commit cac5ab133b00dcf192fa1a2a278c41c6a195f565
author rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Thu Apr 02 05:22:48 2020 +0000
committer rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Thu Apr 02 05:22:48 2020 +0000
tree 7870489d0b9ebba21320cbcb2510b1251ba527f5
parent f9c026eb3bd70a7a9902b62b8f131be35b49e896

Crash in WebCore::HTMLDocumentParser::insert
https://bugs.webkit.org/show_bug.cgi?id=209892

Reviewed by Darin Adler.

Speculative fix to check that the parser hasn't been detached before running preload scanner.

No new tests since there is no reproduction and I couldn't come up with one.

* html/parser/HTMLDocumentParser.cpp:
(WebCore::HTMLDocumentParser::pumpTokenizer):
(WebCore::HTMLDocumentParser::insert):


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@259378 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog

diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 8e208ee..573982f 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,18 @@
+2020-04-01  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Crash in WebCore::HTMLDocumentParser::insert
+        https://bugs.webkit.org/show_bug.cgi?id=209892
+
+        Reviewed by Darin Adler.
+
+        Speculative fix to check that the parser hasn't been detached before running preload scanner.
+
+        No new tests since there is no reproduction and I couldn't come up with one.
+
+        * html/parser/HTMLDocumentParser.cpp:
+        (WebCore::HTMLDocumentParser::pumpTokenizer):
+        (WebCore::HTMLDocumentParser::insert):
+
 2020-04-01  Jack Lee  <shihchieh_lee@apple.com>
 
         Remove the unnecessary null check for document

Source/WebCore/html/parser/HTMLDocumentParser.cpp

diff --git a/Source/WebCore/html/parser/HTMLDocumentParser.cpp b/Source/WebCore/html/parser/HTMLDocumentParser.cpp
index cce9eda..567c9dd 100644
--- a/Source/WebCore/html/parser/HTMLDocumentParser.cpp
+++ b/Source/WebCore/html/parser/HTMLDocumentParser.cpp
@@ -333,7 +333,7 @@
     if (shouldResume)
         m_parserScheduler->scheduleForResume();
 
-    if (isWaitingForScripts()) {
+    if (isWaitingForScripts() && !isDetached()) {
         ASSERT(m_tokenizer.isInDataState());
         if (!m_preloadScanner) {
             m_preloadScanner = makeUnique<HTMLPreloadScanner>(m_options, document()->url(), document()->deviceScaleFactor());
@@ -391,7 +391,7 @@
     m_input.insertAtCurrentInsertionPoint(WTFMove(source));
     pumpTokenizerIfPossible(ForceSynchronous);
 
-    if (isWaitingForScripts()) {
+    if (isWaitingForScripts() && !isDetached()) {
         // Check the document.write() output with a separate preload scanner as
         // the main scanner can't deal with insertions.
         if (!m_insertionPreloadScanner)