[webkit-changes] [199693] trunk

Mon, 18 Apr 2016 15:36:35 -0700

Title: [199693] trunk
Revision
199693
Author
[email protected]
Date
2016-04-18 15:36:18 -0700 (Mon, 18 Apr 2016)

Log Message

Crash in ElementDescendantIterator::operator--() when calling m_ancestorSiblingStack.last()
https://bugs.webkit.org/show_bug.cgi?id=156715
<rdar://problem/25750864>

Reviewed by Antti Koivisto.

Source/WebCore:

Fix correctness of ElementDescendantIterator::operator--(). The last element
in the m_ancestorSiblingStack stack is nullptr. However, if our parent does
not have a sibling, m_current->nextSibling() == m_ancestorSiblingStack.last()
would be true and we would end up removing the nullptr element from
m_ancestorSiblingStack. We would crash on a follow-up call to operator--()
because m_ancestorSiblingStack.last() would do an out-of-bound access, given
that m_ancestorSiblingStack is empty.

Test: fast/dom/collection-backward-traversal-crash.html

* dom/ElementDescendantIterator.h:
(WebCore::ElementDescendantIterator::operator--):

LayoutTests:

Add regression test that reproduced the crash.

* fast/dom/collection-backward-traversal-crash-expected.txt: Added.
* fast/dom/collection-backward-traversal-crash.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (199692 => 199693)


--- trunk/LayoutTests/ChangeLog	2016-04-18 22:29:48 UTC (rev 199692)
+++ trunk/LayoutTests/ChangeLog	2016-04-18 22:36:18 UTC (rev 199693)
@@ -1,3 +1,16 @@
+2016-04-18  Chris Dumez  <[email protected]>
+
+        Crash in ElementDescendantIterator::operator--() when calling m_ancestorSiblingStack.last()
+        https://bugs.webkit.org/show_bug.cgi?id=156715
+        <rdar://problem/25750864>
+
+        Reviewed by Antti Koivisto.
+
+        Add regression test that reproduced the crash.
+
+        * fast/dom/collection-backward-traversal-crash-expected.txt: Added.
+        * fast/dom/collection-backward-traversal-crash.html: Added.
+
 2016-04-18  Brent Fulgham  <[email protected]>
 
         CSP: Remove stubs for dynamically-added favicons (via link rel="icon")

Added: trunk/LayoutTests/fast/dom/collection-backward-traversal-crash-expected.txt (0 => 199693)


--- trunk/LayoutTests/fast/dom/collection-backward-traversal-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/collection-backward-traversal-crash-expected.txt	2016-04-18 22:36:18 UTC (rev 199693)
@@ -0,0 +1,13 @@
+Tests that backward traversal of an HTMLCollection works as expected and does not crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS divs.item(3).id is "D"
+PASS divs.item(2).id is "C"
+PASS divs.item(1).id is "B"
+PASS divs.item(0).id is "A"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/dom/collection-backward-traversal-crash.html (0 => 199693)


--- trunk/LayoutTests/fast/dom/collection-backward-traversal-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/collection-backward-traversal-crash.html	2016-04-18 22:36:18 UTC (rev 199693)
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script src=""
+<div id="testArea"><div id="A"><div id="B"><div id="C"><div id="D"></div></div></div></div></div>
+<script>
+description("Tests that backward traversal of an HTMLCollection works as expected and does not crash.");
+
+var testArea = document.getElementById("testArea");
+var divs = testArea.getElementsByTagName("div");
+shouldBeEqualToString("divs.item(3).id", "D");
+shouldBeEqualToString("divs.item(2).id", "C");
+shouldBeEqualToString("divs.item(1).id", "B");
+shouldBeEqualToString("divs.item(0).id", "A");
+</script>
+<script src=""
+</body>
+</html>

Modified: trunk/Source/WebCore/ChangeLog (199692 => 199693)


--- trunk/Source/WebCore/ChangeLog	2016-04-18 22:29:48 UTC (rev 199692)
+++ trunk/Source/WebCore/ChangeLog	2016-04-18 22:36:18 UTC (rev 199693)
@@ -1,3 +1,24 @@
+2016-04-18  Chris Dumez  <[email protected]>
+
+        Crash in ElementDescendantIterator::operator--() when calling m_ancestorSiblingStack.last()
+        https://bugs.webkit.org/show_bug.cgi?id=156715
+        <rdar://problem/25750864>
+
+        Reviewed by Antti Koivisto.
+
+        Fix correctness of ElementDescendantIterator::operator--(). The last element
+        in the m_ancestorSiblingStack stack is nullptr. However, if our parent does
+        not have a sibling, m_current->nextSibling() == m_ancestorSiblingStack.last()
+        would be true and we would end up removing the nullptr element from
+        m_ancestorSiblingStack. We would crash on a follow-up call to operator--()
+        because m_ancestorSiblingStack.last() would do an out-of-bound access, given
+        that m_ancestorSiblingStack is empty.
+
+        Test: fast/dom/collection-backward-traversal-crash.html
+
+        * dom/ElementDescendantIterator.h:
+        (WebCore::ElementDescendantIterator::operator--):
+
 2016-04-18  Anders Carlsson  <[email protected]>
 
         Fix build with newer versions of clang.

Modified: trunk/Source/WebCore/dom/ElementDescendantIterator.h (199692 => 199693)


--- trunk/Source/WebCore/dom/ElementDescendantIterator.h	2016-04-18 22:29:48 UTC (rev 199692)
+++ trunk/Source/WebCore/dom/ElementDescendantIterator.h	2016-04-18 22:36:18 UTC (rev 199693)
@@ -171,7 +171,7 @@
     if (!previousSibling) {
         m_current = m_current->parentElement();
         // The stack optimizes for forward traversal only, this just maintains consistency.
-        if (m_current->nextSibling() == m_ancestorSiblingStack.last())
+        if (m_current->nextSibling() && m_current->nextSibling() == m_ancestorSiblingStack.last())
             m_ancestorSiblingStack.removeLast();
         return *this;
     }

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to