Title: [157470] trunk
- Revision: 157470
- Author: [email protected]
- Date: 2013-10-15 14:13:31 -0700 (Tue, 15 Oct 2013)
Log Message
REGRESSION: Crash in XMLDocumentParser::startElementNs
https://bugs.webkit.org/show_bug.cgi?id=122817
Reviewed by Darin Adler.
Source/WebCore:
Exit early in startElementNs when listeners and handlers of synchronous events such as the load event
remove the inserted node inside parserAppendChild.
Test: fast/parser/xhtml-synchronous-detach-crash.html
* xml/parser/XMLDocumentParserLibxml2.cpp:
(WebCore::XMLDocumentParser::startElementNs):
LayoutTests:
Add a regression test from https://chromium.googlesource.com/chromium/blink/+/57afab5d21cccd89f032b9a3e62f3a61c6a0e9c2
* fast/parser/resources/remove-parent.xhtml: Added.
* fast/parser/xhtml-synchronous-detach-crash-expected.txt: Added.
* fast/parser/xhtml-synchronous-detach-crash.html: Added.
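As an added illustration, not WebKit's code and not part of this patch, the toy C++ parser below models the re-entrancy described in the log message: while the parser is appending a new element, a synchronous event listener runs script that tears the parser down, so the parser must re-check its current node before touching it again. All names here (ToyNode, ToyParser, runDetachScenario, the `iframeLoadListener` hook) are hypothetical stand-ins; `detach()` plays the role of the document clearing the parser's node stack when the node owning it is removed.

```cpp
// Added example (not WebKit code): a toy SAX-style parser showing why
// startElementNs must re-check its current node after parserAppendChild.
// All identifiers are hypothetical.
#include <functional>
#include <memory>
#include <string>
#include <vector>

struct ToyNode {
    std::string tag;
    std::vector<std::shared_ptr<ToyNode>> children;
    explicit ToyNode(std::string t) : tag(std::move(t)) {}
};

struct ToyParser {
    ToyNode* current;                 // raw pointer, like m_currentNode
    std::vector<ToyNode*> stack;      // the parser's current-node stack
    bool stopped = false;
    int elementsOpened = 0;
    // Hook run synchronously when an <iframe> is inserted; stands in for the
    // load event that script can observe during parserAppendChild.
    std::function<void(ToyParser&)> iframeLoadListener;

    explicit ToyParser(ToyNode* root) : current(root) {}

    // What happens when the node owning this parser is removed from its
    // document: the node stack is cleared and parsing stops.
    void detach() {
        stopped = true;
        current = nullptr;
        stack.clear();
    }

    // Returns false when the element was not opened (parser stopped/detached).
    bool startElement(const std::string& tag) {
        if (stopped)
            return false;
        auto node = std::make_shared<ToyNode>(tag);
        ToyNode* raw = node.get();
        current->children.push_back(node);            // parserAppendChild

        // Synchronous listeners run here and may call detach() on us.
        if (tag == "iframe" && iframeLoadListener)
            iframeLoadListener(*this);

        // The r157470-style check: without it, the next line dereferences null.
        if (!current)
            return false;

        bool inTemplate = current->tag == "template";  // models the isTemplateElement() use
        (void)inTemplate;
        stack.push_back(current);
        current = raw;
        ++elementsOpened;
        return true;
    }

    void endElement() {
        if (stopped || stack.empty())                 // guarded pop keeps the stack balanced
            return;
        current = stack.back();
        stack.pop_back();
    }
};

struct ScenarioResult {
    bool rootIntact;     // subtree built before the detach is still reachable
    bool iframeOpened;   // startElement("iframe") returned true
    bool stoppedAfter;   // parser stopped itself instead of crashing
    bool stackBalanced;
};

// Parse html > body > iframe where the iframe's load listener detaches the
// parser synchronously, mirroring what remove-parent.xhtml does to its frame.
ScenarioResult runDetachScenario() {
    auto root = std::make_shared<ToyNode>("#document");
    ToyParser parser(root.get());
    parser.iframeLoadListener = [](ToyParser& p) { p.detach(); };

    parser.startElement("html");
    parser.startElement("body");
    bool iframeOpened = parser.startElement("iframe");  // listener fires inside
    parser.endElement();  // these must all be no-ops after the detach
    parser.endElement();
    parser.endElement();

    return { root->children.size() == 1 && root->children[0]->tag == "html",
             iframeOpened, parser.stopped, parser.stack.empty() };
}

// Same document with no hostile listener: every element opens normally.
int countOpenedWithoutListener() {
    auto root = std::make_shared<ToyNode>("#document");
    ToyParser parser(root.get());
    parser.startElement("html");
    parser.startElement("body");
    parser.startElement("iframe");
    parser.endElement(); parser.endElement(); parser.endElement();
    return parser.elementsOpened;
}

int main() {
    ScenarioResult r = runDetachScenario();
    return (r.rootIntact && !r.iframeOpened && r.stoppedAfter && r.stackBalanced) ? 0 : 1;
}
```

The point the toy makes is the one the patch relies on: any call that can run script (here the listener, in WebKit the synchronous load event inside parserAppendChild) invalidates every raw pointer the caller holds, so state such as the current node has to be re-read and re-validated after the call rather than before it, and the matching close-element path has to tolerate the early exit so the node stack stays balanced.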
Diff
Modified: trunk/LayoutTests/ChangeLog (157469 => 157470)
--- trunk/LayoutTests/ChangeLog 2013-10-15 21:11:47 UTC (rev 157469)
+++ trunk/LayoutTests/ChangeLog 2013-10-15 21:13:31 UTC (rev 157470)
@@ -1,3 +1,16 @@
+2013-10-14 Ryosuke Niwa <[email protected]>
+
+ REGRESSION: Crash in XMLDocumentParser::startElementNs
+ https://bugs.webkit.org/show_bug.cgi?id=122817
+
+ Reviewed by Darin Adler.
+
+ Add a regression test from https://chromium.googlesource.com/chromium/blink/+/57afab5d21cccd89f032b9a3e62f3a61c6a0e9c2
+
+ * fast/parser/resources/remove-parent.xhtml: Added.
+ * fast/parser/xhtml-synchronous-detach-crash-expected.txt: Added.
+ * fast/parser/xhtml-synchronous-detach-crash.html: Added.
+
2013-10-15 Commit Queue <[email protected]>
Unreviewed, rolling out r157460.
Added: trunk/LayoutTests/fast/parser/resources/remove-parent.xhtml (0 => 157470)
--- trunk/LayoutTests/fast/parser/resources/remove-parent.xhtml (rev 0)
+++ trunk/LayoutTests/fast/parser/resources/remove-parent.xhtml 2013-10-15 21:13:31 UTC (rev 157470)
@@ -0,0 +1,5 @@
+<html xmlns="http://www.w3.org/1999/xhtml">
+<body>
+<iframe src="" _onload_="parent.document.getElementsByTagName('iframe')[0].remove();"></iframe>
+</body>
+</html>
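Review bot: the iframe's handler attribute is spelled `_onload_` on the `<iframe>` line; that is not an event-handler attribute, so the removal script would never run and the resource would not reproduce the crash. It should read `onload="parent.document.getElementsByTagName('iframe')[0].remove();"`. It is also worth a one-line comment that the empty `src=""` is deliberate: the frame's load fires synchronously while the element is being inserted by the parser, which is what lets the handler remove the outer iframe (and so this document's parser) from inside parserAppendChild.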
Added: trunk/LayoutTests/fast/parser/xhtml-synchronous-detach-crash-expected.txt (0 => 157470)
--- trunk/LayoutTests/fast/parser/xhtml-synchronous-detach-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/parser/xhtml-synchronous-detach-crash-expected.txt 2013-10-15 21:13:31 UTC (rev 157470)
@@ -0,0 +1 @@
+This test passes if it does not crash.
Added: trunk/LayoutTests/fast/parser/xhtml-synchronous-detach-crash.html (0 => 157470)
--- trunk/LayoutTests/fast/parser/xhtml-synchronous-detach-crash.html (rev 0)
+++ trunk/LayoutTests/fast/parser/xhtml-synchronous-detach-crash.html 2013-10-15 21:13:31 UTC (rev 157470)
@@ -0,0 +1,14 @@
+<body>
+<script>
+if (window.testRunner)
+ testRunner.waitUntilDone();
+
+window._onload_ = function() {
+ setTimeout(function() {
+ testRunner.dumpAsText();
+ testRunner.notifyDone();
+ }, 0);
+}
+</script>
+<iframe src=''></iframe>
+This test passes if it does not crash.
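Review bot: the outer test's iframe is `<iframe src=''></iframe>`, so it never loads `resources/remove-parent.xhtml`, the resource this change adds and the only XHTML document in the test; as written the XML parser path is not exercised at all, and the src should point at `resources/remove-parent.xhtml`. Two smaller points on the script block: `window._onload_` should be `window.onload`, otherwise `notifyDone()` is never called and the test times out under the harness; and `testRunner.dumpAsText()` is called inside the timeout without the `if (window.testRunner)` guard used a few lines above, so move `testRunner.dumpAsText();` up next to `waitUntilDone()` and keep the guard in the timeout.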
Modified: trunk/Source/WebCore/ChangeLog (157469 => 157470)
--- trunk/Source/WebCore/ChangeLog 2013-10-15 21:11:47 UTC (rev 157469)
+++ trunk/Source/WebCore/ChangeLog 2013-10-15 21:13:31 UTC (rev 157470)
@@ -1,3 +1,18 @@
+2013-10-14 Ryosuke Niwa <[email protected]>
+
+ REGRESSION: Crash in XMLDocumentParser::startElementNs
+ https://bugs.webkit.org/show_bug.cgi?id=122817
+
+ Reviewed by Darin Adler.
+
+ Exit early in startElementNs when listeners and handlers of synchronous events such as load event
+ removes the inserted node inside parserAppendChild.
+
+ Test: fast/parser/xhtml-synchronous-detach-crash.html
+
+ * xml/parser/XMLDocumentParserLibxml2.cpp:
+ (WebCore::XMLDocumentParser::startElementNs):
+
2013-10-15 Joseph Pecoraro <[email protected]>
Web Inspector: Remove old frontend localizedStrings.js
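Review bot: the description should say which path leaves `m_currentNode` null, since that is what the new early return relies on; as written ("removes the inserted node inside parserAppendChild") a reader would expect `newElement` to be the thing that disappears, whereas the code comment in the patch checks `m_currentNode`. One sentence noting that removing the node that owns the frame detaches this document's parser and clears its node stack would make the fix self-explanatory. Grammar nit: "listeners and handlers ... removes" should be "remove".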
Modified: trunk/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp (157469 => 157470)
--- trunk/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp 2013-10-15 21:11:47 UTC (rev 157469)
+++ trunk/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp 2013-10-15 21:13:31 UTC (rev 157470)
@@ -849,6 +849,8 @@
m_scriptStartPosition = textPosition();
m_currentNode->parserAppendChild(newElement.get());
+ if (!m_currentNode) // Synchronous DOM events may have removed the current node.
+ return;
const ContainerNode* currentNode = m_currentNode;
#if ENABLE(TEMPLATE_ELEMENT)
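Review bot: the early return after `m_currentNode->parserAppendChild(newElement.get());` skips the rest of startElementNs, including whatever pushes `newElement` onto the current-node stack, so please confirm that the matching endElementNs is guarded when the parser has been detached in the same way; otherwise a later pop for this element would run against a stack that never got the push. The check itself is the right shape (re-read the member after the call that can run script, not before), but the comment would be clearer as `// Synchronous DOM events may have detached the parser and cleared m_currentNode.`, since "removed the current node" suggests the node, not the parser state, is what went away.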
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes