2006-04-25 Eric Seidel <eseidel@apple.com>

author eseidel <eseidel@268f45cc-cd09-0410-ab3c-d52691b4dbfc>

Tue, 25 Apr 2006 08:51:32 +0000 (08:51 +0000)

committer eseidel <eseidel@268f45cc-cd09-0410-ab3c-d52691b4dbfc>

Tue, 25 Apr 2006 08:51:32 +0000 (08:51 +0000)
author eseidel <eseidel@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 25 Apr 2006 08:51:32 +0000 (08:51 +0000)
committer eseidel <eseidel@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 25 Apr 2006 08:51:32 +0000 (08:51 +0000)
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog

index ec6f5252f0daebf8c14b4411f43fcfebf09963ac..a339c2e9d6017a1cf81d99646eff938c34b37e14 100644 (file)
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2006-04-25  Eric Seidel  <eseidel@apple.com>
+
+        Reviewed by mjs.
+
+        Fix reproducible crasher in HTML parsing code.
+        http://bugzilla.opendarwin.org/show_bug.cgi?id=7137
+
+        * fast/parser/remove-current-node-parent-expected.txt: Added.
+        * fast/parser/remove-current-node-parent.html: Added.
+
  2006-04-24  Eric Seidel  <eseidel@apple.com>
  
          Reviewed by ggaren.
diff --git a/LayoutTests/fast/parser/remove-current-node-parent-expected.txt b/LayoutTests/fast/parser/remove-current-node-parent-expected.txt

new file mode 100644 (file)

index 0000000..e98ebbb
--- /dev/null
+++ b/LayoutTests/fast/parser/remove-current-node-parent-expected.txt
@@ -0,0 +1 @@
+SUCCESS (no crash!)
diff --git a/LayoutTests/fast/parser/remove-current-node-parent.html b/LayoutTests/fast/parser/remove-current-node-parent.html

new file mode 100644 (file)

index 0000000..b797aa9
--- /dev/null
+++ b/LayoutTests/fast/parser/remove-current-node-parent.html
@@ -0,0 +1,12 @@
+<table>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+var x = document.getElementsByTagName('table')[0];
+x.parentNode.removeChild(x);
+</script>
+<span>At the time of writing, our current behavior ignores content in subtrees removed during parsing.
+   However, HTML5 suggests it should not be ignored.
+   See: http://www.hixie.ch/tests/adhoc/html/parsing/error-handling/034.html
+   and: http://bugzilla.opendarwin.org/show_bug.cgi?id=7137</span>
+</table><span>SUCCESS (no crash!)</span>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog

index 1309fbb6b79ea3d7d1dc4c2cfa0f060ca1cde12b..9faa41d8e19fe34c9196afebc221bdffdecc2032 100644 (file)
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,15 @@
+2006-04-25  Eric Seidel  <eseidel@apple.com>
+
+        Reviewed by mjs.
+
+        Fix reproducible crash in html parser code.
+        http://bugzilla.opendarwin.org/show_bug.cgi?id=7137
+
+        Test: fast/parser/remove-current-node-parent.html
+
+        * html/HTMLParser.cpp:
+        (WebCore::HTMLParser::handleError):
+
  2006-04-25  Maciej Stachowiak  <mjs@apple.com>
  
          Reviewed by Eric.
diff --git a/WebCore/html/HTMLParser.cpp b/WebCore/html/HTMLParser.cpp

index b0aaab58a591b48005b7053c18f4329c91c306e2..b2344f053242a27c213048fa6e57a44fed1140e5 100644 (file)
--- a/WebCore/html/HTMLParser.cpp
+++ b/WebCore/html/HTMLParser.cpp
@@ -487,7 +487,13 @@ bool HTMLParser::handleError(Node* n, bool flat, const AtomicString& localName,
                  if (possiblyMoveStrayContent) {
                      Node *node = current;
                      Node *parent = node->parentNode();
+                    // It is allowed for nodes on the node stack to have been removed from the tree, thus we have to check (parentNode() == NULL) first
+                    // http://bugzilla.opendarwin.org/show_bug.cgi?id=7137
+                    if (!parent)
+                        return false;
                      Node *grandparent = parent->parentNode();
+                    if (!grandparent)
+                        return false;
  
                      if (n->isTextNode() ||
                          (h->hasLocalName(trTag) &&
@@ -498,6 +504,8 @@ bool HTMLParser::handleError(Node* n, bool flat, const AtomicString& localName,
                          node = (node->hasTagName(tableTag)) ? node :
                                  ((node->hasTagName(trTag)) ? grandparent : parent);
                          Node *parent = node->parentNode();
+                        if (!parent)
+                            return false;
                          parent->insertBefore(n, node, ec);
                          if (!ec) {
                              if (n->isHTMLElement() && tagPriority > 0 &&
author	eseidel <eseidel@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Tue, 25 Apr 2006 08:51:32 +0000 (08:51 +0000)
committer	eseidel <eseidel@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Tue, 25 Apr 2006 08:51:32 +0000 (08:51 +0000)
LayoutTests/ChangeLog		patch \| blob \| history
LayoutTests/fast/parser/remove-current-node-parent-expected.txt	[new file with mode: 0644]	patch \| blob
LayoutTests/fast/parser/remove-current-node-parent.html	[new file with mode: 0644]	patch \| blob
WebCore/ChangeLog		patch \| blob \| history
WebCore/html/HTMLParser.cpp		patch \| blob \| history