UTC (rev 214704)
</span><span class="lines">@@ -2,7 +2,7 @@
</span><span class="cx"> * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
</span><span class="cx"> * (C) 1999 Antti Koivisto (koivisto@kde.org)
</span><span class="cx"> * (C) 2001 Dirk Mueller (mueller@kde.org)
</span><del>- * Copyright (C) 2003, 2006, 2007, 2008, 2009, 2010, 2014 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2003-2017 Apple Inc. All rights reserved.
</ins><span class="cx"> * Copyright (C) 2009 Rob Buis (rwlbuis@gmail.com)
</span><span class="cx"> * Copyright (C) 2011 Google Inc. All rights reserved.
</span><span class="cx"> *
</span><span class="lines">@@ -56,6 +56,7 @@
</span><span class="cx"> #include "StyleScope.h"
</span><span class="cx"> #include "StyleSheetContents.h"
</span><span class="cx"> #include <wtf/Ref.h>
</span><ins>+#include <wtf/SetForScope.h>
</ins><span class="cx"> #include <wtf/StdLibExtras.h>
</span><span class="cx">
</span><span class="cx"> namespace WebCore {
</span><span class="lines">@@ -225,6 +226,10 @@
</span><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ // Prevent recursive loading of link.
+ if (m_isHandlingBeforeLoad)
+ return;
+
</ins><span class="cx"> URL url = getNonEmptyURLAttribute(hrefAttr);
</span><span class="cx">
</span><span class="cx"> if (!m_linkLoader.loadLink(m_relAttribute, url, attributeWithoutSynchronization(asAttr), attributeWithoutSynchronization(crossoriginAttr), document()))
</span><span class="lines">@@ -244,8 +249,11 @@
</span><span class="cx"> m_cachedSheet = nullptr;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ {
+ SetForScope<bool> change(m_isHandlingBeforeLoad, true);
</ins><span class="cx"> if (!shouldLoadLink())
</span><span class="cx"> return;
</span><ins>+ }
</ins><span class="cx">
</span><span class="cx"> m_loading = true;
</span><span class="cx">
</span><span class="lines">@@ -279,6 +287,8 @@
</span><span class="cx">
</span><span class="cx"> request.setAsPotentiallyCrossOrigin(crossOrigin(), document());
</span><span class="cx">
</span><ins>+ ASSERT_WITH_SECURITY_IMPLICATION(!m_cachedSheet);
+
</ins><span class="cx"> m_cachedSheet = document().cachedResourceLoader().requestCSSStyleSheet(WTFMove(request));
</span><span class="cx">
</span><span class="cx"> if (m_cachedSheet)
</span></span></pre></div>
<a id="branchessafari603branchSourceWebCorehtmlHTMLLinkElementh"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/WebCore/html/HTMLLinkElement.h (214703 => 214704)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/WebCore/html/HTMLLinkElement.h 2017-04-01 00:11:08 UTC (rev 214703)
+++ branches/safari-603-branch/Source/WebCore/html/HTMLLinkElement.h 2017-04-01 00:20:38 UTC (rev 214704)
</span><span class="lines">@@ -1,7 +1,7 @@
</span><span class="cx"> /*
</span><span class="cx"> * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
</span><span class="cx"> * (C) 1999 Antti Koivisto (koivisto@kde.org)
</span><del>- * Copyright (C) 2003, 2008, 2010 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2003-2017 Apple Inc. All rights reserved.
</ins><span class="cx"> * Copyright (C) 2011 Google Inc. All rights reserved.
