Title: [118703] trunk
Revision
118703
Author
commit-qu...@webkit.org
Date
2012-05-28 12:37:04 -0700 (Mon, 28 May 2012)

Log Message

Crash on incomplete :not().
https://bugs.webkit.org/show_bug.cgi?id=86673

Patch by Yong Li <y...@rim.com> on 2012-05-28
Reviewed by Antti Koivisto.

Source/WebCore:

Add back null-checks for incomplete :not() class
which were dropped by r81845.

* css/CSSSelector.cpp:
(WebCore::CSSSelector::specificityForOneSelector):
(WebCore::CSSSelector::selectorText):
* css/SelectorChecker.cpp:
(WebCore::SelectorChecker::checkOneSelector):
(WebCore::SelectorChecker::determineLinkMatchType):

LayoutTests:

Add a test case that makes the CSS parser create an incomplete
:not selector.

* fast/css/crash-on-incomplete-not.html: Added.
* fast/css/crash-on-incomplete-not-expected.txt: Added.


Modified: trunk/LayoutTests/ChangeLog (118702 => 118703)


--- trunk/LayoutTests/ChangeLog	2012-05-28 19:21:23 UTC (rev 118702)
+++ trunk/LayoutTests/ChangeLog	2012-05-28 19:37:04 UTC (rev 118703)
@@ -1,3 +1,16 @@
+2012-05-28  Yong Li  <y...@rim.com>
+
+        Crash on incomplete :not().
+        https://bugs.webkit.org/show_bug.cgi?id=86673
+
+        Reviewed by Antti Koivisto.
+
+        Add a test case that makes CSS parser create incomplete
+        :not selector.
+
+        * fast/css/crash-on-incomplete-not.html: Added.
+        * fast/css/crash-on-incomplete-not-expected.txt: Added.
+
 2012-05-28  Marcus Bulach  <bul...@chromium.org>
 
         [chromium] Adjust expectations for fast/layers/clip-rects-assertion-expected.txt

Added: trunk/LayoutTests/fast/css/crash-on-incomplete-not-expected.txt (0 => 118703)


--- trunk/LayoutTests/fast/css/crash-on-incomplete-not-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/css/crash-on-incomplete-not-expected.txt	2012-05-28 19:37:04 UTC (rev 118703)
@@ -0,0 +1 @@
+PASS without crash.

Added: trunk/LayoutTests/fast/css/crash-on-incomplete-not.html (0 => 118703)


--- trunk/LayoutTests/fast/css/crash-on-incomplete-not.html	                        (rev 0)
+++ trunk/LayoutTests/fast/css/crash-on-incomplete-not.html	2012-05-28 19:37:04 UTC (rev 118703)
@@ -0,0 +1,23 @@
+<html>
+<head>
+<style id="m"></style>
+</head>
+<body>
+<script>
+    var g = ":not\\( .title{}";
+    var me = document.getElementById("m");
+    window.setTimeout(runTest,0);
+    function runTest(){
+        me.textContent=g;
+        if (window.layoutTestController) {
+            layoutTestController.notifyDone();
+        }
+    }
+    if (window.layoutTestController) {
+        layoutTestController.dumpAsText();
+        layoutTestController.waitUntilDone();
+    }
+</script>
+<p>PASS without crash.</p>
+</body>
+</html>
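Review bot: The page only assigns the broken rule to the style element's textContent, which exercises parsing and selector matching, but nothing reads the resulting rule back, so the `CSSSelector::selectorText` path that this commit also null-checks appears not to be covered by the test. Reading the rule text after the assignment, e.g. `document.styleSheets[0].cssRules[0].selectorText;` inside `runTest` before `notifyDone`, would presumably reach that code; this is inferred from the commit's file list rather than visible here. The expected output would stay "PASS without crash." as long as the read is not printed.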

Modified: trunk/Source/WebCore/ChangeLog (118702 => 118703)


--- trunk/Source/WebCore/ChangeLog	2012-05-28 19:21:23 UTC (rev 118702)
+++ trunk/Source/WebCore/ChangeLog	2012-05-28 19:37:04 UTC (rev 118703)
@@ -1,3 +1,20 @@
+2012-05-28  Yong Li  <y...@rim.com>
+
+        Crash on incomplete :not().
+        https://bugs.webkit.org/show_bug.cgi?id=86673
+
+        Reviewed by Antti Koivisto.
+
+        Add back null-checks for incomplete :not() class
+        which were dropped by r81845.
+
+        * css/CSSSelector.cpp:
+        (WebCore::CSSSelector::specificityForOneSelector):
+        (WebCore::CSSSelector::selectorText):
+        * css/SelectorChecker.cpp:
+        (WebCore::SelectorChecker::checkOneSelector):
+        (WebCore::SelectorChecker::determineLinkMatchType):
+
 2012-05-28  Leo Yang  <leo.y...@torchmobile.com.cn>
 
         FileWriterSync binding should have no static table

Modified: trunk/Source/WebCore/css/CSSSelector.cpp (118702 => 118703)


--- trunk/Source/WebCore/css/CSSSelector.cpp	2012-05-28 19:21:23 UTC (rev 118702)
+++ trunk/Source/WebCore/css/CSSSelector.cpp	2012-05-28 19:37:04 UTC (rev 118703)
@@ -81,10 +81,9 @@
     case End:
         // FIXME: PsuedoAny should base the specificity on the sub-selectors.
         // See http://lists.w3.org/Archives/Public/www-style/2010Sep/0530.html
-        if (pseudoType() == PseudoNot) {
-            ASSERT(selectorList());
+        if (pseudoType() == PseudoNot && selectorList())
             s += selectorList()->first()->specificityForOneSelector();
-        } else
+        else
             s += 0x100;
     case None:
         break;
@@ -544,8 +543,8 @@
 
             switch (cs->pseudoType()) {
             case PseudoNot:
-                ASSERT(cs->selectorList());
-                str += cs->selectorList()->first()->selectorText();
+                if (CSSSelectorList* selectorList = cs->selectorList())
+                    str += selectorList->first()->selectorText();
                 str += ")";
                 break;
             case PseudoLang:
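Review bot: In the first hunk the new condition `pseudoType() == PseudoNot && selectorList()` makes an incomplete `:not()` silently fall into the `else` branch and receive the ordinary pseudo-class specificity of `0x100`, and nothing at the site records that this is a workaround for a parser-produced selector rather than an intended rule; the same situation deserves the explanatory comment that SelectorChecker.cpp gets in this commit, e.g. `// FIXME: The parser can produce a :not() with no selector list; treat it as a plain pseudo-class until that is fixed.` placed above the `if`. The removed lines show why the release crash happened: `ASSERT` is compiled out in release builds, so the unconditional `selectorList()->first()` on the next line dereferenced a null pointer with no guard at all. The second hunk keeps the trailing `str += ")"` unconditionally, so serialisation of such a selector yields `:not()` text; that is reasonable for a best-effort dump but worth a one-line comment as well. Both enclosing functions (`specificityForOneSelector`, `selectorText`) begin outside these hunks.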

Modified: trunk/Source/WebCore/css/SelectorChecker.cpp (118702 => 118703)


--- trunk/Source/WebCore/css/SelectorChecker.cpp	2012-05-28 19:21:23 UTC (rev 118702)
+++ trunk/Source/WebCore/css/SelectorChecker.cpp	2012-05-28 19:37:04 UTC (rev 118703)
@@ -732,10 +732,15 @@
     if (selector->m_match == CSSSelector::PseudoClass) {
         // Handle :not up front.
         if (selector->pseudoType() == CSSSelector::PseudoNot) {
-            ASSERT(selector->selectorList());
+            CSSSelectorList* selectorList = selector->selectorList();
+
+            // FIXME: We probably should fix the parser and make it never produce :not rules with missing selector list.
+            if (!selectorList)
+                return false;
+
             SelectorCheckingContext subContext(context);
             subContext.isSubSelector = true;
-            for (subContext.selector = selector->selectorList()->first(); subContext.selector; subContext.selector = subContext.selector->tagHistory()) {
+            for (subContext.selector = selectorList->first(); subContext.selector; subContext.selector = subContext.selector->tagHistory()) {
                 // :not cannot nest. I don't really know why this is a
                 // restriction in CSS3, but it is, so let's honor it.
                 // the parser enforces that this never occurs
@@ -1324,13 +1329,19 @@
     for (; selector; selector = selector->tagHistory()) {
         switch (selector->pseudoType()) {
         case CSSSelector::PseudoNot:
-            // :not(:visited) is equivalent to :link. Parser enforces that :not can't nest.
-            for (CSSSelector* subSelector = selector->selectorList()->first(); subSelector; subSelector = subSelector->tagHistory()) {
-                CSSSelector::PseudoType subType = subSelector->pseudoType();
-                if (subType == CSSSelector::PseudoVisited)
-                    linkMatchType &= ~SelectorChecker::MatchVisited;
-                else if (subType == CSSSelector::PseudoLink)
-                    linkMatchType &= ~SelectorChecker::MatchLink;
+            {
+                // :not(:visited) is equivalent to :link. Parser enforces that :not can't nest.
+                CSSSelectorList* selectorList = selector->selectorList();
+                if (!selectorList)
+                    break;
+
+                for (CSSSelector* subSelector = selectorList->first(); subSelector; subSelector = subSelector->tagHistory()) {
+                    CSSSelector::PseudoType subType = subSelector->pseudoType();
+                    if (subType == CSSSelector::PseudoVisited)
+                        linkMatchType &= ~SelectorChecker::MatchVisited;
+                    else if (subType == CSSSelector::PseudoLink)
+                        linkMatchType &= ~SelectorChecker::MatchLink;
+                }
             }
             break;
         case CSSSelector::PseudoLink:
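Review bot: The second hunk's new guard `if (!selectorList) break;` in `determineLinkMatchType` lacks the FIXME that the first hunk attaches to the equivalent check in `checkOneSelector`, so a reader of this function alone cannot tell that a null list is a known parser defect rather than a supported state; copying the same comment, `// FIXME: We probably should fix the parser and make it never produce :not rules with missing selector list.`, above the `break` keeps the two sites in step. Note that the two fallbacks differ in meaning: `checkOneSelector` returns false (the selector never matches), while here the link-match flags are simply left untouched, which is consistent with "matches nothing" but is worth stating in that comment. Both enclosing functions start before their hunks and continue after them.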