Title: [146562] trunk
Revision
146562
Author
[email protected]
Date
2013-03-21 22:22:14 -0700 (Thu, 21 Mar 2013)

Log Message

XMLDocumentParser doesn't parse <template> correctly.
https://bugs.webkit.org/show_bug.cgi?id=112328

Reviewed by Hajime Morrita.

Source/WebCore:

XMLDocumentParser should check whether a parent node is attached or not
when a new element is appended.

Test: fast/dom/HTMLTemplateElement/xhtml-with-titleElement-parsing-crash.xhtml

* xml/parser/XMLDocumentParserLibxml2.cpp:
(WebCore::XMLDocumentParser::startElementNs):
m_currentNode is a parent node of newElement, but it is updated by
pushCurrentNode. So firstly stored copied m_currentNode's value into
local currentNode and used the currentNode to check whether
newElement's parent is attached or not.

LayoutTests:

* fast/dom/HTMLTemplateElement/xhtml-with-titleElement-parsing-crash-expected.txt: Added.
* fast/dom/HTMLTemplateElement/xhtml-with-titleElement-parsing-crash.xhtml: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (146561 => 146562)


--- trunk/LayoutTests/ChangeLog	2013-03-22 04:58:15 UTC (rev 146561)
+++ trunk/LayoutTests/ChangeLog	2013-03-22 05:22:14 UTC (rev 146562)
@@ -1,3 +1,13 @@
+2013-03-21  Takashi Sakamoto  <[email protected]>
+
+        XMLDocumentParser doesn't parse <template> correctly.
+        https://bugs.webkit.org/show_bug.cgi?id=112328
+
+        Reviewed by Hajime Morrita.
+
+        * fast/dom/HTMLTemplateElement/xhtml-with-titleElement-parsing-crash-expected.txt: Added.
+        * fast/dom/HTMLTemplateElement/xhtml-with-titleElement-parsing-crash.xhtml: Added.
+
 2013-03-21  Li Yin  <[email protected]>
 
         FileAPI: Remove deprecation warning when ArrayBuffer is in Blob constructor.

Added: trunk/LayoutTests/fast/dom/HTMLTemplateElement/xhtml-with-titleElement-parsing-crash-expected.txt (0 => 146562)


--- trunk/LayoutTests/fast/dom/HTMLTemplateElement/xhtml-with-titleElement-parsing-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/HTMLTemplateElement/xhtml-with-titleElement-parsing-crash-expected.txt	2013-03-22 05:22:14 UTC (rev 146562)
@@ -0,0 +1,3 @@
+[bug 112328] https://bugs.webkit.org/show_bug.cgi?id=112328 This test ensures WebKit does not crash when parsing XHTML which has a title element as a descendant node of a template element. If there is no crash, the test passes.
+
+PASS

Added: trunk/LayoutTests/fast/dom/HTMLTemplateElement/xhtml-with-titleElement-parsing-crash.xhtml (0 => 146562)


--- trunk/LayoutTests/fast/dom/HTMLTemplateElement/xhtml-with-titleElement-parsing-crash.xhtml	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/HTMLTemplateElement/xhtml-with-titleElement-parsing-crash.xhtml	2013-03-22 05:22:14 UTC (rev 146562)
@@ -0,0 +1,17 @@
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+</head>
+<body>
+  <p>[bug 112328] <a href="" This test ensures WebKit does not crash when parsing XHTML which has a title element as a descendant node of a template element. If there is no crash, the test passes.</p>
+  <template>
+    <object>
+      <title>replaceWholeText sample</title>
+    </object>
+  </template>
+  <div>PASS</div>
+</body>
+</html>
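
Review bot: the only pass signal in this test is the static `<div>PASS</div>` after the `<template>` block, so it catches the crash but not a regression where the `<title>` nested under `<template><object>` is still treated as part of the live document. Consider adding a script check (for example that `document.title` is still empty once parsing finishes) and a second case with `<title>` as a direct child of `<template>`, since the fix depends on whether the parent is attached.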

Modified: trunk/Source/WebCore/ChangeLog (146561 => 146562)


--- trunk/Source/WebCore/ChangeLog	2013-03-22 04:58:15 UTC (rev 146561)
+++ trunk/Source/WebCore/ChangeLog	2013-03-22 05:22:14 UTC (rev 146562)
@@ -1,3 +1,22 @@
+2013-03-21  Takashi Sakamoto  <[email protected]>
+
+        XMLDocumentParser doesn't parse <template> correctly.
+        https://bugs.webkit.org/show_bug.cgi?id=112328
+
+        Reviewed by Hajime Morrita.
+
+        XMLDocumentParser should check whether a parent node is attached or not
+        when a new element is appended.
+
+        Test: fast/dom/HTMLTemplateElement/xhtml-with-titleElement-parsing-crash.xhtml
+
+        * xml/parser/XMLDocumentParserLibxml2.cpp:
+        (WebCore::XMLDocumentParser::startElementNs):
+        m_currentNode is a parent node of newElement, but it is updated by
+        pushCurrentNode. So firstly stored copied m_curretNode's value into
+        local currentNode and used the currentNode to check whether
+        newElement's parent is attached or not.
+
 2013-03-21  David Grogan  <[email protected]>
 
         Unreviewed, rolling out r146560.
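
Review bot: in the startElementNs description, "m_curretNode" should read m_currentNode, and "So firstly stored copied" is hard to parse. The entry would also be more useful to someone triaging the crash later if it said which parent is unattached in the failing case and why attaching the child there is unsafe, rather than only describing the local variable.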

Modified: trunk/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp (146561 => 146562)


--- trunk/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp	2013-03-22 04:58:15 UTC (rev 146561)
+++ trunk/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp	2013-03-22 05:22:14 UTC (rev 146562)
@@ -826,6 +826,7 @@
 
     m_currentNode->parserAppendChild(newElement.get());
 
+    const ContainerNode* currentNode = m_currentNode;
 #if ENABLE(TEMPLATE_ELEMENT)
     if (newElement->hasTagName(HTMLNames::templateTag))
         pushCurrentNode(toHTMLTemplateElement(newElement.get())->content());
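
Review bot: the new local `currentNode` is captured just before pushCurrentNode() changes m_currentNode, so by the time it is read it is no longer the current node but the parent of newElement. A name such as parentNode, plus a one-line comment saying it must be taken before pushCurrentNode(), would stop a later cleanup from folding it back into m_currentNode. It is also a raw pointer held across the pushCurrentNode() calls; please state in that comment why the parent cannot be released in between.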
@@ -835,7 +836,7 @@
     pushCurrentNode(newElement.get());
 #endif
 
-    if (m_view && !newElement->attached())
+    if (m_view && currentNode->attached() && !newElement->attached())
         newElement->attach();
 
     if (newElement->hasTagName(HTMLNames::htmlTag))
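
Review bot: the added `currentNode->attached()` guard in the `if (m_view && ...)` condition covers only this call site in startElementNs. If other callbacks in this file attach a node after parserAppendChild(), they need the same parent check when the parent is a `<template>` content node; please confirm they are not affected, or factor the condition into a small helper so every attach path uses it.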