</span><span class="cx"> *
</span><span class="cx"> * This library is free software; you can redistribute it and/or
</span><span class="lines">@@ -137,6 +137,7 @@
</span><span class="cx"> bool m_createdByParser;
</span><span class="cx"> bool m_firedLoad;
</span><span class="cx"> bool m_loadedResource;
</span><ins>+ bool m_isHandlingBeforeLoad { false };
</ins><span class="cx">
</span><span class="cx"> PendingSheetType m_pendingSheetType;
</span><span class="cx">
</span></span></pre></div>
<a id="branchessafari603branchSourceWebCoreloaderImageLoadercpp"></a>
<div class="modfile"><h4>Modified: branches/safari-603-branch/Source/WebCore/loader/ImageLoader.cpp (214703 => 214704)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/WebCore/loader/ImageLoader.cpp 2017-04-01 00:11:08 UTC (rev 214703)
+++ branches/safari-603-branch/Source/WebCore/loader/ImageLoader.cpp 2017-04-01 00:20:38 UTC (rev 214704)
</span><span class="lines">@@ -1,7 +1,7 @@
</span><span class="cx"> /*
</span><span class="cx"> * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
</span><span class="cx"> * (C) 1999 Antti Koivisto (koivisto@kde.org)
</span><del>- * Copyright (C) 2004, 2005, 2006, 2007, 2009, 2010 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2004-2017 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * This library is free software; you can redistribute it and/or
</span><span class="cx"> * modify it under the terms of the GNU Library General Public
</span><span class="lines">@@ -395,7 +395,12 @@
</span><span class="cx"> if (!element().document().hasLivingRenderTree())
</span><span class="cx"> return;
</span><span class="cx"> m_hasPendingBeforeLoadEvent = false;
</span><ins>+ Ref<Document> originalDocument = element().document();
</ins><span class="cx"> if (element().dispatchBeforeLoadEvent(m_image->url())) {
</span><ins>+ bool didEventListenerDisconnectThisElement = !element().inDocument() || &element().document() != originalDocument.ptr();
+ if (didEventListenerDisconnectThisElement)
+ return;
+
</ins><span class="cx"> updateRenderer();
</span><span class="cx"> return;
</span><span class="cx"> }
</span></span></pre></div>
<a id="branchessafari603branchSourcefastdombeforeloadimageremovedduringbeforeloadexpectedtxt"></a>
<div class="addfile"><h4>Added: branches/safari-603-branch/Source/fast/dom/beforeload/image-removed-during-before-load-expected.txt (0 => 214704)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/fast/dom/beforeload/image-removed-during-before-load-expected.txt (rev 0)
+++ branches/safari-603-branch/Source/fast/dom/beforeload/image-removed-during-before-load-expected.txt 2017-04-01 00:20:38 UTC (rev 214704)
</span><span class="lines">@@ -0,0 +1,5 @@
</span><ins>+This test confirms that image loading properly handles a 'beforeload' events that removes the image from the document. It passes if no debug assertions are fired.
+
+PASS: Hit the beforeload handler
+PASS
+PASS: No assertions hit.
</ins></span></pre></div>
<a id="branchessafari603branchSourcefastdombeforeloadimageremovedduringbeforeloadhtml"></a>
<div class="addfile"><h4>Added: branches/safari-603-branch/Source/fast/dom/beforeload/image-removed-during-before-load.html (0 => 214704)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/fast/dom/beforeload/image-removed-during-before-load.html (rev 0)
+++ branches/safari-603-branch/Source/fast/dom/beforeload/image-removed-during-before-load.html 2017-04-01 00:20:38 UTC (rev 214704)
</span><span class="lines">@@ -0,0 +1,42 @@
</span><ins>+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<script src="resources/print.js"></script>
+<script>
+function test()
+{
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ }
+
+ image = document.createElement("img");
+ image.setAttribute("style", "display:none");
+ image.addEventListener("load", function() {
+ print('PASS', 'green');
+ }, { once: true });
+ image.addEventListener("beforeload", function() {
+ print('PASS: Hit the beforeload handler', 'green');
+ document.body.removeChild(image);
+ image = null;
+ setTimeout(step2, 0);
+ }, { once: true });
+
+ document.body.appendChild(image);
+
+ image.setAttribute("src", "../../images/resources/test-load.jpg");
+}
+
+function step2()
+{
+ print("PASS: No assertions hit.", "green");
+
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+</script>
+</head>
+<body onload="test()">
+<p>This test confirms that image loading properly handles a 'beforeload' events that removes the image from the document. It passes if no debug assertions are fired.</p>
+<div id="console"></div>
+</body>
+</html>
</ins></span></pre></div>
<a id="branchessafari603branchSourcefastdombeforeloadrecursivecsspibeforeloadexpectedtxt"></a>
<div class="addfile"><h4>Added: branches/safari-603-branch/Source/fast/dom/beforeload/recursive-css-pi-before-load-expected.txt (0 => 214704)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/fast/dom/beforeload/recursive-css-pi-before-load-expected.txt (rev 0)
+++ branches/safari-603-branch/Source/fast/dom/beforeload/recursive-css-pi-before-load-expected.txt 2017-04-01 00:20:38 UTC (rev 214704)
</span><span class="lines">@@ -0,0 +1,4 @@
</span><ins>+This test confirms that CSS stylesheets are properly handled if loaded during 'beforeload' events. It passes if no debug assertions are fired.
+
+PASS: No assertions hit.
