[webkit-changes] [165044] trunk

[rniwa]

Title: [165044] trunk

Revision

165044

Author

rn...@webkit.org

Date

2014-03-04 01:45:55 -0800 (Tue, 04 Mar 2014)

Log Message

REGRESSION(r164856): Use after free in WebCore::QualifiedName::operator== / WebCore::StyledElement::attributeChanged
https://bugs.webkit.org/show_bug.cgi?id=129550

Reviewed by Andreas Kling.

Source/WebCore: 

We can't store a reference to QualifiedName here because ensureUniqueElementData could delete QualifiedName inside Attribute.

Test: fast/dom/uniquing-attributes-via-setAttribute.html

* dom/Element.cpp:
(WebCore::Element::setAttributeInternal):

LayoutTests: 

Added a regression test.

* fast/dom/uniquing-attributes-via-setAttribute-expected.txt: Added.
* fast/dom/uniquing-attributes-via-setAttribute.html: Added.

Modified Paths

• trunk/LayoutTests/ChangeLog
• trunk/Source/WebCore/ChangeLog
• trunk/Source/WebCore/dom/Element.cpp

Added Paths

• trunk/LayoutTests/fast/dom/uniquing-attributes-via-setAttribute-expected.txt
• trunk/LayoutTests/fast/dom/uniquing-attributes-via-setAttribute.html

Diff

Modified: trunk/LayoutTests/ChangeLog (165043 => 165044)

--- trunk/LayoutTests/ChangeLog	2014-03-04 08:26:28 UTC (rev 165043)
+++ trunk/LayoutTests/ChangeLog	2014-03-04 09:45:55 UTC (rev 165044)
@@ -1,3 +1,15 @@
+2014-03-04  Ryosuke Niwa  <rn...@webkit.org>
+
+        REGRESSION(r164856): Use after free in WebCore::QualifiedName::operator== / WebCore::StyledElement::attributeChanged
+        https://bugs.webkit.org/show_bug.cgi?id=129550
+
+        Reviewed by Andreas Kling.
+
+        Added a regression test.
+
+        * fast/dom/uniquing-attributes-via-setAttribute-expected.txt: Added.
+        * fast/dom/uniquing-attributes-via-setAttribute.html: Added.
+
 2014-03-03  Myles C. Maxfield  <mmaxfi...@apple.com>
 
         Space between double underlines does not scale with font size

Added: trunk/LayoutTests/fast/dom/uniquing-attributes-via-setAttribute-expected.txt (0 => 165044)

--- trunk/LayoutTests/fast/dom/uniquing-attributes-via-setAttribute-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/uniquing-attributes-via-setAttribute-expected.txt	2014-03-04 09:45:55 UTC (rev 165044)
@@ -0,0 +1,3 @@
+Tests uniquing attributes via setAttribute. WebKit shouldn't crash under GuardMalloc or ASAN builds.
+
+PASS. WebKit didn't crash.

Added: trunk/LayoutTests/fast/dom/uniquing-attributes-via-setAttribute.html (0 => 165044)

--- trunk/LayoutTests/fast/dom/uniquing-attributes-via-setAttribute.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/uniquing-attributes-via-setAttribute.html	2014-03-04 09:45:55 UTC (rev 165044)
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>Tests uniquing attributes via setAttribute. WebKit shouldn't crash under GuardMalloc or ASAN builds.</p>
+<div></div>
+<script>
+
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+var div = document.querySelector('div');
+div.setAttribute('name', 'a');
+
+var divClone = div.cloneNode(true);
+document.body.appendChild(divClone);
+
+div.setAttribute('name', 'b');
+divClone.setAttribute('name', 'b');
+
+document.write("PASS. WebKit didn't crash.");
+
+</script>
+</body>
+</html>

Modified: trunk/Source/WebCore/ChangeLog (165043 => 165044)

--- trunk/Source/WebCore/ChangeLog	2014-03-04 08:26:28 UTC (rev 165043)
+++ trunk/Source/WebCore/ChangeLog	2014-03-04 09:45:55 UTC (rev 165044)
@@ -1,3 +1,17 @@
+2014-03-04  Ryosuke Niwa  <rn...@webkit.org>
+
+        REGRESSION(r164856): Use after free in WebCore::QualifiedName::operator== / WebCore::StyledElement::attributeChanged
+        https://bugs.webkit.org/show_bug.cgi?id=129550
+
+        Reviewed by Andreas Kling.
+
+        We can't store a reference to QualifiedName here because ensureUniqueElementData could delete QualifiedName inside Attribute.
+
+        Test: fast/dom/uniquing-attributes-via-setAttribute.html
+
+        * dom/Element.cpp:
+        (WebCore::Element::setAttributeInternal):
+
 2014-03-04  Hyowon Kim  <hw1008....@samsung.com>
 
         Move EvasGLContext and EvasGLSurface files into the efl common directory.

Modified: trunk/Source/WebCore/dom/Element.cpp (165043 => 165044)

--- trunk/Source/WebCore/dom/Element.cpp	2014-03-04 08:26:28 UTC (rev 165043)
+++ trunk/Source/WebCore/dom/Element.cpp	2014-03-04 09:45:55 UTC (rev 165044)
@@ -1029,7 +1029,7 @@
     const Attribute& attribute = attributeAt(index);
     AtomicString oldValue = attribute.value();
     bool valueChanged = newValue != oldValue;
-    const QualifiedName& attributeName = (!inSynchronizationOfLazyAttribute || valueChanged) ? attribute.name() : name;
+    QualifiedName attributeName = (!inSynchronizationOfLazyAttribute || valueChanged) ? attribute.name() : name;
 
     if (!inSynchronizationOfLazyAttribute)
         willModifyAttribute(attributeName, oldValue, newValue);

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes