From d8d9f12f93dc69d6b48d3b881cd79ffc2dbec5bf Mon Sep 17 00:00:00 2001
From: Ryosuke Niwa <rniwa@webkit.org>
Date: Sun, 10 Apr 2016 07:49:54 +0000
Subject: [PATCH] Merge r165044 - REGRESSION(r164856): Use after free in
 WebCore::QualifiedName::operator== / WebCore::StyledElement::attributeChanged
 https://bugs.webkit.org/show_bug.cgi?id=129550

Reviewed by Andreas Kling.

Source/WebCore:

We can't store a reference to QualifiedName here because ensureUniqueElementData could delete QualifiedName inside Attribute.

Test: fast/dom/uniquing-attributes-via-setAttribute.html

* dom/Element.cpp:
(WebCore::Element::setAttributeInternal):

LayoutTests:

Added a regression test.

* fast/dom/uniquing-attributes-via-setAttribute-expected.txt: Added.
* fast/dom/uniquing-attributes-via-setAttribute.html: Added.
---
 LayoutTests/ChangeLog                         | 12 ++++++++++
 ...g-attributes-via-setAttribute-expected.txt |  3 +++
 .../uniquing-attributes-via-setAttribute.html | 24 +++++++++++++++++++
 Source/WebCore/ChangeLog                      | 14 +++++++++++
 Source/WebCore/dom/Element.cpp                |  2 +-
 5 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 LayoutTests/fast/dom/uniquing-attributes-via-setAttribute-expected.txt
 create mode 100644 LayoutTests/fast/dom/uniquing-attributes-via-setAttribute.html

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index c3fce2a5df7a..8b06b2ae04c2 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2014-03-04  Ryosuke Niwa  <rniwa@webkit.org>
+
+        REGRESSION(r164856): Use after free in WebCore::QualifiedName::operator== / WebCore::StyledElement::attributeChanged
+        https://bugs.webkit.org/show_bug.cgi?id=129550
+
+        Reviewed by Andreas Kling.
+
+        Added a regression test.
+
+        * fast/dom/uniquing-attributes-via-setAttribute-expected.txt: Added.
+        * fast/dom/uniquing-attributes-via-setAttribute.html: Added.
+
 2015-02-06  Zalan Bujtas  <zalan@apple.com>
 
         ASSERT repaintContainer->hasLayer() in WebCore::RenderObject::repaintUsingContainer
diff --git a/LayoutTests/fast/dom/uniquing-attributes-via-setAttribute-expected.txt b/LayoutTests/fast/dom/uniquing-attributes-via-setAttribute-expected.txt
new file mode 100644
index 000000000000..a7f42aff25d8
--- /dev/null
+++ b/LayoutTests/fast/dom/uniquing-attributes-via-setAttribute-expected.txt
@@ -0,0 +1,3 @@
+Tests uniquing attributes via setAttribute. WebKit shouldn't crash under GuardMalloc or ASAN builds.
+
+PASS. WebKit didn't crash.
diff --git a/LayoutTests/fast/dom/uniquing-attributes-via-setAttribute.html b/LayoutTests/fast/dom/uniquing-attributes-via-setAttribute.html
new file mode 100644
index 000000000000..a8064c5487aa
--- /dev/null
+++ b/LayoutTests/fast/dom/uniquing-attributes-via-setAttribute.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>Tests uniquing attributes via setAttribute. WebKit shouldn't crash under GuardMalloc or ASAN builds.</p>
+<div></div>
+<script>
+
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+var div = document.querySelector('div');
+div.setAttribute('name', 'a');
+
+var divClone = div.cloneNode(true);
+document.body.appendChild(divClone);
+
+div.setAttribute('name', 'b');
+divClone.setAttribute('name', 'b');
+
+document.write("PASS. WebKit didn't crash.");
+
+</script>
+</body>
+</html>
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index a07c24769997..c4ac42c063e7 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,17 @@
+2014-03-04  Ryosuke Niwa  <rniwa@webkit.org>
+
+        REGRESSION(r164856): Use after free in WebCore::QualifiedName::operator== / WebCore::StyledElement::attributeChanged
+        https://bugs.webkit.org/show_bug.cgi?id=129550
+
+        Reviewed by Andreas Kling.
+
+        We can't store a reference to QualifiedName here because ensureUniqueElementData could delete QualifiedName inside Attribute.
+
+        Test: fast/dom/uniquing-attributes-via-setAttribute.html
+
+        * dom/Element.cpp:
+        (WebCore::Element::setAttributeInternal):
+
 2014-03-25  Gabor Rapcsanyi  <rgabor@webkit.org>
 
         [ARM64] GNU assembler fails in TransformationMatrix::multiply
diff --git a/Source/WebCore/dom/Element.cpp b/Source/WebCore/dom/Element.cpp
index 6911f913b1f2..46ee2e83f05d 100644
--- a/Source/WebCore/dom/Element.cpp
+++ b/Source/WebCore/dom/Element.cpp
@@ -1056,7 +1056,7 @@ inline void Element::setAttributeInternal(unsigned index, const QualifiedName& n
     const Attribute& attribute = attributeAt(index);
     AtomicString oldValue = attribute.value();
     bool valueChanged = newValue != oldValue;
-    const QualifiedName& attributeName = (!inSynchronizationOfLazyAttribute || valueChanged) ? attribute.name() : name;
+    QualifiedName attributeName = (!inSynchronizationOfLazyAttribute || valueChanged) ? attribute.name() : name;
 
     if (!inSynchronizationOfLazyAttribute)
         willModifyAttribute(attributeName, oldValue, newValue);