Issue 1117973003: parserInsertBefore and parserRemoveChild should check newChild for a parent.

Issue 1117973003: parserInsertBefore and parserRemoveChild should check newChild for a parent. (Closed)

Created:
5 years, 7 months ago by esprehn

Modified:
5 years, 7 months ago

Reviewers:
adamk, inferno

CC:
blink-reviews, blink-reviews-dom_chromium.org, blink-reviews-html_chromium.org, dglazkov+blink, eae+blinkwatch, rwlbuis, sof

Base URL:
svn://svn.chromium.org/blink/trunk

Target Ref:
refs/heads/master

Project:
blink

Visibility:
Public.

More Reviews

Description

parserInsertBefore and parserRemoveChild should check newChild for a parent. parserRemoveChild can run script in obscure cases involving the adoption agency changing the children of a script element, this script can then move the element the parser is trying to insert back into the page so that parserInsertBefore would then insert the newChild in the tree again. This means the child ends up being inserted twice which can result in a use after free if one is removed and a GC happens. To fix this we run the removal in a loop inside the insert methods until the child really is removed. We probably want to file a spec bug about this too. BUG=478745 Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=194835

Patch Set 1 #

Patch Set 2 : Remove assert. #

Total comments: 3

Patch Set 3 : Update comment. #

Created: 5 years, 7 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+40 lines, -11 lines)			Patch
A	LayoutTests/fast/parser/execute-script-during-adoption-agency-removal.html	View	1	1 chunk	+27 lines, -0 lines	0 comments	Download
A +	LayoutTests/fast/parser/execute-script-during-adoption-agency-removal-expected.txt	View		0 chunks	+-1 lines, --1 lines	0 comments	Download
M	Source/core/dom/ContainerNode.h	View	1 2	1 chunk	+1 line, -1 line	0 comments	Download
M	Source/core/dom/ContainerNode.cpp	View	1	3 chunks	+13 lines, -5 lines	0 comments	Download
M	Source/core/html/parser/HTMLConstructionSite.cpp	View		2 chunks	+0 lines, -6 lines	0 comments	Download

Messages

Total messages: 18 (8 generated)

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages

commit-bot: I haz the power

Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1117973003/1

5 years, 7 months ago (2015-05-01 01:33:51 UTC) #5

commit-bot: I haz the power

Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1117973003/20001

5 years, 7 months ago (2015-05-01 03:24:07 UTC) #9

commit-bot: I haz the power

Dry run: This issue passed the CQ dry run.

5 years, 7 months ago (2015-05-01 05:33:43 UTC) #11

esprehn

https://codereview.chromium.org/1117973003/diff/20001/Source/core/dom/ContainerNode.cpp File Source/core/dom/ContainerNode.cpp (left): https://codereview.chromium.org/1117973003/diff/20001/Source/core/dom/ContainerNode.cpp#oldcode755 Source/core/dom/ContainerNode.cpp:755: ASSERT(!newChild->parentNode()); // Use appendChild if you need to handle ...

5 years, 7 months ago (2015-05-01 05:36:58 UTC) #12

inferno

On 2015/05/01 05:36:58, esprehn wrote: > https://codereview.chromium.org/1117973003/diff/20001/Source/core/dom/ContainerNode.cpp > File Source/core/dom/ContainerNode.cpp (left): > > https://codereview.chromium.org/1117973003/diff/20001/Source/core/dom/ContainerNode.cpp#oldcode755 > ...

5 years, 7 months ago (2015-05-01 05:46:55 UTC) #13

adamk

5 years, 7 months ago (2015-05-01 16:46:54 UTC) #14

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1117973003/40001

5 years, 7 months ago (2015-05-01 18:05:26 UTC) #17

commit-bot: I haz the power

5 years, 7 months ago (2015-05-02 01:30:15 UTC) #18

Message was sent while issue was closed.

Committed patchset #3 (id:40001) as
https://src.chromium.org/viewvc/blink?view=rev&revision=194835

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages