2010-07-21 Adam Barth <abarth@webkit.org>

Adam Barth · Adam Barth · commit c0f674cf0d0a · 2010-07-21T20:23:37.000Z
Reviewed by Eric Seidel. Fix the last tree HTML5 tree builder crashes https://bugs.webkit.org/show_bug.cgi?id=42773 This patch changes the internal representation of a bookmark to handle the case where one of the adjecent entries in the list of active formatting elements is actually a marker. After this patch, the bookmarking mechanism isn't as general, but it works for the cases we need in the adoption agency. Also, after this patch, there aren't any more known crashers in the HTML5 tree builder. :) * html/HTMLFormattingElementList.cpp: (WebCore::HTMLFormattingElementList::bookmarkFor): (WebCore::HTMLFormattingElementList::swapTo): * html/HTMLFormattingElementList.h: (WebCore::HTMLFormattingElementList::Bookmark::Bookmark): (WebCore::HTMLFormattingElementList::Bookmark::moveToAfter): (WebCore::HTMLFormattingElementList::Bookmark::hasBeenMoved): (WebCore::HTMLFormattingElementList::Bookmark::mark): (WebCore::HTMLFormattingElementList::first): * html/HTMLTreeBuilder.cpp: (WebCore::HTMLTreeBuilder::callTheAdoptionAgency): Canonical link: https://commits.webkit.org/54688@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@63851 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
@@ -1,3 +1,32 @@
+2010-07-21  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        Fix the last tree HTML5 tree builder crashes
+        https://bugs.webkit.org/show_bug.cgi?id=42773
+
+        This patch changes the internal representation of a bookmark to handle
+        the case where one of the adjecent entries in the list of active
+        formatting elements is actually a marker.
+
+        After this patch, the bookmarking mechanism isn't as general, but it
+        works for the cases we need in the adoption agency.
+
+        Also, after this patch, there aren't any more known crashers in the
+        HTML5 tree builder.  :)
+
+        * html/HTMLFormattingElementList.cpp:
+        (WebCore::HTMLFormattingElementList::bookmarkFor):
+        (WebCore::HTMLFormattingElementList::swapTo):
+        * html/HTMLFormattingElementList.h:
+        (WebCore::HTMLFormattingElementList::Bookmark::Bookmark):
+        (WebCore::HTMLFormattingElementList::Bookmark::moveToAfter):
+        (WebCore::HTMLFormattingElementList::Bookmark::hasBeenMoved):
+        (WebCore::HTMLFormattingElementList::Bookmark::mark):
+        (WebCore::HTMLFormattingElementList::first):
+        * html/HTMLTreeBuilder.cpp:
+        (WebCore::HTMLTreeBuilder::callTheAdoptionAgency):
+
 2010-07-21  Tony Gentilcore  <tonyg@chromium.org>
 
         Unreviewed build fix.
diff --git a/WebCore/html/HTMLFormattingElementList.cpp b/WebCore/html/HTMLFormattingElementList.cpp
@@ -70,36 +70,22 @@ HTMLFormattingElementList::Bookmark HTMLFormattingElementList::bookmarkFor(Eleme
 {
     size_t index = m_entries.reverseFind(element);
     ASSERT(index != notFound);
-    Element* elementBefore = (index > 1) ? m_entries[index - 1].element() : 0;
-    Element* elementAfter = (index < m_entries.size() - 1) ? m_entries[index + 1].element() : 0;
-    return Bookmark(elementBefore, elementAfter);
+    return Bookmark(&at(index));
 }
 