+
</ins></span></pre></div>
<a id="branchessafari603branchSourcefastdombeforeloadrecursivecsspibeforeloadhtml"></a>
<div class="addfile"><h4>Added: branches/safari-603-branch/Source/fast/dom/beforeload/recursive-css-pi-before-load.html (0 => 214704)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/fast/dom/beforeload/recursive-css-pi-before-load.html (rev 0)
+++ branches/safari-603-branch/Source/fast/dom/beforeload/recursive-css-pi-before-load.html 2017-04-01 00:20:38 UTC (rev 214704)
</span><span class="lines">@@ -0,0 +1,45 @@
</span><ins>+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8"/>
+<meta http-equiv="pragma" content="no-cache"/>
+<meta http-equiv="expires" content="0"/>
+<script src="resources/print.js"></script>
+<script>
+function test()
+{
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ }
+
+ frame = document.createElement("iframe");
+ frame.setAttribute("src", "resources/content.xhtml");
+ frame.addEventListener("load", function(){
+ setTimeout(step2, 0);
+ }, { once: true });
+
+ document.body.appendChild(frame);
+
+ function step2(){
+ ins = 'href="pass.css" type="text/css"';
+ pi = frame.contentDocument.createProcessingInstruction('xml-stylesheet', ins);
+ pi.addEventListener("beforeload", function(){ pi.data = 'href="fail.css" type="text/css"'; }, { once: true });
+ frame.contentDocument.insertBefore(pi, frame.contentDocument.firstChild);
+
+ frame.contentDocument.removeChild(pi);
+ pi = null;
+
+ print("PASS: No assertions hit.", "green");
+
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }
+}
+</script>
+</head>
+<body onload="test()">
+<p>This test confirms that CSS stylesheets are properly handled if loaded during 'beforeload' events. It passes if no debug assertions are fired.</p>
+<div id="console"></div>
+</body>
+</html>
</ins></span></pre></div>
<a id="branchessafari603branchSourcefastdombeforeloadrecursivelinkbeforeloadexpectedtxt"></a>
<div class="addfile"><h4>Added: branches/safari-603-branch/Source/fast/dom/beforeload/recursive-link-before-load-expected.txt (0 => 214704)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/fast/dom/beforeload/recursive-link-before-load-expected.txt (rev 0)
+++ branches/safari-603-branch/Source/fast/dom/beforeload/recursive-link-before-load-expected.txt 2017-04-01 00:20:38 UTC (rev 214704)
</span><span class="lines">@@ -0,0 +1,5 @@
</span><ins>+This test confirms that link elements properly handled changes during 'beforeload' events. It passes if no debug assertions are fired.
+
+PASS: Beforeload handled.
+PASS: No assertions hit.
+
</ins></span></pre></div>
<a id="branchessafari603branchSourcefastdombeforeloadrecursivelinkbeforeloadhtml"></a>
<div class="addfile"><h4>Added: branches/safari-603-branch/Source/fast/dom/beforeload/recursive-link-before-load.html (0 => 214704)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/fast/dom/beforeload/recursive-link-before-load.html (rev 0)
+++ branches/safari-603-branch/Source/fast/dom/beforeload/recursive-link-before-load.html 2017-04-01 00:20:38 UTC (rev 214704)
</span><span class="lines">@@ -0,0 +1,61 @@
</span><ins>+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8"/>
+<meta http-equiv="pragma" content="no-cache"/>
+<meta http-equiv="expires" content="0"/>
+<script src="resources/print.js"></script>
+<script>
+function test()
+{
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ }
+
+ frame = document.createElement("iframe");
+ frame.setAttribute("src", "resources/content.xhtml");
+ frame.addEventListener("load", function(){
+ setTimeout(step2, 0);
+ }, { once: true });
+
+ document.body.appendChild(frame);
+
+ var link;
+ var head;
+
+ function step2() {
+ head = frame.contentDocument.getElementsByTagName('head')[0];
+
+ link = frame.contentDocument.createElement('link');
+ link.type = 'text/css';
+ link.rel = 'stylesheet';
+
+ link.addEventListener("beforeload", function() {
+ print("PASS: Beforeload handled.", "green");
+ link.href = 'fail.css';
+ setTimeout(step3, 0);
+ }, { once: true });
+
+ link.href = 'pass.css';
+
+ head.appendChild(link);
+ }
+
+ function step3() {
+ head.removeChild(link);
+ link = null;
+
+ print("PASS: No assertions hit.", "green");
+
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }
+}
+</script>
+</head>
+<body onload="test()">
+<p>This test confirms that link elements properly handled changes during 'beforeload' events. It passes if no debug assertions are fired.</p>
+<div id="console"></div>
+</body>
+</html>
</ins></span></pre></div>
<a id="branchessafari603branchSourcefastdombeforeloadrecursivexslpibeforeloadexpectedtxt"></a>
<div class="addfile"><h4>Added: branches/safari-603-branch/Source/fast/dom/beforeload/recursive-xsl-pi-before-load-expected.txt (0 => 214704)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/fast/dom/beforeload/recursive-xsl-pi-before-load-expected.txt (rev 0)
+++ branches/safari-603-branch/Source/fast/dom/beforeload/recursive-xsl-pi-before-load-expected.txt 2017-04-01 00:20:38 UTC (rev 214704)
</span><span class="lines">@@ -0,0 +1,4 @@
</span><ins>+This test confirms that XSL stylesheets are properly handled if loaded during 'beforeload' events. It passes if no debug assertions are fired.
