Title: [192316] trunk
Revision
192316
Author
jhoneyc...@apple.com
Date
2015-11-11 10:48:33 -0800 (Wed, 11 Nov 2015)

Log Message

Crash loading Blink layout test fast/parser/strip-script-attrs-on-input.html
https://bugs.webkit.org/show_bug.cgi?id=150201
<rdar://problem/23136478>

Reviewed by Brent Fulgham.

Source/WebCore:

Test: fast/parser/strip-script-attrs-on-input.html

* html/parser/HTMLTreeBuilder.cpp:
(WebCore::HTMLTreeBuilder::processStartTagForInBody):
Get the attribute after calling
HTMLConstructionSite::insertSelfClosingHTMLElement(), as this may
mutate the token's attributes.

LayoutTests:

* fast/parser/strip-script-attrs-on-input-expected.txt: Added.
* fast/parser/strip-script-attrs-on-input.html: Added.
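The hazard the log message describes, as an added example in plain C++ (not WebKit's code): a token that owns its attribute vector, a stand-in construction site, and three orderings of the `type` lookup. The pre-fix ordering keeps a pointer into the token's vector across the insertion, the committed ordering looks the attribute up only afterwards, and a third variant decides from the attribute's value before the token is handed over, so it does not depend on what insertion does to the token. `ConstructionSite`, `sampleInputToken` and the modelled mutation (event-handler attributes removed from the token when scripting content is disallowed, which the test name suggests but the page does not spell out) are assumptions of this example.

```cpp
// Added example (not WebKit code): models the attribute-pointer hazard that
// r192316 fixes in HTMLTreeBuilder::processStartTagForInBody.
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

struct Attribute {
    std::string name;
    std::string value;
};

struct Token {
    std::string name;                  // tag name, e.g. "input"
    std::vector<Attribute> attributes; // owned by the token until insertion
};

struct Element {
    std::string tagName;
    std::vector<Attribute> attributes;
};

// Case-insensitive comparison against an ASCII literal, standing in for
// WebCore's equalIgnoringCase().
static bool equalIgnoringCase(const std::string& value, const std::string& literal) {
    if (value.size() != literal.size())
        return false;
    for (size_t i = 0; i < value.size(); ++i) {
        if (std::tolower(static_cast<unsigned char>(value[i]))
            != std::tolower(static_cast<unsigned char>(literal[i])))
            return false;
    }
    return true;
}

static const Attribute* findAttribute(const std::vector<Attribute>& attrs, const std::string& name) {
    for (const Attribute& a : attrs) {
        if (a.name == name)
            return &a;
    }
    return nullptr;
}

// Hypothetical stand-in for HTMLConstructionSite. ASSUMPTION of this model:
// when scripting content is disallowed (as for pasted markup), inserting the
// element strips event-handler attributes from the token's own vector before
// copying the rest, which shifts the remaining elements down.
struct ConstructionSite {
    bool scriptingAllowed;
    std::vector<Element> tree;

    explicit ConstructionSite(bool allowed) : scriptingAllowed(allowed) {}

    void insertSelfClosingHTMLElement(Token& token) {
        if (!scriptingAllowed) {
            auto& attrs = token.attributes;
            attrs.erase(std::remove_if(attrs.begin(), attrs.end(),
                [](const Attribute& a) { return a.name.rfind("on", 0) == 0; }), attrs.end());
        }
        tree.push_back(Element{token.name, token.attributes});
    }
};

// Pre-fix ordering: a pointer into token.attributes is taken before insertion.
// Returns true when that pointer no longer refers to the "type" attribute
// afterwards. The stale pointer is only compared, never dereferenced.
bool typePointerGoesStale(Token token, bool scriptingAllowed) {
    ConstructionSite site(scriptingAllowed);
    const Attribute* before = findAttribute(token.attributes, "type");
    site.insertSelfClosingHTMLElement(token);
    const Attribute* after = findAttribute(token.attributes, "type");
    return before != after;
}

// The committed ordering: look the attribute up only after insertion.
bool framesetOkAfterFix(Token token, bool scriptingAllowed) {
    ConstructionSite site(scriptingAllowed);
    bool framesetOk = true;
    site.insertSelfClosingHTMLElement(token);
    const Attribute* typeAttribute = findAttribute(token.attributes, "type");
    if (!typeAttribute || !equalIgnoringCase(typeAttribute->value, "hidden"))
        framesetOk = false;
    return framesetOk;
}

// Alternative that does not depend on what insertion does to the token:
// decide from the attribute's value before the token is handed over.
bool framesetOkValueFirst(Token token, bool scriptingAllowed) {
    ConstructionSite site(scriptingAllowed);
    const Attribute* typeAttribute = findAttribute(token.attributes, "type");
    bool shouldClearFramesetOk = !typeAttribute || !equalIgnoringCase(typeAttribute->value, "hidden");
    site.insertSelfClosingHTMLElement(token);
    return !shouldClearFramesetOk;
}

// Constructed sample shaped like the layout test's <input>: two event-handler
// attributes precede "type", so stripping them moves "type" to index 0.
Token sampleInputToken(const std::string& type) {
    return Token{"input", {{"onblur", "javascript:false;"}, {"onclick", "javascript:false;"}, {"type", type}}};
}
```

The pointer comparison in `typePointerGoesStale` is the whole point: a pointer into a container element is only as good as the container's next mutation, and an ASan build is what turns the silent mismatch into the crash the bug reports. The value-first variant also keeps the `hidden` decision correct should a construction site ever move the attribute vector out of the token entirely rather than edit it in place.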

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/html/parser/HTMLTreeBuilder.cpp

Added Paths

trunk/LayoutTests/fast/parser/strip-script-attrs-on-input-expected.txt
trunk/LayoutTests/fast/parser/strip-script-attrs-on-input.html
Diff

Modified: trunk/LayoutTests/ChangeLog (192315 => 192316)


--- trunk/LayoutTests/ChangeLog	2015-11-11 18:20:43 UTC (rev 192315)
+++ trunk/LayoutTests/ChangeLog	2015-11-11 18:48:33 UTC (rev 192316)
@@ -1,3 +1,14 @@
+2015-11-10  Jon Honeycutt  <jhoneyc...@apple.com>
+
+        Crash loading Blink layout test fast/parser/strip-script-attrs-on-input.html
+        https://bugs.webkit.org/show_bug.cgi?id=150201
+        <rdar://problem/23136478>
+
+        Reviewed by Brent Fulgham.
+
+        * fast/parser/strip-script-attrs-on-input-expected.txt: Added.
+        * fast/parser/strip-script-attrs-on-input.html: Added.
+
 2015-11-10  Wenson Hsieh  <wenson_hs...@apple.com>
 
         UI-side scripts in WebKitTestRunner should wait until event handling completes before finishing

Added: trunk/LayoutTests/fast/parser/strip-script-attrs-on-input-expected.txt (0 => 192316)


--- trunk/LayoutTests/fast/parser/strip-script-attrs-on-input-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/parser/strip-script-attrs-on-input-expected.txt	2015-11-11 18:48:33 UTC (rev 192316)
@@ -0,0 +1 @@
+Text for WebKit bug #150201. Test passes if it does not crash in an ASan build.

Added: trunk/LayoutTests/fast/parser/strip-script-attrs-on-input.html (0 => 192316)


--- trunk/LayoutTests/fast/parser/strip-script-attrs-on-input.html	                        (rev 0)
+++ trunk/LayoutTests/fast/parser/strip-script-attrs-on-input.html	2015-11-11 18:48:33 UTC (rev 192316)
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<body>
+    <div contenteditable="true" id="target">
+        <input _onblur_="_javascript_:false;" _onclick_="_javascript_:false;" type="text"/>
+    </div>
+    <script>
+        if (window.testRunner) {
+            testRunner.dumpAsText();
+            testRunner.waitUntilDone();
+        }
+
+        requestAnimationFrame(function() {
+            var target = document.getElementById("target");
+            var selection = window.getSelection();
+            var range = document.createRange();
+            range.selectNodeContents(target);
+            selection.addRange(range);
+
+            document.execCommand("Cut");
+            document.execCommand("Paste");
+
+            target.innerHTML = '';
+            testRunner.notifyDone();
+        });
+    </script>
+    <p>
+        Text for WebKit bug #<a href=""
+        Test passes if it does not crash in an ASan build.
+    </p>
+</body>
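Review bot: `testRunner.notifyDone()` in the last line of the requestAnimationFrame callback is called unconditionally, while `dumpAsText()` and `waitUntilDone()` above it are guarded by `if (window.testRunner)`; loading the file in a plain browser to reproduce the crash throws a ReferenceError on that line. Guard it the same way: `if (window.testRunner) testRunner.notifyDone();`. Also, the `<p>` text as shown ends in an unterminated `<a href=""` and never contains `150201.`, yet the expected output file reads `Text for WebKit bug #150201.`, and the input's attributes appear as `_onblur_="_javascript_:false;"` / `_onclick_="_javascript_:false;"`, which are not event-handler attributes; confirm the checked-in file carries `onblur="javascript:false;"`-style markup and a closed anchor, otherwise neither the dumped text nor the script-attribute stripping this test is named for will match.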

Modified: trunk/Source/WebCore/ChangeLog (192315 => 192316)


--- trunk/Source/WebCore/ChangeLog	2015-11-11 18:20:43 UTC (rev 192315)
+++ trunk/Source/WebCore/ChangeLog	2015-11-11 18:48:33 UTC (rev 192316)
@@ -1,3 +1,19 @@
+2015-11-10  Jon Honeycutt  <jhoneyc...@apple.com>
+
+        Crash loading Blink layout test fast/parser/strip-script-attrs-on-input.html
+        https://bugs.webkit.org/show_bug.cgi?id=150201
+        <rdar://problem/23136478>
+
+        Reviewed by Brent Fulgham.
+
+        Test: fast/parser/strip-script-attrs-on-input.html
+
+        * html/parser/HTMLTreeBuilder.cpp:
+        (WebCore::HTMLTreeBuilder::processStartTagForInBody):
+        Get the attribute after calling
+        HTMLConstructionSite::insertSelfClosingHTMLElement(), as this may
+        mutate the token's attributes.
+
 2015-11-11  Xabier Rodriguez Calvar  <calva...@igalia.com>
 
         [Streams API] Remove bind usage
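Review bot: the entry says insertSelfClosingHTMLElement() "may mutate the token's attributes" but not how or when; given the test name (strip-script-attrs) and the cut/paste steps in the test, stating the mutation (attributes removed from the token's vector while scripting content is disallowed, leaving a pointer taken earlier stale) would let a future reader judge whether looking the attribute up after insertion remains correct if that mutation changes.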

Modified: trunk/Source/WebCore/html/parser/HTMLTreeBuilder.cpp (192315 => 192316)


--- trunk/Source/WebCore/html/parser/HTMLTreeBuilder.cpp	2015-11-11 18:20:43 UTC (rev 192315)
+++ trunk/Source/WebCore/html/parser/HTMLTreeBuilder.cpp	2015-11-11 18:48:33 UTC (rev 192316)
@@ -774,9 +774,9 @@
         return;
     }
     if (token.name() == inputTag) {
-        Attribute* typeAttribute = findAttribute(token.attributes(), typeAttr);
         m_tree.reconstructTheActiveFormattingElements();
         m_tree.insertSelfClosingHTMLElement(&token);
+        Attribute* typeAttribute = findAttribute(token.attributes(), typeAttr);
         if (!typeAttribute || !equalIgnoringCase(typeAttribute->value(), "hidden"))
             m_framesetOk = false;
         return;
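Review bot: moving `findAttribute(token.attributes(), typeAttr)` below `insertSelfClosingHTMLElement(&token)` removes the stale pointer, but it makes the `hidden` check depend on the token still holding its `type` attribute after insertion; if the construction site ever moves or drops the attribute vector, `typeAttribute` is null and `m_framesetOk` is cleared for `type=hidden` too, with no test catching it since the new test only checks for the absence of an ASan crash. Computing the decision before the insertion avoids both problems, e.g. `bool shouldClearFramesetOk = !typeAttribute || !equalIgnoringCase(typeAttribute->value(), "hidden");` ahead of `m_tree.insertSelfClosingHTMLElement(&token);` and then `if (shouldClearFramesetOk) m_framesetOk = false;`.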
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
