[webkit-changes] [211645] trunk

[cdumez]

Title: [211645] trunk

Revision

211645

Author

cdu...@apple.com

Date

2017-02-03 12:49:39 -0800 (Fri, 03 Feb 2017)

Log Message

Fix bad assertion under HTMLTreeBuilder::processStartTagForInBody()
https://bugs.webkit.org/show_bug.cgi?id=167799
<rdar://problem/30237241>

Reviewed by Brent Fulgham.

Source/WebCore:

Fix bad assertion under HTMLTreeBuilder::processStartTagForInBody() that was
expecting the root element to be an <html> element when parsing a <frameset>.
While this assertion is true in theory and as per the specification, it does
not hold in WebKit when parsing a DocumentFragment. This is because WebKit
has an optimization causing us to have a DocumentFragment as root element
when parsing a fragment. See the following constructor:
"HTMLTreeBuilder(HTMLDocumentParser&, DocumentFragment&, Element&, ParserContentPolicy, const HTMLParserOptions&)"

which has the following code:
"""
// https://html.spec.whatwg.org/multipage/syntax.html#parsing-html-fragments
// For efficiency, we skip step 5 ("Let root be a new html element with no attributes") and instead use the DocumentFragment as a root node.
m_tree.openElements().pushRootNode(HTMLStackItem::create(fragment));
"""

Update the assertion to expect a DocumentFragment as root element when parsing
a fragment, and keep expecting an <html> element otherwise.

Test: fast/parser/fragment-with-frameset-crash.html

* html/parser/HTMLTreeBuilder.cpp:
(WebCore::HTMLTreeBuilder::processStartTagForInBody):

LayoutTests:

Add layout test coverage. This test passes in all major browsers but used to hit
the bad assertion in WebKit debug builds.

* fast/parser/fragment-with-frameset-crash-expected.txt: Added.
* fast/parser/fragment-with-frameset-crash.html: Added.

Modified Paths

• trunk/LayoutTests/ChangeLog
• trunk/Source/WebCore/ChangeLog
• trunk/Source/WebCore/html/parser/HTMLTreeBuilder.cpp

Added Paths

• trunk/LayoutTests/fast/parser/fragment-with-frameset-crash-expected.txt
• trunk/LayoutTests/fast/parser/fragment-with-frameset-crash.html

Diff

Modified: trunk/LayoutTests/ChangeLog (211644 => 211645)

--- trunk/LayoutTests/ChangeLog	2017-02-03 20:28:40 UTC (rev 211644)
+++ trunk/LayoutTests/ChangeLog	2017-02-03 20:49:39 UTC (rev 211645)
@@ -1,3 +1,17 @@
+2017-02-03  Chris Dumez  <cdu...@apple.com>
+
+        Fix bad assertion under HTMLTreeBuilder::processStartTagForInBody()
+        https://bugs.webkit.org/show_bug.cgi?id=167799
+        <rdar://problem/30237241>
+
+        Reviewed by Brent Fulgham.
+
+        Add layout test coverage. This test passes in all major browsers but used to hit
+        the bad assertion in WebKit debug builds.
+
+        * fast/parser/fragment-with-frameset-crash-expected.txt: Added.
+        * fast/parser/fragment-with-frameset-crash.html: Added.
+
 2017-02-03  Antoine Quint  <grao...@apple.com>
 
         [Modern Media Controls] Skip back button is visible with a live broadcast video

Added: trunk/LayoutTests/fast/parser/fragment-with-frameset-crash-expected.txt (0 => 211645)

--- trunk/LayoutTests/fast/parser/fragment-with-frameset-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/parser/fragment-with-frameset-crash-expected.txt	2017-02-03 20:49:39 UTC (rev 211645)
@@ -0,0 +1,10 @@
+Test that we do not crash when parsing a fragment that contains a frameset.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS frames[0].document.documentElement.innerHTML is "<head></head><frameset cols=\"50%,50%\"><frame src="" src=""
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/parser/fragment-with-frameset-crash.html (0 => 211645)

