Title: [159588] branches/safari-537.73-branch

Diff

Modified: branches/safari-537.73-branch/LayoutTests/ChangeLog (159587 => 159588)


--- branches/safari-537.73-branch/LayoutTests/ChangeLog	2013-11-20 23:25:38 UTC (rev 159587)
+++ branches/safari-537.73-branch/LayoutTests/ChangeLog	2013-11-20 23:36:04 UTC (rev 159588)
@@ -1,3 +1,20 @@
+2013-11-20  Lucas Forschler  <[email protected]>
+
+        Merge r159481
+
+    2013-11-18  Zalan Bujtas  <[email protected]>
+
+            use after free in WebCore::DocumentOrderedMap::remove / WebCore::TreeScope::removeElementById
+            https://bugs.webkit.org/show_bug.cgi?id=121324
+
+            Reviewed by Ryosuke Niwa.
+
+            Update the document ordered map for an image element before dispatching load or error events
+            when it's inserted into a document.
+
+            * fast/dom/modify-node-and-while-in-the-callback-too-crash-expected.txt: Added.
+            * fast/dom/modify-node-and-while-in-the-callback-too-crash.html: Added.
+
 2013-11-14  Brent Fulgham  <[email protected]>
 
         Unreviewed. Rebaselines branch after r158468

Copied: branches/safari-537.73-branch/LayoutTests/fast/dom/modify-node-and-while-in-the-callback-too-crash-expected.txt (from rev 159481, trunk/LayoutTests/fast/dom/modify-node-and-while-in-the-callback-too-crash-expected.txt) (0 => 159588)


--- branches/safari-537.73-branch/LayoutTests/fast/dom/modify-node-and-while-in-the-callback-too-crash-expected.txt	                        (rev 0)
+++ branches/safari-537.73-branch/LayoutTests/fast/dom/modify-node-and-while-in-the-callback-too-crash-expected.txt	2013-11-20 23:36:04 UTC (rev 159588)
@@ -0,0 +1,3 @@
+This tests that making changes on a node that triggers a callback where we make changes again on the same node does not result in an assert/crash. Test passes if no crash is observed.
+
+

Copied: branches/safari-537.73-branch/LayoutTests/fast/dom/modify-node-and-while-in-the-callback-too-crash.html (from rev 159481, trunk/LayoutTests/fast/dom/modify-node-and-while-in-the-callback-too-crash.html) (0 => 159588)


--- branches/safari-537.73-branch/LayoutTests/fast/dom/modify-node-and-while-in-the-callback-too-crash.html	                        (rev 0)
+++ branches/safari-537.73-branch/LayoutTests/fast/dom/modify-node-and-while-in-the-callback-too-crash.html	2013-11-20 23:36:04 UTC (rev 159588)
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<body>
+    <p>This tests that making changes on a node that triggers a callback where we make changes 
+    again on the same node does not result in an assert/crash.
+    Test passes if no crash is observed.</p>  
+    <img id="error-image" src=""
+    <div id="container"></div>
+
+    <script> 
+        if (window.testRunner)
+            testRunner.dumpAsText();
+        
+        var img = document.getElementById('error-image');
+        var container = document.getElementById('container');
+
+        img._onerror_ = function() { 
+            container.parentNode.removeChild(container);
+        }
+        
+        container.appendChild(img);
+    </script>
+</body>
+</html>
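Review bot: the `<img id="error-image" src=""` start tag is never closed with `>`, so the `<div id="container"></div>` on the next line is tokenized as further attributes of the img (the duplicate `id` is dropped) and no element with id `container` exists; `document.getElementById('container')` then returns null and `container.appendChild(img)` throws before the error path is ever exercised, letting a "passes if no crash" test pass vacuously. Close the tag as `<img id="error-image" src="">`. Likewise `img._onerror_ = function() { ... }` as rendered here assigns an arbitrary property rather than the `onerror` handler; if that is only the mailer's rendering of `onerror`, fine, otherwise the callback that removes `container` never runs and the reproducer does not reproduce.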

Modified: branches/safari-537.73-branch/Source/WebCore/ChangeLog (159587 => 159588)


--- branches/safari-537.73-branch/Source/WebCore/ChangeLog	2013-11-20 23:25:38 UTC (rev 159587)
+++ branches/safari-537.73-branch/Source/WebCore/ChangeLog	2013-11-20 23:36:04 UTC (rev 159588)
@@ -1,3 +1,27 @@
+2013-11-20  Lucas Forschler  <[email protected]>
+
+        Merge r159481
+
+    2013-11-18  Zalan Bujtas  <[email protected]>
+
+            use after free in WebCore::DocumentOrderedMap::remove / WebCore::TreeScope::removeElementById
+            https://bugs.webkit.org/show_bug.cgi?id=121324
+
+            Reviewed by Ryosuke Niwa.
+
+            Update the document ordered map for an image element before dispatching load or error events
+            when it's inserted into a document.
+
+            Test: fast/dom/modify-node-and-while-in-the-callback-too-crash.html
+
+            * dom/DocumentOrderedMap.cpp: defensive fix to avoid use after free issues.
+            (WebCore::DocumentOrderedMap::remove):
+            * html/HTMLImageElement.cpp:
+            (WebCore::HTMLImageElement::insertedInto):
+            * loader/ImageLoader.cpp:
+            (WebCore::ImageLoader::updateFromElement): setting m_failedLoadURL makes
+            repeated updateFromElement calls return early.
+
 2013-11-13  Dean Jackson  <[email protected]>
 
         <rdar://problem/15292359>
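Review bot: the entry describes `dom/DocumentOrderedMap.cpp` as a "defensive fix to avoid use after free issues" but does not say which change is the root-cause fix; one sentence stating that the `HTMLImageElement::insertedInto` reordering is the actual fix and the map check is a release-build guard only (the ASSERT is kept) would keep a future reader from treating the guard as the fix and reverting the reorder.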

Modified: branches/safari-537.73-branch/Source/WebCore/dom/DocumentOrderedMap.cpp (159587 => 159588)


--- branches/safari-537.73-branch/Source/WebCore/dom/DocumentOrderedMap.cpp	2013-11-20 23:25:38 UTC (rev 159587)
+++ branches/safari-537.73-branch/Source/WebCore/dom/DocumentOrderedMap.cpp	2013-11-20 23:36:04 UTC (rev 159588)
@@ -106,6 +106,9 @@
     m_map.checkConsistency();
     Map::iterator it = m_map.find(key);
     ASSERT(it != m_map.end());
+    if (it == m_map.end())
+        return;
+
     MapEntry& entry = it->value;
 
     ASSERT(entry.count);
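Review bot: the new early return sits directly under `ASSERT(it != m_map.end())`, so debug builds still crash on the exact condition release builds now silently tolerate; that is acceptable as defense in depth, but the two lines read as contradictory without explanation. Add a one-line comment above `if (it == m_map.end())` saying a key can be missing when the element was removed re-entrantly from a load/error callback (bug 121324), so the guard is not later removed as dead code and so a reappearance of the double-remove is still caught in debug builds.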

Modified: branches/safari-537.73-branch/Source/WebCore/html/HTMLImageElement.cpp (159587 => 159588)


--- branches/safari-537.73-branch/Source/WebCore/html/HTMLImageElement.cpp	2013-11-20 23:25:38 UTC (rev 159587)
+++ branches/safari-537.73-branch/Source/WebCore/html/HTMLImageElement.cpp	2013-11-20 23:36:04 UTC (rev 159588)
@@ -203,12 +203,16 @@
         }
     }
 
+    // Insert needs to complete first, before we start updating the loader. Loader dispatches events which could result
+    // in callbacks back to this node.
+    Node::InsertionNotificationRequest insertNotificationRequest = HTMLElement::insertedInto(insertionPoint);
+
     // If we have been inserted from a renderer-less document,
     // our loader may have not fetched the image, so do it now.
     if (insertionPoint->inDocument() && !m_imageLoader.image())
         m_imageLoader.updateFromElement();
 
-    return HTMLElement::insertedInto(insertionPoint);
+    return insertNotificationRequest;
 }
 
 void HTMLImageElement::removedFrom(ContainerNode* insertionPoint)
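Review bot: this reordering is the substantive fix, since `HTMLElement::insertedInto(insertionPoint)` now runs before `m_imageLoader.updateFromElement()`, so the element's id is registered in the tree scope's ordered map before any event the loader dispatches can re-enter script and remove the node; the added comment should say so explicitly and name the events (load/error, per the ChangeLog) rather than the vaguer "callbacks back to this node". The `InsertionNotificationRequest` is captured and returned unchanged, so callers see the same result as before.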

Modified: branches/safari-537.73-branch/Source/WebCore/loader/ImageLoader.cpp (159587 => 159588)


--- branches/safari-537.73-branch/Source/WebCore/loader/ImageLoader.cpp	2013-11-20 23:25:38 UTC (rev 159587)
+++ branches/safari-537.73-branch/Source/WebCore/loader/ImageLoader.cpp	2013-11-20 23:36:04 UTC (rev 159588)
@@ -212,8 +212,9 @@
             clearFailedLoadURL();
     } else if (!attr.isNull()) {
         // Fire an error event if the url is empty.
-        // FIXME: Should we fire this event asynchronoulsy via errorEventSender()?
-        m_element->dispatchEvent(Event::create(eventNames().errorEvent, false, false));
+        m_failedLoadURL = attr;
+        m_hasPendingErrorEvent = true;
+        errorEventSender().dispatchEventSoon(this);
     }
     
     CachedImage* oldImage = m_image.get();
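Review bot: dispatching the empty-URL error via `errorEventSender().dispatchEventSoon(this)` makes it asynchronous, which answers the removed FIXME and removes the synchronous re-entrancy from `insertedInto`, but the hunk sets `m_hasPendingErrorEvent = true` and `m_failedLoadURL = attr` without showing where either is reset. Confirm that the pending event is cancelled on loader teardown (so the sender never fires into a destroyed element) and that `clearFailedLoadURL()` in the preceding context is reached when `src` later changes, otherwise the early return the ChangeLog relies on ("repeated updateFromElement calls return early") could also suppress a subsequent legitimate load.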
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes