Merge r165044 - REGRESSION(r164856): Use after free in WebCore::Quali…

…fiedName::operator== / WebCore::StyledElement::attributeChanged https://bugs.webkit.org/show_bug.cgi?id=129550 Reviewed by Andreas Kling. Source/WebCore: We can't store a reference to QualifiedName here because ensureUniqueElementData could delete QualifiedName inside Attribute. Test: fast/dom/uniquing-attributes-via-setAttribute.html * dom/Element.cpp: (WebCore::Element::setAttributeInternal): LayoutTests: Added a regression test. * fast/dom/uniquing-attributes-via-setAttribute-expected.txt: Added. * fast/dom/uniquing-attributes-via-setAttribute.html: Added.
WebKit · Apr 10, 2016 · d8d9f12 · d8d9f12
1 parent fa240d4
commit d8d9f12
Show file tree

Hide file tree

Showing 5 changed files with 54 additions and 1 deletion.
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2014-03-04  Ryosuke Niwa  <rniwa@webkit.org>
+
+        REGRESSION(r164856): Use after free in WebCore::QualifiedName::operator== / WebCore::StyledElement::attributeChanged
+        https://bugs.webkit.org/show_bug.cgi?id=129550
+
+        Reviewed by Andreas Kling.
+
+        Added a regression test.
+
+        * fast/dom/uniquing-attributes-via-setAttribute-expected.txt: Added.
+        * fast/dom/uniquing-attributes-via-setAttribute.html: Added.
+
 2015-02-06  Zalan Bujtas  <zalan@apple.com>
 
         ASSERT repaintContainer->hasLayer() in WebCore::RenderObject::repaintUsingContainer

diff --git a/LayoutTests/fast/dom/uniquing-attributes-via-setAttribute-expected.txt b/LayoutTests/fast/dom/uniquing-attributes-via-setAttribute-expected.txt
@@ -0,0 +1,3 @@
+Tests uniquing attributes via setAttribute. WebKit shouldn't crash under GuardMalloc or ASAN builds.
+
+PASS. WebKit didn't crash.
diff --git a/LayoutTests/fast/dom/uniquing-attributes-via-setAttribute.html b/LayoutTests/fast/dom/uniquing-attributes-via-setAttribute.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>Tests uniquing attributes via setAttribute. WebKit shouldn't crash under GuardMalloc or ASAN builds.</p>
+<div></div>
+<script>
+
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+var div = document.querySelector('div');
+div.setAttribute('name', 'a');
+
+var divClone = div.cloneNode(true);
+document.body.appendChild(divClone);
+
+div.setAttribute('name', 'b');
+divClone.setAttribute('name', 'b');
+
+document.write("PASS. WebKit didn't crash.");
+
+</script>
+</body>
+</html>
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
@@ -1,3 +1,17 @@
+2014-03-04  Ryosuke Niwa  <rniwa@webkit.org>
+
+        REGRESSION(r164856): Use after free in WebCore::QualifiedName::operator== / WebCore::StyledElement::attributeChanged
+        https://bugs.webkit.org/show_bug.cgi?id=129550
+
+        Reviewed by Andreas Kling.
+
+        We can't store a reference to QualifiedName here because ensureUniqueElementData could delete QualifiedName inside Attribute.
+
+        Test: fast/dom/uniquing-attributes-via-setAttribute.html
+
+        * dom/Element.cpp:
+        (WebCore::Element::setAttributeInternal):
+
 2014-03-25  Gabor Rapcsanyi  <rgabor@webkit.org>
 
         [ARM64] GNU assembler fails in TransformationMatrix::multiply

diff --git a/Source/WebCore/dom/Element.cpp b/Source/WebCore/dom/Element.cpp
@@ -1056,7 +1056,7 @@ inline void Element::setAttributeInternal(unsigned index, const QualifiedName& n
     const Attribute& attribute = attributeAt(index);
     AtomicString oldValue = attribute.value();
     bool valueChanged = newValue != oldValue;
-    const QualifiedName& attributeName = (!inSynchronizationOfLazyAttribute || valueChanged) ? attribute.name() : name;
+    QualifiedName attributeName = (!inSynchronizationOfLazyAttribute || valueChanged) ? attribute.name() : name;
 
     if (!inSynchronizationOfLazyAttribute)
         willModifyAttribute(attributeName, oldValue, newValue);