+
+PASS: No assertions hit.
+
</ins></span></pre></div>
<a id="branchessafari603branchSourcefastdombeforeloadrecursivexslpibeforeloadhtml"></a>
<div class="addfile"><h4>Added: branches/safari-603-branch/Source/fast/dom/beforeload/recursive-xsl-pi-before-load.html (0 => 214704)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/fast/dom/beforeload/recursive-xsl-pi-before-load.html (rev 0)
+++ branches/safari-603-branch/Source/fast/dom/beforeload/recursive-xsl-pi-before-load.html 2017-04-01 00:20:38 UTC (rev 214704)
</span><span class="lines">@@ -0,0 +1,45 @@
</span><ins>+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8"/>
+<meta http-equiv="pragma" content="no-cache"/>
+<meta http-equiv="expires" content="0"/>
+<script src="resources/print.js"></script>
+<script>
+function test()
+{
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ }
+
+ frame = document.createElement("iframe");
+ frame.setAttribute("src", "resources/content.xhtml");
+ frame.addEventListener("load", function(){
+ setTimeout(step2, 0);
+ }, { once: true });
+
+ document.body.appendChild(frame);
+
+ function step2(){
+ ins = 'href="test.xsl?a=1" type="text/xsl"';
+ pi = frame.contentDocument.createProcessingInstruction('xml-stylesheet', ins);
+ pi.addEventListener("beforeload", function(){ pi.data = 'href="test.xsl?b=1" type="text/xsl"'; }, { once: true });
+ frame.contentDocument.insertBefore(pi, frame.contentDocument.firstChild);
+
+ frame.contentDocument.removeChild(pi);
+ pi = null;
+
+ print("PASS: No assertions hit.", "green");
+
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }
+}
+</script>
+</head>
+<body onload="test()">
+<p>This test confirms that XSL stylesheets are properly handled if loaded during 'beforeload' events. It passes if no debug assertions are fired.</p>
+<div id="console"></div>
+</body>
+</html>
</ins></span></pre></div>
<a id="branchessafari603branchSourcefastdombeforeloadresourcescontentxhtml"></a>
<div class="addfile"><h4>Added: branches/safari-603-branch/Source/fast/dom/beforeload/resources/content.xhtml (0 => 214704)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/fast/dom/beforeload/resources/content.xhtml (rev 0)
+++ branches/safari-603-branch/Source/fast/dom/beforeload/resources/content.xhtml 2017-04-01 00:20:38 UTC (rev 214704)
</span><span class="lines">@@ -0,0 +1,8 @@
</span><ins>+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+</head>
+<body>
+hi
+</body>
+</html>
</ins></span></pre></div>
<a id="branchessafari603branchSourcefastdombeforeloadresourcespasscss"></a>
<div class="addfile"><h4>Added: branches/safari-603-branch/Source/fast/dom/beforeload/resources/pass.css (0 => 214704)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/fast/dom/beforeload/resources/pass.css (rev 0)
+++ branches/safari-603-branch/Source/fast/dom/beforeload/resources/pass.css 2017-04-01 00:20:38 UTC (rev 214704)
</span><span class="lines">@@ -0,0 +1,5 @@
</span><ins>+.block {
+ width: 100px;
+ height: 100px;
+ background-color: green;
+}
</ins></span></pre></div>
<a id="branchessafari603branchSourcefastdombeforeloadresourcestestxsl"></a>
<div class="addfile"><h4>Added: branches/safari-603-branch/Source/fast/dom/beforeload/resources/test.xsl (0 => 214704)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-603-branch/Source/fast/dom/beforeload/resources/test.xsl (rev 0)
+++ branches/safari-603-branch/Source/fast/dom/beforeload/resources/test.xsl 2017-04-01 00:20:38 UTC (rev 214704)
</span><span class="lines">@@ -0,0 +1,14 @@
</span><ins>+<?xml version="1.0"?>
+<xsl:stylesheet version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+ <xsl:output method="html"/>
+ <xsl:template match="/">
+ <html>
+ <head>
+ </head>
+ <body>
+ Test
+ </body>
+ </html>
+ </xsl:template>
+</xsl:stylesheet>
</ins></span></pre>
</div>
</div>
</body>
</html>