Changeset 147144 in webkit
- Timestamp:
- Mar 28, 2013 12:57:35 PM (11 years ago)
- Location:
- trunk/Source/WebCore
- Files:
-
- 5 edited
trunk/Source/WebCore/ChangeLog
r147140 r147144 1 2013-03-28 Sheriff Bot <webkit.review.bot@gmail.com> 2 3 Unreviewed, rolling out r143834. 4 http://trac.webkit.org/changeset/143834 5 https://bugs.webkit.org/show_bug.cgi?id=113530 6 7 Multiple use-after-free regressions on ClusterFuzz (Requested 8 by inferno-sec on #webkit). 9 10 * dom/Attr.cpp: 11 (WebCore::Attr::Attr): 12 (WebCore::Attr::setValue): 13 (WebCore::Attr::childrenChanged): 14 * dom/Attr.h: 15 (Attr): 16 * dom/Element.cpp: 17 (WebCore::Element::setAttributeInternal): 18 * dom/Element.h: 19 (Element): 20 1 21 2013-03-28 Julien Chaffraix <jchaffraix@webkit.org> 2 22 -
trunk/Source/WebCore/dom/Attr.cpp
r143926 r147144 4 4 * (C) 2001 Peter Kelly (pmk@post.com) 5 5 * (C) 2001 Dirk Mueller (mueller@kde.org) 6 * Copyright (C) 2004, 2005, 2006, 2007, 2009, 2010, 2012 , 2013Apple Inc. All rights reserved.6 * Copyright (C) 2004, 2005, 2006, 2007, 2009, 2010, 2012 Apple Inc. All rights reserved. 7 7 * 8 8 * This library is free software; you can redistribute it and/or … … 31 31 #include "Text.h" 32 32 #include "XMLNSNames.h" 33 #include <wtf/TemporaryChange.h>34 33 #include <wtf/text/AtomicString.h> 35 34 #include <wtf/text/StringBuilder.h> … … 44 43 , m_name(name) 45 44 , m_ignoreChildrenChanged(0) 46 , m_inChildrenChanged(false)47 45 , m_specified(true) 48 46 { … … 55 53 , m_standaloneValue(standaloneValue) 56 54 , m_ignoreChildrenChanged(0) 57 , m_inChildrenChanged(false)58 55 , m_specified(true) 59 56 { … … 112 109 } 113 110 114 void Attr::recreateTextChildAfterAttributeValueChanged() 115 { 116 if (m_inChildrenChanged) 117 return; 111 void Attr::setValue(const AtomicString& value) 112 { 118 113 EventQueueScope scope; 119 114 m_ignoreChildrenChanged++; 120 115 removeChildren(); 116 if (m_element) 117 elementAttribute().setValue(value); 118 else 119 m_standaloneValue = value; 121 120 createTextChild(); 122 121 m_ignoreChildrenChanged--; 123 } 124 125 void Attr::setValue(const AtomicString& value) 126 { 122 127 123 invalidateNodeListCachesInAncestors(&m_name, m_element); 128 129 if (m_element) {130 m_element->setAttribute(m_name, value);131 return;132 }133 m_standaloneValue = value;134 recreateTextChildAfterAttributeValueChanged();135 124 } 136 125 137 126 void Attr::setValue(const AtomicString& value, ExceptionCode&) 138 127 { 128 if (m_element) 129 m_element->willModifyAttribute(qualifiedName(), this->value(), value); 130 139 131 setValue(value); 132 133 if (m_element) 134 m_element->didModifyAttribute(qualifiedName(), value); 140 135 } 141 136 … … 169 164 return; 170 165 171 TemporaryChange<bool> changeInChildrenChanged(m_inChildrenChanged, true);166 
invalidateNodeListCachesInAncestors(&qualifiedName(), m_element); 172 167 173 168 // FIXME: We should include entity references in the value … … 179 174 } 180 175 181 setValue(valueBuilder.toAtomicString()); 176 AtomicString newValue = valueBuilder.toAtomicString(); 177 if (m_element) 178 m_element->willModifyAttribute(qualifiedName(), value(), newValue); 179 180 if (m_element) 181 elementAttribute().setValue(newValue); 182 else 183 m_standaloneValue = newValue; 184 185 if (m_element) 186 m_element->attributeChanged(qualifiedName(), newValue); 182 187 } 183 188 -
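Review bot: The restored tail of Attr::childrenChanged tests `m_element` three times in a row (before willModifyAttribute, before the value write, before attributeChanged), which reads as three independent decisions when the standalone case is really a single early exit; folding them into one guard makes the element-attached path a straight sequence and keeps the will/did calls visibly paired. The same split already exists in the restored Attr::setValue(const AtomicString&, ExceptionCode&), where the willModifyAttribute/didModifyAttribute pair is separated by the unguarded setValue call; a one-line comment there such as `// will/didModifyAttribute only apply when this Attr is attached to an element; the standalone branch has nothing to notify` would help the next reader. childrenChanged starts outside this hunk, so the early `return` at its top and the builder loop are not shown here.
```cpp
    AtomicString newValue = valueBuilder.toAtomicString();
    if (!m_element) {
        m_standaloneValue = newValue;
        return;
    }
    m_element->willModifyAttribute(qualifiedName(), value(), newValue);
    elementAttribute().setValue(newValue);
    m_element->attributeChanged(qualifiedName(), newValue);
```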
trunk/Source/WebCore/dom/Attr.h
r143834 r147144 65 65 void detachFromElementWithValue(const AtomicString&); 66 66 67 void recreateTextChildAfterAttributeValueChanged();68 69 67 private: 70 68 Attr(Element*, const QualifiedName&); … … 104 102 105 103 RefPtr<StylePropertySet> m_style; 106 unsigned short m_ignoreChildrenChanged; 107 bool m_inChildrenChanged; 108 bool m_specified; 104 unsigned m_ignoreChildrenChanged : 31; 105 bool m_specified : 1; 109 106 }; 110 107 -
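Review bot: The restored `m_ignoreChildrenChanged` bitfield carries no comment explaining why a 31-bit counter rather than a flag is needed, and the Attr.cpp hunk in this same changeset shows the answer: Attr::setValue bumps it around removeChildren()/createTextChild() so that childrenChanged() skips the Attr's own text-child churn, and it is a counter so nested re-entries into that sequence stay suppressed until the outermost one finishes. I would add `// Non-zero while setValue() rebuilds the text child; childrenChanged() early-returns so our own mutation is not treated as a script-driven change.` above the member. If the re-entrancy reasoning is not what the counter is for, the comment should say only the first half.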
trunk/Source/WebCore/dom/Element.cpp
r147135 r147144 819 819 820 820 if (newValue != attributeItem(index)->value()) { 821 ensureUniqueElementData()->attributeItem(index)->setValue(newValue); 822 821 // If there is an Attr node hooked to this attribute, the Attr::setValue() call below 822 // will write into the ElementData. 823 // FIXME: Refactor this so it makes some sense. 823 824 if (RefPtr<Attr> attrNode = inSynchronizationOfLazyAttribute ? 0 : attrIfExists(name)) 824 attrNode->recreateTextChildAfterAttributeValueChanged(); 825 attrNode->setValue(newValue); 826 else 827 ensureUniqueElementData()->attributeItem(index)->setValue(newValue); 825 828 } 826 829 -
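Review bot: The two branches now resolve and write the attribute differently: the `else` path goes through `ensureUniqueElementData()->attributeItem(index)`, while the Attr path hands `newValue` to Attr::setValue, which (per the Attr.cpp hunk in this changeset) writes via `elementAttribute().setValue(value)` by name, after removeChildren()/createTextChild() have run under an EventQueueScope. Presumably Attr::elementAttribute() also makes the element data unique before writing — confirm, because this branch skips ensureUniqueElementData() and a shared ElementData would otherwise be mutated in place. The restored FIXME is honest that the shape is odd; until it is refactored, an `ASSERT(attributeItem(index)->value() == newValue)` after the if/else, or a comment stating that `index` must not be reused after the Attr call, would document the invariant the caller depends on. setAttributeInternal starts and ends outside this hunk.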
trunk/Source/WebCore/dom/Element.h
r147135 r147144 658 658 virtual bool alwaysCreateUserAgentShadowRoot() const { return false; } 659 659 660 // FIXME: Remove the need for Attr to call willModifyAttribute/didModifyAttribute. 661 friend class Attr; 662 660 663 enum SynchronizationOfLazyAttribute { NotInSynchronizationOfLazyAttribute = 0, InSynchronizationOfLazyAttribute }; 661 664