Title: [88434] trunk
Revision
88434
Author
[email protected]
Date
2011-06-09 01:41:56 -0700 (Thu, 09 Jun 2011)

Log Message

2011-06-09  Adam Barth  <[email protected]>

        Reviewed by Eric Seidel.

        Running script from attach can remove elements from the stack of open elements
        https://bugs.webkit.org/show_bug.cgi?id=62160

        * fast/parser/document-write-onload-clear-expected.txt: Added.
        * fast/parser/document-write-onload-clear.html: Added.
2011-06-09  Adam Barth  <[email protected]>

        Reviewed by Eric Seidel.

        Running script from attach can remove elements from the stack of open elements
        https://bugs.webkit.org/show_bug.cgi?id=62160

        When the tree build runs script synchronously, that script can remove
        arbitrary elements from the stack of open elements.  We need to hold a
        reference to |parent| in attach instead of relying upon the reference in
        the stack of open elements.

        Test: fast/parser/document-write-onload-clear.html

        * html/parser/HTMLConstructionSite.cpp:
        (WebCore::HTMLConstructionSite::attach):

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (88433 => 88434)


--- trunk/LayoutTests/ChangeLog	2011-06-09 07:42:53 UTC (rev 88433)
+++ trunk/LayoutTests/ChangeLog	2011-06-09 08:41:56 UTC (rev 88434)
@@ -1,3 +1,13 @@
+2011-06-09  Adam Barth  <[email protected]>
+
+        Reviewed by Eric Seidel.
+
+        Running script from attach can remove elements from the stack of open elements
+        https://bugs.webkit.org/show_bug.cgi?id=62160
+
+        * fast/parser/document-write-onload-clear-expected.txt: Added.
+        * fast/parser/document-write-onload-clear.html: Added.
+
 2011-06-09  Mario Sanchez Prada  <[email protected]>
 
         Reviewed by Chris Fleizach.

Added: trunk/LayoutTests/fast/parser/document-write-onload-clear-expected.txt (0 => 88434)


--- trunk/LayoutTests/fast/parser/document-write-onload-clear-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/parser/document-write-onload-clear-expected.txt	2011-06-09 08:41:56 UTC (rev 88434)
@@ -0,0 +1,2 @@
+PASS
+

Added: trunk/LayoutTests/fast/parser/document-write-onload-clear.html (0 => 88434)


--- trunk/LayoutTests/fast/parser/document-write-onload-clear.html	                        (rev 0)
+++ trunk/LayoutTests/fast/parser/document-write-onload-clear.html	2011-06-09 08:41:56 UTC (rev 88434)
@@ -0,0 +1,5 @@
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+</script>
+<iframe _onload_="document.write('<p>FAIL<iframe _onload_=&quot;document.write(\'<p>\')&quot;></iframe><script>document.body.innerHTML = \'PASS\';</script>');document.close();"></iframe>
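Review bot: both the outer and the nested iframe carry the attribute `_onload_`, which is not an event handler attribute; as listed, neither handler would fire, the outer document would never be rewritten, and the body would not contain the `PASS` that document-write-onload-clear-expected.txt requires. If this is only how the listing renders the attribute, fine, but the committed file must use `onload` for the test to reach the code path the fix targets (synchronous script from the nested iframe's load handler replacing `document.body.innerHTML` while the outer `<p>` is still on the stack of open elements).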

Modified: trunk/Source/WebCore/ChangeLog (88433 => 88434)


--- trunk/Source/WebCore/ChangeLog	2011-06-09 07:42:53 UTC (rev 88433)
+++ trunk/Source/WebCore/ChangeLog	2011-06-09 08:41:56 UTC (rev 88434)
@@ -1,3 +1,20 @@
+2011-06-09  Adam Barth  <[email protected]>
+
+        Reviewed by Eric Seidel.
+
+        Running script from attach can remove elements from the stack of open elements
+        https://bugs.webkit.org/show_bug.cgi?id=62160
+
+        When the tree build runs script synchronously, that script can remove
+        arbitrary elements from the stack of open elements.  We need to hold a
+        reference to |parent| in attach instead of rely upon the reference in
+        the stack of open elements.
+
+        Test: fast/parser/document-write-onload-clear.html
+
+        * html/parser/HTMLConstructionSite.cpp:
+        (WebCore::HTMLConstructionSite::attach):
+
 2011-06-08  Luke Macpherson   <[email protected]>
 
         Reviewed by Eric Seidel.

Modified: trunk/Source/WebCore/html/parser/HTMLConstructionSite.cpp (88433 => 88434)


--- trunk/Source/WebCore/html/parser/HTMLConstructionSite.cpp	2011-06-09 07:42:53 UTC (rev 88433)
+++ trunk/Source/WebCore/html/parser/HTMLConstructionSite.cpp	2011-06-09 08:41:56 UTC (rev 88434)
@@ -82,13 +82,14 @@
 } // namespace
 
 template<typename ChildType>
-PassRefPtr<ChildType> HTMLConstructionSite::attach(ContainerNode* parent, PassRefPtr<ChildType> prpChild)
+PassRefPtr<ChildType> HTMLConstructionSite::attach(ContainerNode* rawParent, PassRefPtr<ChildType> prpChild)
 {
     RefPtr<ChildType> child = prpChild;
+    RefPtr<ContainerNode> parent = rawParent;
 
     // FIXME: It's confusing that HTMLConstructionSite::attach does the magic
     // redirection to the foster parent but HTMLConstructionSite::attachAtSite
-    // doesn't.  It feels like we're missing a concept somehow.
+    // doesn't. It feels like we're missing a concept somehow.
     if (shouldFosterParent()) {
         fosterParent(child.get());
         ASSERT(child->attached() || !child->parentNode() || !child->parentNode()->attached());
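Review bot: the new `RefPtr<ContainerNode> parent = rawParent;` deserves a one-line comment stating why it exists, since nothing in the function body hints that script run from `attach()` can remove `parent` from the stack of open elements, which was previously the only thing keeping it alive; the reasoning is currently only in the ChangeLog. Separately, the `doesn't.  It feels like` to `doesn't. It feels like` whitespace edit in the FIXME is unrelated churn in a lifetime-bug fix and would be cleaner landed on its own.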
@@ -102,11 +103,6 @@
     if (!child->parentNode())
         return child.release();
 
-    // It's slightly unfortunate that we need to hold a reference to child
-    // here to call attach().  We should investigate whether we can rely on
-    // |parent| to hold a ref at this point.  In the common case (at least
-    // for elements), however, we'll get to use this ref in the stack of
-    // open elements.
     if (parent->attached() && !child->attached())
         child->attach();
     return child.release();
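Review bot: dropping the old comment is reasonable now that its open question (whether `parent` could be relied on for the ref) has been answered in the negative, but the surviving `if (parent->attached() && !child->attached())` now reads a `RefPtr` that guarantees only that `parent` is alive, not that it is still in the tree. That is the intended behaviour (a detached parent simply skips `child->attach()`), so a short note that the ref is held for lifetime only would keep the next reader from re-raising the removed FIXME.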