Commit 9300d592 authored by darin's avatar darin

LayoutTests:

        Reviewed by Darin.

        - test for http://bugzilla.opendarwin.org/show_bug.cgi?id=9317
          REGRESSION: crash in HTML tokenizer at Japanese Apple support page

        * fast/tokenizer/write-unclosed-script-expected.txt: Added.
        * fast/tokenizer/write-unclosed-script.html: Added.

WebCore:

        Reviewed by Maciej and Darin.

        - fix http://bugzilla.opendarwin.org/show_bug.cgi?id=9317
          REGRESSION: crash in HTML tokenizer at Japanese Apple support page

        Test: fast/tokenizer/write-unclosed-script.html

        * html/HTMLTokenizer.cpp:
        (WebCore::HTMLTokenizer::scriptHandler): Changed to reset the inScript flag
        and scriptCodeSize before possible script execution, but not afterwards.
        This way, if script execution write()s a <script> tag without closing it,
        the tokenizer is left in inScript state. Added code to set the requestingScript
        flag around the request for the cached script, to let notifyFinished() know
        that it's being called under scriptHandler().
        (WebCore::HTMLTokenizer::scriptExecution): Removed code that saved and restored
        the inScript flag. This function is always entered now with inScript being false.
        (WebCore::HTMLTokenizer::notifyFinished): Changed to use the new requestingScript
        state flag instead of the inScript flag, which is always false now when entering
        this function.
        * html/HTMLTokenizer.h:
        Added the requestingScript state bit, used to tell notifyFinished() that it
        is being called under scriptHandler() (which happens when the script is already
        in cache).



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@15075 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 74ecc801
2006-06-27 Mitz Pettel <opendarwin.org@mitzpettel.com>
Reviewed by Darin.
- test for http://bugzilla.opendarwin.org/show_bug.cgi?id=9317
REGRESSION: crash in HTML tokenizer at Japanese Apple support page
* fast/tokenizer/write-unclosed-script-expected.txt: Added.
* fast/tokenizer/write-unclosed-script.html: Added.
2006-06-27 Justin Garcia <justin.garcia@apple.com>
Reviewed by levi
This is a test for http://bugzilla.opendarwin.org/show_bug.cgi?id=9317 REGRESSION: crash in HTML tokenizer at Japanese Apple support page.
Test result: PASS
<html>
<head>
<script type="text/javascript">
if (window.layoutTestController)
layoutTestController.dumpAsText();
var str = "";
function writeResult()
{
var res = document.getElementById("result");
if (str == "foobar")
res.innerText = "PASS";
else
res.innerText = "FAIL ("+str+")";
}
</script>
</head>
<body onload="writeResult();">
<script type="text/javascript">
<!--
document.write('<script type="text/javascript">');
document.write('str += "foo"');
//-->
</script>
str += "bar";
</script>
<p>
This is a test for <i><a href="http://bugzilla.opendarwin.org/show_bug.cgi?id=9317">http://bugzilla.opendarwin.org/show_bug.cgi?id=9317</a>
REGRESSION: crash in HTML tokenizer at Japanese Apple support page</i>.
</p>
<hr>
<p>
Test result: <span id="result">FAIL (did not complete)</span>
</p>
</body>
</html>
2006-06-27 Mitz Pettel <opendarwin.org@mitzpettel.com>
Reviewed by Maciej and Darin.
- fix http://bugzilla.opendarwin.org/show_bug.cgi?id=9317
REGRESSION: crash in HTML tokenizer at Japanese Apple support page
Test: fast/tokenizer/write-unclosed-script.html
* html/HTMLTokenizer.cpp:
(WebCore::HTMLTokenizer::scriptHandler): Changed to reset the inScript flag
and scriptCodeSize before possible script execution, but not afterwards.
This way, if script execution write()s a <script> tag without closing it,
the tokenizer is left in inScript state. Added code to set the requestingScript
flag around the request for the cached script, to let notifiyFinished() know
that it's being called under scriptHandler().
(WebCore::HTMLTokenizer::scriptExecution): Removed code that saved and restored
the inScript flag. This function is always entered now with inScript being false.
(WebCore::HTMLTokenizer::notifyFinished): Changed to use the new requestingScript
state flag instead of the inScript flag, which is always false now when entering
this function.
* html/HTMLTokenizer.h:
Added the requestingScript state bit, used to tell notifyFinished() that it
is being called under scriptHandler() (which happens when the script is already
in cache).
2006-06-27 Justin Garcia <justin.garcia@apple.com>
Reviewed by levi
......
......@@ -390,6 +390,9 @@ HTMLTokenizer::State HTMLTokenizer::scriptHandler(State state)
SegmentedString *savedPrependingSrc = currentPrependingSrc;
SegmentedString prependingSrc;
currentPrependingSrc = &prependingSrc;
state.setInScript(false);
scriptCodeSize = scriptCodeResync = 0;
if (!parser->skipMode() && !followingFrameset) {
if (cs) {
if (savedPrependingSrc)
......@@ -397,13 +400,14 @@ HTMLTokenizer::State HTMLTokenizer::scriptHandler(State state)
else
pendingSrc.prepend(src);
setSrc(SegmentedString());
scriptCodeSize = scriptCodeResync = 0;
// the ref() call below may call notifyFinished if the script is already in cache,
// and that mucks with the state directly, so we must write it back to the object.
state.setRequestingScript(true);
m_state = state;
cs->ref(this);
state = m_state;
state.setRequestingScript(false);
// will be 0 if script was already loaded and ref() executed it
if (!pendingScripts.isEmpty())
state.setLoadingExtScript(true);
......@@ -414,14 +418,10 @@ HTMLTokenizer::State HTMLTokenizer::scriptHandler(State state)
else
prependingSrc = src;
setSrc(SegmentedString());
scriptCodeSize = scriptCodeResync = 0;
state = scriptExecution(exScript, state, DeprecatedString::null, scriptStartLineno);
}
}
state.setInScript(false);
scriptCodeSize = scriptCodeResync = 0;
if (!m_executingScript && !state.loadingExtScript()) {
src.append(pendingSrc);
pendingSrc.clear();
......@@ -455,9 +455,7 @@ HTMLTokenizer::State HTMLTokenizer::scriptExecution(const DeprecatedString& str,
{
if (m_fragment || !m_doc->frame())
return state;
bool oldscript = state.inScript();
m_executingScript++;
state.setInScript(false);
DeprecatedString url = scriptURL.isNull() ? m_doc->frame()->document()->URL() : scriptURL;
SegmentedString *savedPrependingSrc = currentPrependingSrc;
......@@ -481,7 +479,6 @@ HTMLTokenizer::State HTMLTokenizer::scriptExecution(const DeprecatedString& str,
#endif
m_executingScript--;
state.setInScript(oldscript);
if (!m_executingScript && !state.loadingExtScript()) {
src.append(pendingSrc);
......@@ -1702,10 +1699,10 @@ void HTMLTokenizer::notifyFinished(CachedObject*)
#endif
}
// 'inScript' is true when we are called synchronously from
// parseScript(). In that case parseScript() will take care
// of 'scriptOutput'.
if (!m_state.inScript()) {
// 'requestingScript' is true when we are called synchronously from
// scriptHandler(). In that case scriptHandler() will take care
// of pendingSrc.
if (!m_state.requestingScript()) {
SegmentedString rest = pendingSrc;
pendingSrc.clear();
write(rest, false);
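Review bot: In the cached-script branch of scriptHandler (second hunk), `state.setRequestingScript(false);` after `state = m_state;` clears the bit only in the local copy, so `m_state` keeps RequestingScript set until the caller writes `state` back, and that write-back is outside these hunks. notifyFinished() now branches on `m_state.requestingScript()`, so any path that reaches it before the write-back would see a stale true and skip the `write(rest, false)` it is supposed to perform; clearing the object first, `m_state.setRequestingScript(false); state = m_state;`, keeps both copies consistent without changing the existing write-back pattern. The round trip through `m_state` also means the bit only survives if every re-entrant path taken inside `cs->ref(this)` preserves it rather than replacing `m_state` wholesale, which is presumably the case but is worth stating in the comment above the call, e.g. `// requestingScript must survive any m_state update made by re-entrant write() calls`. scriptHandler's body begins and ends outside these hunks.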
......
......@@ -221,6 +221,8 @@ private:
void setLoadingExtScript(bool v) { setBit(LoadingExtScript, v); }
bool forceSynchronous() const { return testBit(ForceSynchronous); }
void setForceSynchronous(bool v) { setBit(ForceSynchronous, v); }
bool requestingScript() const { return testBit(RequestingScript); }
void setRequestingScript(bool v) { setBit(RequestingScript, v); }
bool inAnySpecial() const { return m_bits & (InScript | InStyle | InXmp | InTextArea | InTitle); }
bool hasTagState() const { return m_bits & TagMask; }
......@@ -250,6 +252,7 @@ private:
AllowYield = 1 << 21,
LoadingExtScript = 1 << 22,
ForceSynchronous = 1 << 23,
RequestingScript = 1 << 24,
};
void setBit(StateBits bit, bool value)
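Review bot: The new `requestingScript()` / `setRequestingScript()` accessors in the first hunk carry no comment, although the bit has a narrow, non-obvious lifetime that notifyFinished() depends on; a reader of the header cannot tell it from the other state bits. A one-line comment above the pair would capture the contract, e.g. `// Set only while scriptHandler() requests a cached script, so a synchronous notifyFinished() leaves pendingSrc for scriptHandler() to write()`. `RequestingScript = 1 << 24` in the second hunk is the highest bit in the enum so far; the declared type of `m_bits` is outside this hunk, so confirm it has room for bit 24 and the remaining tag-state masks.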
......