Title: [252667] trunk
- Revision
- 252667
- Author
- commit-qu...@webkit.org
- Date
- 2019-11-19 17:27:35 -0800 (Tue, 19 Nov 2019)
Log Message
Nullptr crash in Node::setTextContent via Document::setTitle if title element is removed before setTextContent call.
https://bugs.webkit.org/show_bug.cgi?id=204332
Patch by Sunny He <sunny...@apple.com> on 2019-11-19
Reviewed by Ryosuke Niwa.
Source/WebCore:
Test: fast/dom/Document/title-property-set-with-dom-event.html
* dom/Document.cpp:
(WebCore::Document::setTitle):
LayoutTests:
* fast/dom/Document/title-property-set-with-dom-event-expected.txt: Added.
* fast/dom/Document/title-property-set-with-dom-event.html: Added.
* fast/dom/Document/title-property-set-with-dom-event-svg-expected.html: Added.
* fast/dom/Document/title-property-set-with-dom-event-svg.html: Added.
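The crash described in the log message, reduced to a small model. This is an added example written for this page, not WebKit code: Document, Node, insertListeners, the three Strategy variants of setTitle and the run() driver are all assumptions standing in for WebCore::Document, m_titleElement, the synchronous DOMNodeInserted dispatch inside insertBefore/appendChild, and the listeners in the two layout tests. It contrasts the pre-fix read of the member after re-entrant script has run (NullDereference), the r252667 re-check (the write is dropped), and a third option, holding a local strong reference across the insertion, which keeps the write but can leave a replacement title element untouched.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Model of an element that only carries text content (assumption, not WebCore::Node).
struct Node {
    std::string textContent;
};

enum class Strategy { Unchecked, Rechecked, LocalRef };
enum class Listener { None, RemoveTitle, ReplaceTitle };
enum class Outcome { Applied, Dropped, NullDereference };

struct Document {
    std::shared_ptr<Node> titleElement;                          // stands in for m_titleElement
    std::vector<std::function<void(Document&)>> insertListeners; // stands in for DOMNodeInserted

    void removeTitle() { titleElement.reset(); }

    // Insertion dispatches listeners synchronously before returning, so any
    // member read after this call may observe whatever the listener did.
    void insertTitle(std::shared_ptr<Node> node) {
        titleElement = std::move(node);
        for (auto& listener : insertListeners)
            listener(*this);
    }

    Outcome setTitle(const std::string& title, Strategy strategy) {
        if (strategy == Strategy::LocalRef) {
            // Hold our own strong reference across the re-entrant call and write
            // to it even if a listener detached it in the meantime.
            std::shared_ptr<Node> element = titleElement;
            if (!element) {
                element = std::make_shared<Node>();
                insertTitle(element);
            }
            element->textContent = title;
            return Outcome::Applied;
        }
        if (!titleElement)
            insertTitle(std::make_shared<Node>());
        if (!titleElement) {
            // Pre-fix code dereferenced the null member here; r252667 adds this
            // check and skips the write. Reported as a value instead of crashing
            // so the difference between the two shapes is observable.
            return strategy == Strategy::Unchecked ? Outcome::NullDereference : Outcome::Dropped;
        }
        titleElement->textContent = title;
        return Outcome::Applied;
    }
};

struct Result {
    Outcome outcome;
    bool titleInTree;       // does the document still hold a title element afterwards?
    std::string inTreeText; // its text content, empty if there is none
};

// Performs the equivalent of `document.title = "abc"` with one listener
// registered; `fired` mirrors the { once: true } option in the layout test.
Result run(Listener listener, Strategy strategy) {
    bool fired = false;
    Document doc;
    if (listener == Listener::RemoveTitle) {
        doc.insertListeners.push_back([&fired](Document& d) {
            if (fired) return;
            fired = true;
            d.removeTitle();
        });
    } else if (listener == Listener::ReplaceTitle) {
        doc.insertListeners.push_back([&fired](Document& d) {
            if (fired) return;
            fired = true;
            d.removeTitle();
            d.insertTitle(std::make_shared<Node>()); // a different title element
        });
    }
    Result r;
    r.outcome = doc.setTitle("abc", strategy);
    r.titleInTree = doc.titleElement != nullptr;
    r.inTreeText = r.titleInTree ? doc.titleElement->textContent : std::string();
    return r;
}

int main() {
    const char* names[] = { "Applied", "Dropped", "NullDereference" };
    for (Listener l : { Listener::None, Listener::RemoveTitle, Listener::ReplaceTitle }) {
        for (Strategy s : { Strategy::Unchecked, Strategy::Rechecked, Strategy::LocalRef }) {
            Result r = run(l, s);
            std::printf("listener=%d strategy=%d outcome=%s inTree=%d text=\"%s\"\n",
                        static_cast<int>(l), static_cast<int>(s),
                        names[static_cast<int>(r.outcome)], r.titleInTree, r.inTreeText.c_str());
        }
    }
    return 0;
}
```

Any C++11 compiler builds it. The ReplaceTitle rows are the caveat: the re-check writes to whichever element is in the tree after the listener ran, while the local-reference variant writes to the element it created, so the two disagree whenever script swaps the title element instead of only removing it.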
Diff
Modified: trunk/LayoutTests/ChangeLog (252666 => 252667)
--- trunk/LayoutTests/ChangeLog 2019-11-20 01:24:53 UTC (rev 252666)
+++ trunk/LayoutTests/ChangeLog 2019-11-20 01:27:35 UTC (rev 252667)
@@ -1,3 +1,14 @@
+2019-11-19 Sunny He <sunny...@apple.com>
+
+ Nullptr crash in Node::setTextContent via Document::setTitle if title element is removed before setTextContent call.
+ https://bugs.webkit.org/show_bug.cgi?id=204332
+
+ Reviewed by Ryosuke Niwa.
+
+ * fast/dom/Document/title-property-set-with-dom-event-expected.txt: Added.
+ * fast/dom/Document/title-property-set-with-dom-event.html: Added.
+ * fast/dom/Document/title-property-set-with-dom-event-svg-expected.html: Added.
+ * fast/dom/Document/title-property-set-with-dom-event-svg.html: Added.
2019-11-19 Jiewen Tan <jiewen_...@apple.com>
Unreviewed, test gardening
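Review bot: the entry lists fast/dom/Document/title-property-set-with-dom-event-svg-expected.html as added, but the file this revision actually adds is title-property-set-with-dom-event-svg-expected.txt (a dumpAsText expectation, like the non-SVG one); the ChangeLog entry and the identical line in the commit message should name the .txt file so the record matches the tree.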
Added: trunk/LayoutTests/fast/dom/Document/title-property-set-with-dom-event-expected.txt (0 => 252667)
--- trunk/LayoutTests/fast/dom/Document/title-property-set-with-dom-event-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/dom/Document/title-property-set-with-dom-event-expected.txt 2019-11-20 01:27:35 UTC (rev 252667)
@@ -0,0 +1 @@
+Test that setting title while there is a registred DOMNodeInserted event handler which indirectly deletes title doesn't crash.
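Review bot: "registred" should be "registered". The same misspelling is in the SVG expectation file and in the <p> text of both test pages; since dumpAsText compares this file byte for byte against the rendered paragraph, all four places have to change together or the test starts failing.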
Added: trunk/LayoutTests/fast/dom/Document/title-property-set-with-dom-event-svg-expected.txt (0 => 252667)
--- trunk/LayoutTests/fast/dom/Document/title-property-set-with-dom-event-svg-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/dom/Document/title-property-set-with-dom-event-svg-expected.txt 2019-11-20 01:27:35 UTC (rev 252667)
@@ -0,0 +1 @@
+Test that setting title of a SVG document while there is a registred DOMNodeInserted event handler which indirectly deletes title doesn't crash.
Added: trunk/LayoutTests/fast/dom/Document/title-property-set-with-dom-event-svg.html (0 => 252667)
--- trunk/LayoutTests/fast/dom/Document/title-property-set-with-dom-event-svg.html (rev 0)
+++ trunk/LayoutTests/fast/dom/Document/title-property-set-with-dom-event-svg.html 2019-11-20 01:27:35 UTC (rev 252667)
@@ -0,0 +1,23 @@
+<html>
+<head>
+<script>
+function test() {
+ if (window.testRunner) {
+ window.testRunner.dumpAsText();
+ }
+ var SVG_NAMESPACE = "http://www.w3.org/2000/svg";
+ var svgDocument = document.implementation.createDocument(SVG_NAMESPACE, "svg", null);
+
+ svgDocument.addEventListener("DOMNodeInserted", () => {
+ var a = svgDocument.querySelector("title").remove();
+ });
+ svgDocument.title = "abc"
+}
+test()
+</script>
+</head>
+<body>
+ <p>Test that setting title of a SVG document while there is a registred DOMNodeInserted event handler which indirectly deletes title doesn't crash.
+ </p>
+</body>
+</html>
\ No newline at end of file
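Review bot: `var a = svgDocument.querySelector("title").remove();` stores the undefined return value of remove() and never uses `a`; drop the assignment. Unlike the HTML test, the listener here is not registered with `{once : true}`, so any later insertion into svgDocument re-enters the handler with querySelector("title") returning null and throws a TypeError; registering it once keeps the two tests consistent. Minor: semicolons are missing after `svgDocument.title = "abc"` and `test()`, and the file has no trailing newline.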
Added: trunk/LayoutTests/fast/dom/Document/title-property-set-with-dom-event.html (0 => 252667)
--- trunk/LayoutTests/fast/dom/Document/title-property-set-with-dom-event.html (rev 0)
+++ trunk/LayoutTests/fast/dom/Document/title-property-set-with-dom-event.html 2019-11-20 01:27:35 UTC (rev 252667)
@@ -0,0 +1,21 @@
+<html>
+<head>
+<script>
+function test() {
+ if (window.testRunner) {
+ window.testRunner.dumpAsText();
+ }
+
+ window.top.addEventListener("DOMNodeInserted", () => {
+ document.head.innerHTML = 123;
+ }, {once : true});
+ document.title = "abc";
+}
+test()
+</script>
+</head>
+<body>
+ <p>Test that setting title while there is a registred DOMNodeInserted event handler which indirectly deletes title doesn't crash.
+ </p>
+</body>
+</html>
\ No newline at end of file
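Review bot: `document.head.innerHTML = 123;` detaches the freshly appended <title> only as a side effect of replacing every child of <head> (including the <script> that is running), and `window.top` is used so the bubbled DOMNodeInserted is caught at the window; a one-line comment stating that this is the intended way to remove the title during appendChild would spare the next reader the detour. The page prints no PASS line, so dumpAsText only records the paragraph and the test proves "did not crash" alone, which is the point here but worth saying in the expectation text. Trailing newline is missing.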
Modified: trunk/Source/WebCore/ChangeLog (252666 => 252667)
--- trunk/Source/WebCore/ChangeLog 2019-11-20 01:24:53 UTC (rev 252666)
+++ trunk/Source/WebCore/ChangeLog 2019-11-20 01:27:35 UTC (rev 252667)
@@ -1,3 +1,15 @@
+2019-11-19 Sunny He <sunny...@apple.com>
+
+ Nullptr crash in Node::setTextContent via Document::setTitle if title element is removed before setTextContent call.
+ https://bugs.webkit.org/show_bug.cgi?id=204332
+
+ Reviewed by Ryosuke Niwa.
+
+ Test: fast/dom/Document/title-property-set-with-dom-event.html
+
+ * dom/Document.cpp:
+ (WebCore::Document::setTitle):
+
2019-11-19 Youenn Fablet <you...@apple.com>
Introduce a mock implementation of CoreAudioSharedUnit
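Review bot: the "Test:" line names only title-property-set-with-dom-event.html; the SVG variant title-property-set-with-dom-event-svg.html added in the same revision exercises the SVG branch of Document::setTitle and should be listed as well ("Tests:" with one path per line). A sentence on the cause, that insertBefore/appendChild dispatch DOMNodeInserted synchronously and the handler can remove the element m_titleElement points at, would also help; the entry currently describes only the symptom.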
Modified: trunk/Source/WebCore/dom/Document.cpp (252666 => 252667)
--- trunk/Source/WebCore/dom/Document.cpp 2019-11-20 01:24:53 UTC (rev 252666)
+++ trunk/Source/WebCore/dom/Document.cpp 2019-11-20 01:27:35 UTC (rev 252667)
@@ -1609,7 +1609,9 @@
m_titleElement = SVGTitleElement::create(SVGNames::titleTag, *this);
element->insertBefore(*m_titleElement, element->firstChild());
}
- m_titleElement->setTextContent(title);
+ // insertBefore above may have ran scripts which removed m_titleElement
+ if (m_titleElement)
+ m_titleElement->setTextContent(title);
} else if (is<HTMLElement>(element)) {
if (!m_titleElement) {
auto* headElement = head();
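Review bot: the comment should read "may have run", not "may have ran". On the logic: the re-check relies on m_titleElement being cleared when the element leaves the document, and when it fails the assignment is silently dropped, so the setter has no effect and the caller is not told. An alternative that keeps the setter's effect is to hold a local `Ref<>` to the title element across the insertBefore call and call setTextContent on it whether or not it is still attached; that also removes the need to re-read the member after script has run. If the re-check is kept, a short note on why dropping the write is acceptable belongs next to it.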
@@ -1618,7 +1620,9 @@
m_titleElement = HTMLTitleElement::create(HTMLNames::titleTag, *this);
headElement->appendChild(*m_titleElement);
}
- m_titleElement->setTextContent(title);
+ // appendChild above may have ran scripts which removed m_titleElement
+ if (m_titleElement)
+ m_titleElement->setTextContent(title);
}
}
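Review bot: same comment grammar here ("may have run"). Both branches now end with the identical guarded `if (m_titleElement) m_titleElement->setTextContent(title);`; unless the remaining case (a document element that is neither SVG nor HTML) can ever have m_titleElement set, hoisting the single guarded call below the if/else chain keeps the two branches from drifting apart and leaves one place to document the re-entrancy hazard.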