From bc3fe11bbda680afba766d4676ebc10300c92143 Mon Sep 17 00:00:00 2001 
From: "rniwa@webkit.org" Date: Fri, 22 Jan 2016 03:47:37 +0000 Subject: [PATCH] createElementFromSavedToken shouldn't have the code to create a non-HTML element https://bugs.webkit.org/show_bug.cgi?id=153327 Reviewed by Chris Dumez. Since HTMLConstructionSite::createElementFromSavedToken is only used to instantiate a formatting element, there is no need for it to support creating a non-HTML elements. Remove the branch and assert that this is indeed the case. createElementFromSavedToken is called in HTMLTreeBuilder::callTheAdoptionAgency and HTMLConstructionSite's reconstructTheActiveFormattingElements. In both cases, the stack item passed to createElementFromSavedToken is guaranteed to be in the list of active formatting elements, which only contains formatting elements. No new tests since there is no behavioral change. * html/parser/HTMLConstructionSite.cpp: (WebCore::HTMLConstructionSite::insertHTMLHeadElement): (WebCore::HTMLConstructionSite::insertHTMLHtmlStartTagBeforeHTML): (WebCore::HTMLConstructionSite::insertFormattingElement): (WebCore::HTMLConstructionSite::createElement): Returns Ref instead of PassRefPtr. (WebCore::HTMLConstructionSite::createHTMLElement): Ditto. (WebCore::HTMLConstructionSite::createElementFromSavedToken): Ditto. Removed the code to instantiate a non-HTML element. Also assert that an element created by this function is a formatting tag. * html/parser/HTMLConstructionSite.h: * html/parser/HTMLTreeBuilder.cpp: (WebCore::HTMLConstructionSite::isFormattingTag): Put into HTMLConstructionSite to add an assertion. 
(WebCore::HTMLTreeBuilder::processEndTagForInBody): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@195438 268f45cc-cd09-0410-ab3c-d52691b4dbfc --- Source/WebCore/ChangeLog | 30 +++++++++++++++ .../WebCore/html/parser/HTMLConstructionSite.cpp | 44 +++++++++++----------- Source/WebCore/html/parser/HTMLConstructionSite.h | 8 ++-- Source/WebCore/html/parser/HTMLTreeBuilder.cpp | 4 +- 4 files changed, 58 insertions(+), 28 deletions(-) diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog index 47ffdb1..bdf5341a 100644 --- a/Source/WebCore/ChangeLog +++ b/Source/WebCore/ChangeLog 
@@ -1,3 +1,33 @@ +2016-01-21 Ryosuke Niwa + + createElementFromSavedToken shouldn't have the code to create a non-HTML element + https://bugs.webkit.org/show_bug.cgi?id=153327 + + Reviewed by Chris Dumez. + + Since HTMLConstructionSite::createElementFromSavedToken is only used to instantiate a formatting element, + there is no need for it to support creating a non-HTML elements. Remove the branch and assert that this + is indeed the case. + + createElementFromSavedToken is called in HTMLTreeBuilder::callTheAdoptionAgency and HTMLConstructionSite's + reconstructTheActiveFormattingElements. In both cases, the stack item passed to createElementFromSavedToken + is guaranteed to be in the list of active formatting elements, which only contains formatting elements. + + No new tests since there is no behavioral change. + + * html/parser/HTMLConstructionSite.cpp: + (WebCore::HTMLConstructionSite::insertHTMLHeadElement): + (WebCore::HTMLConstructionSite::insertHTMLHtmlStartTagBeforeHTML): + (WebCore::HTMLConstructionSite::insertFormattingElement): + (WebCore::HTMLConstructionSite::createElement): Returns Ref instead of PassRefPtr. + (WebCore::HTMLConstructionSite::createHTMLElement): Ditto. + (WebCore::HTMLConstructionSite::createElementFromSavedToken): Ditto. Removed the code to instantiate + a non-HTML element. Also assert that an element created by this function is a formatting tag. + * html/parser/HTMLConstructionSite.h: + * html/parser/HTMLTreeBuilder.cpp: + (WebCore::HTMLConstructionSite::isFormattingTag): Put into HTMLConstructionSite to add an assertion. + (WebCore::HTMLTreeBuilder::processEndTagForInBody): + 2016-01-21 Andreas Kling CGImageSource sometimes retains temporary SharedBuffer data indefinitely, doubling memory cost. diff --git a/Source/WebCore/html/parser/HTMLConstructionSite.cpp b/Source/WebCore/html/parser/HTMLConstructionSite.cpp index 6c24eea..12e4108 100644 --- a/Source/WebCore/html/parser/HTMLConstructionSite.cpp 
+++ b/Source/WebCore/html/parser/HTMLConstructionSite.cpp @@ -51,11 +51,11 @@ namespace WebCore { using namespace HTMLNames; -static inline void setAttributes(Element* element, AtomicHTMLToken* token, ParserContentPolicy parserContentPolicy) +static inline void setAttributes(Element& element, AtomicHTMLToken* token, ParserContentPolicy parserContentPolicy) { if (!scriptingContentIsAllowed(parserContentPolicy)) - element->stripScriptingAttributes(token->attributes()); - element->parserSetAttributes(token->attributes()); + element.stripScriptingAttributes(token->attributes()); + element.parserSetAttributes(token->attributes()); } static bool hasImpliedEndTag(const HTMLStackItem& item) @@ -262,7 +262,7 @@ void HTMLConstructionSite::dispatchDocumentElementAvailableIfNeeded() void HTMLConstructionSite::insertHTMLHtmlStartTagBeforeHTML(AtomicHTMLToken* token) { Ref element = HTMLHtmlElement::create(*m_document); - setAttributes(element.ptr(), token, m_parserContentPolicy); + setAttributes(element.get(), token, m_parserContentPolicy); attachLater(m_attachmentRoot, element.ptr()); m_openElements.pushHTMLHtmlElement(HTMLStackItem::create(element.copyRef(), *token)); @@ -452,7 +452,7 @@ void HTMLConstructionSite::insertCommentOnHTMLHtmlElement(AtomicHTMLToken* token void HTMLConstructionSite::insertHTMLHeadElement(AtomicHTMLToken* token) { ASSERT(!shouldFosterParent()); - m_head = HTMLStackItem::create(*createHTMLElement(token), *token); + m_head = HTMLStackItem::create(createHTMLElement(token), *token); attachLater(¤tNode(), &m_head->element()); m_openElements.pushHTMLHeadElement(m_head); } 
@@ -498,6 +498,7 @@ void HTMLConstructionSite::insertFormattingElement(AtomicHTMLToken* token) // http://www.whatwg.org/specs/web-apps/current-work/multipage/parsing.html#the-stack-of-open-elements // Possible active formatting elements include: // a, b, big, code, em, font, i, nobr, s, small, strike, strong, tt, and u. + ASSERT(isFormattingTag(token->name())); insertHTMLElement(token); m_activeFormattingElements.append(¤tStackItem()); } @@ -511,11 +512,11 @@ void HTMLConstructionSite::insertScriptElement(AtomicHTMLToken* token) // those flags or effects thereof. const bool parserInserted = m_parserContentPolicy != AllowScriptingContentAndDoNotMarkAlreadyStarted; const bool alreadyStarted = m_isParsingFragment && parserInserted; - RefPtr element = HTMLScriptElement::create(scriptTag, ownerDocumentForCurrentNode(), parserInserted, alreadyStarted); + Ref element = HTMLScriptElement::create(scriptTag, ownerDocumentForCurrentNode(), parserInserted, alreadyStarted); setAttributes(element.get(), token, m_parserContentPolicy); if (scriptingContentIsAllowed(m_parserContentPolicy)) - attachLater(¤tNode(), element); - m_openElements.push(HTMLStackItem::create(element.releaseNonNull(), *token)); + attachLater(¤tNode(), element.ptr()); + m_openElements.push(HTMLStackItem::create(WTFMove(element), *token)); } void HTMLConstructionSite::insertForeignElement(AtomicHTMLToken* token, const AtomicString& namespaceURI) 
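Review bot: The added `ASSERT(isFormattingTag(token->name()))` in insertFormattingElement is the producer side of an invariant that createElementFromSavedToken starts to rely on in this same commit, but the comment above it only lists the tag names. I would extend that comment with something like `// createElementFromSavedToken assumes every entry appended here is an HTML formatting element.` so anyone adding another append to m_activeFormattingElements knows what must hold. The function starts above the hunk, and whether other code appends to the list is not visible from here.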
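Review bot: In insertScriptElement the raw pointer from `element.ptr()` must be taken before `WTFMove(element)` hands the Ref to the stack item, and nothing marks that ordering as load-bearing. A one-line comment such as `// element is consumed by the push below; take the raw pointer first.` would guard against a later reorder. The hunk also keeps pushing the script element onto m_openElements when scriptingContentIsAllowed() is false and the element is never attached; that looks intentional but deserves a sentence in the existing comment. The function starts above the hunk.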
@@ -615,12 +616,12 @@ void HTMLConstructionSite::takeAllChildren(HTMLStackItem& newParent, HTMLElement m_taskQueue.append(task); } -PassRefPtr HTMLConstructionSite::createElement(AtomicHTMLToken* token, const AtomicString& namespaceURI) +Ref HTMLConstructionSite::createElement(AtomicHTMLToken* token, const AtomicString& namespaceURI) { QualifiedName tagName(nullAtom, token->name(), namespaceURI); - RefPtr element = ownerDocumentForCurrentNode().createElement(tagName, true); + Ref element = ownerDocumentForCurrentNode().createElement(tagName, true); setAttributes(element.get(), token, m_parserContentPolicy); - return element.release(); + return element; } inline Document& HTMLConstructionSite::ownerDocumentForCurrentNode() @@ -632,7 +633,7 @@ inline Document& HTMLConstructionSite::ownerDocumentForCurrentNode() return currentNode().document(); } -PassRefPtr HTMLConstructionSite::createHTMLElement(AtomicHTMLToken* token) +Ref HTMLConstructionSite::createHTMLElement(AtomicHTMLToken* token) { QualifiedName tagName(nullAtom, token->name(), xhtmlNamespaceURI); // FIXME: This can't use HTMLConstructionSite::createElement because we 
@@ -641,29 +642,26 @@ PassRefPtr HTMLConstructionSite::createHTMLElement(AtomicHTMLToken* tok // http://www.whatwg.org/specs/web-apps/current-work/multipage/tree-construction.html#create-an-element-for-the-token Document& ownerDocument = ownerDocumentForCurrentNode(); bool insideTemplateElement = !ownerDocument.frame(); - RefPtr element = HTMLElementFactory::createElement(tagName, ownerDocument, insideTemplateElement ? nullptr : form(), true); + Ref element = HTMLElementFactory::createElement(tagName, ownerDocument, insideTemplateElement ? nullptr : form(), true); // FIXME: This is a hack to connect images to pictures before the image has // been inserted into the document. It can be removed once asynchronous image // loading is working. - if (is(currentNode()) && is(*element.get())) - downcast(*element.get()).setPictureElement(&downcast(currentNode())); + if (is(currentNode()) && is(element)) + downcast(element.get()).setPictureElement(&downcast(currentNode())); setAttributes(element.get(), token, m_parserContentPolicy); ASSERT(element->isHTMLElement()); - return element.release(); + return element; } -PassRefPtr HTMLConstructionSite::createElementFromSavedToken(HTMLStackItem* item) +Ref HTMLConstructionSite::createElementFromSavedToken(HTMLStackItem* item) { - RefPtr element; // NOTE: Moving from item -> token -> item copies the Attribute vector twice! 
AtomicHTMLToken fakeToken(HTMLToken::StartTag, item->localName(), Vector(item->attributes())); - if (item->namespaceURI() == HTMLNames::xhtmlNamespaceURI) - element = createHTMLElement(&fakeToken); - else - element = createElement(&fakeToken, item->namespaceURI()); - return HTMLStackItem::create(element.releaseNonNull(), fakeToken, item->namespaceURI()); + ASSERT(item->namespaceURI() == HTMLNames::xhtmlNamespaceURI); + ASSERT(isFormattingTag(item->localName())); + return HTMLStackItem::create(createHTMLElement(&fakeToken), fakeToken, item->namespaceURI()); } bool HTMLConstructionSite::indexOfFirstUnopenFormattingElement(unsigned& firstUnopenElementIndex) const diff --git a/Source/WebCore/html/parser/HTMLConstructionSite.h b/Source/WebCore/html/parser/HTMLConstructionSite.h index af73bec..8e07d90 100644 --- a/Source/WebCore/html/parser/HTMLConstructionSite.h +++ b/Source/WebCore/html/parser/HTMLConstructionSite.h @@ -124,7 +124,7 @@ public: void insertAlreadyParsedChild(HTMLStackItem& newParent, HTMLElementStack::ElementRecord& child); void takeAllChildren(HTMLStackItem& newParent, HTMLElementStack::ElementRecord& oldParent); - PassRefPtr createElementFromSavedToken(HTMLStackItem*); + Ref createElementFromSavedToken(HTMLStackItem*); bool shouldFosterParent() const; void fosterParent(PassRefPtr); @@ -180,6 +180,8 @@ public: bool m_wasRedirectingBefore; }; + static bool isFormattingTag(const AtomicString&); + private: // In the common case, this queue will have only one task because most // tokens produce only one DOM mutation. @@ -192,8 +194,8 @@ private: void findFosterSite(HTMLConstructionSiteTask&); - PassRefPtr createHTMLElement(AtomicHTMLToken*); - PassRefPtr createElement(AtomicHTMLToken*, const AtomicString& namespaceURI); + Ref createHTMLElement(AtomicHTMLToken*); + Ref createElement(AtomicHTMLToken*, const AtomicString& namespaceURI); void mergeAttributesFromTokenIntoElement(AtomicHTMLToken*, Element*); void dispatchDocumentElementAvailableIfNeeded(); 
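Review bot: createElementFromSavedToken now always builds the element through createHTMLElement but still records `item->namespaceURI()` on the new HTMLStackItem. The only thing tying the two together is `ASSERT(item->namespaceURI() == HTMLNames::xhtmlNamespaceURI)`, which as far as I know compiles out of release builds. This path runs on parser state derived from untrusted markup, so a violated invariant in release would produce a stack item whose recorded namespace disagrees with its HTML element, rather than a crash or the old fallback. I would either make the namespace check a `RELEASE_ASSERT` or pass the constant, `return HTMLStackItem::create(createHTMLElement(&fakeToken), fakeToken, HTMLNames::xhtmlNamespaceURI);`, so the item cannot disagree with the element. The neighbouring `ASSERT(isFormattingTag(item->localName()))` has the same debug-only reach.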
diff --git a/Source/WebCore/html/parser/HTMLTreeBuilder.cpp b/Source/WebCore/html/parser/HTMLTreeBuilder.cpp index ef29b4b..db817a8 100644 --- a/Source/WebCore/html/parser/HTMLTreeBuilder.cpp +++ b/Source/WebCore/html/parser/HTMLTreeBuilder.cpp @@ -121,7 +121,7 @@ static bool isNonAnchorFormattingTag(const AtomicString& tagName) } // https://html.spec.whatwg.org/multipage/syntax.html#formatting -static bool isFormattingTag(const AtomicString& tagName) +bool HTMLConstructionSite::isFormattingTag(const AtomicString& tagName) { return tagName == aTag || isNonAnchorFormattingTag(tagName); } @@ -1883,7 +1883,7 @@ void HTMLTreeBuilder::processEndTagForInBody(AtomicHTMLToken& token) m_tree.openElements().popUntilNumberedHeaderElementPopped(); return; } - if (isFormattingTag(token.name())) { + if (HTMLConstructionSite::isFormattingTag(token.name())) { callTheAdoptionAgency(token); return; } -- 1.8.3.1
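Review bot: `HTMLConstructionSite::isFormattingTag` becomes a public static member of HTMLConstructionSite, yet its definition stays in HTMLTreeBuilder.cpp next to the file-static isNonAnchorFormattingTag it calls. That split is easy to miss when reading HTMLConstructionSite.cpp, where the new assertions use it. A comment on the header declaration, e.g. `// Defined in HTMLTreeBuilder.cpp alongside isNonAnchorFormattingTag.`, would make the dependency visible; moving both helpers into HTMLConstructionSite.cpp is the alternative if nothing else in HTMLTreeBuilder.cpp needs the static one, which cannot be confirmed from this hunk.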