Title: [199282] releases/WebKitGTK/webkit-2.4
Revision
199282
Author
[email protected]
Date
2016-04-10 00:49:54 -0700 (Sun, 10 Apr 2016)

Log Message

Merge r165044 - REGRESSION(r164856): Use after free in WebCore::QualifiedName::operator== / WebCore::StyledElement::attributeChanged
https://bugs.webkit.org/show_bug.cgi?id=129550

Reviewed by Andreas Kling.

Source/WebCore:

We can't store a reference to QualifiedName here because ensureUniqueElementData could delete QualifiedName inside Attribute.

Test: fast/dom/uniquing-attributes-via-setAttribute.html

* dom/Element.cpp:
(WebCore::Element::setAttributeInternal):

LayoutTests:

Added a regression test.

* fast/dom/uniquing-attributes-via-setAttribute-expected.txt: Added.
* fast/dom/uniquing-attributes-via-setAttribute.html: Added.
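
The mechanism the log message describes, as an added, simplified C++ model written for this page. It is not WebKit code: `Name` stands in for `QualifiedName` (a handle around a ref-counted impl), `ElementData`/`Element` stand in for the shareable-vs-unique element data that `cloneNode` and `ensureUniqueElementData` juggle, and `liveNames`, `setAttributeHoldingReference`, `setAttributeCopyingName` and `runScenario` are helpers invented here. The model replays the regression test's sequence (set, clone, set on the original, set on the clone) against the pre-fix shape (a reference into the element data held across the uniquing call) and the fixed shape (a by-value copy of the handle). Liveness is checked by address in a registry rather than by reading through the reference, so the example itself never touches freed memory.

```cpp
// Simplified model of the r165044 fix; every type and function here is a
// stand-in invented for this example, not WebKit code.
#include <cstdio>
#include <memory>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Addresses of Name handles that currently exist, so a dangling reference can
// be detected by address without dereferencing freed memory.
static std::set<const void*>& liveNames() {
    static std::set<const void*> s;
    return s;
}

// Stand-in for QualifiedName: a small handle that shares a ref-counted impl.
struct Name {
    std::shared_ptr<std::string> impl;
    explicit Name(const char* s) : impl(std::make_shared<std::string>(s)) { liveNames().insert(this); }
    Name(const Name& o) : impl(o.impl) { liveNames().insert(this); }
    Name& operator=(const Name&) = default;
    ~Name() { liveNames().erase(this); }
    const std::string& local() const { return *impl; }
};

struct Attribute {
    Name name;
    std::string value;
};

// Stand-in for ElementData: unique == false models ShareableElementData (which
// clones may share), unique == true models UniqueElementData.
struct ElementData {
    std::vector<Attribute> attributes;
    bool unique = false;
};

struct Element {
    std::shared_ptr<ElementData> data = std::make_shared<ElementData>();

    // cloneNode(): the clone shares the source's storage, which is made
    // shareable first (assumption: mirrors what cloning does in this model).
    Element cloneNode() const {
        data->unique = false;
        Element e;
        e.data = data;
        return e;
    }

    // ensureUniqueElementData(): replace shareable storage with a private copy.
    // If this element was the last holder, the old storage and every Attribute
    // and Name inside it are destroyed right here.
    ElementData& ensureUniqueElementData() {
        if (!data->unique) {
            auto copy = std::make_shared<ElementData>(*data);
            copy->unique = true;
            data = std::move(copy);
        }
        return *data;
    }
};

// Index of the attribute called `name`, or -1 (string compare; the real code
// compares interned impl pointers).
static int findAttribute(const ElementData& d, const Name& name) {
    for (size_t i = 0; i < d.attributes.size(); ++i)
        if (d.attributes[i].name.local() == name.local())
            return static_cast<int>(i);
    return -1;
}

// Pre-fix shape: a reference into the element data is kept across
// ensureUniqueElementData(). Returns whether it was still valid at the point
// attributeChanged() would have used it.
static bool setAttributeHoldingReference(Element& el, const Name& name, const std::string& newValue) {
    int index = findAttribute(*el.data, name);
    if (index < 0) {
        el.ensureUniqueElementData().attributes.push_back({name, newValue});
        return true;
    }
    const Attribute& attribute = el.data->attributes[index];
    const Name& attributeName = attribute.name; // BUG: may dangle after the next line
    el.ensureUniqueElementData().attributes[index].value = newValue;
    return liveNames().count(&attributeName) > 0;
}

// Fixed shape: copy the handle (a refcount bump) into a local that outlives
// the old storage.
static bool setAttributeCopyingName(Element& el, const Name& name, const std::string& newValue) {
    int index = findAttribute(*el.data, name);
    if (index < 0) {
        el.ensureUniqueElementData().attributes.push_back({name, newValue});
        return true;
    }
    const Attribute& attribute = el.data->attributes[index];
    Name attributeName = attribute.name; // FIX: by-value copy
    el.ensureUniqueElementData().attributes[index].value = newValue;
    return liveNames().count(&attributeName) > 0 && attributeName.local() == name.local();
}

// Replays the layout test: set, clone, then set on both the original and the
// clone. True only if every step kept its attribute name alive.
static bool runScenario(bool (*setAttr)(Element&, const Name&, const std::string&)) {
    Name nameAttr("name");
    Element div;
    bool ok = setAttr(div, nameAttr, "a");
    Element divClone = div.cloneNode();
    ok = setAttr(div, nameAttr, "b") && ok;
    ok = setAttr(divClone, nameAttr, "b") && ok;
    return ok;
}

int main() {
    std::printf("reference into element data: %s\n", runScenario(setAttributeHoldingReference) ? "stayed valid" : "dangled");
    std::printf("by-value name copy:          %s\n", runScenario(setAttributeCopyingName) ? "stayed valid" : "dangled");
    return 0;
}
```

The reference variant survives the first post-clone `setAttribute` (the clone still holds the old storage) and dangles on the second, which is exactly why the test needs both calls; the by-value variant stays valid throughout. The same reasoning is why the hunk already copies `oldValue` into an `AtomicString` rather than keeping a reference to `attribute.value()`.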

Diff

Modified: releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog (199281 => 199282)


--- releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog	2016-04-10 07:45:55 UTC (rev 199281)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog	2016-04-10 07:49:54 UTC (rev 199282)
@@ -1,3 +1,15 @@
+2014-03-04  Ryosuke Niwa  <[email protected]>
+
+        REGRESSION(r164856): Use after free in WebCore::QualifiedName::operator== / WebCore::StyledElement::attributeChanged
+        https://bugs.webkit.org/show_bug.cgi?id=129550
+
+        Reviewed by Andreas Kling.
+
+        Added a regression test.
+
+        * fast/dom/uniquing-attributes-via-setAttribute-expected.txt: Added.
+        * fast/dom/uniquing-attributes-via-setAttribute.html: Added.
+
 2015-02-06  Zalan Bujtas  <[email protected]>
 
         ASSERT repaintContainer->hasLayer() in WebCore::RenderObject::repaintUsingContainer

Added: releases/WebKitGTK/webkit-2.4/LayoutTests/fast/dom/uniquing-attributes-via-setAttribute-expected.txt (0 => 199282)


--- releases/WebKitGTK/webkit-2.4/LayoutTests/fast/dom/uniquing-attributes-via-setAttribute-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/fast/dom/uniquing-attributes-via-setAttribute-expected.txt	2016-04-10 07:49:54 UTC (rev 199282)
@@ -0,0 +1,3 @@
+Tests uniquing attributes via setAttribute. WebKit shouldn't crash under GuardMalloc or ASAN builds.
+
+PASS. WebKit didn't crash.

Added: releases/WebKitGTK/webkit-2.4/LayoutTests/fast/dom/uniquing-attributes-via-setAttribute.html (0 => 199282)


--- releases/WebKitGTK/webkit-2.4/LayoutTests/fast/dom/uniquing-attributes-via-setAttribute.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/fast/dom/uniquing-attributes-via-setAttribute.html	2016-04-10 07:49:54 UTC (rev 199282)
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>Tests uniquing attributes via setAttribute. WebKit shouldn't crash under GuardMalloc or ASAN builds.</p>
+<div></div>
+<script>
+
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+var div = document.querySelector('div');
+div.setAttribute('name', 'a');
+
+var divClone = div.cloneNode(true);
+document.body.appendChild(divClone);
+
+div.setAttribute('name', 'b');
+divClone.setAttribute('name', 'b');
+
+document.write("PASS. WebKit didn't crash.");
+
+</script>
+</body>
+</html>
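Review bot: the PASS line at the end of the script is written unconditionally, so on a release build this test cannot fail; as the `<p>` text says, it only catches the regression under GuardMalloc or ASAN, where the freed storage is poisoned. That is the usual shape for a WebKit crash test, but the ordering is load-bearing and deserves a comment in the script: the first `setAttribute` happens before `cloneNode` so that the clone shares the attribute storage, and the two `setAttribute` calls after the clone drive `ensureUniqueElementData` on each holder in turn, the second dropping the last reference to the shared data while `setAttributeInternal` still holds a reference into it (the scenario the ChangeLog describes). Without that comment, a future "cleanup" that drops one of the two calls would silently turn the test into a no-op.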

Modified: releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog (199281 => 199282)


--- releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog	2016-04-10 07:45:55 UTC (rev 199281)
+++ releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog	2016-04-10 07:49:54 UTC (rev 199282)
@@ -1,3 +1,17 @@
+2014-03-04  Ryosuke Niwa  <[email protected]>
+
+        REGRESSION(r164856): Use after free in WebCore::QualifiedName::operator== / WebCore::StyledElement::attributeChanged
+        https://bugs.webkit.org/show_bug.cgi?id=129550
+
+        Reviewed by Andreas Kling.
+
+        We can't store a reference to QualifiedName here because ensureUniqueElementData could delete QualifiedName inside Attribute.
+
+        Test: fast/dom/uniquing-attributes-via-setAttribute.html
+
+        * dom/Element.cpp:
+        (WebCore::Element::setAttributeInternal):
+
 2014-03-25  Gabor Rapcsanyi  <[email protected]>
 
         [ARM64] GNU assembler fails in TransformationMatrix::multiply
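Review bot: the merged entry keeps its original 2014-03-04 date but is inserted above the 2014-03-25 entry, so this ChangeLog is no longer in date order; that is the expected result of prepending entries in merge order on the stable branch, but anyone reading the dates as a timeline should note that r199282 is the revision that actually landed this change on webkit-2.4.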

Modified: releases/WebKitGTK/webkit-2.4/Source/WebCore/dom/Element.cpp (199281 => 199282)


--- releases/WebKitGTK/webkit-2.4/Source/WebCore/dom/Element.cpp	2016-04-10 07:45:55 UTC (rev 199281)
+++ releases/WebKitGTK/webkit-2.4/Source/WebCore/dom/Element.cpp	2016-04-10 07:49:54 UTC (rev 199282)
@@ -1056,7 +1056,7 @@
     const Attribute& attribute = attributeAt(index);
     AtomicString oldValue = attribute.value();
     bool valueChanged = newValue != oldValue;
-    const QualifiedName& attributeName = (!inSynchronizationOfLazyAttribute || valueChanged) ? attribute.name() : name;
+    QualifiedName attributeName = (!inSynchronizationOfLazyAttribute || valueChanged) ? attribute.name() : name;
 
     if (!inSynchronizationOfLazyAttribute)
         willModifyAttribute(attributeName, oldValue, newValue);
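Review bot: `const Attribute& attribute` on the first context line is the same kind of reference into the element data that the `attributeName` change guards against, so it is only safe as long as nothing after `ensureUniqueElementData()` (mentioned in the ChangeLog, not visible in this hunk) touches it; the visible lines use it only for `value()` and `name()` beforehand, and both results are now held by value (`AtomicString oldValue` and the new `QualifiedName attributeName`), which is the right shape, since `QualifiedName` is a ref-counted handle and the copy is a refcount bump rather than a string copy. Consider a one-line comment at the declaration of `attribute` stating that it must not be used past the uniquing call, so the next refactor does not reintroduce r164856's reference.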
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
