From def03597297829d79cdd413b54149f6789771b22 Mon Sep 17 00:00:00 2001
From: "rniwa@webkit.org"
Date: Mon, 13 Feb 2017 02:01:26 +0000
Subject: [PATCH] REGRESSION (r179497): Crash inside setAttributeNode

https://bugs.webkit.org/show_bug.cgi?id=168161

Reviewed by Andreas Kling.

Source/WebCore:

The bug was caused by setAttributeNode calling setAttributeInternal with the same element data as the one used
to call removeAttributeInternal despite of the fact removeAttributeInternal could have invoked arbitrary scripts
and mutated element's m_elementData.

Fixed the bug by calling with setAttributeInternal with the result of new invocation of ensureUniqueElementData().

Test: fast/dom/Attr/make-unique-element-data-while-replacing-attr.html

* dom/Element.cpp:
(WebCore::Element::setAttributeNode):

LayoutTests:

Added a regression test.

* fast/dom/Attr/make-unique-element-data-while-replacing-attr-expected.txt: Added.
* fast/dom/Attr/make-unique-element-data-while-replacing-attr.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@212214 268f45cc-cd09-0410-ab3c-d52691b4dbfc
---
 LayoutTests/ChangeLog                              | 13 +++++++++++
 ...-element-data-while-replacing-attr-expected.txt | 10 +++++++++
 ...e-unique-element-data-while-replacing-attr.html | 26 ++++++++++++++++++++++
 Source/WebCore/ChangeLog                           | 19 ++++++++++++++++
 Source/WebCore/dom/Element.cpp                     |  2 +-
 5 files changed, 69 insertions(+), 1 deletion(-)
 create mode 100644 LayoutTests/fast/dom/Attr/make-unique-element-data-while-replacing-attr-expected.txt
 create mode 100644 LayoutTests/fast/dom/Attr/make-unique-element-data-while-replacing-attr.html

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 27d294f..ee95bdf 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2017-02-12  Ryosuke Niwa
+
+        REGRESSION (r179497): Crash inside setAttributeNode
+        https://bugs.webkit.org/show_bug.cgi?id=168161
+
+
+        Reviewed by Andreas Kling.
+
+        Added a regression test.
+
+        * fast/dom/Attr/make-unique-element-data-while-replacing-attr-expected.txt: Added.
+        * fast/dom/Attr/make-unique-element-data-while-replacing-attr.html: Added.
+
 2017-02-12  Carlos Garcia Campos
 
         [GTK] Handle caps lock indicator in event modifiers
diff --git a/LayoutTests/fast/dom/Attr/make-unique-element-data-while-replacing-attr-expected.txt b/LayoutTests/fast/dom/Attr/make-unique-element-data-while-replacing-attr-expected.txt
new file mode 100644
index 0000000..3618123
--- /dev/null
+++ b/LayoutTests/fast/dom/Attr/make-unique-element-data-while-replacing-attr-expected.txt
@@ -0,0 +1,10 @@
+Test making the element data unique while replacing an Attr node.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS element.getAttribute("width") is "b"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/dom/Attr/make-unique-element-data-while-replacing-attr.html b/LayoutTests/fast/dom/Attr/make-unique-element-data-while-replacing-attr.html
new file mode 100644
index 0000000..868109b
--- /dev/null
+++ b/LayoutTests/fast/dom/Attr/make-unique-element-data-while-replacing-attr.html
@@ -0,0 +1,26 @@
+
+
+
+
+
+
+
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 5d3b358..5cba6ee 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,5 +1,24 @@
 2017-02-12  Ryosuke Niwa
 
+        REGRESSION (r179497): Crash inside setAttributeNode
+        https://bugs.webkit.org/show_bug.cgi?id=168161
+
+
+        Reviewed by Andreas Kling.
+
+        The bug was caused by setAttributeNode calling setAttributeInternal with the same element data as the one used
+        to call removeAttributeInternal despite of the fact removeAttributeInternal could have invoked arbitrary scripts
+        and mutated element's m_elementData.
+
+        Fixed the bug by calling with setAttributeInternal with the result of new invocation of ensureUniqueElementData().
+
+        Test: fast/dom/Attr/make-unique-element-data-while-replacing-attr.html
+
+        * dom/Element.cpp:
+        (WebCore::Element::setAttributeNode):
+
+2017-02-12  Ryosuke Niwa
+
         Rebaseline bindings tests after r212207.
 
         * bindings/scripts/test/JS/JSTestObj.cpp:
diff --git a/Source/WebCore/dom/Element.cpp b/Source/WebCore/dom/Element.cpp
index 9c3a726..0db2a1e 100644
--- a/Source/WebCore/dom/Element.cpp
+++ b/Source/WebCore/dom/Element.cpp
@@ -2149,7 +2149,7 @@ ExceptionOr> Element::setAttributeNode(Attr& attrNode)
             setAttributeInternal(existingAttributeIndex, attrNode.qualifiedName(), attrNode.value(), NotInSynchronizationOfLazyAttribute);
         else {
             removeAttributeInternal(existingAttributeIndex, NotInSynchronizationOfLazyAttribute);
-            setAttributeInternal(elementData.findAttributeIndexByName(attrNode.qualifiedName()), attrNode.qualifiedName(), attrNode.value(), NotInSynchronizationOfLazyAttribute);
+            setAttributeInternal(ensureUniqueElementData().findAttributeIndexByName(attrNode.qualifiedName()), attrNode.qualifiedName(), attrNode.value(), NotInSynchronizationOfLazyAttribute);
         }
     }
     if (attrNode.ownerElement() != this) {
-- 
1.8.3.1
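Review bot: The new line re-fetches the element data through ensureUniqueElementData(), but the `elementData` reference the removed line relied on was obtained before this hunk and is still in scope after the `else` branch, so any later use of it in this function would hit the same stale-data crash once removeAttributeInternal has run script. Nothing in the hunk records that constraint for the next maintainer; add a comment above the new call, e.g. `// removeAttributeInternal may run script that replaces m_elementData; never reuse the elementData reference captured above after this point.` The `if` branch that passes `existingAttributeIndex` straight to setAttributeInternal is presumably safe only because nothing that can dispatch events runs between the index lookup and that call — worth confirming, since the lookup is outside this hunk. Element::setAttributeNode begins and ends outside the hunk.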