Title: [232272] trunk/Source/WebCore
- Revision
- 232272
- Author
- [email protected]
- Date
- 2018-05-29 13:30:18 -0700 (Tue, 29 May 2018)
Log Message
iOS WK1: Occasional crash in sanitizedMarkupForFragmentInDocument
https://bugs.webkit.org/show_bug.cgi?id=186011
Reviewed by David Kilzer.
The crash was caused by the HTML parser in sanitizedMarkupForFragmentInDocument yielding in the web thread
when _WebThreadLock() sets webThreadShouldYield to true in the main thread.
No new tests. This is occasionally caught by existing tests.
* editing/markup.cpp:
(WebCore::createPageForSanitizingWebContent): Fixed the bug by making the HTML parser never yield.
Also release-assert that the body is never null here.
(WebCore::sanitizedMarkupForFragmentInDocument): Removed superflous call to WTFMove since appendChild
takes a reference, not a Ref.
* inspector/InspectorOverlay.cpp:
(WebCore::InspectorOverlay::overlayPage): Deployed the same fix.
* loader/DocumentWriter.cpp:
(WebCore::DocumentWriter::insertDataSynchronously): Added.
* loader/DocumentWriter.h:
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (232271 => 232272)
--- trunk/Source/WebCore/ChangeLog 2018-05-29 20:04:14 UTC (rev 232271)
+++ trunk/Source/WebCore/ChangeLog 2018-05-29 20:30:18 UTC (rev 232272)
@@ -1,3 +1,26 @@
+2018-05-29 Ryosuke Niwa <[email protected]>
+
+ iOS WK1: Occasional crash in sanitizedMarkupForFragmentInDocument
+ https://bugs.webkit.org/show_bug.cgi?id=186011
+
+ Reviewed by David Kilzer.
+
+ The crash was caused by the HTML parser in sanitizedMarkupForFragmentInDocument yielding in the web thread
+ when _WebThreadLock() sets webThreadShouldYield to true in the main thread.
+
+ No new tests. This is occasionally caught by existing tests.
+
+ * editing/markup.cpp:
+ (WebCore::createPageForSanitizingWebContent): Fixed the bug by making the HTML parser never yield.
+ Also release-assert that the body is never null here.
+ (WebCore::sanitizedMarkupForFragmentInDocument): Removed superflous call to WTFMove since appendChild
+ takes a reference, not a Ref.
+ * inspector/InspectorOverlay.cpp:
+ (WebCore::InspectorOverlay::overlayPage): Deployed the same fix.
+ * loader/DocumentWriter.cpp:
+ (WebCore::DocumentWriter::insertDataSynchronously): Added.
+ * loader/DocumentWriter.h:
+
2018-05-29 Chris Dumez <[email protected]>
Avoid unnecessary String allocation in isPublicSuffix(const String&)
Modified: trunk/Source/WebCore/editing/markup.cpp (232271 => 232272)
--- trunk/Source/WebCore/editing/markup.cpp 2018-05-29 20:04:14 UTC (rev 232271)
+++ trunk/Source/WebCore/editing/markup.cpp 2018-05-29 20:30:18 UTC (rev 232272)
@@ -189,10 +189,12 @@
FrameLoader& loader = frame.loader();
static char markup[] = "<!DOCTYPE html><html><body></body></html>";
ASSERT(loader.activeDocumentLoader());
- loader.activeDocumentLoader()->writer().setMIMEType("text/html");
- loader.activeDocumentLoader()->writer().begin();
- loader.activeDocumentLoader()->writer().addData(markup, sizeof(markup));
- loader.activeDocumentLoader()->writer().end();
+ auto& writer = loader.activeDocumentLoader()->writer();
+ writer.setMIMEType("text/html");
+ writer.begin();
+ writer.insertDataSynchronously(String(markup));
+ writer.end();
+ RELEASE_ASSERT(page->mainFrame().document()->body());
return page;
}
@@ -859,7 +861,7 @@
auto bodyElement = makeRefPtr(document.body());
ASSERT(bodyElement);
- bodyElement->appendChild(WTFMove(fragment));
+ bodyElement->appendChild(fragment.get());
auto range = Range::create(document);
range->selectNodeContents(*bodyElement);
Modified: trunk/Source/WebCore/inspector/InspectorOverlay.cpp (232271 => 232272)
--- trunk/Source/WebCore/inspector/InspectorOverlay.cpp 2018-05-29 20:04:14 UTC (rev 232271)
+++ trunk/Source/WebCore/inspector/InspectorOverlay.cpp 2018-05-29 20:30:18 UTC (rev 232272)
@@ -729,10 +729,11 @@
frame.view()->setCanHaveScrollbars(false);
frame.view()->setTransparent(true);
ASSERT(loader.activeDocumentLoader());
- loader.activeDocumentLoader()->writer().setMIMEType("text/html");
- loader.activeDocumentLoader()->writer().begin();
- loader.activeDocumentLoader()->writer().addData(reinterpret_cast<const char*>(InspectorOverlayPage_html), sizeof(InspectorOverlayPage_html));
- loader.activeDocumentLoader()->writer().end();
+ auto& writer = loader.activeDocumentLoader()->writer();
+ writer.setMIMEType("text/html");
+ writer.begin();
+ writer.insertDataSynchronously(String(reinterpret_cast<const char*>(InspectorOverlayPage_html), sizeof(InspectorOverlayPage_html)));
+ writer.end();
#if OS(WINDOWS)
evaluateInOverlay("setPlatform", "windows");
Modified: trunk/Source/WebCore/loader/DocumentWriter.cpp (232271 => 232272)
--- trunk/Source/WebCore/loader/DocumentWriter.cpp 2018-05-29 20:04:14 UTC (rev 232271)
+++ trunk/Source/WebCore/loader/DocumentWriter.cpp 2018-05-29 20:30:18 UTC (rev 232272)
@@ -253,6 +253,14 @@
m_parser->appendBytes(*this, bytes, length);
}
+void DocumentWriter::insertDataSynchronously(const String& markup)
+{
+ ASSERT(m_state != NotStartedWritingState);
+ ASSERT(m_state != FinishedWritingState);
+ ASSERT(m_parser);
+ m_parser->insert(markup);
+}
+
void DocumentWriter::end()
{
ASSERT(m_frame->page());
Modified: trunk/Source/WebCore/loader/DocumentWriter.h (232271 => 232272)
--- trunk/Source/WebCore/loader/DocumentWriter.h 2018-05-29 20:04:14 UTC (rev 232271)
+++ trunk/Source/WebCore/loader/DocumentWriter.h 2018-05-29 20:30:18 UTC (rev 232272)
@@ -51,8 +51,9 @@
bool begin();
bool begin(const URL&, bool dispatchWindowObjectAvailable = true, Document* ownerDocument = nullptr);
void addData(const char* bytes, size_t length);
+ void insertDataSynchronously(const String&); // For an internal use only to prevent the parser from yielding.
WEBCORE_EXPORT void end();
-
+
void setFrame(Frame* frame) { m_frame = frame; }
WEBCORE_EXPORT void setEncoding(const String& encoding, bool userChosen);
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
