Bug 111248

Summary: constructTreeFromCompactHTMLToken should call clearExternalCharacters
Product: WebKit
Reporter: Eric Seidel (no email) <eric>
Component: New Bugs
Assignee: Eric Seidel (no email) <eric>
Status: RESOLVED FIXED
Severity: Normal
CC: abarth, esprehn+autocc, inferno, ojan.autocc, webkit.review.bot
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 106127
Attachments: Patch (flags: none)

Description Eric Seidel (no email) 2013-03-02 02:22:43 PST
constructTreeFromCompactHTMLToken should call clearExternalCharacters
Comment 1 Eric Seidel (no email) 2013-03-02 02:23:25 PST
Created attachment 191102 [details]
Patch
Comment 2 Eric Seidel (no email) 2013-03-02 02:25:21 PST
I don't believe this causes any behavior change, but it's possible this is why we were passing that inspector view-source test better with the threaded parser.

In order to have this be a problem, we would have to push a token onto the TreeBuilder's item-stack, and then end the chunk, and then somehow cause item()->token()->characters() to be accessed while parsing the next chunk.
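The scenario in this comment, as an added illustration that is not WebKit code: a constructed model where the atomic token only views the compact token's buffer, a stack item retains the atomic token past the chunk boundary, and clearing the external characters after the tree builder has consumed them is what keeps a later characters() call from touching freed memory. All type and function names here are placeholders for the real parser classes.

```cpp
#include <memory>
#include <string>
#include <string_view>
#include <utility>
#include <vector>

// Constructed model of the hazard described in comment 2; not WebKit code.
// A CompactToken owns one chunk's character buffer. An AtomicToken is heap
// allocated, may be retained by a stack item, and only views that buffer.
struct CompactToken { std::string characters; };

struct AtomicToken {
    std::string_view external;  // non-owning view into a CompactToken buffer
    bool hasExternal = false;
    std::string_view characters() const { return hasExternal ? external : std::string_view(); }
    // Drop the non-owning reference so a later characters() call returns
    // empty instead of reading a buffer that may already have been freed.
    void clearExternalCharacters() {
        external = std::string_view();
        hasExternal = false;
    }
};

struct StackItem { std::shared_ptr<AtomicToken> token; };

// The tree builder consumes the characters immediately but may keep the
// token on its item stack past the end of the current chunk.
struct TreeBuilder {
    std::vector<StackItem> items;
    std::string text;
    void constructTree(const std::shared_ptr<AtomicToken>& token) {
        text.append(token->characters());
        items.push_back({token});
    }
};

// Parse one chunk, then report (text built, whether the retained token still
// refers to the dead chunk buffer). clearAfterUse models the fix in this bug.
std::pair<std::string, bool> parseChunkThenInspect(bool clearAfterUse) {
    TreeBuilder builder;
    {
        CompactToken compact{"hello"};  // constructed sample; freed at scope end
        auto token = std::make_shared<AtomicToken>();
        token->external = compact.characters;
        token->hasExternal = true;
        builder.constructTree(token);  // characters consumed here
        if (clearAfterUse)
            token->clearExternalCharacters();
    }  // compact destroyed: any remaining view into it now dangles
    return {builder.text, builder.items.back().token->hasExternal};
}
```

With clearAfterUse set, the text is still built correctly and the retained token no longer references the dead buffer; without it, the stack item keeps a dangling view that a later characters() call would read.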
Comment 3 Eric Seidel (no email) 2013-03-02 02:27:18 PST
This whole design is wrong for HTMLCompactToken.  We shouldn't need a heap allocated AtomicHTMLToken anyway.  We should replace it with a stack-allocated object which knows how to hang onto the necessary data when copied into an HTMLStackItem.
Comment 4 Adam Barth 2013-03-02 10:00:57 PST
Comment on attachment 191102 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=191102&action=review

> Source/WebCore/ChangeLog:10
> +        I don't know how to write a test for this.  It's possible characters()
> +        is never accessed from HTMLStackItem::token(), but it's better to be
> +        safe than sorry here.

Yeah, there isn't any behavior change from this patch, but it's worth doing anyway.

> Source/WebCore/html/parser/HTMLDocumentParser.cpp:573
> +    token->clearExternalCharacters(); // The compact token could be destroyed any time after this method returns.
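Review bot: the hunk shows only the new line, not where it sits relative to the tree builder call; clearExternalCharacters() has to run after the tree builder has consumed the token's characters and before the chunk's compact token can go away, so the trailing comment should state that ordering, e.g. `// Must follow the tree-builder call; the compact token could be destroyed any time after this method returns.` Since the ChangeLog says there is no test for this, a misplacement would only surface later as a stale read through HTMLStackItem::token()->characters() on a following chunk.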

Yeah, we do the same thing in HTMLDocumentParser::constructTreeFromHTMLToken
Comment 5 WebKit Review Bot 2013-03-02 10:11:53 PST
Comment on attachment 191102 [details]
Patch

Clearing flags on attachment: 191102

Committed r144543: <http://trac.webkit.org/changeset/144543>
Comment 6 WebKit Review Bot 2013-03-02 10:11:56 PST
All reviewed patches have been landed.  Closing bug.