2011-06-08 Adam Barth <abarth@webkit.org>
author    Adam Barth <abarth@webkit.org>    Thu, 9 Jun 2011 00:34:13 +0000 (00:34 +0000)
committer Ademar de Souza Reis Jr <ademar.reis@openbossa.org>    Thu, 9 Jun 2011 18:06:21 +0000 (15:06 -0300)
commit    bccfdf06ab40960f3f4828aacd3512ab3a131e10
tree      a4e71e5959d2ee573f9dd94cf7c098700b7df2db
parent    8c2f6866976d1ecdc15577cdf8d3c5bbb11afd94
2011-06-08  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        Use after free in WebCore::ContainerNode::parserAddChild
        https://bugs.webkit.org/show_bug.cgi?id=62160

        Test that we don't trigger asserts when re-entering the parser from
        tree construction.

        * fast/parser/document-write-onload-nesting-expected.txt: Added.
        * fast/parser/document-write-onload-nesting.html: Added.
        * fast/parser/document-write-onload-ordering-expected.txt: Added.
        * fast/parser/document-write-onload-ordering.html: Added.
            - The exact ordering of the script execution here differs a bit
              between browsers.  For example, Firefox executes the scripts in a
              slightly different order because Firefox runs the parser on a
              separate thread (and therefore cannot be re-entered from tree
              construction). If/when we move the parser off the main thread,
              we're likely to change the ordering here a bit, which should be
              ok.
2011-06-08  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        constructTreeFromToken can re-enter parser, causing ASSERTs
        https://bugs.webkit.org/show_bug.cgi?id=62160

        This patch clears the HTMLToken before constructing the tree from the
        token, putting the HTMLDocumentParser in a good state to be re-entered.

        Tests: fast/parser/document-write-onload-nesting.html
               fast/parser/document-write-onload-ordering.html

        * html/parser/HTMLDocumentParser.cpp:
        (WebCore::HTMLDocumentParser::pumpTokenizer):
        * html/parser/HTMLToken.h:
        (WebCore::HTMLToken::isUninitialized):
        * html/parser/HTMLTreeBuilder.cpp:
        (WebCore::HTMLTreeBuilder::constructTreeFromToken):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@88411 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/parser/document-write-onload-nesting-expected.txt [new file with mode: 0644]
LayoutTests/fast/parser/document-write-onload-nesting.html [new file with mode: 0644]
LayoutTests/fast/parser/document-write-onload-ordering-expected.txt [new file with mode: 0644]
LayoutTests/fast/parser/document-write-onload-ordering.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/html/parser/HTMLDocumentParser.cpp
Source/WebCore/html/parser/HTMLToken.h
Source/WebCore/html/parser/HTMLTreeBuilder.cpp