Title: [137702] trunk
Revision: 137702
Author: [email protected]
Date: 2012-12-13 19:42:14 -0800 (Thu, 13 Dec 2012)

Log Message

ChildNodesLazySnapshot::nextNode() can crash
https://bugs.webkit.org/show_bug.cgi?id=104982

Reviewed by Hajime Morita.

ChildNodesLazySnapshot::nextNode() can crash for
fast/dom/insertedIntoDocument-no-crash.html.
The root cause is that ChildNodesLazySnapshot::m_currentNode
was not a RefPtr. This patch changes it to a RefPtr.

Test: fast/dom/insertedIntoDocument-no-crash.html

Source/WebCore:

* dom/ContainerNode.h:
(WebCore::ChildNodesLazySnapshot::nextNode):
(WebCore::ChildNodesLazySnapshot::takeSnapshot):
(ChildNodesLazySnapshot):

LayoutTests:

* fast/dom/insertedIntoDocument-no-crash-expected.txt: Added.
* fast/dom/insertedIntoDocument-no-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (137701 => 137702)


--- trunk/LayoutTests/ChangeLog	2012-12-14 03:28:45 UTC (rev 137701)
+++ trunk/LayoutTests/ChangeLog	2012-12-14 03:42:14 UTC (rev 137702)
@@ -1,3 +1,20 @@
+2012-12-13  Kentaro Hara  <[email protected]>
+
+        ChildNodesLazySnapshot::nextNode() can crash
+        https://bugs.webkit.org/show_bug.cgi?id=104982
+
+        Reviewed by Hajime Morita.
+
+        ChildNodesLazySnapshot::nextNode() can crash for
+        fast/dom/insertedIntoDocument-no-crash.html.
+        The root cause is that ChildNodesLazySnapshot::m_currentNode
+        was not a RefPtr. This patch changes it to a RefPtr.
+
+        Test: fast/dom/insertedIntoDocument-no-crash.html
+
+        * fast/dom/insertedIntoDocument-no-crash-expected.txt: Added.
+        * fast/dom/insertedIntoDocument-no-crash.html: Added.
+
 2012-12-13  Philip Rogers  <[email protected]>
 
         Clear m_timeContainer on SVGSMILElement removal.

Added: trunk/LayoutTests/fast/dom/insertedIntoDocument-no-crash-expected.txt (0 => 137702)


--- trunk/LayoutTests/fast/dom/insertedIntoDocument-no-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/insertedIntoDocument-no-crash-expected.txt	2012-12-14 03:42:14 UTC (rev 137702)
@@ -0,0 +1,8 @@
+CONSOLE MESSAGE: line 14: Uncaught Error: NotFoundError: DOM Exception 8
+This test must not crash.
+
+foo
+ <mark>
+<script>f1();</script>
+<xmp>
+foo
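Review bot: the expectation pins the uncaught NotFoundError to `line 14` of the test file, so any edit that shifts a line in insertedIntoDocument-no-crash.html (even adding a comment) will turn this into a spurious failure. If the exception is not needed to reproduce the crash, catch it inside f2() and drop the CONSOLE MESSAGE line from the expected output; if it is needed, keep it but say so in the test so the dependency on the line number is deliberate rather than accidental.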

Added: trunk/LayoutTests/fast/dom/insertedIntoDocument-no-crash.html (0 => 137702)


--- trunk/LayoutTests/fast/dom/insertedIntoDocument-no-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/insertedIntoDocument-no-crash.html	2012-12-14 03:42:14 UTC (rev 137702)
@@ -0,0 +1,27 @@
+<html>
+<p>This test must not crash.</p>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+function f1() {
+    document.write('<form>'); //Here we need the form tag to trigger the bug
+    document.getElementsByTagName("s")[0].innerHTML = 'foo';
+}
+
+function f2() {
+    document.getElementsByTagName("kbd")[0].innerHTML = 'foo';
+    document.getElementsByTagName("kbd")[0].insertBefore(document.createElement('foo'),document.createElement('foo'));
+}
+</script>
+<s>
+<!-- The following weird mark-up is needed to reproduce the crash -->
+<script>f1();</script>
+<xmp><mark>
+<script>f1();</script>
+<xmp></xmp>
+<kbd>
+<script>f2();</script>
+</kbd>
+</s>
+</html>
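Review bot: `//Here we need the form tag to trigger the bug` should read `// Here we need ...` per the usual comment spacing. More useful to the next reader: f2() calls `insertBefore(document.createElement('foo'), document.createElement('foo'))` with a reference node that is not a child of the `<kbd>`, which is why the run produces an uncaught NotFoundError; a one-line comment saying whether that throw is part of the repro would stop someone from "fixing" the call and silently losing the test.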

Modified: trunk/Source/WebCore/ChangeLog (137701 => 137702)


--- trunk/Source/WebCore/ChangeLog	2012-12-14 03:28:45 UTC (rev 137701)
+++ trunk/Source/WebCore/ChangeLog	2012-12-14 03:42:14 UTC (rev 137702)
@@ -1,3 +1,22 @@
+2012-12-13  Kentaro Hara  <[email protected]>
+
+        ChildNodesLazySnapshot::nextNode() can crash
+        https://bugs.webkit.org/show_bug.cgi?id=104982
+
+        Reviewed by Hajime Morita.
+
+        ChildNodesLazySnapshot::nextNode() can crash for
+        fast/dom/insertedIntoDocument-no-crash.html.
+        The root cause is that ChildNodesLazySnapshot::m_currentNode
+        was not a RefPtr. This patch changes it to a RefPtr.
+
+        Test: fast/dom/insertedIntoDocument-no-crash.html
+
+        * dom/ContainerNode.h:
+        (WebCore::ChildNodesLazySnapshot::nextNode):
+        (WebCore::ChildNodesLazySnapshot::takeSnapshot):
+        (ChildNodesLazySnapshot):
+
 2012-12-13  Philip Rogers  <[email protected]>
 
         Clear m_timeContainer on SVGSMILElement removal.
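Review bot: the entry says what changed (raw Node* to RefPtr) but not why the raw pointer was unsafe, which is the part a reader of this ChangeLog will want. One sentence would do: m_currentNode rests on the child that nextNode() will hand out next, and if that child is removed from its parent between two nextNode() calls (as the innerHTML assignment in the test does) the parent drops its only reference and the raw pointer is left pointing at freed memory. Since the fix is ownership rather than a null check, it is also worth stating plainly that the crash is a use-after-free, not a null dereference.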

Modified: trunk/Source/WebCore/dom/ContainerNode.h (137701 => 137702)


--- trunk/Source/WebCore/dom/ContainerNode.h	2012-12-14 03:28:45 UTC (rev 137701)
+++ trunk/Source/WebCore/dom/ContainerNode.h	2012-12-14 03:42:14 UTC (rev 137702)
@@ -299,7 +299,7 @@
     Node* nextNode()
     {
         if (LIKELY(!hasSnapshot())) {
-            Node* node = m_currentNode;
+            Node* node = m_currentNode.get();
             if (m_currentNode)
                 m_currentNode = m_currentNode->nextSibling();
             return node;
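Review bot: the ordering here is right but deserves a comment, because it is easy to break: `m_currentNode->nextSibling()` is evaluated while m_currentNode still owns the node, and RefPtr's assignment refs the new sibling before releasing the old one, so the current node is never touched after it may have been freed. Note also that the returned `node` is a raw pointer the snapshot stops owning as soon as that assignment runs; a caller that can run script or mutate the tree after receiving it must take its own RefPtr<Node> on the result.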
@@ -315,7 +315,7 @@
         if (hasSnapshot())
             return;
         m_childNodes = adoptPtr(new Vector<RefPtr<Node> >());
-        Node* node = m_currentNode;
+        Node* node = m_currentNode.get();
         while (node) {
             m_childNodes->append(node);
             node = node->nextSibling();
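Review bot: once the snapshot has been taken, iteration proceeds by m_currentIndex over m_childNodes, yet nothing in the visible lines releases m_currentNode, which now holds a reference to the first child for the rest of the snapshot's lifetime. If the tail of takeSnapshot() does not already do so, add `m_currentNode = 0;` after the loop so a detached node is not kept alive by a cursor that will never return it.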
@@ -337,7 +337,7 @@
 private:
     static ChildNodesLazySnapshot* latestSnapshot;
 
-    Node* m_currentNode;
+    RefPtr<Node> m_currentNode;
     unsigned m_currentIndex;
     OwnPtr<Vector<RefPtr<Node> > > m_childNodes; // Lazily instantiated.
     ChildNodesLazySnapshot* m_nextSnapshot;
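Review bot: changing the member type means the constructor and destructor (not in this diff) now ref and deref the node, which adds a ref/deref pair on the LIKELY(!hasSnapshot()) fast path that the ChangeLog does not mention; fine for correctness, but please confirm the constructor still takes the raw `Node*` it is given and initializes the RefPtr from it. A short comment on this member explaining that the cursor must own the pending child, because the child can be removed from its parent between two nextNode() calls, would keep the next person from "optimizing" it back to a raw pointer.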
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes