Title: [93032] trunk
Revision: 93032
Author: [email protected]
Date: 2011-08-14 16:08:11 -0700 (Sun, 14 Aug 2011)
Log Message
Source/WebCore: Crash in HTMLTreeBuilder::processAnyOtherEndTagForInBody
https://bugs.webkit.org/show_bug.cgi?id=66187
Reviewed by Adam Barth.
RefPtr a few ContainerNodes to prevent premature deletion.
Test: fast/html/process-end-tag-for-inbody-crash.html
* html/parser/HTMLTreeBuilder.cpp:
(WebCore::HTMLTreeBuilder::processCloseWhenNestedTag):
(WebCore::HTMLTreeBuilder::processAnyOtherEndTagForInBody):
(WebCore::HTMLTreeBuilder::callTheAdoptionAgency):
LayoutTests: Crash in HTMLTreeBuilder::processAnyOtherEndTagForInBody.
https://bugs.webkit.org/show_bug.cgi?id=66187
Reviewed by Adam Barth.
* fast/html/process-end-tag-for-inbody-crash-expected.txt: Added.
* fast/html/process-end-tag-for-inbody-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (93031 => 93032)
--- trunk/LayoutTests/ChangeLog 2011-08-14 17:54:21 UTC (rev 93031)
+++ trunk/LayoutTests/ChangeLog 2011-08-14 23:08:11 UTC (rev 93032)
@@ -1,3 +1,13 @@
+2011-08-13 Abhishek Arya <[email protected]>
+
+ Crash in HTMLTreeBuilder::processAnyOtherEndTagForInBody.
+ https://bugs.webkit.org/show_bug.cgi?id=66187
+
+ Reviewed by Adam Barth.
+
+ * fast/html/process-end-tag-for-inbody-crash-expected.txt: Added.
+ * fast/html/process-end-tag-for-inbody-crash.html: Added.
+
2011-08-12 Ryosuke Niwa <[email protected]>
Skip the test added by r92997 on Qt port because it uses a method on EventSender that hasn't been
Added: trunk/LayoutTests/fast/html/process-end-tag-for-inbody-crash-expected.txt (0 => 93032)
--- trunk/LayoutTests/fast/html/process-end-tag-for-inbody-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/html/process-end-tag-for-inbody-crash-expected.txt 2011-08-14 23:08:11 UTC (rev 93032)
@@ -0,0 +1 @@
+PASS
Added: trunk/LayoutTests/fast/html/process-end-tag-for-inbody-crash.html (0 => 93032)
--- trunk/LayoutTests/fast/html/process-end-tag-for-inbody-crash.html (rev 0)
+++ trunk/LayoutTests/fast/html/process-end-tag-for-inbody-crash.html 2011-08-14 23:08:11 UTC (rev 93032)
@@ -0,0 +1,8 @@
+<rt>
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+document.body.innerHTML = "PASS";
+</script>
+</rt>
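Review bot: the new test file has no line saying what it checks or why the `<rt>` wrapper around the `<script>` matters, so a reader cannot tell that "PASS" only means the parser did not crash. Add a short comment or visible text to that effect, with the bug URL from the ChangeLog, so the markup is not simplified away later.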
Modified: trunk/Source/WebCore/ChangeLog (93031 => 93032)
--- trunk/Source/WebCore/ChangeLog 2011-08-14 17:54:21 UTC (rev 93031)
+++ trunk/Source/WebCore/ChangeLog 2011-08-14 23:08:11 UTC (rev 93032)
@@ -1,3 +1,19 @@
+2011-08-13 Abhishek Arya <[email protected]>
+
+ Crash in HTMLTreeBuilder::processAnyOtherEndTagForInBody
+ https://bugs.webkit.org/show_bug.cgi?id=66187
+
+ Reviewed by Adam Barth.
+
+ RefPtr a few ContainerNodes to prevent premature deletion.
+
+ Test: fast/html/process-end-tag-for-inbody-crash.html
+
+ * html/parser/HTMLTreeBuilder.cpp:
+ (WebCore::HTMLTreeBuilder::processCloseWhenNestedTag):
+ (WebCore::HTMLTreeBuilder::processAnyOtherEndTagForInBody):
+ (WebCore::HTMLTreeBuilder::callTheAdoptionAgency):
+
2011-08-14 Kalev Lember <[email protected]>
Fix GTK Windows build after r92308.
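Review bot: the entry "RefPtr a few ContainerNodes to prevent premature deletion" does not say which call can drop the last reference to the node, which is the information a future reader of HTMLTreeBuilder.cpp needs. It also lists three changed functions but only one test, named for processAnyOtherEndTagForInBody; say whether that test reaches processCloseWhenNestedTag and callTheAdoptionAgency as well, or note that those two changes are defensive.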
Modified: trunk/Source/WebCore/html/parser/HTMLTreeBuilder.cpp (93031 => 93032)
--- trunk/Source/WebCore/html/parser/HTMLTreeBuilder.cpp 2011-08-14 17:54:21 UTC (rev 93031)
+++ trunk/Source/WebCore/html/parser/HTMLTreeBuilder.cpp 2011-08-14 23:08:11 UTC (rev 93032)
@@ -605,13 +605,13 @@
m_framesetOk = false;
HTMLElementStack::ElementRecord* nodeRecord = m_tree.openElements()->topRecord();
while (1) {
- ContainerNode* node = nodeRecord->node();
- if (shouldClose(node)) {
+ RefPtr<ContainerNode> node = nodeRecord->node();
+ if (shouldClose(node.get())) {
ASSERT(node->isElementNode());
- processFakeEndTag(toElement(node)->tagQName());
+ processFakeEndTag(toElement(node.get())->tagQName());
break;
}
- if (isSpecialNode(node) && !node->hasTagName(addressTag) && !node->hasTagName(divTag) && !node->hasTagName(pTag))
+ if (isSpecialNode(node.get()) && !node->hasTagName(addressTag) && !node->hasTagName(divTag) && !node->hasTagName(pTag))
break;
nodeRecord = nodeRecord->next();
}
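Review bot: the new `RefPtr<ContainerNode> node` declaration at the top of the loop carries no comment explaining why a strong reference is needed, so a later cleanup could turn it back into a raw pointer. A one-line comment naming the call that can release the node (`processFakeEndTag` looks like the only call in this loop body that can mutate the open-element stack) would protect the fix. `nodeRecord` remains a raw `ElementRecord*`; that is safe here only because the loop breaks immediately after `processFakeEndTag`, which is worth stating in the same comment.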
@@ -1556,7 +1556,7 @@
ASSERT(token.type() == HTMLTokenTypes::EndTag);
HTMLElementStack::ElementRecord* record = m_tree.openElements()->topRecord();
while (1) {
- ContainerNode* node = record->node();
+ RefPtr<ContainerNode> node = record->node();
if (node->hasLocalName(token.name())) {
m_tree.generateImpliedEndTags();
// FIXME: The ElementRecord pointed to by record might be deleted by
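Review bot: `record` is still a raw `ElementRecord*` after this change, and the FIXME in the trailing context says the ElementRecord it points to might be deleted. Holding `node` in a RefPtr keeps the ContainerNode alive but not the record, so please confirm `record` is not dereferenced after `m_tree.generateImpliedEndTags()`, and update the FIXME to say which part of the problem the RefPtr resolves and which part remains.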
@@ -1570,13 +1570,13 @@
// http://www.w3.org/Bugs/Public/show_bug.cgi?id=10080
// We might have already popped the node for the token in
// generateImpliedEndTags, just abort.
- if (!m_tree.openElements()->contains(toElement(node)))
+ if (!m_tree.openElements()->contains(toElement(node.get())))
return;
}
- m_tree.openElements()->popUntilPopped(toElement(node));
+ m_tree.openElements()->popUntilPopped(toElement(node.get()));
return;
}
- if (isSpecialNode(node)) {
+ if (isSpecialNode(node.get())) {
parseError(token);
return;
}
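Review bot: style point, `toElement(node.get())` is now spelled out twice in this hunk, next to `isSpecialNode(node.get())`. Since `node` is already held by the RefPtr for the whole iteration, consider taking the element once into a local (for example `Element* element = toElement(node.get());`) after the `hasLocalName` check and passing that to `contains` and `popUntilPopped`, which keeps the ownership change to a single line.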
@@ -1633,7 +1633,7 @@
}
// 4.
ASSERT(furthestBlock->isAbove(formattingElementRecord));
- ContainerNode* commonAncestor = formattingElementRecord->next()->node();
+ RefPtr<ContainerNode> commonAncestor = formattingElementRecord->next()->node();
// 5.
HTMLFormattingElementList::Bookmark bookmark = m_tree.activeFormattingElements()->bookmarkFor(formattingElement);
// 6.
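Review bot: only `commonAncestor` is promoted to a RefPtr at step 4, while `formattingElementRecord` and `furthestBlock` in the same lines stay raw record pointers and are dereferenced right there (`formattingElementRecord->next()->node()`). If later steps can remove elements from the stack, those records need the same scrutiny; if they cannot, a short comment at this line saying which later step can release `commonAncestor` would make the reason for the asymmetry clear.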