Title: [106072] trunk
Revision
106072
Author
aba...@webkit.org
Date
2012-01-26 17:55:36 -0800 (Thu, 26 Jan 2012)

Log Message

NULL ptr in WebCore::ContainerNode::parserAddChild
https://bugs.webkit.org/show_bug.cgi?id=76258

Reviewed by Eric Seidel.

Source/WebCore:

Test: fast/parser/nested-fragment-parser-crash.html

We always need a parent element to attach to.  In crazy cases, we can
have elements in the stack of open elements that are already detached
from the DOM.  In those cases, they don't have a parent, so we aren't
able to enforce the maximum DOM depth.  (Fortunately, they're not
attached to the DOM anymore so we don't need to enforce the maximum DOM
depth!)

* html/parser/HTMLConstructionSite.cpp:
(WebCore::HTMLConstructionSite::attachLater):
(WebCore::HTMLConstructionSite::fosterParent):

LayoutTests:

This crazy test case causes the parser to do all manner of crazy
things, which is good times for testing.

* fast/parser/nested-fragment-parser-crash-expected.txt: Added.
* fast/parser/nested-fragment-parser-crash.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/html/parser/HTMLConstructionSite.cpp

Added Paths

trunk/LayoutTests/fast/parser/nested-fragment-parser-crash-expected.txt
trunk/LayoutTests/fast/parser/nested-fragment-parser-crash.html

Diff

Modified: trunk/LayoutTests/ChangeLog (106071 => 106072)


--- trunk/LayoutTests/ChangeLog	2012-01-27 01:35:52 UTC (rev 106071)
+++ trunk/LayoutTests/ChangeLog	2012-01-27 01:55:36 UTC (rev 106072)
@@ -1,3 +1,16 @@
+2012-01-26  Adam Barth  <aba...@webkit.org>
+
+        NULL ptr in WebCore::ContainerNode::parserAddChild
+        https://bugs.webkit.org/show_bug.cgi?id=76258
+
+        Reviewed by Eric Seidel.
+
+        This crazy test case causes the parser to do all manner of crazy
+        things, which is good times for testing.
+
+        * fast/parser/nested-fragment-parser-crash-expected.txt: Added.
+        * fast/parser/nested-fragment-parser-crash.html: Added.
+
 2012-01-25  Filip Pizlo  <fpi...@apple.com>
 
         All DFG helpers that may call out to arbitrary JS code must know where they

Added: trunk/LayoutTests/fast/parser/nested-fragment-parser-crash-expected.txt (0 => 106072)


--- trunk/LayoutTests/fast/parser/nested-fragment-parser-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/parser/nested-fragment-parser-crash-expected.txt	2012-01-27 01:55:36 UTC (rev 106072)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: line 19: Uncaught RangeError: Maximum call stack size exceeded.
+x
+x This test passes if it doesn't crash.
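Review bot: the expectation pins a console message with a script line number (`CONSOLE MESSAGE: line 19: Uncaught RangeError: Maximum call stack size exceeded.`), so any edit to the test's `<script>` that shifts lines, or a change in how stack exhaustion is reported, turns a still-passing no-crash test into a text mismatch. Since the stated pass condition is only "This test passes if it doesn't crash.", consider whether the RangeError text needs to be part of the expected output at all, or at least note in the test that the overflow is intentional so a future mismatch is not mistaken for a regression.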

Added: trunk/LayoutTests/fast/parser/nested-fragment-parser-crash.html (0 => 106072)


--- trunk/LayoutTests/fast/parser/nested-fragment-parser-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/parser/nested-fragment-parser-crash.html	2012-01-27 01:55:36 UTC (rev 106072)
@@ -0,0 +1,22 @@
+x<h4><strike>x
+This test passes if it doesn't crash.
+<script>
+  if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+  var counter = 0;
+  window._onload_=function(){
+    document.execCommand("SelectAll");
+    document.designMode="on";
+    document.execCommand("Indent");
+    document.execCommand("InsertOrderedList", false);
+  };
+  function handler() {
+    // This constant is somewhat magic. It's the smallest constant such that
+    // we'll exceed the maxium call stack size.
+    if (++counter >= 34)
+      document.removeEventListener("DOMSubtreeModified", handler, false);
+    document.execCommand("outdent", false);
+  };
+  document.addEventListener("DOMSubtreeModified", handler, false);
+</script>
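Review bot: `window._onload_=function(){` assigns a property named `_onload_`, which is not the `load` event handler, so as shown the `execCommand` sequence in that function never runs; if this is the list archive rewriting `onload`, fine, otherwise it should be `window.onload`. Smaller points in the same hunk: the comment at `// we'll exceed the maxium call stack size.` misspells "maximum"; the handler still issues `document.execCommand("outdent", false);` after removing itself on the 34th call, so the comment could say that the removal only stops further re-entry; and the `};` closing `function handler()` is a stray semicolon after a function declaration.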

Modified: trunk/Source/WebCore/ChangeLog (106071 => 106072)


--- trunk/Source/WebCore/ChangeLog	2012-01-27 01:35:52 UTC (rev 106071)
+++ trunk/Source/WebCore/ChangeLog	2012-01-27 01:55:36 UTC (rev 106072)
@@ -1,3 +1,23 @@
+2012-01-26  Adam Barth  <aba...@webkit.org>
+
+        NULL ptr in WebCore::ContainerNode::parserAddChild
+        https://bugs.webkit.org/show_bug.cgi?id=76258
+
+        Reviewed by Eric Seidel.
+
+        Test: fast/parser/nested-fragment-parser-crash.html
+
+        We always need a parent element to attach to.  In crazy cases, we can
+        have elements in the stack of open elements that are already detached
+        from the DOM.  In those cases, they don't have a parent, so we aren't
+        able to enforce the maximum DOM depth.  (Fortunately, they're not
+        attached to the DOM anymore so we don't need to enforce the maximum DOM
+        depth!)
+
+        * html/parser/HTMLConstructionSite.cpp:
+        (WebCore::HTMLConstructionSite::attachLater):
+        (WebCore::HTMLConstructionSite::fosterParent):
+
 2012-01-26  Cris Neckar  <c...@chromium.org>
 
         The registration of schemes is currently racey as they are not registered from the main thread. 

Modified: trunk/Source/WebCore/html/parser/HTMLConstructionSite.cpp (106071 => 106072)


--- trunk/Source/WebCore/html/parser/HTMLConstructionSite.cpp	2012-01-27 01:35:52 UTC (rev 106071)
+++ trunk/Source/WebCore/html/parser/HTMLConstructionSite.cpp	2012-01-27 01:55:36 UTC (rev 106072)
@@ -118,9 +118,10 @@
     }
 
     // Add as a sibling of the parent if we have reached the maximum depth allowed.
-    if (m_openElements.stackDepth() > m_maximumDOMTreeDepth)
+    if (m_openElements.stackDepth() > m_maximumDOMTreeDepth && task.parent->parentNode())
         task.parent = task.parent->parentNode();
 
+    ASSERT(task.parent);
     m_attachmentQueue.append(task);
 }
 
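Review bot: `ASSERT(task.parent);` sits after `task.parent->parentNode()` has already been dereferenced in the depth check at `if (m_openElements.stackDepth() > m_maximumDOMTreeDepth && task.parent->parentNode())`, so in the over-depth path a null parent would crash in the condition before the assertion reports anything; move the assertion above the `if` so it states the precondition for the whole function. Also, the new `&& task.parent->parentNode()` clause means the depth limit is silently skipped when the current parent is detached, which the ChangeLog justifies (a detached element is no longer in the DOM, so the depth limit does not apply) but the inline comment above the `if` does not; a one-line comment here would keep that reasoning with the code.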
@@ -528,6 +529,7 @@
     HTMLConstructionSiteTask task;
     findFosterSite(task);
     task.child = node;
+    ASSERT(task.parent);
     m_attachmentQueue.append(task);
 }
 
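Review bot: `ASSERT(task.parent);` after `findFosterSite(task);` only fires in debug builds; in release a task whose parent is null is still appended to `m_attachmentQueue` and would be dereferenced when the queue is executed, the same null dereference the bug title describes. If `findFosterSite` can legitimately leave `task.parent` unset, `fosterParent` should return early and drop the node rather than enqueue it; if it cannot, the assertion is the right documentation of that invariant and a short comment saying so would help the next reader.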
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
