Crash in HTMLCollection::updateNamedElementCache
author: rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 5 Dec 2018 00:30:23 +0000 (00:30 +0000)
committer: rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 5 Dec 2018 00:30:23 +0000 (00:30 +0000)
commit: a6e51ec8c7df6fd837fc252bbcc289759b34cc49
tree: 4c6cc58de964999fb7a4194024be525d9e0ff56f
parent: 3e041096226e446104fecddfef9421fcf3c45146
Crash in HTMLCollection::updateNamedElementCache
https://bugs.webkit.org/show_bug.cgi?id=192347

Reviewed by Darin Adler.

Source/WebCore:

The bug was caused by CollectionIndexCache's nodeAt caching the length of 1
when there are no matching elements in the subtree when the index is non-zero.

A related bug was fixed in r182125 but we were not considering the possibility
that the index given to this function might be non-zero even when there were
no matching elements.

Test: fast/dom/options-collection-zero-length-crash.html

* dom/CollectionIndexCache.h:
(WebCore::CollectionIndexCache<Collection, Iterator>::nodeAt):

LayoutTests:

Added a regression test. We can't simply call select.options.item
to catch this crash because the generated binding code first calls length()
to check if the index is within the valid range.

* fast/dom/options-collection-zero-length-crash-expected.txt: Added.
* fast/dom/options-collection-zero-length-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@238880 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/dom/options-collection-zero-length-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/options-collection-zero-length-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/CollectionIndexCache.h