Bug 111248 - constructTreeFromCompactHTMLToken should call clearExternalCharacters
Summary: constructTreeFromCompactHTMLToken should call clearExternalCharacters
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Eric Seidel (no email)
URL:
Keywords:
Depends on:
Blocks: 106127
  Show dependency treegraph
 
Reported: 2013-03-02 02:22 PST by Eric Seidel (no email)
Modified: 2013-03-02 10:11 PST (History)
5 users (show)

See Also:


Attachments
Patch (1.65 KB, patch)
2013-03-02 02:23 PST, Eric Seidel (no email)
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Eric Seidel (no email) 2013-03-02 02:22:43 PST
constructTreeFromCompactHTMLToken should call clearExternalCharacters
Comment 1 Eric Seidel (no email) 2013-03-02 02:23:25 PST
Created attachment 191102 [details]
Patch
Comment 2 Eric Seidel (no email) 2013-03-02 02:25:21 PST
I don't believe this causes any behavior change, but it's possible this is why we were passing that inspector view-source test better with the threaded parser.

In order to have this be a problem, we would have to push a token onto the TreeBuilder's item-stack, and then end the chuck, and then somehow cause item()->token()->characters() to be accessed while parsing the next chunk.
Comment 3 Eric Seidel (no email) 2013-03-02 02:27:18 PST
This whole design is wrong for HTMLCompactToken.  We shouldn't need a heap allocated AtomicHTMLToken anyway.  We should replace it with a stack-allocated object which knows how to hang onto the necessary data when copied into an HTMLStackItem.
Comment 4 Adam Barth 2013-03-02 10:00:57 PST
Comment on attachment 191102 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=191102&action=review

> Source/WebCore/ChangeLog:10
> +        I don't know how to write a test for this.  It's possible characters()
> +        is never accessed from HTMLStackItem::token(), but it's better to be
> +        safe than sorry here.

Yeah, there isn't any behavior change from this patch, but it's worth doing anyway.

> Source/WebCore/html/parser/HTMLDocumentParser.cpp:573
> +    token->clearExternalCharacters(); // The compact token could be destroyed any time after this method returns.

Yeah, we do the same thing in HTMLDocumentParser::constructTreeFromHTMLToken
Comment 5 WebKit Review Bot 2013-03-02 10:11:53 PST
Comment on attachment 191102 [details]
Patch

Clearing flags on attachment: 191102

Committed r144543: <http://trac.webkit.org/changeset/144543>
Comment 6 WebKit Review Bot 2013-03-02 10:11:56 PST
All reviewed patches have been landed.  Closing bug.