RESOLVED FIXED 26402
Accessing attributes of an object created with "document.implementation.createDocumentType" causes NULL pointers
https://bugs.webkit.org/show_bug.cgi?id=26402
Berend-Jan Wever
Reported 2009-06-15 03:56:39 PDT
Accessing properties/calling methods of an object created with "document.implementation.createDocumentType" causes NULL pointer exceptions.

Repro:
<SCRIPT>
o = document.implementation.createDocumentType('x');
for (i in o) {
  try { o[i]; } catch (e) {}
  try { o[i](); } catch (e) {}
}
</SCRIPT>
Attachments
* proposed fix (6.56 KB, patch) - 2009-09-03 17:23 PDT, Alexey Proskuryakov - flags: eric: review+, eric: commit-queue-
* Fix detached doctype crashes, v1. (1.66 KB, patch) - 2009-09-17 10:27 PDT, Dimitri Glazkov (Google) - flags: eric: review+
Berend-Jan Wever
Comment 1 2009-06-15 03:59:37 PDT
Added link to repro
Berend-Jan Wever
Comment 2 2009-06-15 04:01:31 PDT
Alexey Proskuryakov
Comment 3 2009-06-17 01:56:39 PDT
I'm sure there are more issues with DOM code not expecting that Node::document() can return NULL, because it's so rare.
Olivier
Comment 4 2009-08-12 11:14:04 PDT
If I understand http://www.w3.org/TR/2000/REC-DOM-Level-2-Core-20001113/core.html correctly, there are only two cases where Node::document() would be null:
* with a document
* with a not yet attached documentType

If the former, nothing you can access in JavaScript crashes. If the latter, the following will crash:
* Node::childNodes (because of document()->addNodeListCache())
* Node::addEventListener (because of !document->attached())
* Node::removeEventListener

And nothing else. Hope that helps...
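The three entry points listed in comment 4 share one shape: a method assumes Node::document() is non-null and dereferences it, which is false for a DocumentType that has not been attached to a document yet. The following stand-alone C++ model is an added example, not WebCore code and not the patch attached to this bug: Document, Node, the member names and the "treat a null document as no attached-check" policy are all simplified assumptions. It shows the unchecked form beside a hardened form that only touches the document when there is one, and a probe that mirrors the reporter's repro loop on a detached node.

```cpp
#include <algorithm>
#include <cstddef>
#include <string>
#include <vector>

// Added example: a simplified stand-in for the classes named in this bug.
// These are assumed shapes, not WebKit's real Document/Node.

struct Document {
    bool attached = true;      // whether the document is attached to a frame
    int nodeListCaches = 0;    // counts addNodeListCache() calls for the test
    void addNodeListCache() { ++nodeListCaches; }
};

class Node {
public:
    explicit Node(Document* doc = nullptr) : m_document(doc) {}

    // A DocumentType produced by createDocumentType() has no owner document
    // until it is attached, so this legitimately returns nullptr until then.
    Document* document() const { return m_document; }
    void attachTo(Document& doc) { m_document = &doc; }

    // Bug shape: dereferences document() unconditionally. On a detached node
    // this is a null-pointer dereference. Never called in this file.
    std::size_t childNodesUnchecked() {
        document()->addNodeListCache();
        return m_children.size();
    }

    // Hardened: only register the node-list cache when a document exists.
    std::size_t childNodes() {
        if (Document* doc = document())
            doc->addNodeListCache();
        return m_children.size();
    }

    // Hardened: the "!document->attached()" early-out applies only when there
    // is a document; a detached doctype simply records the listener (assumed
    // policy for this model).
    bool addEventListener(const std::string& type) {
        Document* doc = document();
        if (doc && !doc->attached)
            return false;
        m_listeners.push_back(type);
        return true;
    }

    bool removeEventListener(const std::string& type) {
        Document* doc = document();
        if (doc && !doc->attached)
            return false;
        auto it = std::find(m_listeners.begin(), m_listeners.end(), type);
        if (it == m_listeners.end())
            return false;
        m_listeners.erase(it);
        return true;
    }

    std::size_t listenerCount() const { return m_listeners.size(); }

private:
    Document* m_document;
    std::vector<Node*> m_children;
    std::vector<std::string> m_listeners;
};

// Mirrors the reporter's repro loop: call each listed entry point on a
// detached doctype and count how many complete without touching a document.
int probeDetachedDoctype() {
    Node doctype;   // no owner document, as right after createDocumentType()
    int completed = 0;
    doctype.childNodes();
    ++completed;
    doctype.addEventListener("load");
    ++completed;
    doctype.removeEventListener("load");
    ++completed;
    return completed;   // 3 when every hardened path survives a null document
}

int main() {
    return probeDetachedDoctype() == 3 ? 0 : 1;
}
```

The point of the probe is the same as the JavaScript repro at the top of the bug: every reachable method is called on the detached node, and the expected outcome is that all of them return instead of dereferencing a null Document. A regression test in the real tree would do the same from script against createDocumentType().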
Eric Seidel (no email)
Comment 5 2009-08-12 11:17:12 PDT
I feel like I've seen a dupe of this... possibly even worked on a dupe of this.
Alexey Proskuryakov
Comment 6 2009-08-12 11:20:16 PDT
Alexey Proskuryakov
Comment 7 2009-09-03 17:23:04 PDT
Created attachment 39021 [details]
proposed fix

(In reply to comment #4)
> Hope that helps...

Thanks, it definitely helped!
Eric Seidel (no email)
Comment 8 2009-09-04 00:35:51 PDT
Comment on attachment 39021 [details]
proposed fix

Seems this could cause trouble:
59 Name: svn:eol-style
610 + native
Eric Seidel (no email)
Comment 9 2009-09-04 00:37:27 PDT
Comment on attachment 39021 [details]
proposed fix

Otherwise this looks fine. V8 changes will likely be needed eventually, but someone else can figure those out.
Alexey Proskuryakov
Comment 10 2009-09-04 09:35:35 PDT
Committed <http://trac.webkit.org/changeset/48055>.

(In reply to comment #8)
> Seems this could cause trouble:
> 59 Name: svn:eol-style
> 610 + native

Will it? Almost all of my patches in the recent years had this.
Eric Seidel (no email)
Comment 11 2009-09-05 01:30:15 PDT
Is run-webkit-tests/DumpRenderTree smart enough to handle expected results with non-unix line endings?
Alexey Proskuryakov
Comment 12 2009-09-05 23:06:12 PDT
No idea, I don't have any setup that would use non-Unix line endings. I think the right question is: did this (*-expected.txt file line ending style) ever cause problems before?
Dimitri Glazkov (Google)
Comment 13 2009-09-17 10:26:30 PDT
V8 bindings fix coming up.
Dimitri Glazkov (Google)
Comment 14 2009-09-17 10:27:51 PDT
Created attachment 39704 [details]
Fix detached doctype crashes, v1.

WebCore/ChangeLog                    | 14 ++++++++++++++
WebCore/bindings/v8/V8DOMWrapper.cpp |  6 +++++-
2 files changed, 19 insertions(+), 1 deletions(-)
Eric Seidel (no email)
Comment 15 2009-09-17 11:57:10 PDT
Comment on attachment 39704 [details]
Fix detached doctype crashes, v1.

LGTM. We probably should have used a separate bug for this. :)
Dimitri Glazkov (Google)
Comment 16 2009-09-17 12:06:35 PDT
Dimitri Glazkov (Google)
Comment 17 2009-09-17 12:20:51 PDT
Lucas Forschler
Comment 18 2019-02-06 09:03:24 PST
Mass moving XML DOM bugs to the "DOM" Component.