Skip to site navigation (Press enter)

[webkit-changes] [178363] trunk

akling Tue, 13 Jan 2015 09:00:12 -0800

Title: [178363] trunk

Revision: 178363
Author: [email protected]
Date: 2015-01-13 08:59:49 -0800 (Tue, 13 Jan 2015)

Log Message

Element::normalizeAttributes() needs to handle arbitrary JS executing between loop iterations.
<https://webkit.org/b/140379>
<rdar://problem/19446901>


Reviewed by Benjamin Poulain.

Source/WebCore:

Since DOM mutation events may arise below the call to Node::normalize(),
have the loop in Element::normalizeAttributes() make a copy of the Attr nodes
beforehand, to guard against mutations.

Based on a patch by Chris "Chris Dumez" Dumez.

Test: fast/dom/Element/normalize-crash2.html

* dom/Element.cpp:
(WebCore::Element::normalizeAttributes):

LayoutTests:

* fast/dom/Element/normalize-crash2-expected.txt: Added.
* fast/dom/Element/normalize-crash2.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/dom/Element.cpp

Added Paths

trunk/LayoutTests/fast/dom/Element/normalize-crash2-expected.txt
trunk/LayoutTests/fast/dom/Element/normalize-crash2.html

Diff

Modified: trunk/LayoutTests/ChangeLog (178362 => 178363)


--- trunk/LayoutTests/ChangeLog	2015-01-13 13:14:09 UTC (rev 178362)
+++ trunk/LayoutTests/ChangeLog	2015-01-13 16:59:49 UTC (rev 178363)
@@ -1,3 +1,14 @@
+2015-01-13  Andreas Kling  <[email protected]>
+
+        Element::normalizeAttributes() needs to handle arbitrary JS executing between loop iterations.
+        <https://webkit.org/b/140379>
+        <rdar://problem/19446901>
+
+        Reviewed by Benjamin Poulain.
+
+        * fast/dom/Element/normalize-crash2-expected.txt: Added.
+        * fast/dom/Element/normalize-crash2.html: Added.
+
 2015-01-13  Andrzej Badowski  <[email protected]>
 
         AX: [ATK] Mark accessibility/table-with-footer-section-above-body.html as a suitable test for EFL and GTK

Added: trunk/LayoutTests/fast/dom/Element/normalize-crash2-expected.txt (0 => 178363)


--- trunk/LayoutTests/fast/dom/Element/normalize-crash2-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/Element/normalize-crash2-expected.txt	2015-01-13 16:59:49 UTC (rev 178363)
@@ -0,0 +1,9 @@
+This test passes if it does not crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/dom/Element/normalize-crash2.html (0 => 178363)


--- trunk/LayoutTests/fast/dom/Element/normalize-crash2.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/Element/normalize-crash2.html	2015-01-13 16:59:49 UTC (rev 178363)
@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<script src=""
+<div name="testDiv" id="testDiv"></div>
+<script>
+description("This test passes if it does not crash.");
+ 
+var testDiv = document.getElementById("testDiv");
+testDiv.attributes[0].appendChild(new Text("test"));
+testDiv.cloneNode(false);
+gc();
+testDiv.normalize();
+</script>

Modified: trunk/Source/WebCore/ChangeLog (178362 => 178363)


--- trunk/Source/WebCore/ChangeLog	2015-01-13 13:14:09 UTC (rev 178362)
+++ trunk/Source/WebCore/ChangeLog	2015-01-13 16:59:49 UTC (rev 178363)
@@ -1,3 +1,22 @@
+2015-01-13  Andreas Kling  <[email protected]>
+
+        Element::normalizeAttributes() needs to handle arbitrary JS executing between loop iterations.
+        <https://webkit.org/b/140379>
+        <rdar://problem/19446901>
+
+        Reviewed by Benjamin Poulain.
+
+        Since DOM mutation events may arise below the call to Node::normalize(),
+        have the loop in Element::normalizeAttributes() make a copy of the Attr nodes
+        beforehand, to guard against mutations.
+
+        Based on a patch by Chris "Chris Dumez" Dumez.
+
+        Test: fast/dom/Element/normalize-crash2.html
+
+        * dom/Element.cpp:
+        (WebCore::Element::normalizeAttributes):
+
 2015-01-13  Shivakumar JM  <[email protected]>
 
         Fix Debug Build Error in Webcore module.

Modified: trunk/Source/WebCore/dom/Element.cpp (178362 => 178363)


--- trunk/Source/WebCore/dom/Element.cpp	2015-01-13 13:14:09 UTC (rev 178362)
+++ trunk/Source/WebCore/dom/Element.cpp	2015-01-13 16:59:49 UTC (rev 178363)
@@ -2313,10 +2313,17 @@
 {
     if (!hasAttributes())
         return;
-    for (const Attribute& attribute : attributesIterator()) {
-        if (RefPtr<Attr> attr = attrIfExists(attribute.name()))
-            attr->normalize();
-    }
+
+    auto* attrNodeList = attrNodeListForElement(*this);
+    if (!attrNodeList)
+        return;
+
+    // Copy the Attr Vector because Node::normalize() can fire synchronous JS
+    // events (e.g. DOMSubtreeModified) and a JS listener could add / remove
+    // attributes while we are iterating.
+    auto copyOfAttrNodeList = *attrNodeList;
+    for (auto& attrNode : copyOfAttrNodeList)
+        attrNode->normalize();
 }
 
 PseudoElement* Element::beforePseudoElement() const

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes