Bug 111248

Summary: constructTreeFromCompactHTMLToken should call clearExternalCharacters
Product: WebKit Reporter: Eric Seidel (no email) <eric>
Component: New BugsAssignee: Eric Seidel (no email) <eric>
Status: RESOLVED FIXED    
Severity: Normal CC: abarth, esprehn+autocc, inferno, ojan.autocc, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 106127    
Attachments:
Description Flags
Patch none

Eric Seidel (no email)
Reported 2013-03-02 02:22:43 PST
constructTreeFromCompactHTMLToken should call clearExternalCharacters
Attachments
Patch (1.65 KB, patch)
2013-03-02 02:23 PST, Eric Seidel (no email) 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Eric Seidel (no email)
Comment 1 2013-03-02 02:23:25 PST
Created attachment 191102 [details] Patch
Eric Seidel (no email)
Comment 2 2013-03-02 02:25:21 PST
I don't believe this causes any behavior change, but it's possible this is why we were passing that inspector view-source test better with the threaded parser. In order to have this be a problem, we would have to push a token onto the TreeBuilder's item-stack, and then end the chuck, and then somehow cause item()->token()->characters() to be accessed while parsing the next chunk.
Eric Seidel (no email)
Comment 3 2013-03-02 02:27:18 PST
This whole design is wrong for HTMLCompactToken. We shouldn't need a heap allocated AtomicHTMLToken anyway. We should replace it with a stack-allocated object which knows how to hang onto the necessary data when copied into an HTMLStackItem.
Adam Barth
Comment 4 2013-03-02 10:00:57 PST
Comment on attachment 191102 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=191102&action=review > Source/WebCore/ChangeLog:10 > + I don't know how to write a test for this. It's possible characters() > + is never accessed from HTMLStackItem::token(), but it's better to be > + safe than sorry here. Yeah, there isn't any behavior change from this patch, but it's worth doing anyway. > Source/WebCore/html/parser/HTMLDocumentParser.cpp:573 > + token->clearExternalCharacters(); // The compact token could be destroyed any time after this method returns. Yeah, we do the same thing in HTMLDocumentParser::constructTreeFromHTMLToken
WebKit Review Bot
Comment 5 2013-03-02 10:11:53 PST
Comment on attachment 191102 [details] Patch Clearing flags on attachment: 191102 Committed r144543: <http://trac.webkit.org/changeset/144543>
WebKit Review Bot
Comment 6 2013-03-02 10:11:56 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.