XMLTokenizer.cpp has a constructor that takes a document fragment and parses XML into this fragment (which is used at least for handling innerHTML, maybe other places as well). While parsing this fragment, the parser calls lots of methods on the document, amongst others finishedParsing(), which can lead to memory corruption when innerHTML is used from within the onload handler.
Created attachment 16617 [details] Protects some of the calls into the document. This patch fixes the memory corruption seen with LayoutTests/fast/innerHTML/innerHTML-script-tag-crash.xhtml. It does not, however, clean up all issues, and it is untested for builds that use the libxml based parser. The main issues remaining are things related to XSLT support (see XMLTokenizer.cpp around line 1210).
This is a reproducible memory smasher as demonstrated by the valgrind output: http://paste.lisp.org/display/48987
*** Bug 15455 has been marked as a duplicate of this bug. ***
Created attachment 16624 [details] Test case for QXML. After extensive investigation, I have decided that this bug does not affect the libxml based parser. These changes are not harmful to the libxml based parser, but they are not necessary: libxml doesn't set any of the touched methods as handlers during the parseXMLDocumentFragment code path.
Has this been landed?
(In reply to comment #5) > Has this been landed? Apparently it landed in r26356. http://trac.webkit.org/projects/webkit/changeset/26356 I don't see any indication of a review in the ChangeLog, however. Perhaps the review was given via IRC?
This can be closed.