NodeIterator loses track of the reference node when the reference node is removed from the document (IETC ni_removeReferenceNode)
Created attachment 122167 [details] Patch
Comment on attachment 122167 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=122167&action=review
> Source/WebCore/dom/NodeIterator.cpp:185
> + while (node && node->isDescendantOf(removedNode))
> + node = node->traverseNextNode(root());
This is a very inefficient way to find the next node. If node is a descendant of the removed node, then the next node should be removedNode->traverseNextSibling(), no?
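Review bot: The loop quoted at NodeIterator.cpp:185 can exit with node null, because the `node &&` guard ends it as soon as traverseNextNode(root()) runs past the last node under root(), and the quoted lines do not show what the reference node becomes in that case. The code following the loop should handle a null result explicitly instead of leaving the iterator without a reference node. A regression test that removes a subtree containing the last node under the root would exercise that path.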
@darin: I've been told that you're the expert on this code. This function is pretty subtle. If you have a few minutes to sanity-check this patch, that would be great. Thanks!
Comment on attachment 122167 [details] Patch I did fix quite a few bugs in this code a while back. The change in the code looks fine. I think to improve performance and correctness we’d want to add performance and correctness tests. This little-used barely-useful obscure corner of the DOM does not get a lot of attention or love.
It looks like DOM4 has a reasonably simple specification of what to do when nodes are removed: http://dvcs.w3.org/hg/domcore/raw-file/tip/Overview.html#interface-nodeiterator I wonder if we can re-work our implementation to match the spec more closely.
Comment on attachment 122167 [details] Patch I'm going to work on refactoring and adding more tests for NodeIterator in a future bug.
Comment on attachment 122167 [details] Patch Clearing flags on attachment: 122167 Committed r104866: <http://trac.webkit.org/changeset/104866>
All reviewed patches have been landed. Closing bug.