Title: [88827] branches/chromium/742
- Revision
- 88827
- Author
- [email protected]
- Date
- 2011-06-14 11:14:12 -0700 (Tue, 14 Jun 2011)
Log Message
Merge 88411
BUG=85102
Review URL: http://codereview.chromium.org/7155003
Modified Paths
Added Paths
Diff
Copied: branches/chromium/742/LayoutTests/fast/parser/document-write-onload-nesting-expected.txt (from rev 88411, trunk/LayoutTests/fast/parser/document-write-onload-nesting-expected.txt) (0 => 88827)
--- branches/chromium/742/LayoutTests/fast/parser/document-write-onload-nesting-expected.txt (rev 0)
+++ branches/chromium/742/LayoutTests/fast/parser/document-write-onload-nesting-expected.txt 2011-06-14 18:14:12 UTC (rev 88827)
@@ -0,0 +1,3 @@
+PASS
+
+
Copied: branches/chromium/742/LayoutTests/fast/parser/document-write-onload-nesting.html (from rev 88411, trunk/LayoutTests/fast/parser/document-write-onload-nesting.html) (0 => 88827)
--- branches/chromium/742/LayoutTests/fast/parser/document-write-onload-nesting.html (rev 0)
+++ branches/chromium/742/LayoutTests/fast/parser/document-write-onload-nesting.html 2011-06-14 18:14:12 UTC (rev 88827)
@@ -0,0 +1,5 @@
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
+<iframe _onload_="document.write('<p>PASS<iframe _onload_="document.write(\'<p>\')"></iframe>');"></iframe>
Copied: branches/chromium/742/LayoutTests/fast/parser/document-write-onload-ordering-expected.txt (from rev 88411, trunk/LayoutTests/fast/parser/document-write-onload-ordering-expected.txt) (0 => 88827)
--- branches/chromium/742/LayoutTests/fast/parser/document-write-onload-ordering-expected.txt (rev 0)
+++ branches/chromium/742/LayoutTests/fast/parser/document-write-onload-ordering-expected.txt 2011-06-14 18:14:12 UTC (rev 88827)
@@ -0,0 +1,9 @@
+ALERT: 0
+ALERT: 1
+ALERT: 2
+ALERT: 3
+ALERT: 4
+ALERT: 5
+PASS
+
+
Copied: branches/chromium/742/LayoutTests/fast/parser/document-write-onload-ordering.html (from rev 88411, trunk/LayoutTests/fast/parser/document-write-onload-ordering.html) (0 => 88827)
--- branches/chromium/742/LayoutTests/fast/parser/document-write-onload-ordering.html (rev 0)
+++ branches/chromium/742/LayoutTests/fast/parser/document-write-onload-ordering.html 2011-06-14 18:14:12 UTC (rev 88827)
@@ -0,0 +1,5 @@
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
+<iframe _onload_="alert(0);document.write('<p>PASS<iframe _onload_="alert(1);document.write(\'<p><iframe _onload_=alert(3)></iframe>\');alert(4);"></iframe><iframe _onload_=alert(2)></iframe>');alert(5);document.close();"></iframe>
Modified: branches/chromium/742/Source/WebCore/html/parser/HTMLDocumentParser.cpp (88826 => 88827)
--- branches/chromium/742/Source/WebCore/html/parser/HTMLDocumentParser.cpp 2011-06-14 18:05:02 UTC (rev 88826)
+++ branches/chromium/742/Source/WebCore/html/parser/HTMLDocumentParser.cpp 2011-06-14 18:14:12 UTC (rev 88827)
@@ -274,7 +274,7 @@
}
m_treeBuilder->constructTreeFromToken(m_token);
- m_token.clear();
+ ASSERT(m_token.isUninitialized());
}
// Ensure we haven't been totally deref'ed after pumping. Any caller of this
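Review bot: Replacing `m_token.clear()` with `ASSERT(m_token.isUninitialized())` means release builds no longer clear the token here at all, so the parser now depends entirely on HTMLTreeBuilder::constructTreeFromToken clearing it on every path, including re-entrant ones. That contract is not stated at this call site; a one-line comment above the assert, `// The tree builder clears m_token before anything can re-enter the parser (see HTMLTreeBuilder::constructTreeFromToken).`, would make the dependency visible to the next person editing either side. The enclosing function starts before this hunk.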
Modified: branches/chromium/742/Source/WebCore/html/parser/HTMLToken.h (88826 => 88827)
--- branches/chromium/742/Source/WebCore/html/parser/HTMLToken.h 2011-06-14 18:05:02 UTC (rev 88826)
+++ branches/chromium/742/Source/WebCore/html/parser/HTMLToken.h 2011-06-14 18:14:12 UTC (rev 88827)
@@ -73,6 +73,8 @@
m_data.clear();
}
+ bool isUninitialized() { return m_type == Uninitialized; }
+
int startIndex() const { return m_range.m_start; }
int endIndex() const { return m_range.m_end; }
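Review bot: `isUninitialized()` is a pure query but is declared non-const, unlike the neighbouring `startIndex()` and `endIndex()` accessors, so it cannot be used on a `const HTMLToken&` or inside const member functions. It should read `bool isUninitialized() const { return m_type == Uninitialized; }`. The enclosing class runs outside this hunk.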
Modified: branches/chromium/742/Source/WebCore/html/parser/HTMLTreeBuilder.cpp (88826 => 88827)
--- branches/chromium/742/Source/WebCore/html/parser/HTMLTreeBuilder.cpp 2011-06-14 18:05:02 UTC (rev 88826)
+++ branches/chromium/742/Source/WebCore/html/parser/HTMLTreeBuilder.cpp 2011-06-14 18:14:12 UTC (rev 88827)
@@ -434,7 +434,26 @@
void HTMLTreeBuilder::constructTreeFromToken(HTMLToken& rawToken)
{
AtomicHTMLToken token(rawToken);
+
+ // We clear the rawToken in case constructTreeFromAtomicToken
+ // synchronously re-enters the parser. We don't clear the token immedately
+ // for Character tokens because the AtomicHTMLToken avoids copying the
+ // characters by keeping a pointer to the underlying buffer in the
+ // HTMLToken. Fortuantely, Character tokens can't cause use to re-enter
+ // the parser.
+ //
+ // FIXME: Top clearing the rawToken once we start running the parser off
+ // the main thread or once we stop allowing synchronous _javascript_
+ // execution from parseMappedAttribute.
+ if (rawToken.type() != HTMLToken::Character)
+ rawToken.clear();
+
constructTreeFromAtomicToken(token);
+
+ if (!rawToken.isUninitialized()) {
+ ASSERT(rawToken.type() == HTMLToken::Character);
+ rawToken.clear();
+ }
}
void HTMLTreeBuilder::constructTreeFromAtomicToken(AtomicHTMLToken& token)
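Review bot: The new comment block carries several typos that obscure its point: "immedately", "Fortuantely", "can't cause use to re-enter" (should be "us"), and "Top clearing the rawToken" (presumably "Stop clearing"), and "_javascript_" looks like list-archive mangling rather than the intended "JavaScript". The comment is also the only thing documenting why Character tokens are exempt from the pre-dispatch clear; since the AtomicHTMLToken keeps a pointer into the HTMLToken's buffer for that case, a re-entrant parse during a Character token would leave it dangling, and nothing in the hunk enforces that invariant beyond the post-call ASSERT. Consider stating that explicitly in the comment, e.g. `// Invariant: a Character token must never re-enter the parser, or the AtomicHTMLToken's view of rawToken's buffer would dangle.`. The same two-phase clear/ASSERT pattern is relied on by the HTMLDocumentParser.cpp hunk above.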