[webkit-changes] [199844] trunk/Source/WebCore

Thu, 21 Apr 2016 16:29:32 -0700

Title: [199844] trunk/Source/WebCore
Revision
199844
Author
cdu...@apple.com
Date
2016-04-21 16:28:48 -0700 (Thu, 21 Apr 2016)

Log Message

Element::idForStyleResolution() is a foot-gun
https://bugs.webkit.org/show_bug.cgi?id=156852

Reviewed by Darin Adler.

Element::idForStyleResolution() is a foot-gun. It requires the caller to check
Element::hasID() first or it may end up crashing when dereferencing elementData()
(e.g. see Bug 156806).

This patch updates Element::idForStyleResolution() to return nullAtom is the
Element does not have an ID. I did not see a performance impact on Speedometer,
Dromaeo DOM Core, Dromaeo CSS Selectors and our local performanceTests/.

* css/ElementRuleCollector.cpp:
(WebCore::ElementRuleCollector::collectMatchingRules):
* css/SelectorChecker.cpp:
(WebCore::SelectorChecker::checkOne):
* css/SelectorFilter.cpp:
(WebCore::collectElementIdentifierHashes):
* dom/Element.h:
(WebCore::Element::idForStyleResolution):
* rendering/RenderBlockFlow.cpp:
(WebCore::needsAppleMailPaginationQuirk):
* rendering/RenderTreeAsText.cpp:
(WebCore::writeRenderRegionList):
* style/StyleSharingResolver.cpp:
(WebCore::Style::SharingResolver::canShareStyleWithElement):

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (199843 => 199844)


--- trunk/Source/WebCore/ChangeLog	2016-04-21 23:25:10 UTC (rev 199843)
+++ trunk/Source/WebCore/ChangeLog	2016-04-21 23:28:48 UTC (rev 199844)
@@ -1,3 +1,33 @@
+2016-04-21  Chris Dumez  <cdu...@apple.com>
+
+        Element::idForStyleResolution() is a foot-gun
+        https://bugs.webkit.org/show_bug.cgi?id=156852
+
+        Reviewed by Darin Adler.
+
+        Element::idForStyleResolution() is a foot-gun. It requires the caller to check
+        Element::hasID() first or it may end up crashing when dereferencing elementData()
+        (e.g. see Bug 156806).
+
+        This patch updates Element::idForStyleResolution() to return nullAtom is the
+        Element does not have an ID. I did not see a performance impact on Speedometer,
+        Dromaeo DOM Core, Dromaeo CSS Selectors and our local performanceTests/.
+
+        * css/ElementRuleCollector.cpp:
+        (WebCore::ElementRuleCollector::collectMatchingRules):
+        * css/SelectorChecker.cpp:
+        (WebCore::SelectorChecker::checkOne):
+        * css/SelectorFilter.cpp:
+        (WebCore::collectElementIdentifierHashes):
+        * dom/Element.h:
+        (WebCore::Element::idForStyleResolution):
+        * rendering/RenderBlockFlow.cpp:
+        (WebCore::needsAppleMailPaginationQuirk):
+        * rendering/RenderTreeAsText.cpp:
+        (WebCore::writeRenderRegionList):
+        * style/StyleSharingResolver.cpp:
+        (WebCore::Style::SharingResolver::canShareStyleWithElement):
+
 2016-04-21  Brady Eidson  <beid...@apple.com>
 
         Modern IDB (Workers): Move IDBConnectionProxy into IDBRequest and IDBDatabase.

Modified: trunk/Source/WebCore/css/ElementRuleCollector.cpp (199843 => 199844)


--- trunk/Source/WebCore/css/ElementRuleCollector.cpp	2016-04-21 23:25:10 UTC (rev 199843)
+++ trunk/Source/WebCore/css/ElementRuleCollector.cpp	2016-04-21 23:28:48 UTC (rev 199844)
@@ -153,8 +153,9 @@
 
     // We need to collect the rules for id, class, tag, and everything else into a buffer and
     // then sort the buffer.
-    if (m_element.hasID())
-        collectMatchingRulesForList(matchRequest.ruleSet->idRules(m_element.idForStyleResolution().impl()), matchRequest, ruleRange);
+    auto& id = m_element.idForStyleResolution();
+    if (!id.isNull())
+        collectMatchingRulesForList(matchRequest.ruleSet->idRules(*id.impl()), matchRequest, ruleRange);
     if (m_element.hasClass()) {
         for (size_t i = 0; i < m_element.classNames().size(); ++i)
             collectMatchingRulesForList(matchRequest.ruleSet->classRules(m_element.classNames()[i].impl()), matchRequest, ruleRange);

Modified: trunk/Source/WebCore/css/RuleSet.h (199843 => 199844)


--- trunk/Source/WebCore/css/RuleSet.h	2016-04-21 23:25:10 UTC (rev 199843)
+++ trunk/Source/WebCore/css/RuleSet.h	2016-04-21 23:28:48 UTC (rev 199844)
@@ -174,7 +174,7 @@
 
     const RuleFeatureSet& features() const { return m_features; }
 
-    const RuleDataVector* idRules(AtomicStringImpl* key) const { return m_idRules.get(key); }
+    const RuleDataVector* idRules(AtomicStringImpl& key) const { return m_idRules.get(&key); }
     const RuleDataVector* classRules(AtomicStringImpl* key) const { return m_classRules.get(key); }
     const RuleDataVector* tagRules(AtomicStringImpl* key, bool isHTMLName) const;
     const RuleDataVector* shadowPseudoElementRules(AtomicStringImpl* key) const { return m_shadowPseudoElementRules.get(key); }

Modified: trunk/Source/WebCore/css/SelectorChecker.cpp (199843 => 199844)


