ChangeLog

=== WebCore-418.21 ===

2006-08-15  Geoffrey Garen  <>

        Merged fix from TOT to Safari-2-0-branch
        This fixes <rdar://problem/4661982> (crash in KHTMLParser::popBlock).
        - This patch reworks a previous fix for <rdar://problem/3524912> repro 
        crash in KHTMLParser::parseToken, due to parser's current element being 
        destroyed (, along with subsequent adjustments to fix
        The previous solutions caused a ~2% performance regression on iBench HTML,
        due to RefPtr churn. The optimizations here gain back that ~2% plus ~1% more,
        for a total win of ~3% vs current TOT.
        The solution here is:
        (1) Don't let the parser ref document nodes -- that causes leaks.
        (2) Handle ref/deref manually, to avoid RefPtr churn. Specifically, when 
        moving a node between stacks or to/from 'current', rather than deref'ing
        and then ref'ing again, simply move the node, along with its refcount, to
        its new location, and overwrite its old location.
        * WebCore.xcodeproj/project.pbxproj:
        * html/HTMLParser.cpp:
        * html/HTMLParser.h:
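        The ref/deref scheme in point (2) above, as an added illustration that is not
        WebCore's HTMLParser code: a minimal intrusively ref-counted Node and a holder
        with one 'current' slot plus a block stack (names BlockStack, pushBlock, popBlock
        and the refCalls counter are assumptions made for this example). Each occupied
        slot owns exactly one reference, and moving a node between slots transfers that
        reference instead of dropping and re-taking it, so the count never churns.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Added example, not WebCore code: a tiny intrusively ref-counted node.
struct Node {
    static int refCalls;      // instrumentation: how many ref() calls happened
    int refCount = 0;
    void ref() { ++refCount; ++refCalls; }
    void deref() { if (--refCount == 0) delete this; }
};
int Node::refCalls = 0;

// Holder with a 'current' slot and a stack of open blocks. Invariant: every
// non-null slot owns exactly one reference on the node it points to.
class BlockStack {
public:
    ~BlockStack() {
        if (m_current) m_current->deref();
        for (Node* n : m_stack) n->deref();
    }
    // Takes a new reference: the only ref() call in the round trip below.
    void setCurrent(Node* n) {
        if (m_current) m_current->deref();
        m_current = n;
        if (m_current) m_current->ref();
    }
    // current -> stack: ownership of the existing reference moves with the
    // pointer, so there is no deref()/ref() pair.
    void pushBlock() {
        if (!m_current) return;
        m_stack.push_back(m_current);
        m_current = nullptr;
    }
    // stack top -> current: the old current slot is overwritten (its own
    // reference released) and the stack slot's reference becomes current's.
    void popBlock() {
        if (m_stack.empty()) return;
        if (m_current) m_current->deref();
        m_current = m_stack.back();
        m_stack.pop_back();
    }
    Node* current() const { return m_current; }
    std::size_t depth() const { return m_stack.size(); }
private:
    Node* m_current = nullptr;
    std::vector<Node*> m_stack;
};

// Number of ref() calls during push-then-pop of one node: 1 (the initial
// take). A RefPtr-per-slot design would add a ref/deref pair for each move.
int refCallsForRoundTrip() {
    Node::refCalls = 0;
    {
        BlockStack s;
        Node* n = new Node;
        s.setCurrent(n);     // refCount 1
        s.pushBlock();       // refCount still 1
        s.popBlock();        // refCount still 1, current is n again
        if (s.current() != n || n->refCount != 1) return -1;
    }                        // destructor releases the last reference; n is freed
    return Node::refCalls;
}

// Refcount of the node while it sits on the stack: still 1, showing the
// reference moved rather than being dropped and re-taken.
int refCountWhileOnStack() {
    BlockStack s;
    Node* n = new Node;
    s.setCurrent(n);
    s.pushBlock();
    return (s.depth() == 1 && s.current() == nullptr) ? n->refCount : -1;
}

int main() {
    std::printf("ref() calls during round trip: %d\n", refCallsForRoundTrip());
    std::printf("refcount while on stack: %d\n", refCountWhileOnStack());
    return 0;
}
```

        The holder's destructor is what makes the manual scheme safe: every slot
        still owning a reference is released exactly once there, which is the
        invariant a RefPtr would otherwise enforce per slot.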

2006-08-04  Beth Dakin  <>

        Reviewed by me/Hyatt.

        Mostly this is merging over Hyatt's fix with r15801. Some other 
        things needed to be tweaked though. This is a better fix for 
        <rdar://problem/4541255> Safari hangs at
        safari-test/ somewhere from 

        * khtml/rendering/render_box.cpp:
        (RenderBox::deleteLineBoxWrapper): Call remove.
        * khtml/rendering/render_box.h:
        * khtml/rendering/render_list.cpp: 
        (RenderListItem::updateMarkerLocation): Call remove.
        * khtml/rendering/render_list.h:
        * khtml/rendering/render_object.cpp: Back out old fix.
        * khtml/rendering/render_object.h: Back out old fix. 

2006-07-28  Beth Dakin  <>

        Rubber stamped by Maciej.

        Fix for <rdar://problem/4541255> Safari hangs at http:// somewhere from 

        This is the same fix that Maciej and I did a week ago for 4529398. 
        Rolling it onto the branch because it fixes this crash too!

        * WebCore.xcodeproj/project.pbxproj: Project file wars.
        * khtml/rendering/render_list.cpp:
        (ListMarkerBox::detach): Remove from parent when detaching.
        (ListMarkerBox::operator delete):
        * khtml/rendering/render_list.h:

=== WebCore-418.20.1 ===

2006-07-06  Adele Peterson  <>

        Reviewed by Tim Hatcher.

        - Speculative fix for <rdar://problem/4605532> unrepro crash at after upgrading to 10.4.7 (but happening with 10.4.6 too)

        * khtml/khtmlview.cpp: (KHTMLView::layout): Ref's the view during layout, since a recalcStyle could cause the view to be deleted.
        If we get back from recalcStyle, and there's only one ref, return early since the view will be deleted when we exit layout.
        * khtml/khtmlview.h: (KHTMLView::hasOneRef): Added.

=== WebCore-418.20 ===

2006-07-05  Alice Liu  <>

        Merged fix from TOT to Safari-2-0-branch
        This fixes <rdar://problem/4600166> REGRESSION: Safari crash while loading web pages ( )

    2005-10-16  David Hyatt  <>

        Clean up the deletion of anonymous boxes in the render tree.
        Renamed methods to make it more clear and also added comments.
        Reviewed by bdakin

        * khtml/rendering/render_container.cpp:
        this was renamed on the branch, from RenderContainer::destroy
        this was renamed on the branch, from RenderContainer::destroyLeftoverChildren
        * khtml/rendering/render_container.h:
        * khtml/rendering/render_flow.cpp:
        this was renamed on the branch, from RenderContainer::destroy

=== WebCore-418.19.1 ===

2006-06-21  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch
        This fixes <rdar://problem/4571273> WebCore crash in khtml::RenderObject::getAbsoluteRepaintRectWithOutline

    2005-10-21  Beth Dakin  <>

        Reviewed by Hyatt

        Fix for <rdar://problem/3947202> certain sequence of DOM 
        method calls involving CSS outline and display crashes Safari 
        (in repaint code).

        * khtml/rendering/render_flow.cpp:
        (RenderFlow::destroy): Need to set m_continuation to 0 after it
        is destroyed to prevent possible crashes.

=== WebCore-418.19 ===

2006-06-14  Justin Garcia  <>

        Reviewed by thatcher, harrison
        <rdar://problem/4585175> 10.4.7 regression: Text from end of signature unexpectedly removed
        Merged fix for:
        REGRESSION: Content lost during a delete/merge of whitespace:pre text

        * khtml/editing/htmlediting.cpp:
        (khtml::hasARenderedDescendant): Added.
        (khtml::CompositeEditCommand::prune): Don't prune a leaf, the root editable element, or a container with one or more rendered descendants.

=== WebCore-418.18 ===

2006-06-14  David Harrison  <>

        Written by mjs, reviewed by Tim H.

        <rdar://problem/4586051> 10.4.7 regression: 'Saved and recent' button on does not work

        * khtml/xml/dom_nodeimpl.cpp:
        Call window capturing event handlers, not just bubbling event handlers.

=== WebCore-418.17 ===

2006-06-13  Geoffrey Garen  <>

        Patch by Darin, tweaked by me, reviewed by Harrison.

        - Fixed <rdar://problem/4584598> 10.4.7 regression: Changing location 
        for weather on home page redirects to another page
        We need to keep separate caches for HTML and non-HTML event listeners
        so that, if you add one of each to the same node, the two don't clobber 
        each other.

        * khtml/ecma/kjs_events.cpp:
        * khtml/ecma/kjs_window.cpp:
        * khtml/ecma/kjs_window.h:

2006-06-13  Maciej Stachowiak  <>

        Reviewed by Harrison, landed by Tim H.

        <rdar://problem/4583892> 10.4.7 regression: Hang occurs when attempting to load search results at

        Handle window events for capture phase, except load events, this quirk is needed because
        Mozilla used to not do the bubble or capture phase for image load events and sites mistakenly
        put capturing load event listeners on the window

        * khtml/xml/dom_nodeimpl.cpp:

=== WebCore-418.16 ===

2006-06-12  Timothy Hatcher  <>

        Reviewed by Maciej, Harrison.

        Fixes <rdar://problem/4582172> frameset load events don't fire (can't login into Gmail account or see map at

        Framesets need to register their load, beforeunload and unload events with the window.

        * khtml/html/html_baseimpl.cpp:

=== WebCore-418.15 ===

2006-06-09  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch
        This fixes the regression from <rdar://problem/4578533> REGRESSION: vbulletin search box closes when clicked

    2006-02-23  Vicki Murley  <>

        Reviewed by Hyatt.

        - fix <rdar://problem/4456004> onbeforeunload should cancel, and 
        <rdar://problem/4453579> REGRESSION (TOT): onbeforeunload is broken (7421)

        * bridge/mac/
        (WebCore::MacFrame::shouldClose): Onbeforeunload is a non-bubbling window
        event, so we should be using handleWindowEvent rather than dispatching a 
        generic event on the body. It seems this only worked before because of incorrect
        code in other parts of the tree. 
        * dom/dom2_eventsimpl.cpp:
        (WebCore::BeforeUnloadEventImpl::BeforeUnloadEventImpl): for this constructor,
        pass true for the cancel parameter

=== WebCore-418.14 ===

2006-06-09  Timothy Hatcher  <>

        Rolling out this fix, this caused a Mail regression.
        <rdar://problem/4578653> Forwarding loses the attached images

    2006-04-26  Tim Omernick  <>

        Reviewed by Hyatt.

        <rdar://problem/4068375> Flash inserted via innerHTML Fails to Show when CSS Display
        Style is Toggled via Javascript

        * html/html_objectimpl.cpp:
        Set needWidgetUpdate when finished parsing, even if the object element is not in
        a document.  That way, when the element attaches to a document, it will update its
        widget (creating the plug-in view if necessary).  This is important when the object
        is being inserted via setInnerHTML, since the parsed nodes are not added to the
        document until the whole HTML string is parsed.

2006-06-09  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch
        This fixes <rdar://problem/4578533> REGRESSION: vbulletin search box closes when clicked

    2006-02-08  Adele Peterson  <>

        Reviewed by Maciej.

        - Fixed <rdar://problem/4325160> 
          REGRESSION(416.12-420+): window events not stopped by stopPropagation (affects macnn forums)

        * fast/events/window-events-bubble.html
        * fast/events/window-events-bubble2.html
        * fast/events/window-events-capture.html

        * khtml/xml/DocumentImpl.cpp:
        (WebCore::DocumentImpl::handleWindowEvent): Added to send events directly to the window.  This code used to be in defaultEventHandler, but that wasn't sending them at the right time.
        (WebCore::DocumentImpl::defaultEventHandler): Moved code to send window events to handleWindowEvent.
        * khtml/xml/DocumentImpl.h: Added handleWindowEvent.
        * khtml/xml/NodeImpl.cpp:
        (WebCore::NodeImpl::dispatchGenericEvent): fire window events in capture and bubble phases.
        (WebCore::NodeImpl::dispatchWindowEvent): call handleWindowEvent.

=== WebCore-418.13 ===

2006-06-06  Geoffrey Garen  <>

        Fix by Maciej, reviewed by Darin. I provided desk space.
        - Fixed <rdar://problem/4573918> 10.4.7 Regression: Hang randomly occurs 
        when attempting to load if you use a PAC file

        Because the garbage collector suspends a thread while marking its stack,
        mark methods must not call malloc, because they may end up stuck,
        trying to acquire the malloc lock from a suspended thread.

        The fix here is:
        (1) Use a data member rather than a dictionary to track nodes that are
        in the process of marking their subtrees.
        (2) Avoid the case where calling getDOMNodeForDocument might allocate
        the staticDOMNodesPerDocument dictionary.
        * khtml/ecma/kjs_binding.cpp:
        * khtml/ecma/kjs_dom.cpp:
        * khtml/xml/dom_nodeimpl.cpp:
        * khtml/xml/dom_nodeimpl.h:

=== WebCore-418.12 ===

2006-06-02  Timothy Hatcher  <>

        Reviewed by Darin and Eric.

        <rdar://problem/4523402> SUTiLondon: XSL file containing <xsl:include href="../Styles/EscapeString.xsl" /> fails to load file

        The decoder was returning a null string for the EscapeString stylesheet because it didn't specify an encoding.
        If we do not find an encoding we need to assume it is UTF-8.

        We also need to load DTD files in xml documents for this test to fully work like Win IE.
        Wrapping XMLTokenizer's xmlReadMemory with setLoaderForLibXMLCallbacks to load any files XML needs through the docLoader.

        However, this further exposes <rdar://problem/4292995> (libxml2 looks for file in /etc/xml/catalog, but the file is not installed)
        This causes Safari to show an error in the activity window about file:///etc/xml/catalog. To prevent this we can set
        the XML_CATALOG_FILES environment variable to an empty string. We will only set this env var if it hasn't been set already.
        This allows someone to launch Safari with a custom catalog if that was ever needed.

        * khtml/misc/decoder.cpp:
        * khtml/xml/xml_tokenizer.cpp:

2006-06-02  Geoffrey Garen  <>

        Reviewed by Maciej.
        - Fixed <rdar://problem/4568551> Hang occurs when attempting to load 
        links found at
        if you use a PAC file
        For a synchronous XMLHttpRequest, the JavaScript interpreter initiating 
        the request would deadlock with the JavaScript interpreter spawned by 
        the request to execute the PAC file.
        The solution here is to temporarily drop the initiating interpreter's locks
        before making the request, and re-acquire the locks afterwards. Because
        the initiating interpreter waits for the request to complete before
        continuing execution, it is free to drop its locks while the request
        is in progress.

        * khtml/ecma/xmlhttprequest.cpp:

2006-06-01  Geoffrey Garen  <>

        Reviewed by Maciej.
        - Fixed <rdar://problem/4569127> 10.4.7 regression: Crash occurs when 
        clicking on the navigation tabs at

        The fix is to mark all DOM Nodes when collecting on an alternate thread -- 
        not just the nodes that are still in a document.
        Previously, the DOMObjectsMarker didn't mark DOM nodes that were not in 
        a document, since we assumed such nodes would either be (a) unreachable 
        or (b) reachable, and therefore marked elsewhere. However, it seems that
        heap/stack entropy allows for (c) non-deterministically reachable by the
        conservative garbage collector. So, ironically, we need to mark
        DOM nodes that are not in a document to avoid crashing when trying to
        mark them later.

        * khtml/ecma/kjs_binding.cpp:

=== WebCore-418.11 ===

2006-05-30  Levi Weintraub  <>

        Reviewed by justin.

        <rdar://problem/4039661> crash in ApplyStyleCommand::applyBlockStyle(DOM::CSSMutableStyleDeclarationImpl*, DOM::Position const&, DOM::Position const&) pasting contents of webpage into Mail or Blot
        <rdar://problem/4029632> Mail crashes in DOM::NodeImpl::isBlockFlow() after pasting text with alignment style and BR element from Safari

        * khtml/editing/htmlediting.cpp:
        (khtml::ApplyStyleCommand::applyBlockStyle): Swap reversed start and
        end selection points to avoid null dereference.
        (khtml::ApplyStyleCommand::removeInlineStyle): Modified assert to
        not complain about caret selections.

=== WebCore-418.10 ===

2006-05-27  Geoffrey Garen  <>

        Reviewed by Maciej.
        - Fixed <rdar://problem/4562599> 10.4.7 regression: After closing a 
        window that contains, creating a new window results in 
        crash (KJS::PropertyMap::mark() )

        ScriptInterpreter used to be responsible for marking cached DOM objects.
        That was insufficient because once all the windows are closed, there's
        no ScriptInterpreter left to do the marking.
        The solution here is to allocate a static, protected 'DOMObjectsMarker'
        object that takes care of marking the DOM object caches.
        * khtml/ecma/kjs_binding.cpp:
        * khtml/ecma/kjs_binding.h:

=== WebCore-418.9 ===

2006-05-24  Kevin Decker  <>

        Reviewed by Adele.

        <rdar://problem/4557153> REGRESSION (10.4.7): Seed: Safari no longer blocks pop-up from
        * khtml/ecma/kjs_binding.cpp:
        (KJS::ScriptInterpreter::wasRunByUserGesture): Fixed typo from a previous check-in on 2006-04-27.

=== WebCore-418.8 ===

2006-05-19  Geoffrey Garen  <>

        Reviewed by Maciej.

        - Fixed <rdar://problem/4543569> 10.4.7 regression: Crash occurs
        when attempting to view image in slideshow mode at ( KJS::IfNode::execute
        (KJS::ExecState*) + 312)

        - Minor fix: DOMParserConstructor needed to inherit from DOMObject to
        prevent collection on alternate threads.

        - Major fix: On alternate threads, DOMObjects remain in the
        ScriptInterpreter's cache because they're not collected. So, they
        need an opportunity to mark their children.

        * khtml/ecma/domparser.h:
        * khtml/ecma/kjs_binding.cpp:
        * khtml/ecma/kjs_binding.h:

2006-05-19  Levi Weintraub  <>

        Reviewed by justin.

        When the paste performance fix was merged over, uses of isCandidate
        were changed to isRenderedContent. isRenderedContent on the branch
        is incorrect in a few ways.

        * khtml/editing/visible_position.cpp:

=== WebCore-418.7 ===

2006-05-17  David Harrison  <>

        Reviewed by Justin.
        <rdar://problem/4542925> 10.4.7 regression: Mail: Using the delete key may cause application crash in DOM::NodeImpl::isBlockFlow() const from khtml::DeleteSelectionCommand::mergeParagraphs()
        * khtml/editing/htmlediting.cpp:
        Fix special element handling to not create selection that does not completely surround the element.
        Incorporate the remainder of the improved merge code.
        * xml/dom_position.cpp:
        Allow br 0 unconditionally.

=== WebCore-418.6 ===

2006-05-16  Justin Garcia  <>

        Reviewed by levi
        <rdar://problem/4547278> 10.4.7 regression: Mail: Triple click, then drag, fails to select an empty line following a non-empty line
        Merged in the fix for: 
        <rdar://problem/4364427> triple-click includes first item on next line (, but I think I've seen it elsewhere)

        * khtml/editing/htmlediting.cpp:
        * khtml/editing/selection.cpp:
        * khtml/editing/visible_units.cpp:
        * khtml/editing/visible_units.h:

2006-05-16  Timothy Hatcher  <>

        Reviewed by Hyatt.

        REGRESSION: revert SGML comment parsing fix (comment parsing causes most of page to be missing)

        This also fixes:
        <rdar://problem/4543829> -[DOMComment nodeValue] and -[DOMComment data] returning too much

        * khtml/html/htmltokenizer.cpp:
        (khtml::HTMLTokenizer::parseComment): Revert one change made for acid2, 

=== WebCore-418.5 ===

2006-05-12  Beth Dakin  <>

        Merged fix from TOT to Safari-2-0 branch. Fixes <rdar://problem/4536941>
        Branch regression: : Random crash occurs when navigating 
        site at (KHTMLParser::popOneBlock(bool) + 

        2006-01-26  Maciej Stachowiak  <>

        Reviewed by Eric.

        - various leaks on "fast" LayoutTests
        It turns out these all had the same cause.
        * page/Frame.cpp:
        (Frame::clear): If we have a document, make sure to cancel 
        parsing, in case it has a tokenizer and parser that are 
        keeping it alive. Use cancelParsing to avoid possibly 
        accidentally firing the onload handler.
        * khtml/xml/DocumentImpl.cpp:
        (WebCore::DocumentImpl::cancelParsing): Factored out of
        (WebCore::DocumentImpl::implicitOpen): Call cancelParsing now.
        * khtml/xml/DocumentImpl.h:

=== WebCore-418.4 ===

2006-05-11  Beth Dakin  <>

        Reviewed by Maciej.

        Fix for <rdar://problem/4539954> 10.4.7 regression:DHTML menu 
        closes prematurely when hovering over it at http://

        This fix already exists on TOT, though I am not sure when it was 
        checked in, nor am I sure what in particular caused this regression 
        on the branch. Whatever the cause of the badness, though, we need 
        to take borderTopExtra() and borderBottomExtra() into consideration 
        when hitTesting the background of a RenderBlock.

        * khtml/rendering/render_block.cpp:

2006-05-10  David Harrison  <>

        Reviewed by Justin.
        <rdar://problem/4543847> 10.4.7 regression: Mail: selecting the bottom of a message and deleting it leaves a stray newline
        Merged most of the DeleteSelectionCommand parts of r14143.

        * khtml/editing/htmlediting.cpp:
        Removed erroneous check that disabled merging based on paragraph boundaries.
        Return early if upstreamStart and downstreamEnd are flipped, or startblock == endblock.

=== WebCore-418.3 ===

2006-05-09  Timothy Hatcher  <>

        Reviewed by Justin.

        <rdar://problem/4540011> Random crash occurs at when loading (khtml::RenderObject::PaintInfo&, int, int)
        The crash occurred because the document element was cached but later replaced by a script.
        So the render object was accessing the old document element that no longer had a renderer.
        When the document's children change we now invalidate the document element in case it is replaced.

        * khtml/xml/dom_docimpl.cpp:
        * khtml/xml/dom_docimpl.h:

=== WebCore-418.2 ===

2006-05-08  Justin Garcia  <>

        Reviewed by Timothy.

        <rdar://problem/4538833> 10.4.7 regression: Mail crashing frequently since updating to SUTiLondon 8J110

        * khtml/editing/markup.cpp:
        (khtml::createMarkup): add an early return if the range is collapsed

2006-05-05  Adele Peterson  <>

        Reviewed by Timothy

        Merged this fix for:
        <rdar://problem/4537287> REGRESSION: All text links are broken at

        A recent change to dispatching click events exposed this bug in a new way.

    2005-10-03  Maciej Stachowiak  <>

        Reviewed by Darin.

        event.stopPropagation() prevents the default action - it shouldn't

        * khtml/ecma/kjs_events.cpp:
        (KJS::DOMEventProtoFunc::callAsFunction): Don't let stopPropagation fall through
        to preventDefault.
        * khtml/xml/dom_nodeimpl.cpp:
        (DOM::NodeImpl::dispatchGenericEvent): Don't let stopPropagation prevent calling
        default event handlers; only preventDefault does that.

=== WebCore-418.1 ===

2006-05-04  Timothy Hatcher  <>

        Reviewed by Harrison.

        <rdar://problem/4523536> SUTiLondon: Dashcode removes commented code from HTML files

        * khtml/editing/markup.cpp:
        * khtml/html/html_documentimpl.cpp:
        * khtml/html/html_documentimpl.h:
        * khtml/html/htmlparser.cpp:
        * khtml/html/htmltokenizer.cpp:
        * khtml/html/htmltokenizer.h:
        * khtml/xml/dom_docimpl.cpp:
        * khtml/xml/dom_docimpl.h:
        * kwq/WebCoreBridge.h:
        * kwq/
        (+[WebCoreBridge includesCommentsInDOM]):
        (+[WebCoreBridge setIncludesCommentsInDOM:]):

2006-05-04  Justin Garcia  <>

        Reviewed by thatcher
        Used the StayInBlock variant of upstream/downstream since they behave that way in
        tip of tree (where there is no StayInBlock parameter).

2006-05-03  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch

    2006-04-04  Justin Garcia  <>

        Reviewed by darin
        REGRESSION: Line disappears when deleting
        Rewrote moveNodesAfterNode to address these problems:
        It moved nodes without preserving their style. 
        It traversed over siblings looking for a br to know when
        to stop merging.  If the br was buried inside a span, it 
        wouldn't find it.  If the text is whitespace:pre, it wouldn't
        In theory it would crash if the "enclosingInlineElements" of the start of the
        selection to delete and the end of the selection to delete were the
        same.  We think that this will fix these:
        CrashTracer: 2116 crashes in Mail at khtml::CompositeEditCommand::insertNodeAfter + 32
        CrashTracer: 1569 crashes in Mail at khtml::DeleteSelectionCommand::moveNodesAfterNode + 340
        But we haven't been able to construct a reproducible case.
        * editing/CompositeEditCommand.cpp:
        (WebCore::CompositeEditCommand::removeNodeAndPruneAncestors): Moved from ReplaceSelectionCommand.
        (WebCore::CompositeEditCommand::prune): Ditto.
        * editing/CompositeEditCommand.h:
        * editing/DeleteSelectionCommand.cpp:
        * editing/DeleteSelectionCommand.h:
        * editing/ReplaceSelectionCommand.cpp:
        * editing/ReplaceSelectionCommand.h:
        * editing/markup.cpp:
        Was crashing when passed a collapsed range.  I early return an empty string instead.

2006-05-02  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch

    2006-03-20  Justin Garcia  <>

        Reviewed by darin
        REGRESSION (Mail): Mail takes half of forever to paste >1500 lines - replaceSelectionWithNode

        * dom/Position.cpp:
        (WebCore::Position::upstream): Avoid calling previous() when we know that 
        it will 1) end the search and 2) be expensive to compute.
        (WebCore::Position::downstream): Removed some dead code.
        (WebCore::Position::inRenderedText): Return false for offsets inside composed characters.
        * dom/Position.h:
        * editing/VisiblePosition.cpp:
        (WebCore::VisiblePosition::init): If there are two visually equivalent candidates, we choose
        the one that occurs first in document order.  Using upstream() to find the one that occurs first is
        much faster than the old code.

2006-05-02  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch

    2005-11-07  Maciej Stachowiak  <>

        Reviewed by Eric, Geoff and Darin.

        - fixed <rdar://problem/4118258> XML DOM trees freed prematurely unless reference held to document node (causes crash)
        I changed the design for how DOM nodes maintain their reference to
        the document. Instead of using DocumentPtr, an indirect reference
        which would go null in a clean way when the document is destroyed,
        they now have a different strategy.
        Nodes that belong to the document now hold a special kind of
        reference on the document - a "self only reference". When a
        document has no regular references but still has self-only
        references, it won't be destroyed, but it will drop all its
        children. This allows detached nodes to still have a valid
        document reference, but they won't keep the rest of the DOM alive
        or cause circular references.

        * khtml/editing/SelectionController.cpp:
        * khtml/editing/visible_position.cpp:
        * khtml/editing/visible_text.cpp:
        * khtml/html/html_baseimpl.cpp:
        * khtml/html/html_baseimpl.h:
        * khtml/html/html_blockimpl.cpp:
        * khtml/html/html_blockimpl.h:
        * khtml/html/html_canvasimpl.cpp:
        * khtml/html/html_canvasimpl.h:
        * khtml/html/html_documentimpl.cpp:
        * khtml/html/html_elementimpl.cpp:
        * khtml/html/html_elementimpl.h:
        * khtml/html/html_formimpl.cpp:
        * khtml/html/html_formimpl.h:
        * khtml/html/html_headimpl.cpp:
        * khtml/html/html_headimpl.h:
        * khtml/html/html_imageimpl.cpp:
        * khtml/html/html_imageimpl.h:
        * khtml/html/html_inlineimpl.cpp:
        * khtml/html/html_inlineimpl.h:
        * khtml/html/html_listimpl.h:
        * khtml/html/html_miscimpl.cpp:
        * khtml/html/html_miscimpl.h:
        * khtml/html/html_objectimpl.cpp:
        * khtml/html/html_objectimpl.h:
        * khtml/html/html_tableimpl.cpp:
        * khtml/html/html_tableimpl.h:
        * khtml/html/htmlfactory.cpp:
        * khtml/html/htmlparser.cpp:
        * khtml/html/htmlparser.h:
        * khtml/html/htmltokenizer.cpp:
        * khtml/html/htmltokenizer.h:
        * khtml/misc/loader.h:
        * khtml/misc/shared.h:
        * khtml/xbl/xbl_tokenizer.cpp:
        * khtml/xbl/xbl_tokenizer.h:
        * khtml/xml/dom2_rangeimpl.cpp:
        * khtml/xml/dom2_rangeimpl.h:
        * khtml/xml/dom_docimpl.cpp:
        * khtml/xml/dom_docimpl.h:
        * khtml/xml/dom_elementimpl.cpp:
        * khtml/xml/dom_elementimpl.h:
        * khtml/xml/dom_nodeimpl.cpp:
        * khtml/xml/dom_nodeimpl.h:
        * khtml/xml/dom_textimpl.cpp:
        * khtml/xml/dom_textimpl.h:
        * khtml/xml/dom_xmlimpl.cpp:
        * khtml/xml/dom_xmlimpl.h:
        * khtml/xml/xml_tokenizer.cpp:
        * khtml/xml/xml_tokenizer.h:
        * khtml/xsl/xslt_processorimpl.cpp:
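        The "self only reference" scheme described in the entry above, as an added
        model that is not WebCore's Document/Node code: regular references keep the
        whole tree alive, self-only references (held by the document's own nodes)
        keep only the Document object alive. The class layout, the selfOnlyRef /
        selfOnlyDeref names, the m_droppingChildren re-entrancy guard and the
        g_live* counters are assumptions made for this example.

```cpp
#include <cstdio>
#include <vector>

// Added example, not WebCore code. Two reference tiers on a Document:
//   - regular refs: the owner of the tree (e.g. a frame) holds these;
//   - self-only refs: every Node belonging to the document holds one.
// When the last regular ref goes away but self-only refs remain, the document
// drops its children yet stays allocated, so detached nodes keep a valid
// document() pointer without keeping the rest of the DOM alive.
class Document;

static int g_liveDocuments = 0;   // instrumentation for the demonstration
static int g_liveNodes = 0;

class Node {
public:
    explicit Node(Document* doc);
    ~Node();
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }
    Document* document() const { return m_document; }
private:
    int m_refCount = 0;
    Document* m_document;
};

class Document {
public:
    Document() { ++g_liveDocuments; }
    ~Document() { --g_liveDocuments; }

    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) removedLastRef(); }

    // Called by nodes that belong to this document.
    void selfOnlyRef() { ++m_selfOnlyRefCount; }
    void selfOnlyDeref() {
        --m_selfOnlyRefCount;
        // With no regular refs left, the last detached node frees the document.
        // The guard avoids deleting ourselves while still dropping children.
        if (m_selfOnlyRefCount == 0 && m_refCount == 0 && !m_droppingChildren)
            delete this;
    }

    Node* appendChild() {
        Node* n = new Node(this);   // node takes a self-only ref in its ctor
        n->ref();                   // the tree owns one regular ref on the node
        m_children.push_back(n);
        return n;
    }
    size_t childCount() const { return m_children.size(); }

private:
    void removedLastRef() {
        if (m_selfOnlyRefCount == 0) { delete this; return; }
        // Self-only refs remain: release the children but keep this object.
        m_droppingChildren = true;
        std::vector<Node*> children;
        children.swap(m_children);
        for (Node* n : children) n->deref();
        m_droppingChildren = false;
        if (m_selfOnlyRefCount == 0) delete this;   // every child was freed
    }

    int m_refCount = 0;
    int m_selfOnlyRefCount = 0;
    bool m_droppingChildren = false;
    std::vector<Node*> m_children;
};

Node::Node(Document* doc) : m_document(doc) { ++g_liveNodes; m_document->selfOnlyRef(); }
Node::~Node() { --g_liveNodes; m_document->selfOnlyDeref(); }

struct Outcome {
    bool docAliveAfterTreeRelease;     // document survives its last regular ref
    size_t childrenAfterTreeRelease;   // but its children were dropped
    bool allFreedAtEnd;                // and everything is freed once the detached node goes
};

// One detached node (held by something like a script wrapper) outlives the tree.
Outcome scenario() {
    Outcome out{};
    Document* doc = new Document;
    doc->ref();                          // the tree owner's regular reference
    doc->appendChild();
    Node* detached = doc->appendChild();
    detached->ref();                     // an extra holder keeps this node alive

    doc->deref();                        // last regular ref: children dropped, doc kept
    out.docAliveAfterTreeRelease = (g_liveDocuments == 1);
    out.childrenAfterTreeRelease = doc->childCount();
    bool pointerStillValid = (detached->document() == doc);

    detached->deref();                   // last self-only ref: document is freed now
    out.allFreedAtEnd = pointerStillValid && g_liveDocuments == 0 && g_liveNodes == 0;
    return out;
}

int main() {
    Outcome o = scenario();
    std::printf("doc alive after tree release: %d, children left: %zu, all freed: %d\n",
                o.docAliveAfterTreeRelease, o.childrenAfterTreeRelease, o.allFreedAtEnd);
    return 0;
}
```

        The property worth checking in any variant of this scheme is the one the
        scenario asserts: a detached node's document pointer never dangles, and
        the document is still reclaimed once the last detached node is gone, so
        neither a use-after-free nor a leak is possible through that pointer.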

2006-05-01  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch

    2006-01-02  Vicki Murley  <>

        Reviewed by Maciej.
        - fix for <rdar://problem/4389622> *Pan EU2* iframe swallows events for overlapping elements (part 2)
        We originally added a call to passSubframeEventToSubframe here to fix the hand cursor updating problem
        reported in <rdar://problem/4316201> REGRESSION: cursor and text in status bar is not updated when 
        mousing over links in a frame (5509). However, when we return early after passSubframeEventToSubframe,
        we fail to fire onmouseout events.  Since the call to passSubframeEventToSubframe was originally added
        to fix the hand cursor updating problem, remove the early return and make cursor updating conditional
        on passSubframeEventToSubframe.

        * khtml/khtmlview.cpp:

2006-05-01  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch

    2006-03-29  Geoffrey Garen  <>

        Reviewed by Darin.

        - WebCore side of fix for <rdar://problem/4308243> 8F36 Regression: 
        crash in malloc_consolidate if you use a .PAC file

        (1) To ensure thread-safe deallocation, set the "unsafe to destroy on 
        non-main threads" bit in the DOMObject constructor.

        (2) Made all binding objects inherit from DOMObject, because the
        WebCore data structures they wrap are not thread-safe. "DOMObject" is
        a slightly awkward name for things like the Window object, but the 
        DOM spec is considering adding a Window object, and creating a whole
        new base class for this purpose seemed like overkill.

        * khtml/ecma/JSDOMParser.h:
        * khtml/ecma/JSXMLHttpRequest.h:
        * khtml/ecma/JSXMLSerializer.cpp:
        * khtml/ecma/JSXMLSerializer.h:
        * khtml/ecma/JSXSLTProcessor.h:
        * khtml/ecma/kjs_binding.h:
        (KJS::DOMObject::DOMObject): Unset the "safe to collect on non-main
        threads bit" to ensure thread-safe deallocation.
        * khtml/ecma/kjs_html.h:
        * khtml/ecma/kjs_navigator.cpp:
        * khtml/ecma/kjs_navigator.h:
        * khtml/ecma/kjs_proxy.cpp:
        * khtml/ecma/kjs_window.cpp:
        * khtml/ecma/kjs_window.h:

2006-05-01  Eric Seidel  <>

        Reviewed by Tim Hatcher.

        Reenabled disabled code on the branch.
        <rdar://problem/4335156> XMLHttpRequest ignores username/password passed to open()

        * kwq/

2006-05-01  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch

    2006-04-24  Eric Seidel  <>

        Reviewed by mjs.

        Speculative fix for our 7th worst crasher.
        Also added ASSERTs to help us better understand the issue.
        <rdar://problem/4153404> CrashTracer: 2412 crashes in Safari at khtml::RenderStyle::RenderStyle[unified] + 44

        * dom/Document.cpp:
        * dom/Document.h:
        * dom/Element.cpp:

=== WebCore-418 ===

2006-04-28  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch

    2006-04-28  Eric Seidel  <>

        Fix by beth.  Reviewed by darin.  Landed by eseidel.

        Make hackish fix to avoid crash in Xcode and Filemaker.
        <rdar://problem/4059059> Crash in RenderFlow::detach (XCode Documentation Window)

        * bridge/mac/
        (-[WebCoreFrameBridge didNotOpenURL:pageCache:]):

2006-04-28  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch

    2006-03-23  Darin Adler  <>

        Reviewed by Beth.

        - fix <rdar://problem/4335038> REGRESSION: when max-height is none, height value is ignored

        * css/cssstyleselector.cpp: (WebCore::CSSStyleSelector::applyProperty):
        For max-height of none, set it to Length(undefinedLength, Fixed), which
        is the correct value (same as the default). Also did some formatting fixes
        to the height section.

2006-04-28  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch

    2006-04-26  Tim Omernick  <>

        Reviewed by Hyatt.

        <rdar://problem/4068375> Flash inserted via innerHTML Fails to Show when CSS Display
        Style is Toggled via Javascript

        * html/html_objectimpl.cpp:
        Set needWidgetUpdate when finished parsing, even if the object element is not in
        a document.  That way, when the element attaches to a document, it will update its
        widget (creating the plug-in view if necessary).  This is important when the object
        is being inserted via setInnerHTML, since the parsed nodes are not added to the
        document until the whole HTML string is parsed.

2006-04-28  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch

    2006-04-22  Beth Dakin  <>

        Reviewed by Hyatt.

        Fix for 
        DOMCSSPrimitiveValue is always returning values in pixels when 
        using getComputedStyle:

        getFloatValue() took a unit type as a parameter, ignored it, and 
        returned m_value.num. This patch writes a second version of the 
        function that actually converts m_value.num to the specified units 
        before returning it. Where a conversion is not required, I removed 
        the unit type from the caller so that it would go directly to the 
        inline version of the function.

        * css/css_valueimpl.cpp:
        (WebCore::CSSPrimitiveValue::computeLengthFloat): Remove type 
        parameter since a conversion is not needed.
        (WebCore::scaleFactorForConversion): Helper function for 
        (WebCore::CSSPrimitiveValue::getFloatValue): This version of 
        getFloatValue() takes a unit type parameter and converts 
        * css/css_valueimpl.h:
        (WebCore::CSSPrimitiveValue::getFloatValue): This version does not 
        take a parameter and just returns m_value.num.
        * css/cssparser.cpp:
        (WebCore::BorderImageParseContext::commitBorderImage): Remove type 
        parameter since a conversion is not needed.
        * css/cssstyleselector.cpp:
        (WebCore::convertToLength): Same.
        (WebCore::CSSStyleSelector::applyProperty): Same.
        (WebCore::CSSStyleSelector::mapBackgroundSize): Same.
        (WebCore::CSSStyleSelector::mapBackgroundXPosition): Same.
        (WebCore::CSSStyleSelector::mapBackgroundYPosition): Same.
        * editing/ApplyStyleCommand.cpp:
        (WebCore::ApplyStyleCommand::applyRelativeFontStyleChange): Same.
        * ksvg2/css/SVGCSSStyleSelector.cpp:
        (WebCore::CSSStyleSelector::applySVGProperty): Same.
        * ksvg2/misc/KCanvasRenderingStyle.cpp:
        (WebCore::KSVGPainterFactory::cssPrimitiveToLength): Same.

2006-04-28  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch

    2006-01-24  Tim Omernick  <>

        Reviewed by Dave Harrison.

        <> "Fix for possible leak of applet, object, or embed
        (and plugin view)"
        * khtml/html/html_objectimpl.cpp:
        Assert that appletInstance has been deleted by detach().
        Delete appletInstance, because it references the widget owned by the renderer we're about to destroy.
        It is assumed elsewhere (getRuntimeObject(), kjs_dom.cpp) that the instance is owned by the applet
        element.  Therefore, it is required that the element destroy the instance in its tear-down phase.
        Assert that embedInstance has been deleted by detach().
        Delete embedInstance, same reason.  This is the one that fixes <rdar://problem/4339024>.
        Assert that objectInstance has been deleted by detach().
        Delete embedInstance, same reason.
        * khtml/html/html_objectimpl.h:
        Declared HTMLAppletElementImpl::detach() and HTMLEmbedElementImpl::detach().

2006-04-28  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch

    2006-04-27  Eric Seidel  <>

        Reviewed by andersca.

        Make WebCore accept any */*+xml type as XML.
        <rdar://problem/4031511> XmlHttpRequest doesn't allow responses with Content-Type: application/soap+xml

        Test: http/tests/xmlhttprequest/supported-xml-content-types.html

        * dom/DOMImplementation.cpp:
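        The rule above ("any */*+xml type is XML") as a stand-alone predicate, written
        as an added example for this ChangeLog; it is not WebCore's DOMImplementation code,
        and the function names are illustrative. It strips Content-Type parameters and
        case before matching, so "Application/SOAP+XML; charset=utf-8" is accepted while
        malformed values such as "application/+xml" or "a/b/c+xml" are rejected.

```cpp
#include <cctype>
#include <string>

// Added example, not WebCore code: decide whether a Content-Type value
// should be parsed as XML. Accepts text/xml, application/xml and any
// <type>/<subtype>+xml (e.g. application/soap+xml, image/svg+xml).

static std::string lowerASCII(std::string s) {
    for (char& c : s)
        c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Drop parameters (";charset=...") and surrounding whitespace, leaving the
// lower-cased type/subtype token.
static std::string mimeEssence(const std::string& contentType) {
    std::string t = contentType.substr(0, contentType.find(';'));
    std::string::size_type b = t.find_first_not_of(" \t");
    if (b == std::string::npos)
        return "";
    std::string::size_type e = t.find_last_not_of(" \t");
    return lowerASCII(t.substr(b, e - b + 1));
}

bool isXMLMIMEType(const std::string& contentType) {
    const std::string type = mimeEssence(contentType);
    if (type == "text/xml" || type == "application/xml")
        return true;

    // Generic rule: exactly one '/', a non-empty subtype, ending in "+xml"
    // with at least one character before the '+'.
    std::string::size_type slash = type.find('/');
    if (slash == std::string::npos || slash == 0)
        return false;
    if (type.find('/', slash + 1) != std::string::npos)
        return false;
    const std::string suffix = "+xml";
    if (type.size() < slash + 2 + suffix.size())
        return false;
    if (type.compare(type.size() - suffix.size(), suffix.size(), suffix) != 0)
        return false;
    // The subtype part before "+xml" must look like a token: no whitespace
    // or separators.
    for (std::string::size_type i = slash + 1; i < type.size() - suffix.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(type[i]);
        if (std::isspace(c) || c == ',' || c == '/')
            return false;
    }
    return true;
}
```

        The same check is what an XMLHttpRequest consumer would want before handing a
        response to an XML parser: matching on the "+xml" suffix rather than a fixed
        list is what lets application/soap+xml through.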

2006-04-27  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch

    2006-02-27  Mitz Pettel  <>

        Reviewed by Darin.

        - added test case for
          Incorrect selectorText for multiple subselectors

        * fast/dom/css-selectorText-expected.checksum: Updated.
        * fast/dom/css-selectorText-expected.png: Updated.
        * fast/dom/css-selectorText-expected.txt: Updated.
        * fast/dom/css-selectorText.html: Added a case with multiple subselectors.

2006-04-27  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch

    2005-12-12  Timothy Hatcher  <>

        Reviewed by Dave Hyatt.

        Test: fast/dom/css-selectorText.html

        Fixes selectorText serialization to only print "*"
        when it is stand alone. Fixes the attribute set selector,
        along with general cleanup. Also print chained selectors.

        * khtml/css/css_base.cpp:
        * khtml/css/css_ruleimpl.cpp:

2006-04-27  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch

    2006-04-25  Beth Dakin  <>

        Reviewed by Maciej.

        Fix for <rdar://problem/4518632> getComputedStyle returns 'auto' 
        for dimensions like 'margin-left'

        * css/CSSComputedStyleDeclaration.cpp:
        (WebCore::CSSComputedStyleDeclaration::getPropertyCSSValue): For 
        margin and padding, to match Firefox we now go to the renderer to 
        get the property value instead of calling valueForLength() on the 
        style attribute. valueForLength() will return the string 'auto' if 
        that was what was specified in the CSS, or a percentage if it was 
        specified as a percent. But to match Firefox, we always want to 
        return a pixel value for margin and padding.

2006-04-27  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch

    2006-02-10  Eric Seidel  <>

        Reviewed by hyatt.

        Adding support for external entity declarations in XSLT.
        <rdar://problem/4271696> support external DTD references in XSLT

        * dom/xml_tokenizer.cpp:
        (WebCore::OffsetBuffer::OffsetBuffer): new support class
        (WebCore::OffsetBuffer::readOutBytes): read method
        (WebCore::shouldAllowExternalLoad): for preventing common urls
        (WebCore::openFunc): now does a synchronous data load
        (WebCore::readFunc): returns data from the offset buffer
        (WebCore::closeFunc): deletes offset buffer
        (WebCore::setLoaderForLibXMLCallbacks): helper function
        (WebCore::createQStringParser): cleanup
        * dom/xml_tokenizer.h:
        * khtml/xsl/xsl_stylesheetimpl.cpp:
        * khtml/xsl/xsl_stylesheetimpl.h:

2006-04-27  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch

    2006-02-20  Eric Seidel  <>

        Reviewed by darin.

        <rdar://problem/4449442> GMAIL: XMLHttpRequest does not correctly report "Interactive" state on receipt of load data
        Also cleaned up spacing a little.

        No layout test possible (local loads are non incremental).

        * xml/xmlhttprequest.cpp:

2006-04-27  Adele Peterson  <>

        Reviewed by Beth.

        Fix for <rdar://problem/4073701> click event not sent with dispatchEvent


        * khtml/ecma/kjs_binding.cpp: (KJS::ScriptInterpreter::wasRunByUserGesture):
        * khtml/ecma/kjs_dom.cpp:
        * khtml/ecma/kjs_window.cpp:
        * khtml/html/html_elementimpl.cpp:
        * khtml/html/html_formimpl.cpp: (DOM::HTMLInputElementImpl::defaultEventHandler):
        * khtml/html/html_inlineimpl.cpp: (HTMLAnchorElementImpl::defaultEventHandler):
        * khtml/html/html_objectimpl.h:
        * khtml/khtmlview.cpp: (KHTMLView::dispatchMouseEvent):
        * khtml/rendering/render_form.cpp: (RenderFormElement::slotClicked):
        * khtml/xml/dom2_eventsimpl.cpp: (EventImpl::idToType):
        * khtml/xml/dom2_eventsimpl.h: (DOM::EventImpl::):
        * khtml/xml/dom_nodeimpl.cpp: (NodeImpl::dispatchMouseEvent):
        * kwq/ (-[KWQAccObject mouseButtonListener]):

2006-04-26  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch

    2006-02-23  Vicki Murley <>

        Reviewed by Tim Omernick.

        - fix <rdar://problem/4394910> calling Javascript window.close() does not trigger onbeforeunload event

        Check shouldClose() before actually scheduling a close.

        shouldClose() checks for the onbeforeunload handler, displays the onbeforeunload dialog, and returns a 
        result based on whether the user clicks "OK" or "Cancel".  In cases where the window is closed with cmd-w 
        or by clicking the red globe, shouldClose() is checked in the windowShouldClose delegate method.  Since 
        windowShouldClose isn't invoked when a window is closed with Javascript, it makes sense to add a check 
        for shouldClose() in scheduleClose(), returning early when appropriate before the chain of events that 
        closes a window even gets started.  

        * bridge/mac/
        (WebCore::MacFrame::scheduleClose): add a check for shouldClose()

2006-04-26  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch

    2006-02-15  Geoffrey Garen  <>

        Reviewed by Maciej, Eric.

        - WebCore half of fix for <rdar://problem/4176077> CrashTracer: 6569 
        crashes in DashboardClient at 

        WebCore and JavaScriptCore weren't sharing Instance objects very
        nicely. I made them use SharedPtrs, and sent them to bed without dessert.

        * khtml/html/html_objectimpl.cpp: 
        (WebCore::HTMLAppletElementImpl::HTMLAppletElementImpl): Made 
        appletInstance a SharedPtr
        (WebCore::HTMLEmbedElementImpl::HTMLEmbedElementImpl): Made
        embedInstance a SharedPtr
        (WebCore::HTMLObjectElementImpl::HTMLObjectElementImpl): Made
        m_objectInstance a SharedPtr
        * bindings/js/JSDOMCore.cpp:
        * khtml/ecma/kjs_dom.cpp:
        * khtml/html/html_objectimpl.h:

2006-04-25  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch

    2006-03-31  John Sullivan  <>

        Reviewed by Tim Hatcher.

        - fixed <rdar://problem/4372842> 10.4.4 Regression: control-clicking on a misspelled word 
        doesn't select it or offer corrections (first click only)

        * bridge/mac/
        Rolled in this one-line change that Hyatt wrote ages ago.

2006-04-25  Eric Seidel  <>

        Reviewed by ggaren.

        Fixes for our 3rd and 5th most common crashtracers:
        <rdar://problem/4233435> CrashTracer: 2698 crashes in Safari at khtml::RenderBlock::addChildToFlow + 156
        <rdar://problem/4129744> [REGRESSION]CrashTracer: ..400 crashes at DOM::NodeImpl::createRendererIfNeeded + 44

        Test case landed on trunk but not on branch.

        * khtml/xml/dom_docimpl.cpp:
        (DocumentImpl::setFocusNode): use m_inDetach bool copied from trunk
        * khtml/xml/dom_nodeimpl.cpp:
        (NodeImpl::detach): set m_inDetach
        (NodeBaseImpl::removeChildren): remove node from tree before calling detach.
        * khtml/xml/dom_nodeimpl.h:

2006-04-25  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch

    2006-03-13  Eric Seidel  <>

        Reviewed by ggaren & TimH.

        <rdar://problem/4473288> XSL file containing <xsl:include href="../Styles/EscapeString.xsl" /> fails to load file
        XML_DTD_NODE objects in the tree were causing loadChildSheets to 
        fail to preload child stylesheets, this patch causes us to 
        correctly ignore all nodes besides the first XML_ELEMENT_NODE at 
        the root level when searching the tree for xsl:include statements 
        to pre-load.

        Test: fast/xsl/xslt-second-level-import.xml

        * khtml/xsl/xsl_stylesheetimpl.cpp:

2006-04-25  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch

    2006-03-20  Maciej Stachowiak  <>

        Reviewed by Darin.

        <rdar://problem/4458568> WebCore should not disclose https referrers

        * bridge/mac/
        (-[WebCoreFrameBridge canLoadURL:fromReferrer:hideReferrer:]):
        Don't send https URLs as referrers to non-secure http sites.
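        The referrer rule above, as an added example that is not WebCore's bridge code:
        a referrer is withheld exactly when the referring page was loaded over https and
        the destination is not https. The function and parameter names are assumed; the
        scheme parser follows RFC 3986's scheme grammar and is case-insensitive, so
        "HTTPS://" is treated the same as "https://".

```cpp
#include <cctype>
#include <string>

// Added example, not WebCore code: the "don't disclose https referrers to
// non-https sites" check as a pair of small functions.

// Lower-cased URL scheme (text before the first ':'), or "" if the string
// has no syntactically valid scheme.
static std::string schemeOf(const std::string& url) {
    std::string::size_type colon = url.find(':');
    if (colon == std::string::npos)
        return "";
    std::string scheme = url.substr(0, colon);
    if (scheme.empty() || !std::isalpha(static_cast<unsigned char>(scheme[0])))
        return "";
    for (char& c : scheme) {
        unsigned char uc = static_cast<unsigned char>(c);
        if (!std::isalnum(uc) && c != '+' && c != '-' && c != '.')
            return "";
        c = static_cast<char>(std::tolower(uc));
    }
    return scheme;
}

// True when the referrer must be suppressed: https referrer, non-https
// destination. https->https and any http referrer pass through.
bool shouldHideReferrer(const std::string& destinationURL, const std::string& referrer) {
    if (schemeOf(referrer) != "https")
        return false;
    return schemeOf(destinationURL) != "https";
}

// The Referer value that should actually go on the wire ("" means none).
std::string referrerToSend(const std::string& destinationURL, const std::string& referrer) {
    return shouldHideReferrer(destinationURL, referrer) ? std::string() : referrer;
}
```

        The check keys on the destination's scheme only, not its host: an https page
        linking to an http page on the same host still leaks the (possibly sensitive)
        referring URL in the clear, so that case is hidden as well.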

=== WebCore-417.24 ===

2006-03-13  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch

    2006-02-16  Tim Omernick  <>

        Reviewed by Geoff.

        <rdar://problem/4428609> Flash Player 8.0.22 can crash Safari (and WebKit apps)
        with javascript disabled (7015)

        Added a test case, manual-tests/NPN_Invoke.  This is a skeleton of a Netscape
        plugin which uses NPN_Invoke() to call the window.alert() JavaScript function.
        * bridge/mac/
        Removed the check Darin added to return 0 when JavaScript is disabled.
        This method cannot return 0, because plugins are not guaranteed to check
        for that.
        Removed my old fix for Radar 4428609 (7015) in favor of a better solution.
        Instead of creating a "dummy" JSObject to represent the window script object
        when JavaScript is disabled, we use the new JavaScriptCore bindings API to 
        create a "no script" NPObject.  This solution is better because it does not
        cause entry into any JavaScript interpreter code.

        * manual-tests/NPN_Invoke: Added.
        * manual-tests/NPN_Invoke/English.lproj: Added.
        * manual-tests/NPN_Invoke/English.lproj/Localized.r: Added.
        * manual-tests/NPN_Invoke/Info.plist: Added.
        * manual-tests/NPN_Invoke/NPN_Invoke.xcodeproj: Added.
        * manual-tests/NPN_Invoke/NPN_Invoke.xcodeproj/project.pbxproj: Added.
        * manual-tests/NPN_Invoke/main.c: Added.
        * manual-tests/NPN_Invoke/test.html: Added.

=== WebCore-417.23 ===

2006-03-02  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch
        This also includes the fix
        <rdar://problem/4462712> REGRESSION (r12872): Repro crash when clicking the Quick Reply box in Gmail

    2006-02-17  Vicki Murley <>

        Reviewed by Justin.

        Get rid of handleFocusOut on text fields and textareas - move this functionality to the place
        where we resign focus on the previous node in setFocusNode.  Add isTextField on RenderObject
        as one way to distinguish from contenteditable elements - Win IE does not fire onChange for 
        contenteditable elements, so we won't either. Also, expose the dirty bit variables previously 
        checked in handleFocusOut methods in isEdited() and setEdited().

        Fixes the following bugs:
        <rdar://problem/4315673> REGRESSION (1.2.2 - 1.3): onChange and onFocus events firing order differs for mouse click and tab (7227)
        <rdar://problem/4447009> for text fields, onChange should fire before onBlur to match Win IE

        Test case is on the way.

        * dom/DocumentImpl.cpp:
        (WebCore::DocumentImpl::setFocusNode): For textareas and text fields, fire a change event
        on the node that is resigning focus.  Make sure the blur event fires after the change event - 4447009.
        * rendering/render_form.cpp:
        (WebCore::RenderLineEdit::slotReturnPressed): Replace call to handleFocusOut with equivalent code.
        (WebCore::RenderLineEdit::isEdited): Added.
        (WebCore::RenderLineEdit::setEdited): Added.
        (WebCore::RenderTextArea::setEdited): Added.
        * rendering/render_form.h:
        (WebCore::RenderLineEdit::isTextField): Added.
        (WebCore::RenderTextArea::isTextArea): Make this non-virtual.
        (WebCore::RenderTextArea::isEdited): Added.
        * rendering/render_object.h:
        (WebCore::RenderObject::isEdited): Added.
        (WebCore::RenderObject::setEdited): Added.
        (WebCore::RenderObject::isTextField): Added.
        * rendering/render_replaced.h: Remove handleFocusOut().
        * rendering/render_replaced.cpp: Ditto.
        (WebCore::RenderWidget::eventFilter): Remove call to handleFocusOut().  Safe to do here,
        since we call setFocusNode immediately beforehand.

=== WebCore-417.22 ===

2006-02-15  Timothy Hatcher  <>

        Reviewed by Beth, Geoff, Maciej.

        Removed #define MALLOC_FAILURE_ACTION abort() letting malloc return NULL

        Fixes <rdar://problem/4365248> *SecUpd: Tiger* SureSec si#182 safari heap overflow.
        <rdar://problem/4416122> *SecUpd: Chardonnay* SureSec si#182 safari heap overflow.

        * khtml/misc/main_thread_malloc.cpp:

=== WebCore-417.21 ===

2006-02-10  Eric Seidel  <>

        Reviewed by darin.

        <rdar://problem/4145813> hang in XMLHttpRequest::cancelRequests
        No test case possible.

        * khtml/ecma/xmlhttprequest.cpp:

2006-02-10  Timothy Hatcher  <>

        Reviewed by Tim O.

        Rolling out r11800 and reworked Tim's original fix
        to call _NPN_DeallocateObject in the destructor.

        * kwq/

=== WebCore-417.20 ===

2006-02-06  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch

    2005-11-01  Justin Garcia  <>

        Reviewed by darin

        Fixes <rdar://problem/4074536> Seed: Mail crash adjusting quote level - KHTMLPart::computeAndSetTypingStyle

        No test cases added, requires Mail

        * kwq/
        (-[WebCoreBridge typingStyle]):
        Crashes were happening after a style was merged with itself.  Mail was doing a setTypingStyle
        with a pointer to our internal typing style.  Fix is to only hand out copies of our typingStyle.

2006-02-06  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch

    2006-01-16  Tim Omernick  <>

        Reviewed by John Sullivan.

        WebCore part of <rdar://problem/4211707> NPAPI ref count behavior differs with Mozilla

        * bridge/mac/
        Call _NPN_DeallocateObject() instead of _NPN_ReleaseObject() so that we don't leak if a plugin fails to release
        the window script object properly.
        Our old NPN_GetValue() did not properly retain the returned window script object.  Because of this, many plugins
        have WebKit-specific workarounds to not release said window script object.  Forcibly deallocating it here
        should prevent any such issues.  This shouldn't cause any problems for plugins, since they should already be
        stopped and destroyed at this point.
        This also fixes a preexisting leak of the window script NPObject -- it was never actually being freed!

=== WebCore-417.19 ===

2006-01-18  Timothy Hatcher  <>

        Merged fix from TOT to Safari-2-0-branch

    2006-01-17  Beth Dakin  <>

        Reviewed by Hyatt and Darin

        Fix for <rdar://problem/4405836> REGRESSION: crash at 
        when deleting mail in khtml::RenderTableCell::collapsedBottomBorder() const 
        + 232

        RenderTableCell::collapsedBottomBorder() gets nextCell by calling 
        table()->cellBelow(this). In the case of the crash, cellBelow() returns 
        a pointer to a table cell that was already destroyed. cellBelow() thinks 
        that the pointer is still good because the grid of cells has not been updated 
        because all of this code is called through the hitTest and the hitTest does 
        not update the layout. The fix that I have is simply to have the hitTest call 
        updateLayout(). This is the only change in behavior. The rest of the patch 
        preserves behavior for simulated clicks. fast/events/stopPropagation-submit 
        caught this problem that arose from calling updateLayout() in the hitTest; 
        we should always have an x and y position of 0 for simulated clicks. This 
        preserves that behavior by keeping track of whether a click is simulated or not.

        * khtml/html/HTMLInputElementImpl.cpp:
        (DOM::HTMLInputElementImpl::defaultEventHandler): If the click is simulated, 
        set xPos and yPos to 0.
        * khtml/html/html_elementimpl.cpp:
        (HTMLElementImpl::setContentEditable): Fix spacing.
        (HTMLElementImpl::click): It isn't necessary to check if there is a renderer.
        * khtml/rendering/render_layer.cpp:
        (khtml::RenderLayer::hitTest): Call updateLayout().
        * khtml/xml/NodeImpl.cpp:
        (WebCore::NodeImpl::dispatchSimulatedMouseEvent): Set isSimulated to true.
        (WebCore::NodeImpl::dispatchMouseEvent): Keep track of isSimulated.
        * khtml/xml/NodeImpl.h: Same.
        * khtml/xml/dom2_eventsimpl.cpp:
        (DOM::MouseRelatedEventImpl::MouseRelatedEventImpl): Add isSimulated to
        (DOM::MouseRelatedEventImpl::computePositions): Only change the offsets if 
        it's not simulated.
        (DOM::MouseEventImpl::MouseEventImpl): Add isSimulated to MouseEventImpl()
        * khtml/xml/dom2_eventsimpl.h: 
        (DOM::MouseRelatedEventImpl::isSimulated): Declarations of isSimulated
        (DOM::MouseEventImpl::isSimulated): Same.

=== WebCore-417.18.1 ===

2006-01-05  Adele Peterson  <>

        Merged fix from TOT to Safari-2-0-branch

    2005-10-25  Beth Dakin  <>

        Reviewed by Maciej

        Fix for <rdar://problem/4148730> SureSec si#182 safari heap overflow.
        When a table has a really huge rowSpan, Safari used to crash because
        the malloc of the grid for the table failed. This fix just checks for
        the success of the malloc.

        * khtml/rendering/render_table.cpp:
        (RenderTableSection::ensureRows): Return false if the grid resize is not 
        (RenderTableSection::addCell): Return early if ensureRows() returned false.
        * khtml/rendering/render_table.h: Make ensureRows() return a bool instead
        of void.
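        The two SureSec si#182 entries above (the MALLOC_FAILURE_ACTION change in
        WebCore-417.22 and the ensureRows()/addCell() change here) both deal with a huge
        rowSpan driving an oversized grid allocation. The following is an added example,
        not WebCore's RenderTableSection code, showing the shape of a grid grower that
        cannot become a heap overflow: the caller must check the bool, the row count is
        capped, the rows*columns product is checked for overflow before allocating, and
        an allocation failure leaves the grid untouched. kMaxRows and all class and method
        names are assumptions of this example.

```cpp
#include <cstddef>
#include <limits>
#include <new>
#include <vector>

// Added example, not WebCore code: a table grid whose row count is grown
// on demand by cells with a rowSpan, hardened against attacker-chosen sizes.

struct Cell {
    const void* element = nullptr; // placeholder for the owning cell element
};

class TableGrid {
public:
    static constexpr std::size_t kMaxRows = std::size_t(1) << 20; // assumed hard cap

    explicit TableGrid(std::size_t columns) : m_columns(columns), m_rows(0) {}

    std::size_t rows() const { return m_rows; }

    // Returns false instead of growing when the request is unreasonable or
    // the allocation cannot be satisfied; the grid is unchanged on failure.
    bool ensureRows(std::size_t numRows) {
        if (numRows <= m_rows)
            return true;
        if (numRows > kMaxRows)
            return false;
        // rows * columns must not wrap around before reaching the allocator.
        if (m_columns != 0
            && numRows > std::numeric_limits<std::size_t>::max() / m_columns)
            return false;
        try {
            m_grid.resize(numRows * m_columns);
        } catch (const std::bad_alloc&) {
            return false; // allocation failed: report it rather than crash later
        }
        m_rows = numRows;
        return true;
    }

    // Places a cell spanning rowSpan rows; bails out early if the rows
    // cannot be made to exist (the branch fix's "return early" behaviour).
    bool addCell(std::size_t row, std::size_t col, std::size_t rowSpan, const void* element) {
        if (col >= m_columns || rowSpan == 0)
            return false;
        // row + rowSpan must neither overflow nor exceed the cap.
        if (rowSpan > kMaxRows || row > kMaxRows - rowSpan)
            return false;
        if (!ensureRows(row + rowSpan))
            return false;
        for (std::size_t r = row; r < row + rowSpan; ++r)
            m_grid[r * m_columns + col].element = element;
        return true;
    }

private:
    std::size_t m_columns;
    std::size_t m_rows;
    std::vector<Cell> m_grid;
};
```

        Checking the allocation result (the branch fix) closes the crash, but only the
        size checks in front of it keep the rows*columns multiplication from wrapping to
        a small value and producing a grid that is allocated successfully yet far too
        small for the writes that follow.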

=== WebCore-417.18 ===

2005-12-23  Geoffrey Garen  <>

        - Fixed <rdar://problem/4392583> REGRESSION: Reproducible crash while viewing Opera's "why we're better than Safari" site,, in khtml::RenderBlock::nodeAtPoint

        Fix by Darin, reviewed and landed by me.

        * khtml/rendering/render_container.cpp:
        (RenderContainer::updatePseudoChild): Don't have the parent call removeChild, because the child calls parent()->removeChild() on itself in detach().

=== WebCore-417.17 ===

2005-12-21  Adele Peterson  <>

        Reviewed by Tim Hatcher.

        Fix for <rdar://problem/4387433> Seed: Radio buttons behave incorrectly in Gmail settings

        * khtml/html/html_formimpl.cpp:
        (DOM::HTMLFormElementImpl::registerFormElement): If this form element is already checked in the default form, remove it from m_selectedRadioButtons and add it for the new form.

=== WebCore-417.16 ===

2005-12-20  Adele Peterson  <>

        Reviewed by Darin.

        Fix for <rdar://problem/4387630> REGRESSION: <select> element's onClick event doesn't fire @

        * kwq/
        (KWQKHTMLPart::passSubframeEventToSubframe): only pass mouse down for khtmlviews.

== Rolled over to ChangeLog-2005-12-19 ==