Revision: 190760
Author: [email protected]
Date: 2015-10-08 16:45:11 -0700 (Thu, 08 Oct 2015)
Log Message
Gracefully handle XMLDocumentParser being detached by mutation events.
https://bugs.webkit.org/show_bug.cgi?id=149485
<rdar://problem/22811489>
Source/WebCore:
This is a merge of Blink change 200026,
https://codereview.chromium.org/1267283002
Patch by Jiewen Tan <[email protected]> on 2015-10-08
Reviewed by Darin Adler.
Test: fast/parser/xhtml-dom-character-data-modified-crash.html
* xml/parser/XMLDocumentParser.cpp:
(WebCore::XMLDocumentParser::createLeafTextNode):
Renamed from enterText() to make it more descriptive.
(WebCore::XMLDocumentParser::updateLeafTextNode):
Renamed from exitText to firm up this stage.
(WebCore::XMLDocumentParser::end):
Gracefully handle stopped states.
(WebCore::XMLDocumentParser::enterText): Deleted.
(WebCore::XMLDocumentParser::exitText): Deleted.
* xml/parser/XMLDocumentParser.h:
Rename enterText to createLeafTextNode.
Rename exitText to updateLeafTextNode.
* xml/parser/XMLDocumentParserLibxml2.cpp:
(WebCore::XMLDocumentParser::startElementNs):
(WebCore::XMLDocumentParser::endElementNs):
(WebCore::XMLDocumentParser::characters):
(WebCore::XMLDocumentParser::processingInstruction):
(WebCore::XMLDocumentParser::cdataBlock):
(WebCore::XMLDocumentParser::comment):
(WebCore::XMLDocumentParser::endDocument):
Rename function calls and firm up updateLeafTextNode stage accordingly.
LayoutTests:
Patch by Jiewen Tan <[email protected]> on 2015-10-08
Reviewed by Darin Adler.
* fast/parser/resources/xhtml-overwrite-frame.xhtml: Added.
* fast/parser/xhtml-dom-character-data-modified-crash-expected.txt: Added.
* fast/parser/xhtml-dom-character-data-modified-crash.html: Added.
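The re-entrancy the log message describes, modelled in an added C++ example (this is not WebKit code; TextNode, Document, ToyXmlParser and runScenario are hypothetical stand-ins for the WebCore classes): a parser buffers character data, flushes it into a text node, and the flush fires a DOMCharacterDataModified-style listener that detaches the parser before control returns. The unsafe variant ignores the post-flush state the way callers of the old exitText() did; the fixed variant honours the bool the way the patched callers do. The model goes one step beyond the patch by surfacing the detached-document access as an exception, so the hazard is observable instead of the null dereference the real parser would hit.

```cpp
// Added example (not WebKit code): a model of the re-entrancy the patch handles.
// A parser buffers text, then flushes it into a text node whose appendData()
// fires a mutation listener; that listener may tear the parser down mid-flush.
// All names are hypothetical stand-ins for the WebCore ones.
#include <functional>
#include <memory>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Stand-in for a DOM Text node: appendData() runs a DOMCharacterDataModified
// listener, i.e. arbitrary code, before control returns to the parser.
struct TextNode {
    std::string data;
    std::function<void()> onCharacterDataModified;
    void appendData(const std::string& s) {
        data += s;
        if (onCharacterDataModified) onCharacterDataModified();
    }
};

struct Document { std::vector<std::string> inserted; };   // markup added, in order

class ToyXmlParser {
public:
    // recheckAfterFlush = false models callers of the old exitText(); true models
    // the patched callers that honour updateLeafTextNode()'s result.
    ToyXmlParser(Document& doc, bool recheckAfterFlush) : m_document(&doc), m_recheckAfterFlush(recheckAfterFlush) {}
    void setMutationListener(std::function<void()> f) { m_listener = std::move(f); }

    // Like XMLDocumentParser::characters(): text is only buffered here.
    void characters(const std::string& s) {
        if (m_stopped) return;
        if (!m_leafTextNode) {
            m_leafTextNode = std::make_shared<TextNode>();
            m_leafTextNode->onCharacterDataModified = m_listener;
        }
        m_bufferedText += s;
    }

    // Like startElementNs(): flush buffered text, then touch the document.
    void startElement(const std::string& name) {
        if (m_stopped) return;
        bool stillRunning = updateLeafTextNode();   // may run the listener
        if (m_recheckAfterFlush && !stillRunning) return;
        document().inserted.push_back("<" + name + ">");
    }

    // What a mutation handler reaches when it removes the frame being parsed.
    void detach() { m_stopped = true; m_document = nullptr; m_leafTextNode.reset(); }

private:
    bool updateLeafTextNode() {
        if (m_stopped) return false;
        if (!m_leafTextNode) return true;
        auto node = m_leafTextNode;            // keep the node alive across the callback
        node->appendData(m_bufferedText);      // may re-enter detach()
        m_bufferedText.clear();
        m_leafTextNode.reset();
        return !m_stopped;                     // the re-check the patch adds
    }
    // The real parser would dereference a null member here; the model throws so
    // the hazard is observable instead of undefined behaviour.
    Document& document() {
        if (!m_document) throw std::logic_error("parser used after detach");
        return *m_document;
    }

    Document* m_document;
    bool m_recheckAfterFlush;
    bool m_stopped = false;
    std::string m_bufferedText;
    std::shared_ptr<TextNode> m_leafTextNode;
    std::function<void()> m_listener;
};

// Feeds "hello<b>" through a parser. With detachOnMutation the listener tears
// the parser down while the text is flushed, as the layout test's frame
// overwrite does. Returns "crash" if the parser touched its document after
// detach, "stopped cleanly" if it bailed out, else the markup it inserted.
std::string runScenario(bool recheckAfterFlush, bool detachOnMutation) {
    Document doc;
    ToyXmlParser parser(doc, recheckAfterFlush);
    if (detachOnMutation)
        parser.setMutationListener([&parser] { parser.detach(); });
    try {
        parser.characters("hello");
        parser.startElement("b");
    } catch (const std::logic_error&) {
        return "crash";
    }
    if (doc.inserted.empty()) return "stopped cleanly";
    std::string out;
    for (const auto& s : doc.inserted) out += s;
    return out;
}
```

The point to carry away is structural rather than specific to XML: any call that can run script (here appendData() firing a mutation event) invalidates every assumption made before it, so "is the parser still alive and attached" has to be asked again after the call, not only before it, and the caller has to act on the answer.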
Modified Paths
- trunk/LayoutTests/ChangeLog
- trunk/Source/WebCore/ChangeLog
- trunk/Source/WebCore/xml/parser/XMLDocumentParser.cpp
- trunk/Source/WebCore/xml/parser/XMLDocumentParser.h
- trunk/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp
Added Paths
- trunk/LayoutTests/fast/parser/resources/xhtml-overwrite-frame.xhtml
- trunk/LayoutTests/fast/parser/xhtml-dom-character-data-modified-crash-expected.txt
- trunk/LayoutTests/fast/parser/xhtml-dom-character-data-modified-crash.html
Diff
Modified: trunk/LayoutTests/ChangeLog (190759 => 190760)
--- trunk/LayoutTests/ChangeLog 2015-10-08 23:34:08 UTC (rev 190759)
+++ trunk/LayoutTests/ChangeLog 2015-10-08 23:45:11 UTC (rev 190760)
@@ -1,5 +1,17 @@
2015-10-08 Jiewen Tan <[email protected]>
+ Gracefully handle XMLDocumentParser being detached by mutation events.
+ https://bugs.webkit.org/show_bug.cgi?id=149485
+ <rdar://problem/22811489>
+
+ Reviewed by Darin Adler.
+
+ * fast/parser/resources/xhtml-overwrite-frame.xhtml: Added.
+ * fast/parser/xhtml-dom-character-data-modified-crash-expected.txt: Added.
+ * fast/parser/xhtml-dom-character-data-modified-crash.html: Added.
+
+2015-10-08 Jiewen Tan <[email protected]>
+
Cleaning up after revision 190339
https://bugs.webkit.org/show_bug.cgi?id=149732
Added: trunk/LayoutTests/fast/parser/resources/xhtml-overwrite-frame.xhtml (0 => 190760)
--- trunk/LayoutTests/fast/parser/resources/xhtml-overwrite-frame.xhtml (rev 0)
+++ trunk/LayoutTests/fast/parser/resources/xhtml-overwrite-frame.xhtml 2015-10-08 23:45:11 UTC (rev 190760)
@@ -0,0 +1,12 @@
+<html xmlns="http://www.w3.org/1999/xhtml">
+<script>
+function overwrite() {
+ var testRunner = window.parent.testRunner;
+ window.frameElement.outerHTML = "PASS (no crash)";
+ if (testRunner)
+ testRunner.notifyDone();
+}
+
+document.addEventListener("DOMCharacterDataModified", overwrite);
+</script>
+</html>
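Review bot: the repro depends on the newline between `</script>` and `</html>` on the last two lines, and nothing in the file says so. The listener is only installed once the script has run, so the script element's own text is flushed before the listener exists; it is the trailing whitespace text node that reaches appendData() with the listener in place and triggers the overwrite. If a whitespace clean-up drops that newline the handler never runs, the frame is never replaced and notifyDone() is never called, so the test times out instead of printing PASS. A one-line comment above `document.addEventListener("DOMCharacterDataModified", overwrite);` saying the trailing text is intentional would protect it.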
Added: trunk/LayoutTests/fast/parser/xhtml-dom-character-data-modified-crash-expected.txt (0 => 190760)
--- trunk/LayoutTests/fast/parser/xhtml-dom-character-data-modified-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/parser/xhtml-dom-character-data-modified-crash-expected.txt 2015-10-08 23:45:11 UTC (rev 190760)
@@ -0,0 +1 @@
+PASS (no crash)
Added: trunk/LayoutTests/fast/parser/xhtml-dom-character-data-modified-crash.html (0 => 190760)
--- trunk/LayoutTests/fast/parser/xhtml-dom-character-data-modified-crash.html (rev 0)
+++ trunk/LayoutTests/fast/parser/xhtml-dom-character-data-modified-crash.html 2015-10-08 23:45:11 UTC (rev 190760)
@@ -0,0 +1,8 @@
+<!DOCTYPE html>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+</script>
+<iframe src=""
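Review bot: the `<iframe src=""` on the last line does not reference resources/xhtml-overwrite-frame.xhtml, the frame document this same patch adds (listed in the LayoutTests ChangeLog hunk), and the tag is not closed. With an empty src no XHTML is parsed, the DOMCharacterDataModified handler never fires and testRunner.notifyDone() is never called, so the test hangs until the harness times out rather than producing `PASS (no crash)`. If the line is only truncated in this rendering, confirm the committed file reads `<iframe src="resources/xhtml-overwrite-frame.xhtml"></iframe>`.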
Modified: trunk/Source/WebCore/ChangeLog (190759 => 190760)
--- trunk/Source/WebCore/ChangeLog 2015-10-08 23:34:08 UTC (rev 190759)
+++ trunk/Source/WebCore/ChangeLog 2015-10-08 23:45:11 UTC (rev 190760)
@@ -1,3 +1,43 @@
+2015-10-08 Jiewen Tan <[email protected]>
+
+ Gracefully handle XMLDocumentParser being detached by mutation events.
+ https://bugs.webkit.org/show_bug.cgi?id=149485
+ <rdar://problem/22811489>
+
+ This is a merge of Blink change 200026,
+ https://codereview.chromium.org/1267283002
+
+ Reviewed by Darin Adler.
+
+ Test: fast/parser/xhtml-dom-character-data-modified-crash.html
+
+ * xml/parser/XMLDocumentParser.cpp:
+ (WebCore::XMLDocumentParser::createLeafTextNode):
+ Renamed from enterText() to make it more descriptive.
+
+ (WebCore::XMLDocumentParser::updateLeafTextNode):
+ Renamed from exitText to firm up this stage.
+
+ (WebCore::XMLDocumentParser::end):
+ Gracefully handle stopped states.
+
+ (WebCore::XMLDocumentParser::enterText): Deleted.
+ (WebCore::XMLDocumentParser::exitText): Deleted.
+
+ * xml/parser/XMLDocumentParser.h:
+ Rename enterText to createLeafTextNode.
+ Rename exitText to updateLeafTextNode.
+
+ * xml/parser/XMLDocumentParserLibxml2.cpp:
+ (WebCore::XMLDocumentParser::startElementNs):
+ (WebCore::XMLDocumentParser::endElementNs):
+ (WebCore::XMLDocumentParser::characters):
+ (WebCore::XMLDocumentParser::processingInstruction):
+ (WebCore::XMLDocumentParser::cdataBlock):
+ (WebCore::XMLDocumentParser::comment):
+ (WebCore::XMLDocumentParser::endDocument):
+ Rename function calls and firm up updateLeafTextNode stage accordingly.
+
2015-10-08 Chris Dumez <[email protected]>
data: URLs should not be preloaded
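Review bot: the entry for createLeafTextNode describes only the rename, but the XMLDocumentParser.cpp hunk also adds an early `if (m_leafTextNode) return;`, and the entry for end() says "Gracefully handle stopped states" while the visible change there is only `exitText()` becoming `updateLeafTextNode()` with the returned bool discarded. Either describe the new guard and the return-value contract here (false means the parser is stopped, possibly by a mutation event fired from appendData), or drop the end() claim so the log matches the code.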
Modified: trunk/Source/WebCore/xml/parser/XMLDocumentParser.cpp (190759 => 190760)
--- trunk/Source/WebCore/xml/parser/XMLDocumentParser.cpp 2015-10-08 23:34:08 UTC (rev 190759)
+++ trunk/Source/WebCore/xml/parser/XMLDocumentParser.cpp 2015-10-08 23:45:11 UTC (rev 190760)
@@ -136,8 +136,11 @@
stopParsing();
}
-void XMLDocumentParser::enterText()
+void XMLDocumentParser::createLeafTextNode()
{
+ if (m_leafTextNode)
+ return;
+
ASSERT(m_bufferedText.size() == 0);
ASSERT(!m_leafTextNode);
m_leafTextNode = Text::create(m_currentNode->document(), "");
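Review bot: the new `if (m_leafTextNode) return;` makes `ASSERT(!m_leafTextNode);` three lines below unreachable, and the only caller in this patch (characters(), in XMLDocumentParserLibxml2.cpp) already tests `if (!m_leafTextNode)` before calling. Pick one place for the check: keep the ASSERT and drop the guard, or keep the guard, delete the dead ASSERT and call createLeafTextNode() unconditionally from characters().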
@@ -150,19 +153,23 @@
}
-void XMLDocumentParser::exitText()
+bool XMLDocumentParser::updateLeafTextNode()
{
if (isStopped())
- return;
+ return false;
if (!m_leafTextNode)
- return;
+ return true;
+ // This operation might fire mutation event, see below.
m_leafTextNode->appendData(toString(m_bufferedText.data(), m_bufferedText.size()));
- Vector<xmlChar> empty;
- m_bufferedText.swap(empty);
+ m_bufferedText = { };
m_leafTextNode = nullptr;
+
+ // Hence, we need to check again whether the parser is stopped, since mutation
+ // event handlers executed by appendData might have detached this parser.
+ return !isStopped();
}
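Review bot: after `m_leafTextNode->appendData(...)` has run arbitrary mutation-event handlers, the function still writes `m_bufferedText` and `m_leafTextNode`, which is only safe if the caller keeps this parser alive across the call. endElementNs does (`Ref<XMLDocumentParser> protect(*this);` precedes its call), but that precondition is not stated here and the other call sites in this patch show no equivalent guard. Either take the Ref inside updateLeafTextNode or document in the header that callers must hold one. Consider also holding a local `Ref<Text>` across appendData in case detach() (not shown) clears m_leafTextNode while the node's own method is still on the stack. Minor: "see below" in the first comment should name what it refers to, e.g. "see the isStopped() check after the call".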
void XMLDocumentParser::detach()
@@ -191,7 +198,7 @@
if (m_sawError)
insertErrorMessageBlock();
else {
- exitText();
+ updateLeafTextNode();
document()->styleResolverChanged(RecalcStyleImmediately);
}
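Review bot: the bool from updateLeafTextNode() is discarded here, so if a DOMCharacterDataModified handler fired from the flush detaches the parser, execution continues into `document()->styleResolverChanged(RecalcStyleImmediately);` on a parser that has just been stopped. The libxml2 callbacks in this patch all do `if (!updateLeafTextNode()) return;`; end() should either do the same or carry a comment explaining why proceeding is safe, given the ChangeLog says this function now handles stopped states gracefully.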
Modified: trunk/Source/WebCore/xml/parser/XMLDocumentParser.h (190759 => 190760)
--- trunk/Source/WebCore/xml/parser/XMLDocumentParser.h 2015-10-08 23:34:08 UTC (rev 190759)
+++ trunk/Source/WebCore/xml/parser/XMLDocumentParser.h 2015-10-08 23:45:11 UTC (rev 190760)
@@ -146,8 +146,8 @@
void insertErrorMessageBlock();
- void enterText();
- void exitText();
+ void createLeafTextNode();
+ bool updateLeafTextNode();
void doWrite(const String&);
void doEnd();
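Review bot: `bool updateLeafTextNode();` gains a return value with no comment on what it means, and the two true cases (nothing buffered; flushed and still running) differ from the false case (parser stopped, before or during the flush). A one-line comment here, for example "Returns false if the parser is stopped, including when a mutation event fired by the flush detached it", saves the next caller a trip into the .cpp.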
Modified: trunk/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp (190759 => 190760)
--- trunk/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp 2015-10-08 23:34:08 UTC (rev 190759)
+++ trunk/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp 2015-10-08 23:45:11 UTC (rev 190760)
@@ -797,7 +797,8 @@
return;
}
- exitText();
+ if (!updateLeafTextNode())
+ return;
AtomicString localName = toAtomicString(xmlLocalName);
AtomicString uri = toAtomicString(xmlURI);
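Review bot: unlike endElementNs, which takes `Ref<XMLDocumentParser> protect(*this);` before its updateLeafTextNode() call, no such guard is visible above this call in startElementNs, and the flush can now run mutation-event handlers that detach the parser. Confirm one exists earlier in the function (outside the hunk) or add it; the early `return` only helps if `this` is still valid when updateLeafTextNode returns.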
@@ -877,7 +878,8 @@
// before the end of this method.
Ref<XMLDocumentParser> protect(*this);
- exitText();
+ if (!updateLeafTextNode())
+ return;
RefPtr<ContainerNode> node = m_currentNode;
node->finishParsingChildren();
@@ -952,7 +954,7 @@
}
if (!m_leafTextNode)
- enterText();
+ createLeafTextNode();
m_bufferedText.append(s, len);
}
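Review bot: `if (!m_leafTextNode)` here duplicates the guard the patch adds at the top of createLeafTextNode(), so one of the two is redundant. Since this caller-side check is what keeps the `ASSERT(!m_leafTextNode)` inside createLeafTextNode meaningful, the guard in createLeafTextNode is the one to drop; either way, keep a single check.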
@@ -991,7 +993,8 @@
return;
}
- exitText();
+ if (!updateLeafTextNode())
+ return;
// ### handle exceptions
ExceptionCode ec = 0;
@@ -1025,7 +1028,8 @@
return;
}
- exitText();
+ if (!updateLeafTextNode())
+ return;
auto newNode = CDATASection::create(m_currentNode->document(), toString(s, len));
m_currentNode->parserAppendChild(WTF::move(newNode));
@@ -1041,7 +1045,8 @@
return;
}
- exitText();
+ if (!updateLeafTextNode())
+ return;
auto newNode = Comment::create(m_currentNode->document(), toString(s));
m_currentNode->parserAppendChild(WTF::move(newNode));
@@ -1073,7 +1078,7 @@
void XMLDocumentParser::endDocument()
{
- exitText();
+ updateLeafTextNode();
}
void XMLDocumentParser::internalSubset(const xmlChar* name, const xmlChar* externalID, const xmlChar* systemID)