Bug 268217

Summary: HTML entity parsing hits SegmentedString::pushBack() assert through document.write()
Product: WebKit Reporter: Anne van Kesteren <annevk>
Component: DOMAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: ap, cdumez, mike, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

Anne van Kesteren
Reported 2024-01-27 02:41:48 PST
Testcase to reproduce: <script> function f() { for (x of "&abc") { document.write(x); } } onload = f </script> data:text/html,<script>%0Afunction%20f()%20{%0A%20%20for%20(x%20of%20"&abc")%20{%0A%20%20%20%20document.write(x);%0A%20%20}%0A}%0Aonload%20=%20f%0A</script> This relates to these failures in TestExpectations: [ Debug ] imported/w3c/web-platform-tests/html/syntax/parsing/html5lib_entities01.html?run_type=write_single [ Skip ] [ Debug ] imported/w3c/web-platform-tests/html/syntax/parsing/html5lib_html5test-com.html?run_type=write_single [ Skip ] [ Debug ] imported/w3c/web-platform-tests/html/syntax/parsing/html5lib_plain-text-unsafe.html?run_type=write_single [ Skip ] [ Debug ] imported/w3c/web-platform-tests/html/syntax/parsing/html5lib_tests2.html?run_type=write_single [ Skip ] [ Debug ] imported/w3c/web-platform-tests/html/syntax/parsing/html5lib_tests24.html?run_type=write_single [ Skip ] Based on bug 39935 my suspicion is that this has to do with the use of prepend.
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2024-02-03 02:42:15 PST
<rdar://problem/122229666>
Vitaly Dyackhov
Comment 2 2024-09-10 04:13:48 PDT
Pull request: https://github.com/WebKit/WebKit/pull/33391
EWS
Comment 3 2024-09-12 00:13:56 PDT
Committed 283540@main (818118e729fb): <https://commits.webkit.org/283540@main> Reviewed commits have been landed. Closing PR #33391 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.