ChangeLog

=== WebCore-417.24 ===

2006-03-13  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch

    2006-02-16  Tim Omernick  <>

        Reviewed by Geoff.

        <rdar://problem/4428609> Flash Player 8.0.22 can crash Safari (and WebKit apps)
        with javascript disabled (7015)

        Added a test case, manual-tests/NPN_Invoke.  This is a skeleton of a Netscape
        plugin which uses NPN_Invoke() to call the window.alert() JavaScript function.
        * bridge/mac/
        Removed the check Darin added to return 0 when JavaScript is disabled.
        This method cannot return 0, because plugins are not guaranteed to check
        for that.
        Removed my old fix for Radar 4428609 (7015) in favor of a better solution.
        Instead of creating a "dummy" JSObject to represent the window script object
        when JavaScript is disabled, we use the new JavaScriptCore bindings API to 
        create a "no script" NPObject.  This solution is better because it does not
        cause entry into any JavaScript interpreter code.

        * manual-tests/NPN_Invoke: Added.
        * manual-tests/NPN_Invoke/English.lproj: Added.
        * manual-tests/NPN_Invoke/English.lproj/Localized.r: Added.
        * manual-tests/NPN_Invoke/Info.plist: Added.
        * manual-tests/NPN_Invoke/NPN_Invoke.xcodeproj: Added.
        * manual-tests/NPN_Invoke/NPN_Invoke.xcodeproj/project.pbxproj: Added.
        * manual-tests/NPN_Invoke/main.c: Added.
        * manual-tests/NPN_Invoke/test.html: Added.

=== WebCore-417.23 ===

2006-03-02  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch
        This also includes the fix
        <rdar://problem/4462712> REGRESSION (r12872): Repro crash when clicking the Quick Reply box in Gmail

    2006-02-17  Vicki Murley <>

        Reviewed by Justin.
        Get rid of handleFocusOut on text fields and textareas - move this functionality to the place
        where we resign focus on the previous node in setFocusNode.  Add isTextField on RenderObject
        as one way to distinguish from contenteditable elements - Win IE does not fire onChange for 
        contenteditable elements, so we won't either. Also, expose the dirty bit variables previously 
        checked in handleFocusOut methods in isEdited() and setEdited().

        Fixes the following bugs:
        <rdar://problem/4315673> REGRESSION (1.2.2 - 1.3): onChange and onFocus events firing order differs for mouse click and tab (7227)
        <rdar://problem/4447009> for text fields, onChange should fire before onBlur to match Win IE

        Test case is on the way.

        * dom/DocumentImpl.cpp:
        (WebCore::DocumentImpl::setFocusNode): For textareas and text fields, fire a change event
        on the node that is resigning focus.  Make sure the blur event fires after the change event - 4447009.
        * rendering/render_form.cpp:
        (WebCore::RenderLineEdit::slotReturnPressed): Replace call to handleFocusOut with equivalent code.
        (WebCore::RenderLineEdit::isEdited): Added.
        (WebCore::RenderLineEdit::setEdited): Added.
        (WebCore::RenderTextArea::setEdited): Added.
        * rendering/render_form.h:
        (WebCore::RenderLineEdit::isTextField): Added.
        (WebCore::RenderTextArea::isTextArea): Make this non-virtual.
        (WebCore::RenderTextArea::isEdited): Added.
        * rendering/render_object.h:
        (WebCore::RenderObject::isEdited): Added.
        (WebCore::RenderObject::setEdited): Added.
        (WebCore::RenderObject::isTextField): Added.
        * rendering/render_replaced.h: Remove handleFocusOut().
        * rendering/render_replaced.cpp: Ditto.
        (WebCore::RenderWidget::eventFilter): Remove call to handleFocusOut().  Safe to do here,
        since we call setFocusNode immediately beforehand.

=== WebCore-417.22 ===

2006-02-15  Timothy Hatcher  <>

        Reviewed by Beth, Geoff, Maciej.

        Removed #define MALLOC_FAILURE_ACTION abort(), letting malloc return NULL.

        Fixes <rdar://problem/4365248> *SecUpd: Tiger* SureSec si#182 safari heap overflow.
        <rdar://problem/4416122> *SecUpd: Chardonnay* SureSec si#182 safari heap overflow.

        * khtml/misc/main_thread_malloc.cpp:

=== WebCore-417.21 ===

2006-02-10  Eric Seidel  <>

        Reviewed by darin.

        <rdar://problem/4145813> hang in XMLHttpRequest::cancelRequests
        No test case possible.

        * khtml/ecma/xmlhttprequest.cpp:

2006-02-10  Timothy Hatcher  <>

        Reviewed by Tim O.

        Rolling out r11800 and reworked Tim's original fix
        to call _NPN_DeallocateObject in the destructor.

        * kwq/

=== WebCore-417.20 ===

2006-02-06  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch

    2005-11-01  Justin Garcia  <>

        Reviewed by darin

        Fixes <rdar://problem/4074536> Seed: Mail crash adjusting quote level - KHTMLPart::computeAndSetTypingStyle

        No test cases added, requires Mail

        * kwq/
        (-[WebCoreBridge typingStyle]):
        Crashes were happening after a style was merged with itself.  Mail was doing a setTypingStyle
        with a pointer to our internal typing style.  Fix is to only hand out copies of our typingStyle.

2006-02-06  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch

    2006-01-16  Tim Omernick  <>

        Reviewed by John Sullivan.

        WebCore part of <rdar://problem/4211707> NPAPI ref count behavior differs with Mozilla

        * bridge/mac/
        Call _NPN_DeallocateObject() instead of _NPN_ReleaseObject() so that we don't leak if a plugin fails to release
        the window script object properly.
        Our old NPN_GetValue() did not properly retain the returned window script object.  Because of this, many plugins
        have WebKit-specific workarounds to not release said window script object.  Forcibly deallocating it here
        should prevent any such issues.  This shouldn't cause any problems for plugins, since they should already be
        stopped and destroyed at this point.
        This also fixes a preexisting leak of the window script NPObject -- it was never actually being freed!

=== WebCore-417.19 ===

2006-01-18  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch

    2006-01-17  Beth Dakin  <>

        Reviewed by Hyatt and Darin

        Fix for <rdar://problem/4405836> REGRESSION: crash at 
        when deleting mail in khtml::RenderTableCell::collapsedBottomBorder() const 
        + 232

        RenderTableCell::collapsedBottomBorder() gets nextCell by calling 
        table()->cellBelow(this). In the case of the crash, cellBelow() returns 
        a pointer to a table cell that was already destroyed. cellBelow() thinks 
        that the pointer is still good because the grid of cells has not been updated 
        because all of this code is called through the hitTest and the hitTest does 
        not update the layout. The fix that I have is simply to have the hitTest call 
        updateLayout(). This is the only change in behavior. The rest of the patch 
        preserves behavior for simulated clicks. fast/events/stopPropagation-submit 
        caught this problem that arose from calling updateLayout() in the hitTest; 
        we should always have an x and y position of 0 for simulated clicks. This 
        preserves that behavior by keeping track of whether a click is simulated or not.

        * khtml/html/HTMLInputElementImpl.cpp:
        (DOM::HTMLInputElementImpl::defaultEventHandler): If the click is simulated, 
        set xPos and yPos to 0.
        * khtml/html/html_elementimpl.cpp:
        (HTMLElementImpl::setContentEditable): Fix spacing.
        (HTMLElementImpl::click): It isn't necessary to check if there is a renderer.
        * khtml/rendering/render_layer.cpp:
        (khtml::RenderLayer::hitTest): Call updateLayout().
        * khtml/xml/NodeImpl.cpp:
        (WebCore::NodeImpl::dispatchSimulatedMouseEvent): Set isSimulated to true.
        (WebCore::NodeImpl::dispatchMouseEvent): Keep track of isSimulated.
        * khtml/xml/NodeImpl.h: Same.
        * khtml/xml/dom2_eventsimpl.cpp:
        (DOM::MouseRelatedEventImpl::MouseRelatedEventImpl): Add isSimulated to
        (DOM::MouseRelatedEventImpl::computePositions): Only change the offsets if 
        it's not simulated.
        (DOM::MouseEventImpl::MouseEventImpl): Add isSimulated to MouseEventImpl()
        * khtml/xml/dom2_eventsimpl.h: 
        (DOM::MouseRelatedEventImpl::isSimulated): Declarations of isSimulated
        (DOM::MouseEventImpl::isSimulated): Same.

=== WebCore-417.18.1 ===

2006-01-05  Adele Peterson  <>

        Merged fix from TOT to Safari-2-0-branch

    2005-10-25  Beth Dakin  <>

        Reviewed by Maciej

        Fix for <rdar://problem/4148730> SureSec si#182 safari heap overflow.
        When a table has a really huge rowSpan, Safari used to crash because
        the malloc of the grid for the table failed. This fix just checks for
        the success of the malloc.

        * khtml/rendering/render_table.cpp:
        (RenderTableSection::ensureRows): Return false if the grid resize is not 
        (RenderTableSection::addCell): Return early if ensureRows() returned false.
        * khtml/rendering/render_table.h: Make ensureRows() return a bool instead
        of void.
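
Added example, not part of the ChangeLog and not WebCore code: a minimal C++ sketch of the pattern the 2005-10-25 entry describes, where growing the grid reports allocation failure and addCell() returns early instead of writing through a bad pointer. The Grid and Cell types, the one-pointer-per-row layout and the budget parameter (which simulates a failing allocator) are assumptions, and the size-overflow checks go beyond what the entry states.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>

struct Cell { int id; };  // hypothetical stand-in for a table cell

// Simplified grid: one cell pointer per row (an assumption of this sketch).
class Grid {
public:
    // budget simulates an allocator that refuses large requests.
    explicit Grid(std::size_t budget = SIZE_MAX) : budget_(budget) {}
    ~Grid() { std::free(rows_); }
    Grid(const Grid&) = delete;
    Grid& operator=(const Grid&) = delete;

    // Grow to numRows rows. On failure the grid is left exactly as it was.
    bool ensureRows(std::size_t numRows) {
        if (numRows <= rowCount_) return true;
        if (numRows > SIZE_MAX / sizeof(Cell*)) return false;  // byte count would wrap
        std::size_t bytes = numRows * sizeof(Cell*);
        void* p = bytes > budget_ ? nullptr : std::realloc(rows_, bytes);
        if (!p) return false;  // a failed realloc keeps the old block valid
        rows_ = static_cast<Cell**>(p);
        for (std::size_t r = rowCount_; r < numRows; ++r) rows_[r] = nullptr;
        rowCount_ = numRows;
        return true;
    }

    // Place a cell spanning rowSpan rows, starting at row.
    bool addCell(Cell* cell, std::size_t row, std::size_t rowSpan) {
        if (rowSpan == 0 || row > SIZE_MAX - rowSpan) return false;
        if (!ensureRows(row + rowSpan)) return false;  // return early, write nothing
        for (std::size_t r = row; r < row + rowSpan; ++r) rows_[r] = cell;
        return true;
    }
    std::size_t rowCount() const { return rowCount_; }

private:
    std::size_t budget_;
    Cell** rows_ = nullptr;
    std::size_t rowCount_ = 0;
};

int main() {
    Cell c{1};
    Grid grid(1 << 20);  // constructed 1 MiB budget
    std::printf("rowSpan=2: %d\n", grid.addCell(&c, 0, 2));
    std::printf("rowSpan=100000000: %d\n", grid.addCell(&c, 1, 100000000));
    std::printf("rows still allocated: %zu\n", grid.rowCount());
    return 0;
}
```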

=== WebCore-417.18 ===

2005-12-23  Geoffrey Garen  <>

        - Fixed <rdar://problem/4392583> REGRESSION: Reproducible crash while viewing Opera's "why we're better than Safari" site,, in khtml::RenderBlock::nodeAtPoint

        Fix by Darin, reviewed and landed by me.

        * khtml/rendering/render_container.cpp:
        (RenderContainer::updatePseudoChild): Don't have the parent call removeChild, because the child calls parent()->removeChild() on itself in detach().

=== WebCore-417.17 ===

2005-12-21  Adele Peterson  <>

        Reviewed by Tim Hatcher.

        Fix for <rdar://problem/4387433> Seed: Radio buttons behave incorrectly in Gmail settings

        * khtml/html/html_formimpl.cpp:
        (DOM::HTMLFormElementImpl::registerFormElement): If this form element is already checked in the default form, remove it from m_selectedRadioButtons and add it for the new form.

=== WebCore-417.16 ===

2005-12-20  Adele Peterson  <>

        Reviewed by Darin.

        Fix for <rdar://problem/4387630> REGRESSION: <select> element's onClick event doesn't fire @

        * kwq/
        (KWQKHTMLPart::passSubframeEventToSubframe): only pass mouse down for khtmlviews.

== Rolled over to ChangeLog-2005-12-19 ==