--- trunk/Source/WebCore/css/SelectorChecker.cpp	2016-04-21 23:25:10 UTC (rev 199843)
+++ trunk/Source/WebCore/css/SelectorChecker.cpp	2016-04-21 23:28:48 UTC (rev 199844)
@@ -652,8 +652,10 @@
     if (selector.match() == CSSSelector::Class)
         return element.hasClass() && element.classNames().contains(selector.value());
 
-    if (selector.match() == CSSSelector::Id)
-        return element.hasID() && element.idForStyleResolution() == selector.value();
+    if (selector.match() == CSSSelector::Id) {
+        ASSERT(!selector.value().isNull());
+        return element.idForStyleResolution() == selector.value();
+    }
 
     if (selector.isAttributeSelector()) {
         if (!element.hasAttributes())

Modified: trunk/Source/WebCore/css/SelectorFilter.cpp (199843 => 199844)


--- trunk/Source/WebCore/css/SelectorFilter.cpp	2016-04-21 23:25:10 UTC (rev 199843)
+++ trunk/Source/WebCore/css/SelectorFilter.cpp	2016-04-21 23:28:48 UTC (rev 199844)
@@ -43,8 +43,9 @@
     AtomicString tagLowercaseLocalName = element->localName().convertToASCIILowercase();
     identifierHashes.append(tagLowercaseLocalName.impl()->existingHash() * TagNameSalt);
 
-    if (element->hasID())
-        identifierHashes.append(element->idForStyleResolution().impl()->existingHash() * IdAttributeSalt);
+    auto& id = element->idForStyleResolution();
+    if (!id.isNull())
+        identifierHashes.append(id.impl()->existingHash() * IdAttributeSalt);
     const StyledElement* styledElement = element->isStyledElement() ? static_cast<const StyledElement*>(element) : 0;
     if (styledElement && styledElement->hasClass()) {
         const SpaceSplitString& classNames = styledElement->classNames();

Modified: trunk/Source/WebCore/dom/Element.h (199843 => 199844)


--- trunk/Source/WebCore/dom/Element.h	2016-04-21 23:25:10 UTC (rev 199843)
+++ trunk/Source/WebCore/dom/Element.h	2016-04-21 23:28:48 UTC (rev 199844)
@@ -664,8 +664,7 @@
 
 inline const AtomicString& Element::idForStyleResolution() const
 {
-    ASSERT(hasID());
-    return elementData()->idForStyleResolution();
+    return hasID() ? elementData()->idForStyleResolution() : nullAtom;
 }
 
 inline const AtomicString& Element::getIdAttribute() const

Modified: trunk/Source/WebCore/rendering/RenderBlockFlow.cpp (199843 => 199844)


--- trunk/Source/WebCore/rendering/RenderBlockFlow.cpp	2016-04-21 23:25:10 UTC (rev 199843)
+++ trunk/Source/WebCore/rendering/RenderBlockFlow.cpp	2016-04-21 23:28:48 UTC (rev 199844)
@@ -1643,7 +1643,7 @@
     if (!renderer.document().settings()->appleMailPaginationQuirkEnabled())
         return false;
 
-    if (renderer.element() && renderer.element()->hasID() && renderer.element()->idForStyleResolution() == "messageContentContainer")
+    if (renderer.element() && renderer.element()->idForStyleResolution() == "messageContentContainer")
         return true;
 
     return false;

Modified: trunk/Source/WebCore/rendering/RenderTreeAsText.cpp (199843 => 199844)


--- trunk/Source/WebCore/rendering/RenderTreeAsText.cpp	2016-04-21 23:25:10 UTC (rev 199843)
+++ trunk/Source/WebCore/rendering/RenderTreeAsText.cpp	2016-04-21 23:28:48 UTC (rev 199844)
@@ -690,8 +690,9 @@
 
             ts << " {" << tagName.toString() << "}";
 
-            if (generatingElement->hasID())
-                ts << " #" << generatingElement->idForStyleResolution();
+            auto& generatingElementId = generatingElement->idForStyleResolution();
+            if (!generatingElementId.isNull())
+                ts << " #" << generatingElementId;
 
             if (isRenderNamedFlowFragment)
                 ts << ")";

Modified: trunk/Source/WebCore/style/StyleSharingResolver.cpp (199843 => 199844)


--- trunk/Source/WebCore/style/StyleSharingResolver.cpp	2016-04-21 23:25:10 UTC (rev 199843)
+++ trunk/Source/WebCore/style/StyleSharingResolver.cpp	2016-04-21 23:28:48 UTC (rev 199844)
@@ -88,7 +88,8 @@
     if (element.isSVGElement() && downcast<SVGElement>(element).animatedSMILStyleProperties())
         return nullptr;
     // Ids stop style sharing if they show up in the stylesheets.
-    if (element.hasID() && m_ruleSets.features().idsInRules.contains(element.idForStyleResolution().impl()))
+    auto& id = element.idForStyleResolution();
+    if (!id.isNull() && m_ruleSets.features().idsInRules.contains(id.impl()))
         return nullptr;
     if (parentElementPreventsSharing(parentElement))
         return nullptr;
@@ -237,7 +238,8 @@
     if (candidateElement.affectsNextSiblingElementStyle() || candidateElement.styleIsAffectedByPreviousSibling())
         return false;
 
-    if (candidateElement.hasID() && m_ruleSets.features().idsInRules.contains(candidateElement.idForStyleResolution().impl()))
+    auto& candidateElementId = candidateElement.idForStyleResolution();
+    if (!candidateElementId.isNull() && m_ruleSets.features().idsInRules.contains(candidateElementId.impl()))
         return false;
 
     bool isControl = is<HTMLFormControlElement>(candidateElement);

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to