Changeset 190760 in webkit


Timestamp:
Oct 8, 2015 4:45:11 PM (8 years ago)
Author:
commit-queue@webkit.org
Message:

Gracefully handle XMLDocumentParser being detached by mutation events.
https://bugs.webkit.org/show_bug.cgi?id=149485
<rdar://problem/22811489>

Source/WebCore:

This is a merge of Blink change 200026,
https://codereview.chromium.org/1267283002

Patch by Jiewen Tan <jiewen_tan@apple.com> on 2015-10-08
Reviewed by Darin Adler.

Test: fast/parser/xhtml-dom-character-data-modified-crash.html

  • xml/parser/XMLDocumentParser.cpp:

(WebCore::XMLDocumentParser::createLeafTextNode):
Renamed from enterText() to make it more descriptive.

(WebCore::XMLDocumentParser::updateLeafTextNode):
Renamed from exitText to firm up this stage.

(WebCore::XMLDocumentParser::end):
Gracefully handle stopped states.

(WebCore::XMLDocumentParser::enterText): Deleted.
(WebCore::XMLDocumentParser::exitText): Deleted.

  • xml/parser/XMLDocumentParser.h:

Rename enterText to createLeafTextNode.
Rename exitText to updateLeafTextNode.

  • xml/parser/XMLDocumentParserLibxml2.cpp:

(WebCore::XMLDocumentParser::startElementNs):
(WebCore::XMLDocumentParser::endElementNs):
(WebCore::XMLDocumentParser::characters):
(WebCore::XMLDocumentParser::processingInstruction):
(WebCore::XMLDocumentParser::cdataBlock):
(WebCore::XMLDocumentParser::comment):
(WebCore::XMLDocumentParser::endDocument):
Rename function calls and firm up updateLeafTextNode stage accordingly.

LayoutTests:

Patch by Jiewen Tan <jiewen_tan@apple.com> on 2015-10-08
Reviewed by Darin Adler.

  • fast/parser/resources/xhtml-overwrite-frame.xhtml: Added.
  • fast/parser/xhtml-dom-character-data-modified-crash-expected.txt: Added.
  • fast/parser/xhtml-dom-character-data-modified-crash.html: Added.
Location:
trunk
Files:
3 added
5 edited

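--- a/trunk/LayoutTests/ChangeLog
+++ b/trunk/LayoutTests/ChangeLog
@@ -1,2 +1,14 @@
+2015-10-08  Jiewen Tan  <jiewen_tan@apple.com>
+
+        Gracefully handle XMLDocumentParser being detached by mutation events.
+        https://bugs.webkit.org/show_bug.cgi?id=149485
+        <rdar://problem/22811489>
+
+        Reviewed by Darin Adler.
+
+        * fast/parser/resources/xhtml-overwrite-frame.xhtml: Added.
+        * fast/parser/xhtml-dom-character-data-modified-crash-expected.txt: Added.
+        * fast/parser/xhtml-dom-character-data-modified-crash.html: Added.
+
 2015-10-08  Jiewen Tan  <jiewen_tan@apple.com>
 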
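--- a/trunk/Source/WebCore/ChangeLog
+++ b/trunk/Source/WebCore/ChangeLog
@@ -1,2 +1,42 @@
+2015-10-08  Jiewen Tan  <jiewen_tan@apple.com>
+
+        Gracefully handle XMLDocumentParser being detached by mutation events.
+        https://bugs.webkit.org/show_bug.cgi?id=149485
+        <rdar://problem/22811489>
+
+        This is a merge of Blink change 200026,
+        https://codereview.chromium.org/1267283002
+
+        Reviewed by Darin Adler.
+
+        Test: fast/parser/xhtml-dom-character-data-modified-crash.html
+
+        * xml/parser/XMLDocumentParser.cpp:
+        (WebCore::XMLDocumentParser::createLeafTextNode):
+        Renamed from enterText() to make it more descriptive.
+
+        (WebCore::XMLDocumentParser::updateLeafTextNode):
+        Renamed from exitText to firm up this stage.
+
+        (WebCore::XMLDocumentParser::end):
+        Gracefully handle stopped states.
+
+        (WebCore::XMLDocumentParser::enterText): Deleted.
+        (WebCore::XMLDocumentParser::exitText): Deleted.
+
+        * xml/parser/XMLDocumentParser.h:
+        Rename enterText to createLeafTextNode.
+        Rename exitText to updateLeafTextNode.
+
+        * xml/parser/XMLDocumentParserLibxml2.cpp:
+        (WebCore::XMLDocumentParser::startElementNs):
+        (WebCore::XMLDocumentParser::endElementNs):
+        (WebCore::XMLDocumentParser::characters):
+        (WebCore::XMLDocumentParser::processingInstruction):
+        (WebCore::XMLDocumentParser::cdataBlock):
+        (WebCore::XMLDocumentParser::comment):
+        (WebCore::XMLDocumentParser::endDocument):
+        Rename function calls and firm up updateLeafTextNode stage accordingly.
+
 2015-10-08  Chris Dumez  <cdumez@apple.com>
 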
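--- a/trunk/Source/WebCore/xml/parser/XMLDocumentParser.cpp
+++ b/trunk/Source/WebCore/xml/parser/XMLDocumentParser.cpp
@@ -137,6 +137,9 @@
 }
 
-void XMLDocumentParser::enterText()
-{
+void XMLDocumentParser::createLeafTextNode()
+{
+    if (m_leafTextNode)
+        return;
+
     ASSERT(m_bufferedText.size() == 0);
     ASSERT(!m_leafTextNode);
@@ -151,17 +154,21 @@
 
 
-void XMLDocumentParser::exitText()
+bool XMLDocumentParser::updateLeafTextNode()
 {
     if (isStopped())
-        return;
+        return false;
 
     if (!m_leafTextNode)
-        return;
-
+        return true;
+
+    // This operation might fire mutation event, see below.
     m_leafTextNode->appendData(toString(m_bufferedText.data(), m_bufferedText.size()));
-    Vector<xmlChar> empty;
-    m_bufferedText.swap(empty);
+    m_bufferedText = { };
 
     m_leafTextNode = nullptr;
+
+    // Hence, we need to check again whether the parser is stopped, since mutation
+    // event handlers executed by appendData might have detached this parser.
+    return !isStopped();
 }
 
@@ -192,5 +199,5 @@
         insertErrorMessageBlock();
     else {
-        exitText();
+        updateLeafTextNode();
         document()->styleResolverChanged(RecalcStyleImmediately);
     }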
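Review bot: In end(), the last hunk (new line 201) discards the new bool from `updateLeafTextNode()` and goes straight on to `document()->styleResolverChanged(RecalcStyleImmediately);`, even though the function now reports that a mutation handler run by `appendData()` may have stopped or detached the parser. If detaching clears the parser's document, as the commit title suggests it can, that call is made on a parser that no longer has one; the rest of end() is outside the hunk, so any guard further down is not visible here. Consider putting `if (updateLeafTextNode())` in front of the `styleResolverChanged` call. Separately, in createLeafTextNode() the retained `ASSERT(!m_leafTextNode);` can no longer fail after the new early return and could be dropped.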
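--- a/trunk/Source/WebCore/xml/parser/XMLDocumentParser.h
+++ b/trunk/Source/WebCore/xml/parser/XMLDocumentParser.h
@@ -147,6 +147,6 @@
         void insertErrorMessageBlock();
 
-        void enterText();
-        void exitText();
+        void createLeafTextNode();
+        bool updateLeafTextNode();
 
         void doWrite(const String&);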
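Review bot: The declaration `bool updateLeafTextNode();` gives no hint of what the result means, and two callers in this changeset (end() and endDocument()) ignore it. A one-line comment above the declaration would make the contract explicit, for example `// Returns false if the parser is stopped, including by a mutation event handler run during the update; callers should bail out.` The class body starts and ends outside the hunk.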
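--- a/trunk/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp
+++ b/trunk/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp
@@ -798,5 +798,6 @@
     }
 
-    exitText();
+    if (!updateLeafTextNode())
+        return;
 
     AtomicString localName = toAtomicString(xmlLocalName);
@@ -878,5 +879,6 @@
     Ref<XMLDocumentParser> protect(*this);
 
-    exitText();
+    if (!updateLeafTextNode())
+        return;
 
     RefPtr<ContainerNode> node = m_currentNode;
@@ -953,5 +955,5 @@
 
     if (!m_leafTextNode)
-        enterText();
+        createLeafTextNode();
     m_bufferedText.append(s, len);
 }
@@ -992,5 +994,6 @@
     }
 
-    exitText();
+    if (!updateLeafTextNode())
+        return;
 
     // ### handle exceptions
@@ -1026,5 +1029,6 @@
     }
 
-    exitText();
+    if (!updateLeafTextNode())
+        return;
 
     auto newNode = CDATASection::create(m_currentNode->document(), toString(s, len));
@@ -1042,5 +1046,6 @@
     }
 
-    exitText();
+    if (!updateLeafTextNode())
+        return;
 
     auto newNode = Comment::create(m_currentNode->document(), toString(s));
@@ -1074,5 +1079,5 @@
 void XMLDocumentParser::endDocument()
 {
-    exitText();
+    updateLeafTextNode();
 }
 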
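Review bot: Only the hunk at new lines 879–884 shows a `Ref<XMLDocumentParser> protect(*this);` held across the `updateLeafTextNode()` call; the other call sites in this file (new lines 800, 996, 1031, 1048 and 1081) sit in functions that start outside their hunks, so it is not visible whether they keep the parser alive. updateLeafTextNode() still writes `m_bufferedText` and `m_leafTextNode` after `appendData()` has run mutation handlers, so if a handler could drop the last reference to the parser, those writes would touch freed memory. If the callbacks do not already hold a protector, add the same `Ref<XMLDocumentParser> protect(*this);` ahead of each call, or take it once at the top of updateLeafTextNode().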