--- trunk/LayoutTests/fast/parser/fragment-with-frameset-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/parser/fragment-with-frameset-crash.html	2017-02-03 20:49:39 UTC (rev 211645)
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script src=""
+<iframe srcdoc='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd"><html></html>'></iframe>
+<script>
+description("Test that we do not crash when parsing a fragment that contains a frameset.");
+jsTestIsAsync = true;
+
+_onload_ = function() {
+    frames[0].document.documentElement.innerHTML = "<caption><frameset cols='50%,50%'><frame src=''/><frame src=''></frameset>";
+    shouldBeEqualToString("frames[0].document.documentElement.innerHTML", '<head></head><frameset cols="50%,50%"><frame src="" src=""
+    finishJSTest();
+}
+</script>
+<script src=""
+</body>
+</html>

Modified: trunk/Source/WebCore/ChangeLog (211644 => 211645)

--- trunk/Source/WebCore/ChangeLog	2017-02-03 20:28:40 UTC (rev 211644)
+++ trunk/Source/WebCore/ChangeLog	2017-02-03 20:49:39 UTC (rev 211645)
@@ -1,3 +1,34 @@
+2017-02-03  Chris Dumez  <cdu...@apple.com>
+
+        Fix bad assertion under HTMLTreeBuilder::processStartTagForInBody()
+        https://bugs.webkit.org/show_bug.cgi?id=167799
+        <rdar://problem/30237241>
+
+        Reviewed by Brent Fulgham.
+
+        Fix bad assertion under HTMLTreeBuilder::processStartTagForInBody() that was
+        expecting the root element to be an <html> element when parsing a <frameset>.
+        While this assertion is true in theory and as per the specification, it does
+        not hold in WebKit when parsing a DocumentFragment. This is because WebKit
+        has an optimization causing us to have a DocumentFragment as root element
+        when parsing a fragment. See the following constructor:
+        "HTMLTreeBuilder(HTMLDocumentParser&, DocumentFragment&, Element&, ParserContentPolicy, const HTMLParserOptions&)"
+
+        which has the following code:
+        """
+        // https://html.spec.whatwg.org/multipage/syntax.html#parsing-html-fragments
+        // For efficiency, we skip step 5 ("Let root be a new html element with no attributes") and instead use the DocumentFragment as a root node.
+        m_tree.openElements().pushRootNode(HTMLStackItem::create(fragment));
+        """
+
+        Update the assertion to expect a DocumentFragment as root element when parsing
+        a fragment, and keep expecting an <html> element otherwise.
+
+        Test: fast/parser/fragment-with-frameset-crash.html
+
+        * html/parser/HTMLTreeBuilder.cpp:
+        (WebCore::HTMLTreeBuilder::processStartTagForInBody):
+
 2017-02-03  Antoine Quint  <grao...@apple.com>
 
         [Modern Media Controls] Skip back button is visible with a live broadcast video

Modified: trunk/Source/WebCore/html/parser/HTMLTreeBuilder.cpp (211644 => 211645)

--- trunk/Source/WebCore/html/parser/HTMLTreeBuilder.cpp	2017-02-03 20:28:40 UTC (rev 211644)
+++ trunk/Source/WebCore/html/parser/HTMLTreeBuilder.cpp	2017-02-03 20:49:39 UTC (rev 211645)
@@ -599,7 +599,9 @@
         m_tree.openElements().bodyElement().remove();
         m_tree.openElements().popUntil(m_tree.openElements().bodyElement());
         m_tree.openElements().popHTMLBodyElement();
-        ASSERT(&m_tree.openElements().top() == &m_tree.openElements().htmlElement());
+        // Note: in the fragment case the root is a DocumentFragment instead of a proper html element which is a quirk / optimization in WebKit.
+        ASSERT(!isParsingFragment() || is<DocumentFragment>(m_tree.openElements().topNode()));
+        ASSERT(isParsingFragment() || &m_tree.openElements().top() == &m_tree.openElements().htmlElement());
         m_tree.insertHTMLElement(WTFMove(token));
         m_insertionMode = InsertionMode::InFrameset;
         return;

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes