Reviewed by Eric.
authorap <ap@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 21 Aug 2006 16:55:02 +0000 (16:55 +0000)
committerap <ap@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 21 Aug 2006 16:55:02 +0000 (16:55 +0000)
        - http://bugzilla.opendarwin.org/show_bug.cgi?id=10429
          XSLTProcessor.transformToFragment crashes if the owner document is empty

        Test: fast/js/xslt-fragment-in-empty-doc.html

        * dom/XMLTokenizer.cpp:
        (WebCore::XMLTokenizer::XMLTokenizer): Don't iterate over the element stack if it's empty.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@15951 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/js/resources/xslt-fragment-in-empty-doc.js [new file with mode: 0644]
LayoutTests/fast/js/xslt-fragment-in-empty-doc-expected.txt [new file with mode: 0644]
LayoutTests/fast/js/xslt-fragment-in-empty-doc.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/dom/XMLTokenizer.cpp

index fd45d33..6f29d24 100644 (file)
@@ -1,3 +1,14 @@
+2006-08-21  Alexey Proskuryakov  <ap@nypop.com>
+
+        Reviewed by Eric.
+
+        - test for http://bugzilla.opendarwin.org/show_bug.cgi?id=10429
+          XSLTProcessor.transformToFragment crashes if the owner document is empty
+
+        * fast/js/resources/xslt-fragment-in-empty-doc.js: Added.
+        * fast/js/xslt-fragment-in-empty-doc-expected.txt: Added.
+        * fast/js/xslt-fragment-in-empty-doc.html: Added.
+
 2006-08-16  Justin Garcia  <justin.garcia@apple.com>
 
         Reviewed by thatcher
diff --git a/LayoutTests/fast/js/resources/xslt-fragment-in-empty-doc.js b/LayoutTests/fast/js/resources/xslt-fragment-in-empty-doc.js
new file mode 100644 (file)
index 0000000..504faca
--- /dev/null
@@ -0,0 +1,23 @@
+description(
+"This test checks whether XSLTProcessor.transformToFragment() does not crash when the target document does not have a root node."
+);
+
+var xml = (new DOMParser()).parseFromString('<doc/>', 'application/xml');
+var xsl = (new DOMParser()).parseFromString(
+    '<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">' +
+    '<xsl:output method="xml" omit-xml-declaration="yes"/>' +
+    ' <xsl:template match="doc">SUCCESS</xsl:template>' +
+    '</xsl:stylesheet>', 
+    'application/xml');
+
+var p = new XSLTProcessor;
+p.importStylesheet(xsl);
+var ownerDocument = document.implementation.createDocument("", "", null);
+var f = p.transformToFragment(xml, ownerDocument);
+
+// Firefox throws an exception here, while WebKit doesn't:
+// "An attempt was made to create or change an object in a way which is incorrect with regard to namespaces."
+ownerDocument = document.implementation.createDocument("", null, null);
+f = p.transformToFragment(xml, ownerDocument);
+
+var successfullyParsed = true;
diff --git a/LayoutTests/fast/js/xslt-fragment-in-empty-doc-expected.txt b/LayoutTests/fast/js/xslt-fragment-in-empty-doc-expected.txt
new file mode 100644 (file)
index 0000000..f043f9c
--- /dev/null
@@ -0,0 +1,9 @@
+This test checks whether XSLTProcessor.transformToFragment() does not crash when the target document does not have a root node.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/js/xslt-fragment-in-empty-doc.html b/LayoutTests/fast/js/xslt-fragment-in-empty-doc.html
new file mode 100644 (file)
index 0000000..3aa0078
--- /dev/null
@@ -0,0 +1,13 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="resources/js-test-style.css">
+<script src="resources/js-test-pre.js"></script>
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script src="resources/xslt-fragment-in-empty-doc.js"></script>
+<script src="resources/js-test-post.js"></script>
+</body>
+</html>
index ade7d08..513646d 100644 (file)
@@ -1,3 +1,15 @@
+2006-08-21  Alexey Proskuryakov  <ap@nypop.com>
+
+        Reviewed by Eric.
+
+        - http://bugzilla.opendarwin.org/show_bug.cgi?id=10429
+          XSLTProcessor.transformToFragment crashes if the owner document is empty
+
+        Test: fast/js/xslt-fragment-in-empty-doc.html
+
+        * dom/XMLTokenizer.cpp:
+        (WebCore::XMLTokenizer::XMLTokenizer): Don't iterate over the element stack if it's empty.
+
 2006-08-21  Brady Eidson  <beidson@apple.com>
 
         Reviewed by Anders
index dc49e38..f4a583a 100644 (file)
@@ -578,6 +578,10 @@ XMLTokenizer::XMLTokenizer(DocumentFragment *fragment, Element *parentElement)
             break;
         parentElement = static_cast<Element *>(n);
     }
+    
+    if (elemStack.isEmpty())
+        return;
+    
     for (Element *element = elemStack.last(); !elemStack.isEmpty(); elemStack.removeLast()) {
         if (NamedAttrMap *attrs = element->attributes()) {
             for (unsigned i = 0; i < attrs->length(); i++) {