2011-02-01  chris reiss  <christopher.reiss@nokia.com>

        Reviewed by Adam Barth.

        Self-replicating code makes Safari hang and eventually crash
        https://bugs.webkit.org/show_bug.cgi?id=15123

        * fast/dom/Document/document-close-iframe-load-expected.txt: Added.
        * fast/dom/Document/document-close-iframe-load.html: Added.
        * fast/dom/Document/document-close-nested-iframe-load-expected.txt: Added.
        * fast/dom/Document/document-close-nested-iframe-load.html: Added.
        * fast/dom/Document/document-write-recursion-expected.txt: Added.
        * fast/dom/Document/document-write-recursion.html: Added.
2011-02-01  chris reiss  <christopher.reiss@nokia.com>

        Reviewed by Adam Barth.

        Self-replicating code makes Safari hang and eventually crash
        https://bugs.webkit.org/show_bug.cgi?id=15123

        Here we are replicating the Firefox safeguard against
        recursive document.write()'s.

        See https://bug197052.bugzilla.mozilla.org/attachment.cgi?id=293907 in bug
        https://bugzilla.mozilla.org/show_bug.cgi?id=197052. Firefox does two things:
            a) imposes a recursion limit of 20 on document.write() and
            b) once that limit is passed, panics all the way up the call stack (rather than just returning one level.)
        To see why this is necessary, consider the script:

        <script>
           var t = document.body.innerHTML;
           document.write(t);
        </script>

        This will create a tree both broad and deep as the script keeps appending itself to the text. If
        we just return one level after the recursion limit is reached, we still allow millions of copies to
        duplicate (and execute).

        The recursion is fortunately depth-first, so as soon as we cross this limit, we panic up the call stack
        to prevent this situation. (IE apparently does the same thing, with a lower recursion limit.)

        Test: fast/dom/Document/document-write-recursion.html
        Test: fast/dom/Document/document-close-iframe-load.html
        Test: fast/dom/Document/document-close-nested-iframe-load.html

        * dom/Document.cpp:
        (WebCore::Document::Document):
        (WebCore::Document::write):
        * dom/Document.h:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77333 268f45cc-cd09-0410-ab3c-d52691b4dbfc
10 files changed
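The argument in the ChangeLog, that a depth limit alone still lets the self-replicating script fan out exponentially and only abandoning the whole call stack stops it, is easy to check with a small model. The code below is an added example, not WebKit code or part of the commit: it simulates a page whose single script does document.write(document.body.innerHTML), counting how many copies get written and executed under a "return one level" guard versus a "panic up the stack" guard. The simplifying assumption is that every script copy inserted by a write runs immediately, depth-first, and that the body's innerHTML at that moment contains all copies inserted so far; recursionLimit and maxScripts are the model's own parameters.

```javascript
// Added model (not WebKit's Document::write) of the self-replicating page
// from the ChangeLog: one <script> doing document.write(document.body.innerHTML).
// Each write inserts as many script copies as the body already holds, and each
// inserted copy executes depth-first and writes again.
function simulateWrite(policy, recursionLimit, maxScripts) {
  const state = {
    scriptsInBody: 1,   // the original <script> is already in the body
    writes: 0,          // document.write() calls that produced output
    executed: 0,        // script copies that ran
    aborted: false,     // the guard fired and unwound the stack (panic policy)
    exhausted: false,   // hit the simulation's own safety cap instead
  };

  // Model of document.write() with the recursion guard.
  function documentWrite(depth) {
    if (depth > recursionLimit) {
      // "panic": mark the whole call stack as abandoned, every caller returns.
      // "return": give up only this one level; callers keep iterating.
      if (policy === "panic") state.aborted = true;
      return;
    }
    const copies = state.scriptsInBody; // innerHTML snapshot at call time
    state.writes++;
    for (let i = 0; i < copies; i++) {
      state.scriptsInBody++;
      runScript(depth + 1);             // inserted copy runs now (depth-first)
      if (state.aborted || state.exhausted) return;
    }
  }

  // The script copy itself: read the body and write it back.
  function runScript(depth) {
    if (state.executed >= maxScripts) { state.exhausted = true; return; }
    state.executed++;
    documentWrite(depth);
  }

  runScript(0);
  return state;
}

// With a limit of 20, "return" blows through a 100,000-script cap while
// "panic" stops after 21 writes and 22 executed copies.
console.log(simulateWrite("return", 20, 100000));
console.log(simulateWrite("panic", 20, 100000));
```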