Title: [134779] trunk
Revision
134779
Author
[email protected]
Date
2012-11-15 08:35:30 -0800 (Thu, 15 Nov 2012)

Log Message

REGRESSION(r134408): Heap-use-after-free in WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement().
<http://webkit.org/b/102304>

Reviewed by Anders Carlsson.

Source/WebCore:

Test: fast/dom/cloneNode-below-body-attribute-merging.html

* html/parser/HTMLConstructionSite.cpp:
(WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement):

    Use Element::fastHasAttribute() to determine if a given attribute is already present on the element
    we're merging attributes into.

* dom/ElementAttributeData.h:
(ElementAttributeData):

    Remove a now-unnecessary friend declaration.

LayoutTests:

* fast/dom/cloneNode-below-body-attribute-merging-expected.txt: Added.
* fast/dom/cloneNode-below-body-attribute-merging.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (134778 => 134779)


--- trunk/LayoutTests/ChangeLog	2012-11-15 16:11:02 UTC (rev 134778)
+++ trunk/LayoutTests/ChangeLog	2012-11-15 16:35:30 UTC (rev 134779)
@@ -1,3 +1,13 @@
+2012-11-15  Andreas Kling  <[email protected]>
+
+        REGRESSION(r134408): Heap-use-after-free in WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement().
+        <http://webkit.org/b/102304>
+
+        Reviewed by Anders Carlsson.
+
+        * fast/dom/cloneNode-below-body-attribute-merging-expected.txt: Added.
+        * fast/dom/cloneNode-below-body-attribute-merging.html: Added.
+
 2012-11-15  Justin Novosad  <[email protected]>
 
         Cleanup test expectations after rebaseline r134668

Added: trunk/LayoutTests/fast/dom/cloneNode-below-body-attribute-merging-expected.txt (0 => 134779)


--- trunk/LayoutTests/fast/dom/cloneNode-below-body-attribute-merging-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/cloneNode-below-body-attribute-merging-expected.txt	2012-11-15 16:35:30 UTC (rev 134779)
@@ -0,0 +1,9 @@
+Tests that cloning the body node in response to a DOMSubtreeModified event doesn't crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/dom/cloneNode-below-body-attribute-merging.html (0 => 134779)


--- trunk/LayoutTests/fast/dom/cloneNode-below-body-attribute-merging.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/cloneNode-below-body-attribute-merging.html	2012-11-15 16:35:30 UTC (rev 134779)
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+document.addEventListener("DOMSubtreeModified", function() {
+    if (document.body)
+        document.body.cloneNode(false);
+}, false);
+</script>
+<meta charset="utf-8">
+<script src=""
+</head>
+<body id="some_random_id_so_body_creates_attribute_data" class="another_random_attribute_to_increase_crash_surface_area">
+<script>
+
+description("Tests that cloning the body node in response to a DOMSubtreeModified event doesn't crash.");
+
+</script>
+<script src=""
+</body>
+</html>
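Review bot: the two `<script src=""` tags carry an empty src and no closing `>` as rendered here, yet the inline script calls `description()` and the expected output checks `successfullyParsed`, both of which come from the shared js-test pre/post scripts; please confirm the real src paths are intact in the landed file, since with an empty src the test would fail on a missing `description` before it ever exercised the cloneNode path. A short comment above the `DOMSubtreeModified` listener saying that the clone of `document.body` is what runs script while the parser is still handling the `<body>` attributes would also help the next reader understand why the id and class attributes on `<body>` are there.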

Modified: trunk/Source/WebCore/ChangeLog (134778 => 134779)


--- trunk/Source/WebCore/ChangeLog	2012-11-15 16:11:02 UTC (rev 134778)
+++ trunk/Source/WebCore/ChangeLog	2012-11-15 16:35:30 UTC (rev 134779)
@@ -1,3 +1,23 @@
+2012-11-15  Andreas Kling  <[email protected]>
+
+        REGRESSION(r134408): Heap-use-after-free in WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement().
+        <http://webkit.org/b/102304>
+
+        Reviewed by Anders Carlsson.
+
+        Test: fast/dom/cloneNode-below-body-attribute-merging.html
+
+        * html/parser/HTMLConstructionSite.cpp:
+        (WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement):
+
+            Use Element::fastHasAttribute() to determine if a given attribute is already present on the element
+            we're merging attributes into.
+
+        * dom/ElementAttributeData.h:
+        (ElementAttributeData):
+
+            Remove a now-unnecessary friend declaration.
+
 2012-11-15  Elliott Sprehn  <[email protected]>
 
         Prevent creation of detached frames in ShadowRoot
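Review bot: the entry records what was swapped in but not why the previous code was unsafe; adding a sentence that the old code cached the element's ElementAttributeData pointer across `setAttribute()` calls, which can run script through mutation events and leave that pointer dangling, would make the REGRESSION line self-explanatory to anyone reading the log later.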

Modified: trunk/Source/WebCore/dom/ElementAttributeData.h (134778 => 134779)


--- trunk/Source/WebCore/dom/ElementAttributeData.h	2012-11-15 16:11:02 UTC (rev 134778)
+++ trunk/Source/WebCore/dom/ElementAttributeData.h	2012-11-15 16:35:30 UTC (rev 134779)
@@ -111,7 +111,6 @@
 private:
     friend class Element;
     friend class StyledElement;
-    friend class HTMLConstructionSite;
     friend class ImmutableElementAttributeData;
     friend class MutableElementAttributeData;
 
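Review bot: dropping `friend class HTMLConstructionSite` is the right follow-through, since HTMLConstructionSite.cpp no longer reaches into ElementAttributeData directly; it also means a future return to the pattern of caching the attribute data from the parser fails to compile rather than silently reintroducing the dangling pointer. Worth a quick check that no other HTMLConstructionSite member still relied on that private access before landing.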

Modified: trunk/Source/WebCore/html/parser/HTMLConstructionSite.cpp (134778 => 134779)


--- trunk/Source/WebCore/html/parser/HTMLConstructionSite.cpp	2012-11-15 16:11:02 UTC (rev 134778)
+++ trunk/Source/WebCore/html/parser/HTMLConstructionSite.cpp	2012-11-15 16:35:30 UTC (rev 134779)
@@ -197,11 +197,9 @@
     if (token->attributes().isEmpty())
         return;
 
-    ElementAttributeData* elementAttributeData = element->mutableAttributeData();
-
     for (unsigned i = 0; i < token->attributes().size(); ++i) {
         const Attribute& tokenAttribute = token->attributes().at(i);
-        if (!elementAttributeData->getAttributeItem(tokenAttribute.name()))
+        if (!element->fastHasAttribute(tokenAttribute.name()))
             element->setAttribute(tokenAttribute.name(), tokenAttribute.value());
     }
 }
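Review bot: the root cause is the `elementAttributeData` pointer that was fetched once before the loop and then dereferenced after each `element->setAttribute()` call; setAttribute can dispatch mutation events, and the new test shows a `DOMSubtreeModified` handler cloning the body during exactly this merge, so by the next iteration the cached pointer could already be stale. Re-querying through `element->fastHasAttribute()` on every iteration fixes that, but a one-line comment stating that the attribute data must not be cached across `setAttribute()` would keep the next person from reintroducing the optimization. Please also confirm that the fast, non-synchronizing lookup is intended for every attribute name a start-tag token can carry here, or note in a comment why a freshly parsed element makes it safe, rather than leaving that to be rediscovered.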
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes
