Title: [214515] branches/safari-603-branch

Diff

Modified: branches/safari-603-branch/LayoutTests/ChangeLog (214514 => 214515)


--- branches/safari-603-branch/LayoutTests/ChangeLog	2017-03-29 01:56:16 UTC (rev 214514)
+++ branches/safari-603-branch/LayoutTests/ChangeLog	2017-03-29 03:28:05 UTC (rev 214515)
@@ -1,3 +1,21 @@
+2017-03-28  Jason Marcell  <[email protected]>
+
+        Merge r211645. rdar://problem/30922105
+
+    2017-02-03  Chris Dumez  <[email protected]>
+
+            Fix bad assertion under HTMLTreeBuilder::processStartTagForInBody()
+            https://bugs.webkit.org/show_bug.cgi?id=167799
+            <rdar://problem/30237241>
+
+            Reviewed by Brent Fulgham.
+
+            Add layout test coverage. This test passes in all major browsers but used to hit
+            the bad assertion in WebKit debug builds.
+
+            * fast/parser/fragment-with-frameset-crash-expected.txt: Added.
+            * fast/parser/fragment-with-frameset-crash.html: Added.
+
 2017-03-20  Jason Marcell  <[email protected]>
 
         Merge r214096.

Added: branches/safari-603-branch/LayoutTests/fast/parser/fragment-with-frameset-crash-expected.txt (0 => 214515)


--- branches/safari-603-branch/LayoutTests/fast/parser/fragment-with-frameset-crash-expected.txt	                        (rev 0)
+++ branches/safari-603-branch/LayoutTests/fast/parser/fragment-with-frameset-crash-expected.txt	2017-03-29 03:28:05 UTC (rev 214515)
@@ -0,0 +1,10 @@
+Test that we do not crash when parsing a fragment that contains a frameset.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS frames[0].document.documentElement.innerHTML is "<head></head><frameset cols=\"50%,50%\"><frame src="" src=""
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
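Review bot: the PASS line ending in `<frame src="" src=""` looks truncated: it has no closing quote and no `</frameset>`, while the innerHTML assigned in the test contains two `<frame>` elements followed by `</frameset>`. Confirm this expected file was generated from an actual run of the test rather than hand-edited, otherwise the text comparison will fail even though the assertion no longer fires.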

Added: branches/safari-603-branch/LayoutTests/fast/parser/fragment-with-frameset-crash.html (0 => 214515)


--- branches/safari-603-branch/LayoutTests/fast/parser/fragment-with-frameset-crash.html	                        (rev 0)
+++ branches/safari-603-branch/LayoutTests/fast/parser/fragment-with-frameset-crash.html	2017-03-29 03:28:05 UTC (rev 214515)
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script src=""
+<iframe srcdoc='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd"><html></html>'></iframe>
+<script>
+description("Test that we do not crash when parsing a fragment that contains a frameset.");
+jsTestIsAsync = true;
+
+_onload_ = function() {
+    frames[0].document.documentElement.innerHTML = "<caption><frameset cols='50%,50%'><frame src=''/><frame src=''></frameset>";
+    shouldBeEqualToString("frames[0].document.documentElement.innerHTML", '<head></head><frameset cols="50%,50%"><frame src="" src=""
+    finishJSTest();
+}
+</script>
+<script src=""
+</body>
+</html>
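Review bot: `_onload_ = function() { ... }` assigns a plain global, not `window.onload`; unless this is a rendering artifact for `onload`, the handler never runs, `finishJSTest()` is never called and, with `jsTestIsAsync = true`, the test times out instead of reporting PASS. The two `<script src=""` lines also lack `>` and `</script>`, and the second argument to `shouldBeEqualToString` is an unterminated string literal; confirm the committed file loads the js-test harness scripts that define `description`, `shouldBeEqualToString` and `finishJSTest`, and that the expected string matches the one in the -expected.txt file.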

Modified: branches/safari-603-branch/Source/WebCore/ChangeLog (214514 => 214515)


--- branches/safari-603-branch/Source/WebCore/ChangeLog	2017-03-29 01:56:16 UTC (rev 214514)
+++ branches/safari-603-branch/Source/WebCore/ChangeLog	2017-03-29 03:28:05 UTC (rev 214515)
@@ -1,3 +1,38 @@
+2017-03-28  Jason Marcell  <[email protected]>
+
+        Merge r211645. rdar://problem/30922105
+
+    2017-02-03  Chris Dumez  <[email protected]>
+
+            Fix bad assertion under HTMLTreeBuilder::processStartTagForInBody()
+            https://bugs.webkit.org/show_bug.cgi?id=167799
+            <rdar://problem/30237241>
+
+            Reviewed by Brent Fulgham.
+
+            Fix bad assertion under HTMLTreeBuilder::processStartTagForInBody() that was
+            expecting the root element to be an <html> element when parsing a <frameset>.
+            While this assertion is true in theory and as per the specification, it does
+            not hold in WebKit when parsing a DocumentFragment. This is because WebKit
+            has an optimization causing us to have a DocumentFragment as root element
+            when parsing a fragment. See the following constructor:
+            "HTMLTreeBuilder(HTMLDocumentParser&, DocumentFragment&, Element&, ParserContentPolicy, const HTMLParserOptions&)"
+
+            which has the following code:
+            """
+            // https://html.spec.whatwg.org/multipage/syntax.html#parsing-html-fragments
+            // For efficiency, we skip step 5 ("Let root be a new html element with no attributes") and instead use the DocumentFragment as a root node.
+            m_tree.openElements().pushRootNode(HTMLStackItem::create(fragment));
+            """
+
+            Update the assertion to expect a DocumentFragment as root element when parsing
+            a fragment, and keep expecting an <html> element otherwise.
+
+            Test: fast/parser/fragment-with-frameset-crash.html
+
+            * html/parser/HTMLTreeBuilder.cpp:
+            (WebCore::HTMLTreeBuilder::processStartTagForInBody):
+
 2017-03-22  Jason Marcell  <[email protected]>
 
         Merge r214125. rdar://problem/30921831
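Review bot: the entry explains the root cause well, but it should state explicitly that only ASSERT lines change, so release builds are unaffected and the "crash" in the test name refers to a debug-only assertion failure; that distinction matters when this merge is triaged against rdar://problem/30922105.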

Modified: branches/safari-603-branch/Source/WebCore/html/parser/HTMLTreeBuilder.cpp (214514 => 214515)


--- branches/safari-603-branch/Source/WebCore/html/parser/HTMLTreeBuilder.cpp	2017-03-29 01:56:16 UTC (rev 214514)
+++ branches/safari-603-branch/Source/WebCore/html/parser/HTMLTreeBuilder.cpp	2017-03-29 03:28:05 UTC (rev 214515)
@@ -595,7 +595,9 @@
         m_tree.openElements().bodyElement().remove();
         m_tree.openElements().popUntil(m_tree.openElements().bodyElement());
         m_tree.openElements().popHTMLBodyElement();
-        ASSERT(&m_tree.openElements().top() == &m_tree.openElements().htmlElement());
+        // Note: in the fragment case the root is a DocumentFragment instead of a proper html element which is a quirk / optimization in WebKit.
+        ASSERT(!isParsingFragment() || is<DocumentFragment>(m_tree.openElements().topNode()));
+        ASSERT(isParsingFragment() || &m_tree.openElements().top() == &m_tree.openElements().htmlElement());
         m_tree.insertHTMLElement(WTFMove(token));
         m_insertionMode = InsertionMode::InFrameset;
         return;
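Review bot: the hunk only relaxes debug assertions, so the tree-building path is unchanged: in the fragment case the `<frameset>` is still inserted with the DocumentFragment as its parent, which is what the expected output (`<head></head><frameset ...>` directly under the fragment root) reflects. Two small points: `is<DocumentFragment>(...)` requires the DocumentFragment type to be fully declared in this file and the hunk adds no include, so check it is already present; and the explanatory comment runs well past the width of the surrounding code, so wrap it onto two lines.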
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
