LayoutTests:
author    antti <antti@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 8 Aug 2007 17:37:24 +0000 (17:37 +0000)
committer antti <antti@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 8 Aug 2007 17:37:24 +0000 (17:37 +0000)
        Reviewed by Darin.

        Test for <rdar://problem/5391576>
        Malformed table innerHTML causes Safari to crash in HTMLParser::handleError (14894)

        * fast/table/incomplete-table-in-fragment-2-expected.txt: Added.
        * fast/table/incomplete-table-in-fragment-2.html: Added.

WebCore:

        Reviewed by Darin.

        Fix for <rdar://problem/5391576>
        Malformed table innerHTML causes Safari to crash in HTMLParser::handleError (14894)

        Add null checks to protect against

        e.innerHTML = "<tr>text</tr>";

        type cases. Normal assumptions about document tree structure don't hold when parsing
        fragments. Results don't match Firefox in all cases. It seems to have some sort of
        anything-goes fragment parsing mode.

        * html/HTMLParser.cpp:
        (WebCore::HTMLParser::handleError):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@24936 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/table/incomplete-table-in-fragment-2-expected.txt [new file with mode: 0644]
LayoutTests/fast/table/incomplete-table-in-fragment-2.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/html/HTMLParser.cpp

index 88654fa882f0309b775af36cedb4ffb9f33726db..e84f39bcd62e69fbc67be9f250218e980b290309 100644 (file)
@@ -1,3 +1,13 @@
+2007-08-08  Antti Koivisto  <antti@apple.com>
+
+        Reviewed by Darin.
+        
+        Test for <rdar://problem/5391576>
+        Malformed table innerHTML causes Safari to crash in HTMLParser::handleError (14894)
+
+        * fast/table/incomplete-table-in-fragment-2-expected.txt: Added.
+        * fast/table/incomplete-table-in-fragment-2.html: Added.
+
 2007-08-07  Kevin McCullough  <kmccullough@apple.com>
 
         Reviewed by Maciej and Hyatt.
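Review bot: the blank line following `+        Reviewed by Darin.` in this entry is not empty but carries eight trailing spaces; ChangeLog separator lines should be truly blank so that diffs and whitespace checks stay clean. Also worth considering, since the entry only gives the Bugzilla number as `(14894)`, is spelling out which tracker that number refers to, as the rdar:// reference already does for the Radar side.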
diff --git a/LayoutTests/fast/table/incomplete-table-in-fragment-2-expected.txt b/LayoutTests/fast/table/incomplete-table-in-fragment-2-expected.txt
new file mode 100644 (file)
index 0000000..a4403a4
--- /dev/null
@@ -0,0 +1,28 @@
+Test error handling for incomplete tables inside a document fragment. These should not crash or hang. 
+
+<tbody></tbody>
+<thead></thead>
+<tfoot></tfoot>
+<tr></tr>
+<td>text</td>
+<th>text</th>
+<tbody></tbody>
+<tbody><tr></tr></tbody>
+<tbody><tr><td>text</td></tr></tbody>
+<tbody><tr><th>text</th></tr></tbody>
+<tr><td>text</td></tr>
+<th>text</th>
+<td>text</td>
+<tbody><tr><td><div></div></td></tr></tbody>
+<thead><tr><td><div></div></td></tr></thead>
+<tfoot><tr><td><div></div></td></tr></tfoot>
+<tr><td><div></div></td></tr>
+<td><div></div></td>
+<th><div></div></th>
+<tbody><tr><td><div></div></td></tr></tbody>
+<tbody><tr><td><div></div></td></tr></tbody>
+<tbody><tr><td><div></div></td></tr></tbody>
+<tbody><tr><th><div></div></th></tr></tbody>
+<tr><td><div></div></td></tr>
+<th><div></div></th>
+<td><div></div></td>
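Review bot: the first line of the expected output ends in a trailing space after `hang.`, and because the description line is dumped verbatim it will have to match byte for byte forever; trim it here and in the HTML source together. More substantively, these 26 lines pin down WebKit's current repair behaviour (for example `<tr>text` becoming `<tr></tr>` with the text dropped, while `<td>text` keeps its text), which the ChangeLog itself says does not match Firefox in all cases; a sentence in the description stating that the expected file records present WebKit results rather than required output would stop a future reader from treating a changed line as a regression without looking further. Note also that `<tbody></tbody>` appears twice and `<tbody><tr><td><div></div></td></tr></tbody>` four times, which traces back to duplicated inputs in the test file.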
diff --git a/LayoutTests/fast/table/incomplete-table-in-fragment-2.html b/LayoutTests/fast/table/incomplete-table-in-fragment-2.html
new file mode 100644 (file)
index 0000000..82a0ab0
--- /dev/null
@@ -0,0 +1,75 @@
+<body>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+</script>
+<table id=inner></table>
+Test error handling for incomplete tables inside a document fragment. These should not crash or hang.
+<br><br>
+<div id=console></div>
+<script>
+
+var inner = document.getElementById('inner');
+var console = document.getElementById('console');
+
+function log(t)
+{
+    var line = document.createElement('div');
+    line.innerText = t;
+    console.appendChild(line);
+}
+
+inner.innerHTML = "<tbody>text";
+log(inner.innerHTML);
+inner.innerHTML = "<thead>text";
+log(inner.innerHTML);
+inner.innerHTML = "<tfoot>text";
+log(inner.innerHTML);
+inner.innerHTML = "<tr>text";
+log(inner.innerHTML);
+inner.innerHTML = "<td>text";
+log(inner.innerHTML);
+inner.innerHTML = "<th>text";
+log(inner.innerHTML);
+inner.innerHTML = "<tbody>text";
+log(inner.innerHTML);
+inner.innerHTML = "<tbody><tr>text";
+log(inner.innerHTML);
+inner.innerHTML = "<tbody><td>text";
+log(inner.innerHTML);
+inner.innerHTML = "<tbody><th>text";
+log(inner.innerHTML);
+inner.innerHTML = "<tr><tbody>text";
+log(inner.innerHTML);
+inner.innerHTML = "<th><tbody>text";
+log(inner.innerHTML);
+inner.innerHTML = "<td><tbody>text";
+log(inner.innerHTML);
+
+inner.innerHTML = "<tbody><div>";
+log(inner.innerHTML);
+inner.innerHTML = "<thead><div>";
+log(inner.innerHTML);
+inner.innerHTML = "<tfoot><div>";
+log(inner.innerHTML);
+inner.innerHTML = "<tr><div>";
+log(inner.innerHTML);
+inner.innerHTML = "<td><div>";
+log(inner.innerHTML);
+inner.innerHTML = "<th><div>";
+log(inner.innerHTML);
+inner.innerHTML = "<tbody><div>";
+log(inner.innerHTML);
+inner.innerHTML = "<tbody><tr><div>";
+log(inner.innerHTML);
+inner.innerHTML = "<tbody><td><div>";
+log(inner.innerHTML);
+inner.innerHTML = "<tbody><th><div>";
+log(inner.innerHTML);
+inner.innerHTML = "<tr><tbody><div>";
+log(inner.innerHTML);
+inner.innerHTML = "<th><tbody><div>";
+log(inner.innerHTML);
+inner.innerHTML = "<td><tbody><div>";
+log(inner.innerHTML);
+</script>
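Review bot: two inputs are exact duplicates of earlier ones, `"<tbody>text"` (first and seventh case) and `"<tbody><div>"` (first and seventh case of the second group); if a different opening tag was intended there, substitute it, otherwise drop the repeats so the expected file does not carry redundant lines. Coverage-wise, the ChangeLog motivates the fix with `e.innerHTML = "<tr>text</tr>";`, yet every input here leaves its tags unclosed; adding the closed form would exercise the exact case cited. Two style points: `var console = document.getElementById('console');` shadows `window.console`, so a `console.log` typo inside this script would fail silently rather than print, a name such as `output` avoids that; and the 26 `inner.innerHTML = ...; log(inner.innerHTML);` pairs would be easier to extend as an array of strings iterated in a loop, which also makes accidental duplicates obvious.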
index 369b705bcbd6a18f472f6f2a51f618b0e13032a3..6d757cb137f097e8c3ca817bd821f6675b5a7929 100644 (file)
@@ -1,3 +1,21 @@
+2007-08-08  Antti Koivisto  <antti@apple.com>
+
+        Reviewed by Darin.
+        
+        Fix for <rdar://problem/5391576>
+        Malformed table innerHTML causes Safari to crash in HTMLParser::handleError (14894)
+        
+        Add null checks to protect against 
+        
+        e.innerHTML = "<tr>text</tr>";
+        
+        type cases. Normal assumptions about document tree structure don't hold when parsing 
+        fragments. Results don't match Firefox in all cases. It seems to have some sort of 
+        anything-goes fragment parsing mode.
+        
+        * html/HTMLParser.cpp:
+        (WebCore::HTMLParser::handleError):
+
 2007-08-07  Kevin McCullough  <kmccullough@apple.com>
 
         Reviewed by Maciej and Hyatt.
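Review bot: several lines of this entry carry trailing whitespace (the blank lines after `Reviewed by Darin.`, after the bug title, around the `e.innerHTML` example and before the file list, plus the ends of `protect against`, `when parsing` and `some sort of`); ChangeLog text should be free of it. The entry also says "Add null checks" without naming what is null: stating that `grandparent` can be null while parsing a fragment, and that `node` inherits that null through the ternary in `handleError`, would tell a reader exactly which structural assumption the fix relaxes without opening the source.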
index 520fdc0a3365535068be6f74f22c71eaabfd7491..1bb60971f2a02f047c1f3af21766a24d3d101ff5 100644 (file)
@@ -528,12 +528,15 @@ bool HTMLParser::handleError(Node* n, bool flat, const AtomicString& localName,
 
                 if (n->isTextNode() ||
                     (h->hasLocalName(trTag) &&
-                     isTableSection(parent) && grandparent->hasTagName(tableTag)) ||
+                     isTableSection(parent) && grandparent && grandparent->hasTagName(tableTag)) ||
                      ((!n->hasTagName(tdTag) && !n->hasTagName(thTag) &&
                        !n->hasTagName(formTag) && !n->hasTagName(scriptTag)) && isTableSection(node) &&
                      parent->hasTagName(tableTag))) {
                     node = (node->hasTagName(tableTag)) ? node :
                             ((node->hasTagName(trTag)) ? grandparent : parent);
+                    // This can happen with fragments
+                    if (!node)
+                        return false;
                     Node* parent = node->parentNode();
                     if (!parent)
                         return false;
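Review bot: the added `grandparent &&` guard and the `if (!node) return false;` after the ternary are consistent with each other, since `node` can only become null there by being assigned `grandparent` in the `trTag` branch, but `parent` is still dereferenced without a guard in the third alternative of the condition, `parent->hasTagName(tableTag)`, and is passed to `isTableSection(parent)` in the second; whether `parent` can be null in fragment parsing the way `grandparent` can depends on how it is computed above this hunk, so please confirm that, or give it the same `parent &&` treatment. The new comment `// This can happen with fragments` would be more useful as `// node was set to grandparent above, which is null for a tr at the root of a fragment`, naming the pointer and the reason rather than the vague "this". Pre-existing but worth noting while here: the `Node* parent = node->parentNode();` two lines later shadows the outer `parent` used in the condition, which makes the null-safety of the two variables easy to confuse.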