<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[199844] trunk/Source/WebCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/199844">199844</a></dd>
<dt>Author</dt> <dd>cdumez@apple.com</dd>
<dt>Date</dt> <dd>2016-04-21 16:28:48 -0700 (Thu, 21 Apr 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>Element::idForStyleResolution() is a foot-gun
https://bugs.webkit.org/show_bug.cgi?id=156852

Reviewed by Darin Adler.

Element::idForStyleResolution() is a foot-gun. It requires the caller to check
Element::hasID() first or it may end up crashing when dereferencing elementData()
(e.g. see Bug 156806).

This patch updates Element::idForStyleResolution() to return nullAtom if the
Element does not have an ID. I did not see a performance impact on Speedometer,
Dromaeo DOM Core, Dromaeo CSS Selectors and our local performanceTests/.

* css/ElementRuleCollector.cpp:
(WebCore::ElementRuleCollector::collectMatchingRules):
* css/SelectorChecker.cpp:
(WebCore::SelectorChecker::checkOne):
* css/SelectorFilter.cpp:
(WebCore::collectElementIdentifierHashes):
* dom/Element.h:
(WebCore::Element::idForStyleResolution):
* rendering/RenderBlockFlow.cpp:
(WebCore::needsAppleMailPaginationQuirk):
* rendering/RenderTreeAsText.cpp:
(WebCore::writeRenderRegionList):
* style/StyleSharingResolver.cpp:
(WebCore::Style::SharingResolver::canShareStyleWithElement):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorecssElementRuleCollectorcpp">trunk/Source/WebCore/css/ElementRuleCollector.cpp</a></li>
<li><a href="#trunkSourceWebCorecssRuleSeth">trunk/Source/WebCore/css/RuleSet.h</a></li>
<li><a href="#trunkSourceWebCorecssSelectorCheckercpp">trunk/Source/WebCore/css/SelectorChecker.cpp</a></li>
<li><a href="#trunkSourceWebCorecssSelectorFiltercpp">trunk/Source/WebCore/css/SelectorFilter.cpp</a></li>
<li><a href="#trunkSourceWebCoredomElementh">trunk/Source/WebCore/dom/Element.h</a></li>
<li><a href="#trunkSourceWebCorerenderingRenderBlockFlowcpp">trunk/Source/WebCore/rendering/RenderBlockFlow.cpp</a></li>
<li><a href="#trunkSourceWebCorerenderingRenderTreeAsTextcpp">trunk/Source/WebCore/rendering/RenderTreeAsText.cpp</a></li>
<li><a href="#trunkSourceWebCorestyleStyleSharingResolvercpp">trunk/Source/WebCore/style/StyleSharingResolver.cpp</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (199843 => 199844)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2016-04-21 23:25:10 UTC (rev 199843)
+++ trunk/Source/WebCore/ChangeLog        2016-04-21 23:28:48 UTC (rev 199844)
</span><span class="lines">@@ -1,3 +1,33 @@
</span><ins>+2016-04-21 Chris Dumez <cdumez@apple.com>
+
+ Element::idForStyleResolution() is a foot-gun
+ https://bugs.webkit.org/show_bug.cgi?id=156852
+
+ Reviewed by Darin Adler.
+
+ Element::idForStyleResolution() is a foot-gun. It requires the caller to check
+ Element::hasID() first or it may end up crashing when dereferencing elementData()
+ (e.g. see Bug 156806).
+
+ This patch updates Element::idForStyleResolution() to return nullAtom is the
+ Element does not have an ID. I did not see a performance impact on Speedometer,
+ Dromaeo DOM Core, Dromaeo CSS Selectors and our local performanceTests/.
+
+ * css/ElementRuleCollector.cpp:
+ (WebCore::ElementRuleCollector::collectMatchingRules):
+ * css/SelectorChecker.cpp:
+ (WebCore::SelectorChecker::checkOne):
+ * css/SelectorFilter.cpp:
+ (WebCore::collectElementIdentifierHashes):
+ * dom/Element.h:
+ (WebCore::Element::idForStyleResolution):
+ * rendering/RenderBlockFlow.cpp:
+ (WebCore::needsAppleMailPaginationQuirk):
+ * rendering/RenderTreeAsText.cpp:
+ (WebCore::writeRenderRegionList):
+ * style/StyleSharingResolver.cpp:
+ (WebCore::Style::SharingResolver::canShareStyleWithElement):
+
</ins><span class="cx"> 2016-04-21 Brady Eidson <beidson@apple.com>
</span><span class="cx">
</span><span class="cx"> Modern IDB (Workers): Move IDBConnectionProxy into IDBRequest and IDBDatabase.
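Review bot: typo in the added ChangeLog entry, "return nullAtom is the Element does not have an ID" should read "return nullAtom if the Element does not have an ID". The entry also lists css/RuleSet.h nowhere, although the diff changes the idRules() signature there; add "* css/RuleSet.h: (WebCore::RuleSet::idRules):" to the file list so the ChangeLog matches the Modified Paths.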
</span></span></pre></div>
<a id="trunkSourceWebCorecssElementRuleCollectorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/css/ElementRuleCollector.cpp (199843 => 199844)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/css/ElementRuleCollector.cpp        2016-04-21 23:25:10 UTC (rev 199843)
+++ trunk/Source/WebCore/css/ElementRuleCollector.cpp        2016-04-21 23:28:48 UTC (rev 199844)
</span><span class="lines">@@ -153,8 +153,9 @@
</span><span class="cx">
</span><span class="cx"> // We need to collect the rules for id, class, tag, and everything else into a buffer and
</span><span class="cx"> // then sort the buffer.
</span><del>- if (m_element.hasID())
- collectMatchingRulesForList(matchRequest.ruleSet->idRules(m_element.idForStyleResolution().impl()), matchRequest, ruleRange);
</del><ins>+ auto& id = m_element.idForStyleResolution();
+ if (!id.isNull())
+ collectMatchingRulesForList(matchRequest.ruleSet->idRules(*id.impl()), matchRequest, ruleRange);
</ins><span class="cx"> if (m_element.hasClass()) {
</span><span class="cx"> for (size_t i = 0; i < m_element.classNames().size(); ++i)
</span><span class="cx"> collectMatchingRulesForList(matchRequest.ruleSet->classRules(m_element.classNames()[i].impl()), matchRequest, ruleRange);
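Review bot: the dereference `*id.impl()` on the new line is only safe because the preceding `if (!id.isNull())` guarantees a non-null impl; a short comment stating that idForStyleResolution() now returns nullAtom for elements without an ID would make that invariant visible to the next reader, since the old `m_element.hasID()` guard no longer documents it. Keeping `id` as `const AtomicString&` rather than `auto&` would also make the reference type explicit at the call site.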
</span></span></pre></div>
<a id="trunkSourceWebCorecssRuleSeth"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/css/RuleSet.h (199843 => 199844)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/css/RuleSet.h        2016-04-21 23:25:10 UTC (rev 199843)
+++ trunk/Source/WebCore/css/RuleSet.h        2016-04-21 23:28:48 UTC (rev 199844)
</span><span class="lines">@@ -174,7 +174,7 @@
</span><span class="cx">
</span><span class="cx"> const RuleFeatureSet& features() const { return m_features; }
</span><span class="cx">
</span><del>- const RuleDataVector* idRules(AtomicStringImpl* key) const { return m_idRules.get(key); }
</del><ins>+ const RuleDataVector* idRules(AtomicStringImpl& key) const { return m_idRules.get(&key); }
</ins><span class="cx"> const RuleDataVector* classRules(AtomicStringImpl* key) const { return m_classRules.get(key); }
</span><span class="cx"> const RuleDataVector* tagRules(AtomicStringImpl* key, bool isHTMLName) const;
</span><span class="cx"> const RuleDataVector* shadowPseudoElementRules(AtomicStringImpl* key) const { return m_shadowPseudoElementRules.get(key); }
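Review bot: idRules() now takes `AtomicStringImpl&` while the neighbouring classRules(), tagRules() and shadowPseudoElementRules() still take `AtomicStringImpl*`, so the RuleSet lookup API is now inconsistent about whether a key may be null. Either convert the sibling accessors to references in the same way (their callers already guard with hasClass() etc.) or note in a comment why only the id lookup enforces non-null at the type level.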
</span></span></pre></div>
<a id="trunkSourceWebCorecssSelectorCheckercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/css/SelectorChecker.cpp (199843 => 199844)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/css/SelectorChecker.cpp        2016-04-21 23:25:10 UTC (rev 199843)
+++ trunk/Source/WebCore/css/SelectorChecker.cpp        2016-04-21 23:28:48 UTC (rev 199844)
</span><span class="lines">@@ -652,8 +652,10 @@
</span><span class="cx"> if (selector.match() == CSSSelector::Class)
</span><span class="cx"> return element.hasClass() && element.classNames().contains(selector.value());
</span><span class="cx">
</span><del>- if (selector.match() == CSSSelector::Id)
- return element.hasID() && element.idForStyleResolution() == selector.value();
</del><ins>+ if (selector.match() == CSSSelector::Id) {
+ ASSERT(!selector.value().isNull());
+ return element.idForStyleResolution() == selector.value();
+ }
</ins><span class="cx">
</span><span class="cx"> if (selector.isAttributeSelector()) {
</span><span class="cx"> if (!element.hasAttributes())
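Review bot: dropping `element.hasID() &&` makes the match depend on `selector.value()` never being null, but `ASSERT(!selector.value().isNull())` compiles out in release builds; if a null selector value ever reached this path, `element.idForStyleResolution() == selector.value()` would compare nullAtom with nullAtom and an ID selector would match every element without an ID. If the parser guarantees a non-null value this is fine, but it is worth either stating that guarantee in a comment or keeping the cheaper explicit form `return !element.idForStyleResolution().isNull() && element.idForStyleResolution() == selector.value();` so release behaviour does not rely on a debug-only assertion.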
</span></span></pre></div>
<a id="trunkSourceWebCorecssSelectorFiltercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/css/SelectorFilter.cpp (199843 => 199844)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/css/SelectorFilter.cpp        2016-04-21 23:25:10 UTC (rev 199843)
+++ trunk/Source/WebCore/css/SelectorFilter.cpp        2016-04-21 23:28:48 UTC (rev 199844)
</span><span class="lines">@@ -43,8 +43,9 @@
</span><span class="cx"> AtomicString tagLowercaseLocalName = element->localName().convertToASCIILowercase();
</span><span class="cx"> identifierHashes.append(tagLowercaseLocalName.impl()->existingHash() * TagNameSalt);
</span><span class="cx">
</span><del>- if (element->hasID())
- identifierHashes.append(element->idForStyleResolution().impl()->existingHash() * IdAttributeSalt);
</del><ins>+ auto& id = element->idForStyleResolution();
+ if (!id.isNull())
+ identifierHashes.append(id.impl()->existingHash() * IdAttributeSalt);
</ins><span class="cx"> const StyledElement* styledElement = element->isStyledElement() ? static_cast<const StyledElement*>(element) : 0;
</span><span class="cx"> if (styledElement && styledElement->hasClass()) {
</span><span class="cx"> const SpaceSplitString& classNames = styledElement->classNames();
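Review bot: `id.impl()->existingHash()` assumes the atomic string's hash has already been computed, which holds for AtomicString but is the same implicit precondition the tag-name line above relies on; since this function is now being touched, the unchanged context line `... static_cast<const StyledElement*>(element) : 0;` could use `nullptr` instead of `0` to match the rest of the patch.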
</span></span></pre></div>
<a id="trunkSourceWebCoredomElementh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/dom/Element.h (199843 => 199844)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/dom/Element.h        2016-04-21 23:25:10 UTC (rev 199843)
+++ trunk/Source/WebCore/dom/Element.h        2016-04-21 23:28:48 UTC (rev 199844)
</span><span class="lines">@@ -664,8 +664,7 @@
</span><span class="cx">
</span><span class="cx"> inline const AtomicString& Element::idForStyleResolution() const
</span><span class="cx"> {
</span><del>- ASSERT(hasID());
- return elementData()->idForStyleResolution();
</del><ins>+ return hasID() ? elementData()->idForStyleResolution() : nullAtom;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> inline const AtomicString& Element::getIdAttribute() const
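Review bot: returning a reference from a conditional expression is only safe because both operands, `elementData()->idForStyleResolution()` and `nullAtom`, are lvalues of the same type `const AtomicString`; if either side were ever changed to return by value, the ternary would materialise a temporary and this function would return a dangling reference. Add a one-line comment documenting the new contract (nullAtom when hasID() is false) so callers and future editors of either operand know the reference must outlive the call.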
</span></span></pre></div>
<a id="trunkSourceWebCorerenderingRenderBlockFlowcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/rendering/RenderBlockFlow.cpp (199843 => 199844)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/rendering/RenderBlockFlow.cpp        2016-04-21 23:25:10 UTC (rev 199843)
+++ trunk/Source/WebCore/rendering/RenderBlockFlow.cpp        2016-04-21 23:28:48 UTC (rev 199844)
</span><span class="lines">@@ -1643,7 +1643,7 @@
</span><span class="cx"> if (!renderer.document().settings()->appleMailPaginationQuirkEnabled())
</span><span class="cx"> return false;
</span><span class="cx">
</span><del>- if (renderer.element() && renderer.element()->hasID() && renderer.element()->idForStyleResolution() == "messageContentContainer")
</del><ins>+ if (renderer.element() && renderer.element()->idForStyleResolution() == "messageContentContainer")
</ins><span class="cx"> return true;
</span><span class="cx">
</span><span class="cx"> return false;
</span></span></pre></div>
<a id="trunkSourceWebCorerenderingRenderTreeAsTextcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/rendering/RenderTreeAsText.cpp (199843 => 199844)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/rendering/RenderTreeAsText.cpp        2016-04-21 23:25:10 UTC (rev 199843)
+++ trunk/Source/WebCore/rendering/RenderTreeAsText.cpp        2016-04-21 23:28:48 UTC (rev 199844)
</span><span class="lines">@@ -690,8 +690,9 @@
</span><span class="cx">
</span><span class="cx"> ts << " {" << tagName.toString() << "}";
</span><span class="cx">
</span><del>- if (generatingElement->hasID())
- ts << " #" << generatingElement->idForStyleResolution();
</del><ins>+ auto& generatingElementId = generatingElement->idForStyleResolution();
+ if (!generatingElementId.isNull())
+ ts << " #" << generatingElementId;
</ins><span class="cx">
</span><span class="cx"> if (isRenderNamedFlowFragment)
</span><span class="cx"> ts << ")";
</span></span></pre></div>
<a id="trunkSourceWebCorestyleStyleSharingResolvercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/style/StyleSharingResolver.cpp (199843 => 199844)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/style/StyleSharingResolver.cpp        2016-04-21 23:25:10 UTC (rev 199843)
+++ trunk/Source/WebCore/style/StyleSharingResolver.cpp        2016-04-21 23:28:48 UTC (rev 199844)
</span><span class="lines">@@ -88,7 +88,8 @@
</span><span class="cx"> if (element.isSVGElement() && downcast<SVGElement>(element).animatedSMILStyleProperties())
</span><span class="cx"> return nullptr;
</span><span class="cx"> // Ids stop style sharing if they show up in the stylesheets.
</span><del>- if (element.hasID() && m_ruleSets.features().idsInRules.contains(element.idForStyleResolution().impl()))
</del><ins>+ auto& id = element.idForStyleResolution();
+ if (!id.isNull() && m_ruleSets.features().idsInRules.contains(id.impl()))
</ins><span class="cx"> return nullptr;
</span><span class="cx"> if (parentElementPreventsSharing(parentElement))
</span><span class="cx"> return nullptr;
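Review bot: the comment "Ids stop style sharing if they show up in the stylesheets." now sits above a two-statement check; `id.impl()` is non-null after `!id.isNull()`, so the `contains()` call is safe, but the same id-in-rules test appears again further down in this file for `candidateElement`, which suggests extracting it into a small helper rather than duplicating the null-check-then-contains pattern.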
</span><span class="lines">@@ -237,7 +238,8 @@
</span><span class="cx"> if (candidateElement.affectsNextSiblingElementStyle() || candidateElement.styleIsAffectedByPreviousSibling())
</span><span class="cx"> return false;
</span><span class="cx">
</span><del>- if (candidateElement.hasID() && m_ruleSets.features().idsInRules.contains(candidateElement.idForStyleResolution().impl()))
</del><ins>+ auto& candidateElementId = candidateElement.idForStyleResolution();
+ if (!candidateElementId.isNull() && m_ruleSets.features().idsInRules.contains(candidateElementId.impl()))
</ins><span class="cx"> return false;
</span><span class="cx">
</span><span class="cx"> bool isControl = is<HTMLFormControlElement>(candidateElement);
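Review bot: this block duplicates the id-in-rules check from canShareStyleWithElement() above with a different variable name (`candidateElementId` vs `id`); a helper such as `static bool elementHasIdInRules(const Element&, const RuleFeatureSet&)` would let both call sites read `if (elementHasIdInRules(candidateElement, m_ruleSets.features())) return false;` and keep the null-check in one place.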
</span></span></pre>
</div>
</div>
</body>
</html>