-void HTMLFormattingElementList::insertAt(Element* element, const Bookmark& bookmark)
+void HTMLFormattingElementList::swapTo(Element* oldElement, Element* newElement, const Bookmark& bookmark)
 {
-    size_t beforeIndex = notFound;
-    if (bookmark.elementBefore()) {
-        beforeIndex = m_entries.reverseFind(bookmark.elementBefore());
-        ASSERT(beforeIndex != notFound);
-    }
-    size_t afterIndex = notFound;
-    if (bookmark.elementAfter()) {
-        afterIndex = m_entries.reverseFind(bookmark.elementAfter());
-        ASSERT(afterIndex != notFound);
-    }
-
-    if (!bookmark.elementBefore()) {
-        if (bookmark.elementAfter())
-            ASSERT(!afterIndex);
-        m_entries.prepend(element);
-    } else {
-        if (bookmark.elementAfter()) {
-            // Bookmarks are not general purpose.  They're only for the Adoption
-            // Agency. Assume the bookmarked element was already removed.
-            ASSERT(beforeIndex + 1 == afterIndex);
-        }
-        m_entries.insert(beforeIndex + 1, element);
+    ASSERT(contains(oldElement));
+    ASSERT(!contains(newElement));
+    if (!bookmark.hasBeenMoved()) {
+        ASSERT(bookmark.mark()->element() == oldElement);
+        bookmark.mark()->replaceElement(newElement);
+        return;
     }
+    size_t index = bookmark.mark() - first();
+    ASSERT(index < size());
+    m_entries.insert(index + 1, newElement);
+    remove(oldElement);
 }
 
 void HTMLFormattingElementList::append(Element* element)
diff --git a/WebCore/html/HTMLFormattingElementList.h b/WebCore/html/HTMLFormattingElementList.h
@@ -80,24 +80,24 @@ class HTMLFormattingElementList : public Noncopyable {
 
     class Bookmark {
     public:
-        Bookmark(Element* before, Element* after)
-            : m_before(before)
-            , m_after(after)
+        Bookmark(Entry* entry)
+            : m_hasBeenMoved(false)
+            , m_mark(entry)
         {
         }
 
-        void moveToAfter(Element* before)
+        void moveToAfter(Entry* before)
         {
-            m_before = before;
-            m_after = 0;
+            m_hasBeenMoved = true;
+            m_mark = before;
         }
 
-        Element* elementBefore() const { return m_before; }
-        Element* elementAfter() const { return m_after; }
+        bool hasBeenMoved() const { return m_hasBeenMoved; }
+        Entry* mark() const { return m_mark; }
 
     private:
-        Element* m_before;
-        Element* m_after;
+        bool m_hasBeenMoved;
+        Entry* m_mark;
     };
 
     bool isEmpty() const { return !size(); }
@@ -111,7 +111,7 @@ class HTMLFormattingElementList : public Noncopyable {
     void remove(Element*);
 
     Bookmark bookmarkFor(Element*);
-    void insertAt(Element*, const Bookmark&);
+    void swapTo(Element* oldElement, Element* newElement, const Bookmark&);
 
     void appendMarker();
     // clearToLastMarker also clears the marker (per the HTML5 spec).
@@ -125,6 +125,8 @@ class HTMLFormattingElementList : public Noncopyable {
 #endif
 
 private:
+    Entry* first() { return &at(0); }
+
     Vector<Entry> m_entries;
 };
 
diff --git a/WebCore/html/HTMLTreeBuilder.cpp b/WebCore/html/HTMLTreeBuilder.cpp
@@ -1688,7 +1688,7 @@ void HTMLTreeBuilder::callTheAdoptionAgency(AtomicHTMLToken& token)
             // was replaced in 6.5.
             // http://www.w3.org/Bugs/Public/show_bug.cgi?id=10096
             if (lastNode == furthestBlock)
-                bookmark.moveToAfter(node->element());
+                bookmark.moveToAfter(nodeEntry);
             // 6.6
             // Use appendChild instead of parserAddChild to handle possible reparenting.
             ExceptionCode ec;
@@ -1725,8 +1725,7 @@ void HTMLTreeBuilder::callTheAdoptionAgency(AtomicHTMLToken& token)
             newElement->attach();
         }
         // 11
-        m_tree.activeFormattingElements()->remove(formattingElement);
-        m_tree.activeFormattingElements()->insertAt(newElement.get(), bookmark);
+        m_tree.activeFormattingElements()->swapTo(formattingElement, newElement.get(), bookmark);
         // 12
         m_tree.openElements()->remove(formattingElement);
         m_tree.openElements()->insertAbove(newElement, furthestBlock);
