- Revision
- 199844
- Author
- cdu...@apple.com
- Date
- 2016-04-21 16:28:48 -0700 (Thu, 21 Apr 2016)
Log Message
Element::idForStyleResolution() is a foot-gun
https://bugs.webkit.org/show_bug.cgi?id=156852
Reviewed by Darin Adler.
Element::idForStyleResolution() is a foot-gun. It requires the caller to check
Element::hasID() first or it may end up crashing when dereferencing elementData()
(e.g. see Bug 156806).
This patch updates Element::idForStyleResolution() to return nullAtom is the
Element does not have an ID. I did not see a performance impact on Speedometer,
Dromaeo DOM Core, Dromaeo CSS Selectors and our local performanceTests/.
* css/ElementRuleCollector.cpp:
(WebCore::ElementRuleCollector::collectMatchingRules):
* css/SelectorChecker.cpp:
(WebCore::SelectorChecker::checkOne):
* css/SelectorFilter.cpp:
(WebCore::collectElementIdentifierHashes):
* dom/Element.h:
(WebCore::Element::idForStyleResolution):
* rendering/RenderBlockFlow.cpp:
(WebCore::needsAppleMailPaginationQuirk):
* rendering/RenderTreeAsText.cpp:
(WebCore::writeRenderRegionList):
* style/StyleSharingResolver.cpp:
(WebCore::Style::SharingResolver::canShareStyleWithElement):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (199843 => 199844)
--- trunk/Source/WebCore/ChangeLog 2016-04-21 23:25:10 UTC (rev 199843)
+++ trunk/Source/WebCore/ChangeLog 2016-04-21 23:28:48 UTC (rev 199844)
@@ -1,3 +1,33 @@
+2016-04-21 Chris Dumez <cdu...@apple.com>
+
+ Element::idForStyleResolution() is a foot-gun
+ https://bugs.webkit.org/show_bug.cgi?id=156852
+
+ Reviewed by Darin Adler.
+
+ Element::idForStyleResolution() is a foot-gun. It requires the caller to check
+ Element::hasID() first or it may end up crashing when dereferencing elementData()
+ (e.g. see Bug 156806).
+
+ This patch updates Element::idForStyleResolution() to return nullAtom is the
+ Element does not have an ID. I did not see a performance impact on Speedometer,
+ Dromaeo DOM Core, Dromaeo CSS Selectors and our local performanceTests/.
+
+ * css/ElementRuleCollector.cpp:
+ (WebCore::ElementRuleCollector::collectMatchingRules):
+ * css/SelectorChecker.cpp:
+ (WebCore::SelectorChecker::checkOne):
+ * css/SelectorFilter.cpp:
+ (WebCore::collectElementIdentifierHashes):
+ * dom/Element.h:
+ (WebCore::Element::idForStyleResolution):
+ * rendering/RenderBlockFlow.cpp:
+ (WebCore::needsAppleMailPaginationQuirk):
+ * rendering/RenderTreeAsText.cpp:
+ (WebCore::writeRenderRegionList):
+ * style/StyleSharingResolver.cpp:
+ (WebCore::Style::SharingResolver::canShareStyleWithElement):
+
2016-04-21 Brady Eidson <beid...@apple.com>
Modern IDB (Workers): Move IDBConnectionProxy into IDBRequest and IDBDatabase.
Modified: trunk/Source/WebCore/css/ElementRuleCollector.cpp (199843 => 199844)
--- trunk/Source/WebCore/css/ElementRuleCollector.cpp 2016-04-21 23:25:10 UTC (rev 199843)
+++ trunk/Source/WebCore/css/ElementRuleCollector.cpp 2016-04-21 23:28:48 UTC (rev 199844)
@@ -153,8 +153,9 @@
// We need to collect the rules for id, class, tag, and everything else into a buffer and
// then sort the buffer.
- if (m_element.hasID())
- collectMatchingRulesForList(matchRequest.ruleSet->idRules(m_element.idForStyleResolution().impl()), matchRequest, ruleRange);
+ auto& id = m_element.idForStyleResolution();
+ if (!id.isNull())
+ collectMatchingRulesForList(matchRequest.ruleSet->idRules(*id.impl()), matchRequest, ruleRange);
if (m_element.hasClass()) {
for (size_t i = 0; i < m_element.classNames().size(); ++i)
collectMatchingRulesForList(matchRequest.ruleSet->classRules(m_element.classNames()[i].impl()), matchRequest, ruleRange);
Modified: trunk/Source/WebCore/css/RuleSet.h (199843 => 199844)
--- trunk/Source/WebCore/css/RuleSet.h 2016-04-21 23:25:10 UTC (rev 199843)
+++ trunk/Source/WebCore/css/RuleSet.h 2016-04-21 23:28:48 UTC (rev 199844)
@@ -174,7 +174,7 @@
const RuleFeatureSet& features() const { return m_features; }
- const RuleDataVector* idRules(AtomicStringImpl* key) const { return m_idRules.get(key); }
+ const RuleDataVector* idRules(AtomicStringImpl& key) const { return m_idRules.get(&key); }
const RuleDataVector* classRules(AtomicStringImpl* key) const { return m_classRules.get(key); }
const RuleDataVector* tagRules(AtomicStringImpl* key, bool isHTMLName) const;
const RuleDataVector* shadowPseudoElementRules(AtomicStringImpl* key) const { return m_shadowPseudoElementRules.get(key); }
Modified: trunk/Source/WebCore/css/SelectorChecker.cpp (199843 => 199844)
--- trunk/Source/WebCore/css/SelectorChecker.cpp 2016-04-21 23:25:10 UTC (rev 199843)
