WebKit Bugzilla
RESOLVED FIXED
92056
Clear the external characters pointer of an AtomicHTMLToken before the raw token is cleared.
https://bugs.webkit.org/show_bug.cgi?id=92056
Reported by Kwang Yul Seo, 2012-07-23 19:27:34 PDT
AtomicHTMLToken keeps a pointer to the HTMLToken's buffer instead of copying the characters for performance. Clear the external characters pointer before the raw token is cleared to make sure that we won't have a dangling pointer.
Attachments
Patch (2.73 KB, patch), 2012-07-23 19:30 PDT, Kwang Yul Seo (abarth: review+)
Kwang Yul Seo
Comment 1
2012-07-23 19:30:33 PDT
Created attachment 153938: Patch
Kwang Yul Seo
Comment 2
2012-07-23 19:31:41 PDT
Adam, this is the follow-up patch you requested in Bug 91981.
Adam Barth
Comment 3
2012-07-24 10:07:17 PDT
Comment on attachment 153938: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=153938&action=review
> Source/WebCore/html/parser/HTMLTreeBuilder.cpp:459 > + if (token->type() == HTMLTokenTypes::Character) > + token->clearExternalCharacters();
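Review bot: the two added lines at HTMLTreeBuilder.cpp:459 carry no comment saying why the pointer is reset at this point. The reset only matters because it has to run before the raw token is cleared, so a one-line comment above `token->clearExternalCharacters();` stating that ordering would keep a later refactor from moving or dropping the call and reintroducing the dangling pointer.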
I would just do this unconditionally. There isn't any harm in overwriting m_externalCharacters with 0 for other token types and it saves us this branch.
Adam Barth
Comment 4
2012-07-24 10:10:51 PDT
Thanks for writing this patch. :)
Kwang Yul Seo
Comment 5
2012-07-24 14:57:01 PDT
(In reply to comment #3)
> > Source/WebCore/html/parser/HTMLTreeBuilder.cpp:459 > > + if (token->type() == HTMLTokenTypes::Character) > > + token->clearExternalCharacters(); > > I would just do this unconditionally. There isn't any harm in overwriting m_externalCharacters with 0 for other token types and it saves us this branch.
Thanks for the review! I will change it before I land the patch.
Kwang Yul Seo
Comment 6
2012-07-24 15:13:15 PDT
Committed r123536: <http://trac.webkit.org/changeset/123536>
Adam Barth
Comment 7
2012-07-24 15:27:38 PDT
This assert is wrong now that we're calling the function unconditionally.

ASSERT(m_type == Token::Type::Character);
Kwang Yul Seo
Comment 8
2012-07-24 15:29:00 PDT
(In reply to comment #7)
> This assert is wrong now that we're calling the function unconditionally.
>
> ASSERT(m_type == Token::Type::Character);
Oops, sorry. I will fix it.
Kwang Yul Seo
Comment 9
2012-07-24 15:35:37 PDT
(In reply to comment #8)
> (In reply to comment #7)
> > This assert is wrong now that we're calling the function unconditionally.
> >
> > ASSERT(m_type == Token::Type::Character);
>
> Oops, sorry. I will fix it.
Done.
http://trac.webkit.org/changeset/123542
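Added example, not part of the bug thread or of WebKit's source: a simplified C++ model of the pattern discussed here, where a token borrows the tokenizer's buffer instead of copying it and the borrow is reset unconditionally (with no type assertion) before the owning raw token is cleared. The names `RawToken`, `BorrowingToken` and `processAndRelease` are hypothetical.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Simplified model; all names are illustrative, not WebKit's classes.
enum class TokenType { StartTag, Character };

struct RawToken {
    TokenType type = TokenType::Character;
    std::vector<char> data;  // tokenizer-owned buffer
    void clear() { data.clear(); data.shrink_to_fit(); }  // asks to release storage
};

class BorrowingToken {
public:
    explicit BorrowingToken(const RawToken& raw) {
        if (raw.type == TokenType::Character) {  // borrow instead of copying
            m_external = raw.data.data();
            m_length = raw.data.size();
        }
    }
    // No type assertion: safe to call for every token type.
    void clearExternalCharacters() { m_external = nullptr; m_length = 0; }
    bool hasExternalCharacters() const { return m_external != nullptr; }
    std::string text() const {
        return m_external ? std::string(m_external, m_length) : std::string();
    }
private:
    const char* m_external = nullptr;
    std::size_t m_length = 0;
};

// Uses the token, then drops the borrow BEFORE the owner releases the buffer.
std::string processAndRelease(RawToken& raw, BorrowingToken& token) {
    std::string consumed = token.text();  // last legitimate use of the borrow
    token.clearExternalCharacters();      // unconditional reset
    raw.clear();                          // buffer is gone from here on
    return consumed;
}

int main() {
    RawToken raw;           // constructed sample input
    raw.data = {'h', 'i'};
    BorrowingToken token(raw);
    std::string s = processAndRelease(raw, token);
    return (s == "hi" && !token.hasExternalCharacters()) ? 0 : 1;
}
```

Any later read through the token after `processAndRelease` sees an empty string rather than freed memory, which is the property the reset buys.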