WebKit Bugzilla: Attachment 356451 Details for Bug 192347: Crash in HTMLCollection::updateNamedElementCache
[patch] Fixes the bug
bug-192347-20181203195046.patch (text/plain), 4.41 KB, created by Ryosuke Niwa on 2018-12-03 19:50:47 PST

Description: Fixes the bug
Filename: bug-192347-20181203195046.patch
MIME Type: text/plain
Creator: Ryosuke Niwa
Created: 2018-12-03 19:50:47 PST
Size: 4.41 KB
Flags: patch, obsolete
>Index: Source/WebCore/ChangeLog >=================================================================== >--- Source/WebCore/ChangeLog (revision 238814) >+++ Source/WebCore/ChangeLog (working copy) >@@ -1,3 +1,22 @@ >+2018-12-03 Ryosuke Niwa <rniwa@webkit.org> >+ >+ Crash in HTMLCollection::updateNamedElementCache >+ https://bugs.webkit.org/show_bug.cgi?id=192347 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ The bug was caused by CollectionIndexCache's nodeAt caching the length of 1 >+ when there are no matching elements in the subtree when the index is non-zero. >+ >+ A related bug was fixed in r182125 but we were not considering the possibility >+ that the index given to this function might be non-zero even when there were >+ no matching elements. >+ >+ Test: fast/dom/options-collection-zero-length-crash.html >+ >+ * dom/CollectionIndexCache.h: >+ (WebCore::CollectionIndexCache<Collection, Iterator>::nodeAt): >+ > 2018-12-03 Ryosuke Niwa <rniwa@webkit.org> > > title attribute on style & link elements should be ignored inside a shadow tree >Index: Source/WebCore/dom/CollectionIndexCache.h >=================================================================== >--- Source/WebCore/dom/CollectionIndexCache.h (revision 238814) >+++ Source/WebCore/dom/CollectionIndexCache.h (working copy) 
>@@ -203,13 +203,14 @@ inline typename CollectionIndexCache<Col > > m_current = collection.collectionBegin(); > m_currentIndex = 0; >- if (index && m_current != end) { >+ bool startIsEnd = m_current == end; >+ if (index && !startIsEnd) { > collection.collectionTraverseForward(m_current, index, m_currentIndex); > ASSERT(m_current != end || m_currentIndex < index); > } > if (m_current == end) { > // Failed to find the index but at least we now know the size. >- m_nodeCount = index ? m_currentIndex + 1 : 0; >+ m_nodeCount = startIsEnd ? 0 : m_currentIndex + 1; > m_nodeCountValid = true; > return nullptr; > } >Index: LayoutTests/ChangeLog >=================================================================== >--- LayoutTests/ChangeLog (revision 238814) >+++ LayoutTests/ChangeLog (working copy) >@@ -1,3 +1,17 @@ >+2018-12-03 Ryosuke Niwa <rniwa@webkit.org> >+ >+ Crash in HTMLCollection::updateNamedElementCache >+ https://bugs.webkit.org/show_bug.cgi?id=192347 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Added a regression test. We can't simply call select.options.item >+ to catch this crash because the generated bidning code first call length() >+ to check if the index is within the valid range. >+ >+ * fast/dom/options-collection-zero-length-crash-expected.txt: Added. >+ * fast/dom/options-collection-zero-length-crash.html: Added. >+ > 2018-12-03 Daniel Bates <dabates@apple.com> > > [iOS] Do not handle key events that are key commands >Index: LayoutTests/fast/dom/options-collection-zero-length-crash-expected.txt >=================================================================== >--- LayoutTests/fast/dom/options-collection-zero-length-crash-expected.txt (nonexistent) >+++ LayoutTests/fast/dom/options-collection-zero-length-crash-expected.txt (working copy) 
>@@ -0,0 +1,11 @@ >+This tests accessing the length after accessing a particular index in HTMLOptionsCollections via HTMLSelectElement's item. WebKit should not crash. >+ >+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". >+ >+ >+PASS select.item(500) is null >+PASS select.options.length is 0 >+PASS successfullyParsed is true >+ >+TEST COMPLETE >+ >Index: LayoutTests/fast/dom/options-collection-zero-length-crash.html >=================================================================== >--- LayoutTests/fast/dom/options-collection-zero-length-crash.html (nonexistent) >+++ LayoutTests/fast/dom/options-collection-zero-length-crash.html (working copy) >@@ -0,0 +1,19 @@ >+<!DOCTYPE html> >+<html> >+<body> >+<script src="../../resources/js-test.js"></script> >+<script> >+ >+description('This tests accessing the length after accessing a particular index in HTMLOptionsCollections via HTMLSelectElement\'s item. WebKit should not crash.'); >+ >+const select = document.createElement('select'); >+ >+// Need to keep HTMLOptionsCollection alive during the call to item() and until the length getter is called. >+const optionsCollection = select.options; >+ >+shouldBe('select.item(500)', 'null'); >+shouldBe('select.options.length', '0'); >+ >+</script> >+</body> >+</html>
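Review bot: In the CollectionIndexCache.h hunk, the corrected line `m_nodeCount = startIsEnd ? 0 : m_currentIndex + 1;` deserves a one-line comment explaining why the count is keyed on whether the collection was empty at the start rather than on `index`: the previous `m_nodeCount = index ? m_currentIndex + 1 : 0;` looked plausible yet cached a length of 1 for an empty collection whenever a non-zero index was requested, which is exactly the case this bug fixes, so a comment will keep a later cleanup from reintroducing it. The `ASSERT(m_current != end || m_currentIndex < index);` in the traversal branch still holds with the new condition, since that branch is only entered when `!startIsEnd`.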
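Review bot: The LayoutTests/ChangeLog hunk has typos in its explanatory paragraph: `bidning` should be `binding` and `first call length()` should be `first calls length()`. Worth fixing before landing, since this paragraph is the only place that records why the test goes through `select.item()` rather than `select.options.item()` to reach `nodeAt` without a preceding length check.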
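Review bot: In the options-collection-zero-length-crash.html hunk, `optionsCollection` is declared to keep the HTMLOptionsCollection alive but is never referenced afterwards; the second assertion reads `select.options.length` instead. Asserting through the held reference, e.g. `shouldBe('optionsCollection.length', '0');`, makes the lifetime dependency the comment describes explicit and keeps the binding from looking unused.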
Flags: darin: review+