Description
Fix possible crash in Element::normalizeAttributes()
Fix possible crash in Element::normalizeAttributes() caused by the ElementData
becoming unique while we are iterating over the Element's attributes.
A call to Attr::normalize() can cause an attribute's value to be updated, thus
causing the Element's ElementData to become unique if it was previously
shareable. The issue is that we were iterating over the Element's attributes,
which relies on the internal representation of the ElementData. When the
ShareableElementData gets replaced by a UniqueElementData, the internal
representation goes away and what we are iterating on no longer exists.
The solution adopted in this CL is to iterate over the Element's attrNodeList()
Vector instead, since what we are really interested in are Attr Nodes and not
Attribute objects. The attrNodeList() method returns a pointer to a Vector
stored in ElementRareData, and thus never shared between Elements. We anyway
make a copy of that vector before iterating because attributes can potentially
be added / removed by JS listeners while we are iterating (see
fast/dom/normalize-attributes-mutation-event-crash.html layout test).
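To make the hazard concrete, here is an added example that is not part of this CL or of Blink: a hypothetical, much simplified copy-on-write ElementData, with the loop shape the CL removes (walking the live attribute storage while a normalize step may replace it) beside the snapshot-first shape it adopts. The class and method names, the space-collapsing stand-in for the value change, and the sample attributes are all constructed for the example.

```cpp
#include <memory>
#include <string>
#include <vector>
// Hypothetical, simplified copy-on-write element data (not Blink's code).
struct Attribute { std::string name; std::string value; };
struct ElementData { std::vector<Attribute> attrs; };
// Constructed stand-in for the value change Attr::normalize() may make: collapse runs of spaces.
static std::string normalized(const std::string& v) {
  std::string out;
  for (char c : v) if (c != ' ' || out.empty() || out.back() != ' ') out += c;
  return out;
}
class Element {
 public:
  explicit Element(std::shared_ptr<ElementData> d) : data_(std::move(d)) {}
  // The first write to shared data swaps in a private copy, so references into
  // the old vector no longer point at this element's data (or at anything).
  void setAttributeValue(size_t i, const std::string& v) {
    if (data_.use_count() > 1) data_ = std::make_shared<ElementData>(*data_);
    data_->attrs[i].value = v;
  }
  // Buggy shape: walks the live vector while mutating. Returns false when the
  // backing store was swapped mid-loop (checked by pointer before touching it).
  bool normalizeUnsafe() {
    const ElementData* start = data_.get();
    const std::vector<Attribute>& live = data_->attrs;
    for (size_t i = 0, n = live.size(); i < n; ++i) {
      if (data_.get() != start) return false;  // a real loop would read freed memory here
      std::string nv = normalized(live[i].value);
      if (nv != live[i].value) setAttributeValue(i, nv);
    }
    return true;
  }
  // Fixed shape: snapshot first (as the CL copies attrNodeList()), then mutate.
  size_t normalizeSafe() {
    const std::vector<Attribute> snapshot = data_->attrs;
    size_t changed = 0;
    for (size_t i = 0; i < snapshot.size(); ++i) {
      std::string nv = normalized(snapshot[i].value);
      if (nv != snapshot[i].value) { setAttributeValue(i, nv); ++changed; }
    }
    return changed;
  }
  const std::vector<Attribute>& attrs() const { return data_->attrs; }
 private: std::shared_ptr<ElementData> data_;
};
static std::shared_ptr<ElementData> sampleData() {  // constructed sample attributes
  return std::make_shared<ElementData>(ElementData{{{"id", "a  b"}, {"class", "x   y"}}});
}
```

The unsafe loop only trips when the data was shared before the first rewrite; an element that already owns unique data walks it without incident, which is why the crash was intermittent rather than constant.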
BUG=394026
TEST=fast/dom/Element/normalize-crash2.html
R=esprehn@chromium.org, tkent@chromium.org
Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=178235
Patch Set 1
Patch Set 2 : Clean up
Patch Set 3 : Fix fast/dom/normalize-attributes-mutation-event-crash.html failure
Messages
Total messages: 4 (0 generated)