Changeset 147144 in webkit


Timestamp:
Mar 28, 2013 12:57:35 PM (11 years ago)
Author:
commit-queue@webkit.org
Message:

Unreviewed, rolling out r143834.
http://trac.webkit.org/changeset/143834
https://bugs.webkit.org/show_bug.cgi?id=113530

Multiple use-after-free regressions on ClusterFuzz (Requested
by inferno-sec on #webkit).

Patch by Sheriff Bot <webkit.review.bot@gmail.com> on 2013-03-28

  • dom/Attr.cpp:

(WebCore::Attr::Attr):
(WebCore::Attr::setValue):
(WebCore::Attr::childrenChanged):

  • dom/Attr.h:

(Attr):

  • dom/Element.cpp:

(WebCore::Element::setAttributeInternal):

  • dom/Element.h:

(Element):

Location:
trunk/Source/WebCore
Files:
5 edited

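--- a/trunk/Source/WebCore/ChangeLog
+++ b/trunk/Source/WebCore/ChangeLog
@@ -1,2 +1,22 @@
+2013-03-28  Sheriff Bot  <webkit.review.bot@gmail.com>
+
+        Unreviewed, rolling out r143834.
+        http://trac.webkit.org/changeset/143834
+        https://bugs.webkit.org/show_bug.cgi?id=113530
+
+        Multiple use-after-free regressions on ClusterFuzz (Requested
+        by inferno-sec on #webkit).
+
+        * dom/Attr.cpp:
+        (WebCore::Attr::Attr):
+        (WebCore::Attr::setValue):
+        (WebCore::Attr::childrenChanged):
+        * dom/Attr.h:
+        (Attr):
+        * dom/Element.cpp:
+        (WebCore::Element::setAttributeInternal):
+        * dom/Element.h:
+        (Element):
+
 2013-03-28  Julien Chaffraix  <jchaffraix@webkit.org>
 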
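--- a/trunk/Source/WebCore/dom/Attr.cpp
+++ b/trunk/Source/WebCore/dom/Attr.cpp
@@ -4,5 +4,5 @@
  *           (C) 2001 Peter Kelly (pmk@post.com)
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
- * Copyright (C) 2004, 2005, 2006, 2007, 2009, 2010, 2012, 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2004, 2005, 2006, 2007, 2009, 2010, 2012 Apple Inc. All rights reserved.
  *
  * This library is free software; you can redistribute it and/or
@@ -31,5 +31,4 @@
 #include "Text.h"
 #include "XMLNSNames.h"
-#include <wtf/TemporaryChange.h>
 #include <wtf/text/AtomicString.h>
 #include <wtf/text/StringBuilder.h>
@@ -44,5 +43,4 @@
     , m_name(name)
     , m_ignoreChildrenChanged(0)
-    , m_inChildrenChanged(false)
     , m_specified(true)
 {
@@ -55,5 +53,4 @@
     , m_standaloneValue(standaloneValue)
     , m_ignoreChildrenChanged(0)
-    , m_inChildrenChanged(false)
     , m_specified(true)
 {
@@ -112,29 +109,27 @@
 }
 
-void Attr::recreateTextChildAfterAttributeValueChanged()
-{
-    if (m_inChildrenChanged)
-        return;
+void Attr::setValue(const AtomicString& value)
+{
     EventQueueScope scope;
     m_ignoreChildrenChanged++;
     removeChildren();
+    if (m_element)
+        elementAttribute().setValue(value);
+    else
+        m_standaloneValue = value;
     createTextChild();
     m_ignoreChildrenChanged--;
-}
-
-void Attr::setValue(const AtomicString& value)
-{
+
     invalidateNodeListCachesInAncestors(&m_name, m_element);
-
-    if (m_element) {
-        m_element->setAttribute(m_name, value);
-        return;
-    }
-    m_standaloneValue = value;
-    recreateTextChildAfterAttributeValueChanged();
 }
 
 void Attr::setValue(const AtomicString& value, ExceptionCode&)
 {
+    if (m_element)
+        m_element->willModifyAttribute(qualifiedName(), this->value(), value);
+
     setValue(value);
+
+    if (m_element)
+        m_element->didModifyAttribute(qualifiedName(), value);
 }
 
@@ -169,5 +164,5 @@
         return;
 
-    TemporaryChange<bool> changeInChildrenChanged(m_inChildrenChanged, true);
+    invalidateNodeListCachesInAncestors(&qualifiedName(), m_element);
 
     // FIXME: We should include entity references in the value
@@ -179,5 +174,15 @@
     }
 
-    setValue(valueBuilder.toAtomicString());
+    AtomicString newValue = valueBuilder.toAtomicString();
+    if (m_element)
+        m_element->willModifyAttribute(qualifiedName(), value(), newValue);
+
+    if (m_element)
+        elementAttribute().setValue(newValue);
+    else
+        m_standaloneValue = newValue;
+
+    if (m_element)
+        m_element->attributeChanged(qualifiedName(), newValue);
 }
 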
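Review bot: The single-argument `Attr::setValue(const AtomicString&)` restored in the setValue hunk writes straight into the owning element's data through `elementAttribute().setValue(value)` and rebuilds the Text child, but raises no willModifyAttribute/didModifyAttribute notification, while the `ExceptionCode&` overload directly below it does; nothing at the definition says so, and Element::setAttributeInternal in this same changeset calls the non-notifying one. A header comment would keep callers from picking the wrong overload: `// Writes the new value into m_element's ElementData (or m_standaloneValue) and rebuilds the Text child; does not call willModifyAttribute/didModifyAttribute — see the ExceptionCode overload for the notifying variant.` The `ExceptionCode&` parameter is left unnamed and never set, which reads as intentional but deserves a word in the same comment. The two childrenChanged hunks belong to a function whose start lies outside the hunk; there the three consecutive `if (m_element)` checks could be folded into a single branch, though the interleaved `else` assignment to m_standaloneValue makes the current shape at least explicit.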
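--- a/trunk/Source/WebCore/dom/Attr.h
+++ b/trunk/Source/WebCore/dom/Attr.h
@@ -65,6 +65,4 @@
     void detachFromElementWithValue(const AtomicString&);
 
-    void recreateTextChildAfterAttributeValueChanged();
-
 private:
     Attr(Element*, const QualifiedName&);
@@ -104,7 +102,6 @@
 
     RefPtr<StylePropertySet> m_style;
-    unsigned short m_ignoreChildrenChanged;
-    bool m_inChildrenChanged;
-    bool m_specified;
+    unsigned m_ignoreChildrenChanged : 31;
+    bool m_specified : 1;
 };
 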
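Review bot: The restored bitfield pair `unsigned m_ignoreChildrenChanged : 31; bool m_specified : 1;` mixes two declared types in what the 31/1 split clearly intends to be a single 32-bit unit, and MSVC starts a new allocation unit whenever the bitfield type changes, so that packing is not guaranteed across WebKit's compilers. Declaring both members with the same type, `unsigned m_specified : 1;`, gets the intended layout everywhere, and the `m_specified(true)` initializers in the Attr.cpp constructors compile unchanged. If the size matters enough to split bits, a compile-time size assertion next to the members would pin it.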
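--- a/trunk/Source/WebCore/dom/Element.cpp
+++ b/trunk/Source/WebCore/dom/Element.cpp
@@ -819,8 +819,11 @@
 
     if (newValue != attributeItem(index)->value()) {
-        ensureUniqueElementData()->attributeItem(index)->setValue(newValue);
-
+        // If there is an Attr node hooked to this attribute, the Attr::setValue() call below
+        // will write into the ElementData.
+        // FIXME: Refactor this so it makes some sense.
         if (RefPtr<Attr> attrNode = inSynchronizationOfLazyAttribute ? 0 : attrIfExists(name))
-            attrNode->recreateTextChildAfterAttributeValueChanged();
+            attrNode->setValue(newValue);
+        else
+            ensureUniqueElementData()->attributeItem(index)->setValue(newValue);
     }
 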
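--- a/trunk/Source/WebCore/dom/Element.h
+++ b/trunk/Source/WebCore/dom/Element.h
@@ -658,4 +658,7 @@
     virtual bool alwaysCreateUserAgentShadowRoot() const { return false; }
 
+    // FIXME: Remove the need for Attr to call willModifyAttribute/didModifyAttribute.
+    friend class Attr;
+
     enum SynchronizationOfLazyAttribute { NotInSynchronizationOfLazyAttribute = 0, InSynchronizationOfLazyAttribute };
 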
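Review bot: `friend class Attr;` hands Attr every private member of Element, while the FIXME above it names only willModifyAttribute and didModifyAttribute as what Attr needs, and the Attr.cpp side of this changeset additionally calls attributeChanged; the grant is far broader than its stated purpose. Since the FIXME already marks the friendship as temporary, it should at least list the full set Attr relies on so the friend can be removed safely later, e.g. `// FIXME: Remove the need for Attr to call willModifyAttribute/didModifyAttribute/attributeChanged.` Whether attributeChanged is itself non-public is not visible in this hunk.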