Changeset 93032 in webkit


Timestamp:
Aug 14, 2011 4:08:11 PM (13 years ago)
Author:
inferno@chromium.org
Message:

Source/WebCore: Crash in HTMLTreeBuilder::processAnyOtherEndTagForInBody
https://bugs.webkit.org/show_bug.cgi?id=66187

Reviewed by Adam Barth.

RefPtr a few ContainerNodes to prevent premature deletion.

Test: fast/html/process-end-tag-for-inbody-crash.html

  • html/parser/HTMLTreeBuilder.cpp:

(WebCore::HTMLTreeBuilder::processCloseWhenNestedTag):
(WebCore::HTMLTreeBuilder::processAnyOtherEndTagForInBody):
(WebCore::HTMLTreeBuilder::callTheAdoptionAgency):

LayoutTests: Crash in HTMLTreeBuilder::processAnyOtherEndTagForInBody.
https://bugs.webkit.org/show_bug.cgi?id=66187

Reviewed by Adam Barth.

  • fast/html/process-end-tag-for-inbody-crash-expected.txt: Added.
  • fast/html/process-end-tag-for-inbody-crash.html: Added.
Location:
trunk
Files:
2 added
3 edited

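--- a/trunk/LayoutTests/ChangeLog
+++ b/trunk/LayoutTests/ChangeLog
@@ -1,2 +1,12 @@
+2011-08-13  Abhishek Arya  <inferno@chromium.org>
+
+        Crash in HTMLTreeBuilder::processAnyOtherEndTagForInBody.
+        https://bugs.webkit.org/show_bug.cgi?id=66187
+
+        Reviewed by Adam Barth.
+
+        * fast/html/process-end-tag-for-inbody-crash-expected.txt: Added.
+        * fast/html/process-end-tag-for-inbody-crash.html: Added.
+
 2011-08-12  Ryosuke Niwa  <rniwa@webkit.org>
 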
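--- a/trunk/Source/WebCore/ChangeLog
+++ b/trunk/Source/WebCore/ChangeLog
@@ -1,2 +1,18 @@
+2011-08-13  Abhishek Arya  <inferno@chromium.org>
+
+        Crash in HTMLTreeBuilder::processAnyOtherEndTagForInBody
+        https://bugs.webkit.org/show_bug.cgi?id=66187
+
+        Reviewed by Adam Barth.
+
+        RefPtr a few ContainerNodes to prevent premature deletion.
+
+        Test: fast/html/process-end-tag-for-inbody-crash.html
+
+        * html/parser/HTMLTreeBuilder.cpp:
+        (WebCore::HTMLTreeBuilder::processCloseWhenNestedTag):
+        (WebCore::HTMLTreeBuilder::processAnyOtherEndTagForInBody):
+        (WebCore::HTMLTreeBuilder::callTheAdoptionAgency):
+
 2011-08-14  Kalev Lember  <kalevlember@gmail.com>
 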
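--- a/trunk/Source/WebCore/html/parser/HTMLTreeBuilder.cpp
+++ b/trunk/Source/WebCore/html/parser/HTMLTreeBuilder.cpp
@@ -606,11 +606,11 @@
     HTMLElementStack::ElementRecord* nodeRecord = m_tree.openElements()->topRecord();
     while (1) {
-        ContainerNode* node = nodeRecord->node();
-        if (shouldClose(node)) {
+        RefPtr<ContainerNode> node = nodeRecord->node();
+        if (shouldClose(node.get())) {
             ASSERT(node->isElementNode());
-            processFakeEndTag(toElement(node)->tagQName());
+            processFakeEndTag(toElement(node.get())->tagQName());
             break;
         }
-        if (isSpecialNode(node) && !node->hasTagName(addressTag) && !node->hasTagName(divTag) && !node->hasTagName(pTag))
+        if (isSpecialNode(node.get()) && !node->hasTagName(addressTag) && !node->hasTagName(divTag) && !node->hasTagName(pTag))
             break;
         nodeRecord = nodeRecord->next();
@@ -1557,5 +1557,5 @@
     HTMLElementStack::ElementRecord* record = m_tree.openElements()->topRecord();
     while (1) {
-        ContainerNode* node = record->node();
+        RefPtr<ContainerNode> node = record->node();
         if (node->hasLocalName(token.name())) {
             m_tree.generateImpliedEndTags();
@@ -1571,11 +1571,11 @@
                 // We might have already popped the node for the token in
                 // generateImpliedEndTags, just abort.
-                if (!m_tree.openElements()->contains(toElement(node)))
+                if (!m_tree.openElements()->contains(toElement(node.get())))
                     return;
             }
-            m_tree.openElements()->popUntilPopped(toElement(node));
-            return;
-        }
-        if (isSpecialNode(node)) {
+            m_tree.openElements()->popUntilPopped(toElement(node.get()));
+            return;
+        }
+        if (isSpecialNode(node.get())) {
             parseError(token);
             return;
@@ -1634,5 +1634,5 @@
         // 4.
         ASSERT(furthestBlock->isAbove(formattingElementRecord));
-        ContainerNode* commonAncestor = formattingElementRecord->next()->node();
+        RefPtr<ContainerNode> commonAncestor = formattingElementRecord->next()->node();
         // 5.
         HTMLFormattingElementList::Bookmark bookmark = m_tree.activeFormattingElements()->bookmarkFor(formattingElement);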
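Review bot: In the last hunk (callTheAdoptionAgency) only `commonAncestor` is pinned with a RefPtr, while `formattingElementRecord` and `furthestBlock` are still used as plain pointers and the function continues past the visible lines, so it should be confirmed that nothing later dereferences them after a call that can pop the open-element stack. In the two loops above, `nodeRecord` and `record` are also raw `ElementRecord*`, but the visible paths `break` or `return` right after `processFakeEndTag()` and `generateImpliedEndTags()`, so they appear not to be touched afterwards. None of the new declarations says why a strong reference is required; a comment such as `// Hold a ref: the node may be destroyed during the calls below (bug 66187).` on each would keep a later cleanup from switching back to a raw pointer and reintroducing the dangling access.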