Changeset 145464 in webkit


Timestamp:
Mar 11, 2013 7:09:50 PM (11 years ago)
Author:
abarth@webkit.org
Message:

Make BackgroundHTMLParser work with doc.writes that enter or leave foreign content
https://bugs.webkit.org/show_bug.cgi?id=109764

Reviewed by Eric Seidel.

Source/WebCore:

Previously, we were not resetting the state of the
HTMLTreeBuilderSimulator when we failed speculative parsing. This had a
number of observable consequences, including not parsing CDATA sections
correctly when document.write caused us to enter foreign content.

Test: fast/parser/document-write-svg-cdata.html

  • html/parser/BackgroundHTMLParser.cpp:

(WebCore::BackgroundHTMLParser::BackgroundHTMLParser):
(WebCore::BackgroundHTMLParser::resumeFrom):
(WebCore::BackgroundHTMLParser::pumpTokenizer):
(WebCore::BackgroundHTMLParser::sendTokensToMainThread):

  • html/parser/BackgroundHTMLParser.h:

(Checkpoint):
(BackgroundHTMLParser):

  • html/parser/HTMLDocumentParser.cpp:

(WebCore::HTMLDocumentParser::validateSpeculations):
(WebCore::HTMLDocumentParser::didFailSpeculation):

  • html/parser/HTMLDocumentParser.h:

(ParsedChunk):

  • html/parser/HTMLElementStack.h:

(WebCore::HTMLElementStack::ElementRecord::namespaceURI):

  • html/parser/HTMLTreeBuilder.h:

(WebCore::HTMLTreeBuilder::options):
(WebCore::HTMLTreeBuilder::openElements):
(HTMLTreeBuilder):

  • html/parser/HTMLTreeBuilderSimulator.cpp:

(WebCore::HTMLTreeBuilderSimulator::stateFor):
(WebCore):

  • html/parser/HTMLTreeBuilderSimulator.h:

(WebCore):
(WebCore::HTMLTreeBuilderSimulator::state):
(WebCore::HTMLTreeBuilderSimulator::setState):
(HTMLTreeBuilderSimulator):

LayoutTests:

  • fast/parser/document-write-svg-cdata-expected.txt: Added.
  • fast/parser/document-write-svg-cdata.html: Added.
Location:
trunk
Files:
2 added
10 edited

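--- a/trunk/LayoutTests/ChangeLog
+++ b/trunk/LayoutTests/ChangeLog
@@ -1,2 +1,12 @@
+2013-03-11  Adam Barth  <abarth@webkit.org>
+
+        Make BackgroundHTMLParser work with doc.writes that enter or leave foreign content
+        https://bugs.webkit.org/show_bug.cgi?id=109764
+
+        Reviewed by Eric Seidel.
+
+        * fast/parser/document-write-svg-cdata-expected.txt: Added.
+        * fast/parser/document-write-svg-cdata.html: Added.
+
 2013-03-11  Yuki Sekiguchi  <yuki.sekiguchi@access-company.com>
 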
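--- a/trunk/Source/WebCore/ChangeLog
+++ b/trunk/Source/WebCore/ChangeLog
@@ -1,2 +1,44 @@
+2013-03-11  Adam Barth  <abarth@webkit.org>
+
+        Make BackgroundHTMLParser work with doc.writes that enter or leave foreign content
+        https://bugs.webkit.org/show_bug.cgi?id=109764
+
+        Reviewed by Eric Seidel.
+
+        Previously, we were not reseting the state of the
+        HTMLTreeBuilderSimulator when we failed speculative parsing. This had a
+        number of observable consequences, including not parsing CDATA sections
+        correctly when document.write caused us to enter foreign content.
+
+        Test: fast/parser/document-write-svg-cdata.html
+
+        * html/parser/BackgroundHTMLParser.cpp:
+        (WebCore::BackgroundHTMLParser::BackgroundHTMLParser):
+        (WebCore::BackgroundHTMLParser::resumeFrom):
+        (WebCore::BackgroundHTMLParser::pumpTokenizer):
+        (WebCore::BackgroundHTMLParser::sendTokensToMainThread):
+        * html/parser/BackgroundHTMLParser.h:
+        (Checkpoint):
+        (BackgroundHTMLParser):
+        * html/parser/HTMLDocumentParser.cpp:
+        (WebCore::HTMLDocumentParser::validateSpeculations):
+        (WebCore::HTMLDocumentParser::didFailSpeculation):
+        * html/parser/HTMLDocumentParser.h:
+        (ParsedChunk):
+        * html/parser/HTMLElementStack.h:
+        (WebCore::HTMLElementStack::ElementRecord::namespaceURI):
+        * html/parser/HTMLTreeBuilder.h:
+        (WebCore::HTMLTreeBuilder::options):
+        (WebCore::HTMLTreeBuilder::openElements):
+        (HTMLTreeBuilder):
+        * html/parser/HTMLTreeBuilderSimulator.cpp:
+        (WebCore::HTMLTreeBuilderSimulator::stateFor):
+        (WebCore):
+        * html/parser/HTMLTreeBuilderSimulator.h:
+        (WebCore):
+        (WebCore::HTMLTreeBuilderSimulator::state):
+        (WebCore::HTMLTreeBuilderSimulator::setState):
+        (HTMLTreeBuilderSimulator):
+
 2013-03-11  Abhishek Arya  <inferno@chromium.org>
 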
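--- a/trunk/Source/WebCore/html/parser/BackgroundHTMLParser.cpp
+++ b/trunk/Source/WebCore/html/parser/BackgroundHTMLParser.cpp
@@ -66,7 +66,7 @@
 BackgroundHTMLParser::BackgroundHTMLParser(PassRefPtr<WeakReference<BackgroundHTMLParser> > reference, PassOwnPtr<Configuration> config)
     : m_weakFactory(reference, this)
-    , m_treeBuilderSimulator(config->options)
     , m_token(adoptPtr(new HTMLToken))
     , m_tokenizer(HTMLTokenizer::create(config->options))
+    , m_treeBuilderSimulator(config->options)
     , m_options(config->options)
     , m_parser(config->parser)
@@ -89,4 +89,5 @@
     m_token = checkpoint->token.release();
     m_tokenizer = checkpoint->tokenizer.release();
+    m_treeBuilderSimulator.setState(checkpoint->treeBuilderState);
     m_input.rewindTo(checkpoint->inputCheckpoint, checkpoint->unparsedInput);
     m_preloadScanner->rewindTo(checkpoint->preloadScannerCheckpoint);
@@ -175,4 +176,5 @@
     chunk->xssInfos.swap(m_pendingXSSInfos);
     chunk->tokenizerState = m_tokenizer->state();
+    chunk->treeBuilderState = m_treeBuilderSimulator.state();
     chunk->inputCheckpoint = m_input.createCheckpoint();
     chunk->preloadScannerCheckpoint = m_preloadScanner->createCheckpoint();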
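Review bot: `m_treeBuilderSimulator.setState(checkpoint->treeBuilderState)` in the second hunk installs whatever state the main thread computed without checking that it is non-empty, while `inForeignContent()` in HTMLTreeBuilderSimulator.h reads `m_namespaceStack.last()` unconditionally. `stateFor()` in HTMLTreeBuilderSimulator.cpp returns an empty vector when the open-element stack has no records, so if a speculation can ever fail in that situation the next `simulate()` on the background thread would call `last()` on an empty Vector. Nothing visible in this changeset rules that out, so consider seeding the result in stateFor with `if (namespaceStack.isEmpty()) namespaceStack.append(HTML);` and adding `ASSERT(!state.isEmpty());` to setState. The enclosing function bodies start and end outside these hunks.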
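--- a/trunk/Source/WebCore/html/parser/BackgroundHTMLParser.h
+++ b/trunk/Source/WebCore/html/parser/BackgroundHTMLParser.h
@@ -68,4 +68,5 @@
         OwnPtr<HTMLToken> token;
         OwnPtr<HTMLTokenizer> tokenizer;
+        HTMLTreeBuilderSimulator::State treeBuilderState;
         HTMLInputCheckpoint inputCheckpoint;
         TokenPreloadScannerCheckpoint preloadScannerCheckpoint;
@@ -91,7 +92,7 @@
     BackgroundHTMLInputStream m_input;
     HTMLSourceTracker m_sourceTracker;
-    HTMLTreeBuilderSimulator m_treeBuilderSimulator;
     OwnPtr<HTMLToken> m_token;
     OwnPtr<HTMLTokenizer> m_tokenizer;
+    HTMLTreeBuilderSimulator m_treeBuilderSimulator;
     HTMLParserOptions m_options;
     WeakPtr<HTMLDocumentParser> m_parser;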
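--- a/trunk/Source/WebCore/html/parser/HTMLDocumentParser.cpp
+++ b/trunk/Source/WebCore/html/parser/HTMLDocumentParser.cpp
@@ -355,5 +355,6 @@
     if (m_currentChunk->tokenizerState == HTMLTokenizer::DataState
         && tokenizer->state() == HTMLTokenizer::DataState
-        && m_input.current().isEmpty()) {
+        && m_input.current().isEmpty()
+        && m_currentChunk->treeBuilderState == HTMLTreeBuilderSimulator::stateFor(m_treeBuilder.get())) {
         ASSERT(token->isUninitialized());
         return;
@@ -372,4 +373,5 @@
     checkpoint->token = token;
     checkpoint->tokenizer = tokenizer;
+    checkpoint->treeBuilderState = HTMLTreeBuilderSimulator::stateFor(m_treeBuilder.get());
     checkpoint->inputCheckpoint = m_currentChunk->inputCheckpoint;
     checkpoint->preloadScannerCheckpoint = m_currentChunk->preloadScannerCheckpoint;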
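Review bot: The new fourth condition in the first hunk has no comment saying why the tree-builder state must match, and it is the only one of the four whose cost grows with the document: `stateFor()` walks the whole open-element stack on the main thread each time a chunk is validated, and the second hunk walks it again when building the checkpoint. A comment such as `// A document.write() that enters or leaves foreign content invalidates the speculation, e.g. for CDATA handling.` would record the invariant the commit message describes. If the walk matters for deeply nested documents, the state computed for the comparison could be reused for the checkpoint instead of recomputed. This is hedged, since both function bodies start and end outside these hunks.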
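--- a/trunk/Source/WebCore/html/parser/HTMLDocumentParser.h
+++ b/trunk/Source/WebCore/html/parser/HTMLDocumentParser.h
@@ -38,4 +38,5 @@
 #include "HTMLToken.h"
 #include "HTMLTokenizer.h"
+#include "HTMLTreeBuilderSimulator.h"
 #include "ScriptableDocumentParser.h"
 #include "SegmentedString.h"
@@ -92,4 +93,5 @@
         XSSInfoStream xssInfos;
         HTMLTokenizer::State tokenizerState;
+        HTMLTreeBuilderSimulator::State treeBuilderState;
         HTMLInputCheckpoint inputCheckpoint;
         TokenPreloadScannerCheckpoint preloadScannerCheckpoint;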
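--- a/trunk/Source/WebCore/html/parser/HTMLElementStack.h
+++ b/trunk/Source/WebCore/html/parser/HTMLElementStack.h
@@ -58,4 +58,5 @@
         Element* element() const { return m_item->element(); }
         ContainerNode* node() const { return m_item->node(); }
+        const AtomicString& namespaceURI() const { return m_item->namespaceURI(); }
         PassRefPtr<HTMLStackItem> stackItem() const { return m_item; }
         void replaceElement(PassRefPtr<HTMLStackItem>);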
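--- a/trunk/Source/WebCore/html/parser/HTMLTreeBuilder.h
+++ b/trunk/Source/WebCore/html/parser/HTMLTreeBuilder.h
@@ -68,4 +68,6 @@
     }
     ~HTMLTreeBuilder();
+
+    const HTMLElementStack* openElements() const { return m_tree.openElements(); }
 
     bool isParsingFragment() const { return !!m_fragmentContext.fragment(); }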
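--- a/trunk/Source/WebCore/html/parser/HTMLTreeBuilderSimulator.cpp
+++ b/trunk/Source/WebCore/html/parser/HTMLTreeBuilderSimulator.cpp
@@ -34,4 +34,5 @@
 #include "HTMLParserIdioms.h"
 #include "HTMLTokenizer.h"
+#include "HTMLTreeBuilder.h"
 #include "MathMLNames.h"
 #include "SVGNames.h"
@@ -118,4 +119,22 @@
 }
 
+HTMLTreeBuilderSimulator::State HTMLTreeBuilderSimulator::stateFor(HTMLTreeBuilder* treeBuilder)
+{
+    ASSERT(isMainThread());
+    State namespaceStack;
+    for (HTMLElementStack::ElementRecord* record = treeBuilder->openElements()->topRecord(); record; record = record->next()) {
+        Namespace currentNamespace = HTML;
+        if (record->namespaceURI() == SVGNames::svgNamespaceURI)
+            currentNamespace = SVG;
+        else if (record->namespaceURI() == MathMLNames::mathmlNamespaceURI)
+            currentNamespace = MathML;
+
+        if (namespaceStack.isEmpty() || namespaceStack.last() != currentNamespace)
+            namespaceStack.append(currentNamespace);
+    }
+    namespaceStack.reverse();
+    return namespaceStack;
+}
+
 bool HTMLTreeBuilderSimulator::simulate(const CompactHTMLToken& token, HTMLTokenizer* tokenizer)
 {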
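Review bot: `stateFor()` collapses adjacent records of the same namespace into a single entry, so the equality test added in HTMLDocumentParser.cpp can only succeed if `simulate()` keeps `m_namespaceStack` in exactly the same collapsed form. That coupling is not stated anywhere in the added code, and simulate()'s body is outside this hunk. A divergence would presumably only make speculations fail more often, but a header comment such as `// Must yield the namespace stack simulate() would have built for the tree builder's open elements.` would make the contract explicit. The function only reads from the tree builder, so the parameter could be `const HTMLTreeBuilder*`, matching the `const` `openElements()` accessor added in HTMLTreeBuilder.h.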
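--- a/trunk/Source/WebCore/html/parser/HTMLTreeBuilderSimulator.h
+++ b/trunk/Source/WebCore/html/parser/HTMLTreeBuilderSimulator.h
@@ -30,4 +30,5 @@
 
 #include "HTMLParserOptions.h"
+#include <wtf/PassOwnPtr.h>
 #include <wtf/Vector.h>
 
@@ -36,11 +37,8 @@
 class CompactHTMLToken;
 class HTMLTokenizer;
+class HTMLTreeBuilder;
 
 class HTMLTreeBuilderSimulator {
     WTF_MAKE_FAST_ALLOCATED;
-public:
-    explicit HTMLTreeBuilderSimulator(const HTMLParserOptions&);
-    bool simulate(const CompactHTMLToken&, HTMLTokenizer*);
-
 private:
     enum Namespace {
@@ -50,8 +48,23 @@
     };
 
+public:
+    typedef Vector<Namespace, 1> State;
+
+    explicit HTMLTreeBuilderSimulator(const HTMLParserOptions&);
+
+    static State stateFor(HTMLTreeBuilder*);
+
+    const State& state() const { return m_namespaceStack; }
+    void setState(const State& state) { m_namespaceStack = state; }
+
+    bool simulate(const CompactHTMLToken&, HTMLTokenizer*);
+
+private:
+    explicit HTMLTreeBuilderSimulator(HTMLTreeBuilder*);
+
     bool inForeignContent() const { return m_namespaceStack.last() != HTML; }
 
     HTMLParserOptions m_options;
-    Vector<Namespace, 1> m_namespaceStack;
+    State m_namespaceStack;
 };
 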
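Review bot: The private `explicit HTMLTreeBuilderSimulator(HTMLTreeBuilder*);` declared in the last hunk has no definition or caller visible anywhere in this changeset, and the new `#include <wtf/PassOwnPtr.h>` is not used by any declaration shown in the header. Both look like leftovers from an earlier iteration of the patch and could be dropped. `state()` and `setState()` also lack a comment on their threading expectations: the visible callers run them on the background parser, while `stateFor()` asserts the main thread. A line such as `// state()/setState() are for the background thread; stateFor() is main-thread only.` would help, once confirmed against the callers.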