[Webkit-unassigned] [Bug 42365] New: HTML5 Parser: document.write in a asynchronous script which is specified to load before page finish blows away document

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jul 15 06:39:58 PDT 2010 

https://bugs.webkit.org/show_bug.cgi?id=42365

           Summary: HTML5 Parser: document.write in a asynchronous script
                    which is specified to load before page finish blows
                    away document
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
               URL: http://www.tianya.cn/publicforum/articleslist/0/funinf
                    o.shtml
        OS/Version: Mac OS X 10.5
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: jnd at chromium.org
                CC: eric at webkit.org, abarth at webkit.org, tonyg at chromium.org


How to reproduce this issue
1. Visit http://www.tianya.cn/publicforum/articleslist/0/funinfo.shtml
2. The normal content shows up for a split second
3. The normal content disappears, and a ads shows up instead

The code path of ads displayed in the page is: document.getElementById("googleAdsense").src = "http://pagead2.googlesyndication.com/pagead/show_ads.js".
The external script "show_ads.js" called document.write to write ads in the page. But since the external script was added before page finish, the author of web page expected that the document.write should be called before page finish, and that document.write should not below away the document.

Here I use a test case to reproduce this bug. there are two files (test_doc_write.html & test_doc_write.js) in this test case.

test_doc_write.html:
<body>
hello
<script id="tester"></script>
<script>
document.getElementById("tester").src = "test_doc_write.js";
</script>
<script>
document.write("<div>write sth later</div>");
</script>
</body>

test_doc_write.js:
document.write("<div>write sth</div>")

Run the test case in IE8, result is:
hello 
write sth
write sth later

Run the test case in FF, result is:
hello
write sth later
write sth

Run the test case in WebKit result is:
write sth

In WebCore, when script's src is changed, it put the script in a queue(in ScriptElementData::notifyFinished) and executes the script in asynchronously (in Document::executeScriptSoonTimerFired).
In this case, when executing the script, the parser was already finished and shut down, so function Document::write blew away the original doc, opened a new doc.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list