112462 2013-03-15 13:23:19 -0700 [v8] Disable binding integrity check for WebCore::Text 2013-03-16 10:10:26 -0700 1 1 1 Unclassified WebKit WebKit Misc. 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P2 Normal --- 1 tsepez tsepez abarth esprehn+autocc haraken inferno ojan.autocc webkit.review.bot oldest_to_newest 856236 0 tsepez 2013-03-15 13:23:19 -0700 See https://code.google.com/p/chromium/issues/detail?id=196672 CDataSection inherits from Text, but has its own IDL, so it should theoretically always be wrapped as itself. The current Text bindings code isn't sophisticated enough to do an inquiry as to whether "is CDATASection" (if such a primitive even existed), so the workaround is to disable the check. 856271 1 tsepez 2013-03-15 14:07:47 -0700 CF testcase (.xml file): <html xmlns="http://www.w3.org/1999/xhtml">><![CDATA[ > }]]><script><![CDATA[ if (window.layoutTestController) layoutTestController.waitUntilDone(); { try { tCF47 = document.createCDATASection(""); } catch(e) {} setTimeout("CFcrash()", 282); } document.addEventListener("DOMContentLoaded", false); function addPropToArr(obj) { arr = []; try { } catch(e) {} for (prop in obj) { if (arr.indexOf(prop) -1) arr.push(prop); } return arr; } function addObjProps(obj, objType, arr, l) { if (l > 3) return; if (typeof(arr) == "undefined") { arr = []; s = "ZY"; l = 1; } var props = addPropToArr(obj); for (i in props) { var prop = props[i]; if (prop in document.documentElement) continue; try { objProp = obj[prop] } catch(e) { continue; } var ps = s + "['" + prop + "']"; var tObj = typeof(objProp); if ((tObj != "function" && tObj != "object") || (tObj == "function" && tObj == objProp.constructor.name.toLowerCase())) { if (tObj == objType) { arr.push(ps); } continue; } var isnumarr = false; try { if (eval(ps + '["length"]') != undefined && eval(ps + '["item"]') != undefined) isnumarr = true; } catch(e) {} if (!isnumarr) { try { addObjProps(eval(ps), l + 1); } catch(e) {} } else { try { for (var j = 0; j != eval(ps + '["length"]'); j++) { var pswithindex = ps + "[" + j + "]"; try { addObjProps(eval(pswithindex), l + 1); } catch(e) {} } } catch(e) {} }} if (l == 1) return arr; } function callFunctions(obj, arrPick, functionArgument) { var ZY = obj; var arr = addObjProps(obj, "function"); for (i in arrPick) { try { eval(arr[arrPick[i] % arr.length] + "(" + functionArgument + ")"); } catch(e) {}}} function editFuzz() { } function CFcrash() { try { callFunctions(tCF47, [32917, 42945, 94851], '"! E$42%f+dFJ u;nh C%RG[~V`Zu~od RRt%KT Fie1V6AIx!9Ju~$7&vk?dKeTk.+ _#eJO 5y!(6Nvhi:8= 3|Nq2@PK^K/", "Tuwg/H%: 53rGS.]9F*31]H p;a ]{?wX :IkLQaX$IUG1MyZ# }- N pEcuMt!0qr ,C", false'); } catch(e) {} }]]></script>> 856331 2 tsepez 2013-03-15 15:16:07 -0700 Minimized testcase: <html xmlns="http://www.w3.org/1999/xhtml"> <script><![CDATA[document.createCDATASection("").splitText(0);]]></script> 856360 3 193389 tsepez 2013-03-15 15:53:35 -0700 Created attachment 193389 Patch. 856575 4 193389 haraken 2013-03-16 09:46:07 -0700 Comment on attachment 193389 Patch. Looks reasonable. 