RESOLVED FIXED 112462
[v8] Disable binding integrity check for WebCore::Text
https://bugs.webkit.org/show_bug.cgi?id=112462
Summary [v8] Disable binding integrity check for WebCore::Text
Thomas Sepez
Reported 2013-03-15 13:23:19 PDT
See https://code.google.com/p/chromium/issues/detail?id=196672. CDATASection inherits from Text but has its own IDL, so it should theoretically always be wrapped as itself. The current Text bindings code is not sophisticated enough to query whether a node "is a CDATASection" (if such a primitive even existed), so the workaround is to disable the check.
Attachments
Patch. (2.42 KB, patch)
2013-03-15 15:53 PDT, Thomas Sepez
no flags
Thomas Sepez
Comment 1 2013-03-15 14:07:47 PDT
CF testcase (.xml file): <html xmlns="http://www.w3.org/1999/xhtml">>
<!-- Fuzzer-generated crash testcase, reproduced as pasted: the stray closing bracket after the html start tag and the leading CDATA text section are part of the original and are left untouched. -->
<![CDATA[ > }]]><script><![CDATA[
/* Under a layout-test harness, keep the test alive until the delayed CFcrash() fires. */
if (window.layoutTestController) layoutTestController.waitUntilDone();
{
  /* Target object: a CDATASection, which (per the bug summary) inherits from Text but has its own IDL interface. */
  try { tCF47 = document.createCDATASection(""); } catch(e) {}
  setTimeout("CFcrash()", 282);
}
/* As pasted: no listener is passed, so this registration does nothing useful. */
document.addEventListener("DOMContentLoaded", false);

/* Collects the enumerable property names of obj (for..in, so inherited ones too) into the global `arr`.
   NOTE(review): the condition `arr.indexOf(prop) -1` is reproduced as pasted; it looks like a
   garbled `== -1` dedupe check -- confirm against the original attachment. */
function addPropToArr(obj) {
  arr = [];
  try { } catch(e) {}
  for (prop in obj) {
    if (arr.indexOf(prop) -1) arr.push(prop);
  }
  return arr;
}

/* Walks obj's property graph, collecting string paths rooted at the name "ZY" (e.g. ZY['foo'][0]) for every
   member whose typeof equals objType. Paths are kept as strings so callFunctions can resolve them with eval,
   where a local named ZY holds the root object. Properties that also exist on document.documentElement are
   skipped. Note the recursive calls pass only two arguments, so objType receives l + 1 and the level counter
   is re-seeded to 1; the surrounding try/catch blocks absorb whatever that produces. */
function addObjProps(obj, objType, arr, l) {
  if (l > 3) return;
  if (typeof(arr) == "undefined") {
    arr = [];
    s = "ZY";
    l = 1;
  }
  var props = addPropToArr(obj);
  for (i in props) {
    var prop = props[i];
    if (prop in document.documentElement) continue;
    try { objProp = obj[prop] } catch(e) { continue; }
    var ps = s + "['" + prop + "']";
    var tObj = typeof(objProp);
    /* Leaves (primitives, or functions whose constructor is Function): record on a type match, never descend. */
    if ((tObj != "function" && tObj != "object") || (tObj == "function" && tObj == objProp.constructor.name.toLowerCase())) {
      if (tObj == objType) { arr.push(ps); }
      continue;
    }
    /* Collections exposing both length and item() are walked element by element; anything else as a plain object. */
    var isnumarr = false;
    try {
      if (eval(ps + '["length"]') != undefined && eval(ps + '["item"]') != undefined) isnumarr = true;
    } catch(e) {}
    if (!isnumarr) {
      try { addObjProps(eval(ps), l + 1); } catch(e) {}
    } else {
      try {
        for (var j = 0; j != eval(ps + '["length"]'); j++) {
          var pswithindex = ps + "[" + j + "]";
          try { addObjProps(eval(pswithindex), l + 1); } catch(e) {}
        }
      } catch(e) {}
    }
  }
  if (l == 1) return arr;
}

/* Resolves the collected function paths (rooted at the local ZY, visible to eval) and invokes those selected by
   arrPick, each index reduced modulo the list length, passing functionArgument as literal argument text. */
function callFunctions(obj, arrPick, functionArgument) {
  var ZY = obj;
  var arr = addObjProps(obj, "function");
  for (i in arrPick) {
    try { eval(arr[arrPick[i] % arr.length] + "(" + functionArgument + ")"); } catch(e) {}
  }
}
function editFuzz() { }
/* Timer entry point: calls up to three selected methods of the CDATASection with fuzzer-chosen string/boolean
   arguments. Comment 2 below reduces this to a single splitText() call. */
function CFcrash() {
  try {
    callFunctions(tCF47, [32917, 42945, 94851], '"! E$42%f+dFJ u;nh C%RG[~V`Zu~od RRt%KT Fie1V6AIx!9Ju~$7&vk?dKeTk.+ _#eJO 5y!(6Nvhi:8= 3|Nq2@PK^K/", "Tuwg/H%: 53rGS.]9F*31]H p;a ]{?wX :IkLQaX$IUG1MyZ# }- N pEcuMt!0qr ,C", false');
  } catch(e) {}
}
]]></script>>
Thomas Sepez
Comment 2 2013-03-15 15:16:07 PDT
Minimized testcase: <html xmlns="http://www.w3.org/1999/xhtml">
<!-- Reduced from the fuzzer case in Comment 1: one Text-interface call on a CDATASection is enough. -->
<script><![CDATA[
/* splitText() belongs to the Text interface; per the summary, the Text bindings cannot tell that the
   receiver is really a CDATASection, which is presumably what trips the binding integrity check this
   patch disables. */
document.createCDATASection("").splitText(0);
]]></script>
Thomas Sepez
Comment 3 2013-03-15 15:53:35 PDT
Kentaro Hara
Comment 4 2013-03-16 09:46:07 PDT
Comment on attachment 193389 [details] Patch. Looks reasonable.
WebKit Review Bot
Comment 5 2013-03-16 10:10:23 PDT
Comment on attachment 193389 [details] Patch. Clearing flags on attachment: 193389 Committed r145994: <http://trac.webkit.org/changeset/145994>
WebKit Review Bot
Comment 6 2013-03-16 10:10:26 PDT
All reviewed patches have been landed. Closing bug.