Bug 90240

Summary: DOMHTMLCollection::item may return a wrong element after namedItem is called
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: New BugsAssignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED    
Severity: Normal CC: andersca, darin, kling
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 90118    
Attachments:
Description Flags
Fixes the bug
none
Fixed the bug koivisto: review+

Ryosuke Niwa
Reported 2012-06-28 20:19:49 PDT
DOMHTMLCollection::item may return a wrong element after namedItem is called
Attachments
Fixes the bug (15.71 KB, patch)
2012-06-28 20:22 PDT, Ryosuke Niwa 		no flags
DetailsFormatted DiffDiff
Fixed the bug (16.01 KB, patch)
2012-06-28 23:20 PDT, Ryosuke Niwa 		koivisto: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Ryosuke Niwa
Comment 1 2012-06-28 20:22:20 PDT
Created attachment 150071 [details] Fixes the bug
Ryosuke Niwa
Comment 2 2012-06-28 20:45:35 PDT
Comment on attachment 150071 [details] Fixes the bug View in context: https://bugs.webkit.org/attachment.cgi?id=150071&action=review > Source/WebCore/html/HTMLCollection.cpp:285 > m_cache.current = 0; I guess I should have removed this line as well (it'll degrade the performance to some extent and needs to be removed in the bug 90118 but doesn't introduce any incorrect behavior).
Antti Koivisto
Comment 3 2012-06-28 22:33:23 PDT
Comment on attachment 150071 [details] Fixes the bug View in context: https://bugs.webkit.org/attachment.cgi?id=150071&action=review > Source/WebCore/html/HTMLCollection.cpp:275 > + unsigned i = 0; > for (Element* e = itemAfter(0); e; e = itemAfter(e)) { > if (checkForNameMatch(e, /* checkName */ false, name)) { > m_cache.current = e; > + m_cache.position = i; > return e; > } > } > > + i = 0; You are not incrementing i.
Ryosuke Niwa
Comment 4 2012-06-28 23:20:06 PDT
Created attachment 150089 [details] Fixed the bug
Antti Koivisto
Comment 5 2012-06-28 23:25:55 PDT
Comment on attachment 150089 [details] Fixed the bug r=me. nice API test!
Ryosuke Niwa
Comment 6 2012-06-28 23:38:46 PDT
Committed r121521: <http://trac.webkit.org/changeset/121521>
Alexey Proskuryakov
Comment 7 2012-06-29 00:00:25 PDT
Nice!
Note You need to log in before you can comment on or make changes to this bug.