856576 5 193389 webkit.review.bot 2013-03-16 10:10:23 -0700 Comment on attachment 193389 Patch. Clearing flags on attachment: 193389 Committed r145994: <http://trac.webkit.org/changeset/145994> 856577 6 webkit.review.bot 2013-03-16 10:10:26 -0700 All reviewed patches have been landed. Closing bug. 193389 2013-03-15 15:53:35 -0700 2013-03-16 10:10:23 -0700 Patch. patch_112462.txt text/plain 2480 tsepez SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDE0NTk1NCkKKysrIFNvdXJjZS9XZWJDb3JlL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE0IEBACisyMDEzLTAzLTE1ICBUb20gU2Vw ZXogIDx0c2VwZXpAY2hyb21pdW0ub3JnPgorCisgICAgICAgIFt2OF0gRGlzYWJsZSBiaW5kaW5n IGludGVncml0eSBjaGVjayBmb3IgV2ViQ29yZTo6VGV4dAorICAgICAgICBodHRwczovL2J1Z3Mu d2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTEyNDYyCisKKyAgICAgICAgUmV2aWV3ZWQgYnkg Tk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgVGVzdDogZmFzdC9kb20vc3BsaXQtY2RhdGEueG1s CisKKyAgICAgICAgKiBkb20vVGV4dC5pZGw6CisKIDIwMTMtMDMtMTUgIEF1cmltYXMgTGl1dGlr YXMgIDxhdXJpbWFzQGNocm9taXVtLm9yZz4KIAogICAgICAgICBUZXh0SXRlcmF0b3IgZW1pdHMg TEYgZm9yIGEgYnIgZWxlbWVudCBpbnNpZGUgYW4gZW1wdHkgaW5wdXQgZWxlbWVudApJbmRleDog U291cmNlL1dlYkNvcmUvZG9tL1RleHQuaWRsCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFNvdXJjZS9XZWJDb3Jl L2RvbS9UZXh0LmlkbAkocmV2aXNpb24gMTQ1OTMyKQorKysgU291cmNlL1dlYkNvcmUvZG9tL1Rl eHQuaWRsCSh3b3JraW5nIGNvcHkpCkBAIC0xNiw4ICsxNiw5IEBACiAgKiB0aGUgRnJlZSBTb2Z0 d2FyZSBGb3VuZGF0aW9uLCBJbmMuLCA1MSBGcmFua2xpbiBTdHJlZXQsIEZpZnRoIEZsb29yLAog ICogQm9zdG9uLCBNQSAwMjExMC0xMzAxLCBVU0EuCiAgKi8KLQotaW50ZXJmYWNlIFRleHQgOiBD aGFyYWN0ZXJEYXRhIHsKK1sgCisgICAgVjhTa2lwVlRhYmxlVmFsaWRhdGlvbiwKK10gaW50ZXJm YWNlIFRleHQgOiBDaGFyYWN0ZXJEYXRhIHsKIAogICAgIC8vIERPTSBMZXZlbCAxCiAKSW5kZXg6 IExheW91dFRlc3RzL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9DaGFuZ2VM b2cJKHJldmlzaW9uIDE0NTk1NCkKKysrIExheW91dFRlc3RzL0NoYW5nZUxvZwkod29ya2luZyBj b3B5KQpAQCAtMSwzICsxLDEzIEBACisyMDEzLTAzLTE1ICBUb20gU2VwZXogIDx0c2VwZXpAY2hy b21pdW0ub3JnPgorCisgICAgICAgIFt2OF0gRGlzYWJsZSBiaW5kaW5nIGludGVncml0eSBjaGVj ayBmb3IgV2ViQ29yZTo6VGV4dAorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93 X2J1Zy5jZ2k/aWQ9MTEyNDYyCisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISku CisKKyAgICAgICAgKiBmYXN0L2RvbS9zcGxpdC1jZGF0YS1leHBlY3RlZC50eHQ6IEFkZGVkLgor ICAgICAgICAqIGZhc3QvZG9tL3NwbGl0LWNkYXRhLnhtbDogQWRkZWQuCisKIDIwMTMtMDMtMTUg IEF1cmltYXMgTGl1dGlrYXMgIDxhdXJpbWFzQGNocm9taXVtLm9yZz4KIAogICAgICAgICBUZXh0 SXRlcmF0b3IgZW1pdHMgTEYgZm9yIGEgYnIgZWxlbWVudCBpbnNpZGUgYW4gZW1wdHkgaW5wdXQg ZWxlbWVudApJbmRleDogTGF5b3V0VGVzdHMvZmFzdC9kb20vc3BsaXQtY2RhdGEtZXhwZWN0ZWQu dHh0Cj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT0KLS0tIExheW91dFRlc3RzL2Zhc3QvZG9tL3NwbGl0LWNkYXRhLWV4cGVj dGVkLnR4dAkocmV2aXNpb24gMCkKKysrIExheW91dFRlc3RzL2Zhc3QvZG9tL3NwbGl0LWNkYXRh LWV4cGVjdGVkLnR4dAkocmV2aXNpb24gMCkKQEAgLTAsMCArMSBAQAorVGVzdCBwYXNzZXMgaWYg aXQgZG9lcyBub3QgY3Jhc2guCkluZGV4OiBMYXlvdXRUZXN0cy9mYXN0L2RvbS9zcGxpdC1jZGF0 YS54bWwKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PQotLS0gTGF5b3V0VGVzdHMvZmFzdC9kb20vc3BsaXQtY2RhdGEueG1s CShyZXZpc2lvbiAwKQorKysgTGF5b3V0VGVzdHMvZmFzdC9kb20vc3BsaXQtY2RhdGEueG1sCShy ZXZpc2lvbiAwKQpAQCAtMCwwICsxLDggQEAKKzxodG1sIHhtbG5zPSJodHRwOi8vd3d3LnczLm9y Zy8xOTk5L3hodG1sIj4KKzxwPlRlc3QgcGFzc2VzIGlmIGl0IGRvZXMgbm90IGNyYXNoLjwvcD4K KzxzY3JpcHQ+PCFbQ0RBVEFbCitpZiAod2luZG93LnRlc3RSdW5uZXIpCisgICAgdGVzdFJ1bm5l ci5kdW1wQXNUZXh0KCk7Citkb2N1bWVudC5jcmVhdGVDREFUQVNlY3Rpb24oIiIpLnNwbGl0VGV4 dCgwKTsKK11dPjwvc2NyaXB0PgorPC9odG1sPgo=