WebKit Bugzilla
Attachment 373313 Details for
Bug 199400
: Crash when adding inline stylesheet to shadow tree in document with null base URL
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
patch
inline-stylesheet-shadow-crash.patch (text/plain), 3.64 KB, created by
Antti Koivisto
on 2019-07-02 04:31:20 PDT
(
hide
)
Description:
patch
Filename:
MIME Type:
Creator:
Antti Koivisto
Created:
2019-07-02 04:31:20 PDT
Size:
3.64 KB
patch
obsolete
>Index: Source/WebCore/ChangeLog >=================================================================== >--- Source/WebCore/ChangeLog (revision 247046) >+++ Source/WebCore/ChangeLog (working copy) >@@ -1,3 +1,20 @@ >+2019-07-02 Antti Koivisto <antti@apple.com> >+ >+ Crash when adding inline stylesheet to shadow tree in document with null base URL >+ https://bugs.webkit.org/show_bug.cgi?id=199400 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ We compute CSSParserContextHash for the inline stylesheet cache but that hits a nullptr crash >+ if the document happens to have null base URL (which is uncommon but possible). >+ >+ Test: fast/shadow-dom/stylesheet-in-shadow-without-base-url-crash.html >+ >+ * css/parser/CSSParserContext.h: >+ (WebCore::CSSParserContextHash::hash): >+ >+ Null check the base URL (like other strings), it is a valid case. >+ > 2019-07-02 Devin Rousso <drousso@apple.com> > > Web Inspector: Debug: "Reset Web Inspector" should also clear the saved window size and attachment side >Index: Source/WebCore/css/parser/CSSParserContext.h >=================================================================== >--- Source/WebCore/css/parser/CSSParserContext.h (revision 247042) >+++ Source/WebCore/css/parser/CSSParserContext.h (working copy) >@@ -89,7 +89,9 @@ WEBCORE_EXPORT const CSSParserContext& s > struct CSSParserContextHash { > static unsigned hash(const CSSParserContext& key) > { >- auto hash = WTF::URLHash::hash(key.baseURL); >+ unsigned hash = 0; >+ if (!key.baseURL.isNull()) >+ hash ^= WTF::URLHash::hash(key.baseURL); > if (!key.charset.isEmpty()) > hash ^= StringHash::hash(key.charset); > unsigned bits = key.isHTMLDocument << 0 >Index: LayoutTests/ChangeLog >=================================================================== >--- LayoutTests/ChangeLog (revision 247042) >+++ LayoutTests/ChangeLog (working copy) >@@ -1,3 +1,13 @@ >+2019-07-02 Antti Koivisto <antti@apple.com> >+ >+ Crash when adding inline stylesheet to shadow tree in document with null base URL >+ https://bugs.webkit.org/show_bug.cgi?id=199400 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * fast/shadow-dom/stylesheet-in-shadow-without-base-url-crash-expected.txt: Added. >+ * fast/shadow-dom/stylesheet-in-shadow-without-base-url-crash.html: Added. >+ > 2019-07-01 Justin Michaud <justin_michaud@apple.com> > > [Wasm-References] Disable references by default >Index: LayoutTests/fast/shadow-dom/stylesheet-in-shadow-without-base-url-crash-expected.txt >=================================================================== >--- LayoutTests/fast/shadow-dom/stylesheet-in-shadow-without-base-url-crash-expected.txt (nonexistent) >+++ LayoutTests/fast/shadow-dom/stylesheet-in-shadow-without-base-url-crash-expected.txt (working copy) >@@ -0,0 +1 @@ >+This test passes it doesn't crash. >Index: LayoutTests/fast/shadow-dom/stylesheet-in-shadow-without-base-url-crash.html >=================================================================== >--- LayoutTests/fast/shadow-dom/stylesheet-in-shadow-without-base-url-crash.html (nonexistent) >+++ LayoutTests/fast/shadow-dom/stylesheet-in-shadow-without-base-url-crash.html (working copy) >@@ -0,0 +1,13 @@ >+<script> >+if (window.testRunner) >+ testRunner.dumpAsText(); >+ >+const doc = new Document(); >+const style = doc.createElementNS("http://www.w3.org/1999/xhtml", "style"); >+style.textContent = "div { color: blue }"; >+const div = doc.createElementNS("http://www.w3.org/1999/xhtml", "div"); >+const shadow = div.attachShadow({mode: 'open'}); >+shadow.appendChild(style); >+doc.appendChild(div); >+</script> >+This test passes it doesn't crash.
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=373313">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Formatted Diff
|
Diff
Attachments on
bug 199400
: 373313