REGRESSION: Crash in XMLDocumentParser::startElementNs
author: rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 15 Oct 2013 21:13:31 +0000 (21:13 +0000)
committer: rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 15 Oct 2013 21:13:31 +0000 (21:13 +0000)
https://bugs.webkit.org/show_bug.cgi?id=122817

Reviewed by Darin Adler.

Source/WebCore:

Exit early in startElementNs when listeners and handlers of synchronous events such as the load event
remove the inserted node inside parserAppendChild.

Test: fast/parser/xhtml-synchronous-detach-crash.html

* xml/parser/XMLDocumentParserLibxml2.cpp:
(WebCore::XMLDocumentParser::startElementNs):

LayoutTests:

Add a regression test from https://chromium.googlesource.com/chromium/blink/+/57afab5d21cccd89f032b9a3e62f3a61c6a0e9c2

* fast/parser/resources/remove-parent.xhtml: Added.
* fast/parser/xhtml-synchronous-detach-crash-expected.txt: Added.
* fast/parser/xhtml-synchronous-detach-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@157470 268f45cc-cd09-0410-ab3c-d52691b4dbfc
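The re-entrancy hazard the commit message describes, as an added C++ illustration written for this page (it is not WebKit code): a toy tree builder appends a freshly created element to its current node, fires a synchronous "inserted" listener, and then must re-check its own state because the listener may have torn down the subtree the parser was positioned in. The `Node`, `ToyParser`, `startElement`, `removeSubtree` and `runScenario` names are assumptions made for this example; the guard `if (!m_currentNode) return false;` mirrors the shape of the fix.

```cpp
// Added illustration, not WebKit code: a toy parser whose append step can run
// a synchronous listener that mutates the tree, and the early-exit guard that
// keeps the parser from continuing with a cleared current node.
#include <cstddef>
#include <functional>
#include <initializer_list>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

struct Node {
    std::string name;
    Node* parent = nullptr;                       // non-owning back pointer
    std::vector<std::shared_ptr<Node>> children;  // owning
    explicit Node(std::string n) : name(std::move(n)) {}
};

class ToyParser {
public:
    using Listener = std::function<void(ToyParser&, Node&)>;

    explicit ToyParser(Listener onInserted)
        : m_root(std::make_shared<Node>("#document")),
          m_openElements{m_root},
          m_currentNode(m_root.get()),
          m_onInserted(std::move(onInserted)) {}

    // Same shape as startElementNs: create, append (which may run script-like
    // listeners), then descend. Returns false when the parser had to bail out.
    bool startElement(const std::string& name) {
        auto newElement = std::make_shared<Node>(name);  // kept alive across the listener
        parserAppendChild(newElement);
        if (!m_currentNode)  // a listener detached the subtree we were inside
            return false;
        m_openElements.push_back(newElement);
        m_currentNode = newElement.get();
        return true;
    }

    // Detach a subtree. If the parser's current node lies inside it, clear the
    // pointer instead of leaving it dangling (the contract the guard relies on).
    void removeSubtree(Node& node) {
        Node* parent = node.parent;
        if (!parent)
            return;
        for (Node* n = m_currentNode; n; n = n->parent) {
            if (n == &node) {
                m_currentNode = nullptr;
                m_openElements.clear();
                break;
            }
        }
        auto& siblings = parent->children;
        for (auto it = siblings.begin(); it != siblings.end(); ++it) {
            if (it->get() == &node) {
                siblings.erase(it);
                break;
            }
        }
    }

    const Node& root() const { return *m_root; }
    const Node* currentNode() const { return m_currentNode; }

private:
    void parserAppendChild(std::shared_ptr<Node> child) {
        child->parent = m_currentNode;
        m_currentNode->children.push_back(child);
        m_onInserted(*this, *child);  // synchronous: may call removeSubtree()
    }

    std::shared_ptr<Node> m_root;
    std::vector<std::shared_ptr<Node>> m_openElements;
    Node* m_currentNode;
    Listener m_onInserted;
};

struct ScenarioResult {
    int started;               // how many startElement calls succeeded
    std::size_t rootChildren;  // children left under the document node
    bool currentNull;          // did the parser bail out?
};

// Parse the constructed sequence html > body > iframe. When listenerDetaches
// is set, the listener removes the iframe's parent during the append, the way
// the regression test's onload handler removes the frame being parsed.
ScenarioResult runScenario(bool listenerDetaches) {
    ToyParser parser([listenerDetaches](ToyParser& p, Node& inserted) {
        if (listenerDetaches && inserted.name == "iframe" && inserted.parent)
            p.removeSubtree(*inserted.parent);
    });
    int started = 0;
    for (const char* name : {"html", "body", "iframe"}) {
        if (!parser.startElement(name))
            break;
        ++started;
    }
    return {started, parser.root().children.size(), parser.currentNode() == nullptr};
}

int main() {
    ScenarioResult benign = runScenario(false);
    ScenarioResult detached = runScenario(true);
    std::cout << "benign listener: started " << benign.started << " elements\n"
              << "detaching listener: started " << detached.started
              << ", parser bailed out: " << (detached.currentNull ? "yes" : "no") << "\n";
    return 0;
}
```

The design point is that the guard is only as good as the code that clears `m_currentNode`: whatever detaches the tree must reset the parser's pointer, and the parser must re-read it after every call that can run listeners, because any state cached before `parserAppendChild` may be stale afterwards.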

LayoutTests/ChangeLog
LayoutTests/fast/parser/resources/remove-parent.xhtml [new file with mode: 0644]
LayoutTests/fast/parser/xhtml-synchronous-detach-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/parser/xhtml-synchronous-detach-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp

index f3a9f2a..92d7fc0 100644 (file)
@@ -1,3 +1,16 @@
+2013-10-14  Ryosuke Niwa  <rniwa@webkit.org>
+
+        REGRESSION: Crash in XMLDocumentParser::startElementNs
+        https://bugs.webkit.org/show_bug.cgi?id=122817
+
+        Reviewed by Darin Adler.
+
+        Add a regression test from https://chromium.googlesource.com/chromium/blink/+/57afab5d21cccd89f032b9a3e62f3a61c6a0e9c2
+
+        * fast/parser/resources/remove-parent.xhtml: Added.
+        * fast/parser/xhtml-synchronous-detach-crash-expected.txt: Added.
+        * fast/parser/xhtml-synchronous-detach-crash.html: Added.
+
 2013-10-15  Commit Queue  <commit-queue@webkit.org>
 
         Unreviewed, rolling out r157460.
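Review bot: the new ChangeLog entry is dated 2013-10-14 but is inserted above the existing 2013-10-15 entry, and the commit itself landed on 15 Oct 2013; since the file is prepended newest-first, the date line should be updated to the landing date before committing.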
diff --git a/LayoutTests/fast/parser/resources/remove-parent.xhtml b/LayoutTests/fast/parser/resources/remove-parent.xhtml
new file mode 100644 (file)
index 0000000..12caaa5
--- /dev/null
@@ -0,0 +1,5 @@
+<html xmlns="http://www.w3.org/1999/xhtml">
+<body>
+<iframe src="about:blank" onload="parent.document.getElementsByTagName('iframe')[0].remove();"></iframe>
+</body>
+</html>
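Review bot: the intent of this resource is not obvious from the markup alone: `parent.document.getElementsByTagName('iframe')[0]` is the frame that contains this very XHTML document, so the inner iframe's onload removes the document that is still being parsed. A short XML comment above the iframe saying so, and noting that the test relies on the load event firing synchronously during the parser's append, would save the next reader from having to reconstruct that from the bug.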
diff --git a/LayoutTests/fast/parser/xhtml-synchronous-detach-crash-expected.txt b/LayoutTests/fast/parser/xhtml-synchronous-detach-crash-expected.txt
new file mode 100644 (file)
index 0000000..654ddf7
--- /dev/null
@@ -0,0 +1 @@
+This test passes if it does not crash.
diff --git a/LayoutTests/fast/parser/xhtml-synchronous-detach-crash.html b/LayoutTests/fast/parser/xhtml-synchronous-detach-crash.html
new file mode 100644 (file)
index 0000000..afc2e80
--- /dev/null
@@ -0,0 +1,14 @@
+<body>
+<script>
+if (window.testRunner)
+    testRunner.waitUntilDone();
+
+window.onload = function() {
+    setTimeout(function() {
+        testRunner.dumpAsText();
+        testRunner.notifyDone();
+    }, 0);
+}
+</script>
+<iframe src='resources/remove-parent.xhtml'></iframe>
+This test passes if it does not crash.
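Review bot: the setTimeout callback calls `testRunner.dumpAsText()` and `testRunner.notifyDone()` without the `if (window.testRunner)` guard used at the top of the script, so loading the page outside the test harness throws a ReferenceError. Move `testRunner.dumpAsText();` up next to `waitUntilDone()` under the existing guard and wrap the `notifyDone()` call in the same check.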
index e002935..1bd9279 100644 (file)
@@ -1,3 +1,18 @@
+2013-10-14  Ryosuke Niwa  <rniwa@webkit.org>
+
+        REGRESSION: Crash in XMLDocumentParser::startElementNs
+        https://bugs.webkit.org/show_bug.cgi?id=122817
+
+        Reviewed by Darin Adler.
+
+        Exit early in startElementNs when listeners and handlers of synchronous events such as load event
+        removes the inserted node inside parserAppendChild.
+
+        Test: fast/parser/xhtml-synchronous-detach-crash.html
+
+        * xml/parser/XMLDocumentParserLibxml2.cpp:
+        (WebCore::XMLDocumentParser::startElementNs):
+
 2013-10-15  Joseph Pecoraro  <pecoraro@apple.com>
 
         Web Inspector: Remove old frontend localizedStrings.js
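Review bot: the sentence "listeners and handlers ... removes the inserted node" has a subject-verb mismatch and should read "remove"; and, as with the LayoutTests entry, this entry is dated 2013-10-14 while it is placed above a 2013-10-15 entry and the commit landed on 15 Oct 2013, so the date should be refreshed.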
index 45de718..c2ac67a 100644 (file)
@@ -849,6 +849,8 @@ void XMLDocumentParser::startElementNs(const xmlChar* xmlLocalName, const xmlCha
         m_scriptStartPosition = textPosition();
 
     m_currentNode->parserAppendChild(newElement.get());
+    if (!m_currentNode) // Synchronous DOM events may have removed the current node.
+        return;
 
     const ContainerNode* currentNode = m_currentNode;
 #if ENABLE(TEMPLATE_ELEMENT)
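Review bot: the guard tests only `m_currentNode`, so it depends on the detach path (not in this hunk) clearing that pointer rather than on anything observable about `newElement`; a comment or ASSERT naming which code resets `m_currentNode` would document that contract so a later change to the detach path cannot silently reopen the crash. The early return itself is safe with respect to `newElement`, which `newElement.get()` indicates is still owned by a smart pointer here, but the case where a listener removes only `newElement` while leaving `m_currentNode` intact is not covered by either the check or the regression test, which exercises only the whole-frame teardown; it is worth stating in the comment that this case is intentionally allowed to continue.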