+++ trunk/Source/WebCore/css/SelectorChecker.cpp 2016-04-21 23:28:48 UTC (rev 199844)
@@ -652,8 +652,10 @@
if (selector.match() == CSSSelector::Class)
return element.hasClass() && element.classNames().contains(selector.value());
- if (selector.match() == CSSSelector::Id)
- return element.hasID() && element.idForStyleResolution() == selector.value();
+ if (selector.match() == CSSSelector::Id) {
+ ASSERT(!selector.value().isNull());
+ return element.idForStyleResolution() == selector.value();
+ }
if (selector.isAttributeSelector()) {
if (!element.hasAttributes())
Modified: trunk/Source/WebCore/css/SelectorFilter.cpp (199843 => 199844)
--- trunk/Source/WebCore/css/SelectorFilter.cpp 2016-04-21 23:25:10 UTC (rev 199843)
+++ trunk/Source/WebCore/css/SelectorFilter.cpp 2016-04-21 23:28:48 UTC (rev 199844)
@@ -43,8 +43,9 @@
AtomicString tagLowercaseLocalName = element->localName().convertToASCIILowercase();
identifierHashes.append(tagLowercaseLocalName.impl()->existingHash() * TagNameSalt);
- if (element->hasID())
- identifierHashes.append(element->idForStyleResolution().impl()->existingHash() * IdAttributeSalt);
+ auto& id = element->idForStyleResolution();
+ if (!id.isNull())
+ identifierHashes.append(id.impl()->existingHash() * IdAttributeSalt);
const StyledElement* styledElement = element->isStyledElement() ? static_cast<const StyledElement*>(element) : 0;
if (styledElement && styledElement->hasClass()) {
const SpaceSplitString& classNames = styledElement->classNames();
Modified: trunk/Source/WebCore/dom/Element.h (199843 => 199844)
--- trunk/Source/WebCore/dom/Element.h 2016-04-21 23:25:10 UTC (rev 199843)
+++ trunk/Source/WebCore/dom/Element.h 2016-04-21 23:28:48 UTC (rev 199844)
@@ -664,8 +664,7 @@
inline const AtomicString& Element::idForStyleResolution() const
{
- ASSERT(hasID());
- return elementData()->idForStyleResolution();
+ return hasID() ? elementData()->idForStyleResolution() : nullAtom;
}
inline const AtomicString& Element::getIdAttribute() const
Modified: trunk/Source/WebCore/rendering/RenderBlockFlow.cpp (199843 => 199844)
--- trunk/Source/WebCore/rendering/RenderBlockFlow.cpp 2016-04-21 23:25:10 UTC (rev 199843)
+++ trunk/Source/WebCore/rendering/RenderBlockFlow.cpp 2016-04-21 23:28:48 UTC (rev 199844)
@@ -1643,7 +1643,7 @@
if (!renderer.document().settings()->appleMailPaginationQuirkEnabled())
return false;
- if (renderer.element() && renderer.element()->hasID() && renderer.element()->idForStyleResolution() == "messageContentContainer")
+ if (renderer.element() && renderer.element()->idForStyleResolution() == "messageContentContainer")
return true;
return false;
Modified: trunk/Source/WebCore/rendering/RenderTreeAsText.cpp (199843 => 199844)
--- trunk/Source/WebCore/rendering/RenderTreeAsText.cpp 2016-04-21 23:25:10 UTC (rev 199843)
+++ trunk/Source/WebCore/rendering/RenderTreeAsText.cpp 2016-04-21 23:28:48 UTC (rev 199844)
@@ -690,8 +690,9 @@
ts << " {" << tagName.toString() << "}";
- if (generatingElement->hasID())
- ts << " #" << generatingElement->idForStyleResolution();
+ auto& generatingElementId = generatingElement->idForStyleResolution();
+ if (!generatingElementId.isNull())
+ ts << " #" << generatingElementId;
if (isRenderNamedFlowFragment)
ts << ")";
Modified: trunk/Source/WebCore/style/StyleSharingResolver.cpp (199843 => 199844)
--- trunk/Source/WebCore/style/StyleSharingResolver.cpp 2016-04-21 23:25:10 UTC (rev 199843)
+++ trunk/Source/WebCore/style/StyleSharingResolver.cpp 2016-04-21 23:28:48 UTC (rev 199844)
@@ -88,7 +88,8 @@
if (element.isSVGElement() && downcast<SVGElement>(element).animatedSMILStyleProperties())
return nullptr;
// Ids stop style sharing if they show up in the stylesheets.
- if (element.hasID() && m_ruleSets.features().idsInRules.contains(element.idForStyleResolution().impl()))
+ auto& id = element.idForStyleResolution();
+ if (!id.isNull() && m_ruleSets.features().idsInRules.contains(id.impl()))
return nullptr;
if (parentElementPreventsSharing(parentElement))
return nullptr;
@@ -237,7 +238,8 @@
if (candidateElement.affectsNextSiblingElementStyle() || candidateElement.styleIsAffectedByPreviousSibling())
return false;
- if (candidateElement.hasID() && m_ruleSets.features().idsInRules.contains(candidateElement.idForStyleResolution().impl()))
+ auto& candidateElementId = candidateElement.idForStyleResolution();
+ if (!candidateElementId.isNull() && m_ruleSets.features().idsInRules.contains(candidateElementId.impl()))
return false;
bool isControl = is<HTMLFormControlElement>(candidateElement);