Context Navigation

← Previous Changeset
Next Changeset →

Changeset 178363 in webkit

Timestamp:

Jan 13, 2015 8:59:49 AM (9 years ago)

Author:

akling@apple.com

Message:

Element::normalizeAttributes() needs to handle arbitrary JS executing between loop iterations.
<https://webkit.org/b/140379>
<rdar://problem/19446901>

Reviewed by Benjamin Poulain.

Source/WebCore:

Since DOM mutation events may arise below the call to Node::normalize(),
have the loop in Element::normalizeAttributes() make a copy of the Attr nodes
beforehand, to guard against mutations.

Based on a patch by Chris "Chris Dumez" Dumez.

Test: fast/dom/Element/normalize-crash2.html

dom/Element.cpp:

(WebCore::Element::normalizeAttributes):

LayoutTests:

fast/dom/Element/normalize-crash2-expected.txt: Added.
fast/dom/Element/normalize-crash2.html: Added.

Location:

trunk

Files:

: 2 added
: 3 edited

LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/fast/dom/Element/normalize-crash2-expected.txt (added)
LayoutTests/fast/dom/Element/normalize-crash2.html (added)
Source/WebCore/ChangeLog (modified) (1 diff)
Source/WebCore/dom/Element.cpp (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r178362
+                      r178363
+-01-13  Andreas Kling  <akling@apple.com>
+        Element::normalizeAttributes() needs to handle arbitrary JS executing between loop iterations.
+        <https://webkit.org/b/140379>
+        <rdar://problem/19446901>
+        Reviewed by Benjamin Poulain.
+        * fast/dom/Element/normalize-crash2-expected.txt: Added.
+        * fast/dom/Element/normalize-crash2.html: Added.
 -01-13  Andrzej Badowski  <a.badowski@samsung.com>

trunk/Source/WebCore/ChangeLog

-                      r178349
+                      r178363
+-01-13  Andreas Kling  <akling@apple.com>
+        Element::normalizeAttributes() needs to handle arbitrary JS executing between loop iterations.
+        <https://webkit.org/b/140379>
+        <rdar://problem/19446901>
+        Reviewed by Benjamin Poulain.
+        Since DOM mutation events may arise below the call to Node::normalize(),
+        have the loop in Element::normalizeAttributes() make a copy of the Attr nodes
+        beforehand, to guard against mutations.
+        Based on a patch by Chris "Chris Dumez" Dumez.
+        Test: fast/dom/Element/normalize-crash2.html
+        * dom/Element.cpp:
+        (WebCore::Element::normalizeAttributes):
 -01-13  Shivakumar JM  <shiva.jm@samsung.com>

trunk/Source/WebCore/dom/Element.cpp

-                      r178048
+                      r178363
     if (!hasAttributes())
         return;
+    for (const Attribute& attribute : attributesIterator()) {
+        if (RefPtr<Attr> attr = attrIfExists(attribute.name()))
+            attr->normalize();
+    }
+    auto* attrNodeList = attrNodeListForElement(*this);
+    if (!attrNodeList)
+        return;
+    // Copy the Attr Vector because Node::normalize() can fire synchronous JS
+    // events (e.g. DOMSubtreeModified) and a JS listener could add / remove
+    // attributes while we are iterating.
+    auto copyOfAttrNodeList = *attrNodeList;
+    for (auto& attrNode : copyOfAttrNodeList)
+        attrNode->normalize();
+}

Note: See TracChangeset for help on using the changeset viewer.