Bug 90240 - DOMHTMLCollection::item may return a wrong element after namedItem is called
Summary: DOMHTMLCollection::item may return a wrong element after namedItem is called
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Ryosuke Niwa
URL:
Keywords:
Depends on:
Blocks: 90118
Reported: 2012-06-28 20:19 PDT by Ryosuke Niwa
Modified: 2012-06-29 00:00 PDT (History)

See Also:


Attachments
Fixes the bug (15.71 KB, patch)
2012-06-28 20:22 PDT, Ryosuke Niwa
no flags
Fixed the bug (16.01 KB, patch)
2012-06-28 23:20 PDT, Ryosuke Niwa
koivisto: review+

Description Ryosuke Niwa 2012-06-28 20:19:49 PDT
DOMHTMLCollection::item may return a wrong element after namedItem is called
Comment 1 Ryosuke Niwa 2012-06-28 20:22:20 PDT
Created attachment 150071 [details]
Fixes the bug
Comment 2 Ryosuke Niwa 2012-06-28 20:45:35 PDT
Comment on attachment 150071 [details]
Fixes the bug

View in context: https://bugs.webkit.org/attachment.cgi?id=150071&action=review

> Source/WebCore/html/HTMLCollection.cpp:285
>      m_cache.current = 0;

I guess I should have removed this line as well (it'll degrade the performance to some extent and needs to be removed in the bug 90118 but doesn't introduce any incorrect behavior).
Comment 3 Antti Koivisto 2012-06-28 22:33:23 PDT
Comment on attachment 150071 [details]
Fixes the bug

View in context: https://bugs.webkit.org/attachment.cgi?id=150071&action=review

> Source/WebCore/html/HTMLCollection.cpp:275
> +    unsigned i = 0;
>      for (Element* e = itemAfter(0); e; e = itemAfter(e)) {
>          if (checkForNameMatch(e, /* checkName */ false, name)) {
>              m_cache.current = e;
> +            m_cache.position = i;
>              return e;
>          }
>      }
>  
> +    i = 0;
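Review bot: `i` is declared and later reset but never incremented inside the quoted loop, so `m_cache.position = i;` records 0 for every match regardless of where in the collection the element was found, which defeats the purpose of caching the position alongside `m_cache.current`. Increment it in the loop header, e.g. `for (Element* e = itemAfter(0); e; e = itemAfter(e), ++i)`, and apply the same increment to the second loop that follows the `i = 0;` reset.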

You are not incrementing i.
Comment 4 Ryosuke Niwa 2012-06-28 23:20:06 PDT
Created attachment 150089 [details]
Fixed the bug
Comment 5 Antti Koivisto 2012-06-28 23:25:55 PDT
Comment on attachment 150089 [details]
Fixed the bug

r=me. nice API test!
Comment 6 Ryosuke Niwa 2012-06-28 23:38:46 PDT
Committed r121521: <http://trac.webkit.org/changeset/121521>
Comment 7 Alexey Proskuryakov 2012-06-29 00:00:25 PDT
Nice!