The following commit has been merged in the debian/experimental branch:
commit ed647d7fd3a51ec2a06edb88bbad13d8444b1b7c
Author: abarth at webkit.org <abarth at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Thu Aug 5 01:10:07 2010 +0000
2010-08-04 Adam Barth <abarth at webkit.org>
Reviewed by Eric Seidel.
fast/parser/residual-style-hang.html hangs
https://bugs.webkit.org/show_bug.cgi?id=42950
Add a dump-as-markup test that shows what DOM we actually create in
this case.
Note: these results are for the existing parser.
* fast/parser/residual-style-dom-expected.txt: Added.
* fast/parser/residual-style-dom.html: Added.
2010-08-04 Adam Barth <abarth at webkit.org>
Reviewed by Eric Seidel.
fast/parser/residual-style-hang.html hangs
https://bugs.webkit.org/show_bug.cgi?id=42950
We need to cap the iteration of the adoption agency algorithm to
prevent this hang. The legacy tree builder does this as well.
* html/HTMLTreeBuilder.cpp:
(WebCore::HTMLTreeBuilder::callTheAdoptionAgency):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@64702 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index d056130..4ee88d5 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,18 @@
+2010-08-04 Adam Barth <abarth at webkit.org>
+
+ Reviewed by Eric Seidel.
+
+ fast/parser/residual-style-hang.html hangs
+ https://bugs.webkit.org/show_bug.cgi?id=42950
+
+ Add a dump-as-markup test that shows what DOM we actually create in
+ this case.
+
+ Note: these results are for the existing parser.
+
+ * fast/parser/residual-style-dom-expected.txt: Added.
+ * fast/parser/residual-style-dom.html: Added.
+
2010-08-04 Andrew Wilson <atwilson at chromium.org>
Unreviewed fix for chromium test expectations.
diff --git a/LayoutTests/fast/parser/residual-style-dom-expected.txt b/LayoutTests/fast/parser/residual-style-dom-expected.txt
new file mode 100644
index 0000000..7c8111d
--- /dev/null
+++ b/LayoutTests/fast/parser/residual-style-dom-expected.txt
@@ -0,0 +1,777 @@
+| <html>
+| <head>
+| <script>
+| src="../../resources/dump-as-markup.js"
+| "
+"
+| <script>
+| "
+var kDepth = 100;
+
+for (var i=0; i < kDepth; ++i) {
+ document.write("<b><div>");
+}
+"
+| <body>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <div>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <div>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| "
+This test creates a nutty dom by abusing the residual style algorithm. It's
+unclear exactly what DOM we should create here, but we shouldn't hang.
+"
+| <script>
+| "
+for (var i=0; i < kDepth; ++i) {
+ document.write("</b>");
+}
+"
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| <b>
+| "
+"
diff --git a/LayoutTests/fast/parser/residual-style-dom.html b/LayoutTests/fast/parser/residual-style-dom.html
new file mode 100644
index 0000000..ed6a61d
--- /dev/null
+++ b/LayoutTests/fast/parser/residual-style-dom.html
@@ -0,0 +1,15 @@
+<script src="../../resources/dump-as-markup.js"></script>
+<script>
+var kDepth = 100;
+
+for (var i=0; i < kDepth; ++i) {
+ document.write("<b><div>");
+}
+</script>
+This test creates a nutty dom by abusing the residual style algorithm. It's
+unclear exactly what DOM we should create here, but we shouldn't hang.
+<script>
+for (var i=0; i < kDepth; ++i) {
+ document.write("</b>");
+}
+</script>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 4126586..1eb3738 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -2,6 +2,19 @@
Reviewed by Eric Seidel.
+ fast/parser/residual-style-hang.html hangs
+ https://bugs.webkit.org/show_bug.cgi?id=42950
+
+ We need to cap the iteration of the adoption agency algorithm to
+ prevent this hang. The legacy tree builder does this as well.
+
+ * html/HTMLTreeBuilder.cpp:
+ (WebCore::HTMLTreeBuilder::callTheAdoptionAgency):
+
+2010-08-04 Adam Barth <abarth at webkit.org>
+
+ Reviewed by Eric Seidel.
+
Pick up spec change w.r.t. figcaption and summary
https://bugs.webkit.org/show_bug.cgi?id=43075
diff --git a/WebCore/html/HTMLTreeBuilder.cpp b/WebCore/html/HTMLTreeBuilder.cpp
index 93de07e..2bd37af 100644
--- a/WebCore/html/HTMLTreeBuilder.cpp
+++ b/WebCore/html/HTMLTreeBuilder.cpp
@@ -1647,7 +1647,12 @@ void HTMLTreeBuilder::reparentChildren(Element* oldParent, Element* newParent)
// http://www.whatwg.org/specs/web-apps/current-work/multipage/tokenization.html#parsing-main-inbody
void HTMLTreeBuilder::callTheAdoptionAgency(AtomicHTMLToken& token)
{
- while (1) {
+ // The adoption agency algorithm is N^2. We limit the number of iterations
+ // to stop from hanging the whole browser. This limit is copied from the
+ // legacy tree builder and might need to be tweaked in the future.
+ static const int adoptionAgencyIterationLimit = 10;
+
+ for (int i = 0; i < adoptionAgencyIterationLimit; ++i) {
// 1.
Element* formattingElement = m_tree.activeFormattingElements()->closestElementInScopeWithName(token.name());
if (!formattingElement || ((m_tree.openElements()->contains(formattingElement)) && !m_tree.openElements()->inScope(formattingElement))) {
@@ -1680,7 +1685,7 @@ void HTMLTreeBuilder::callTheAdoptionAgency(AtomicHTMLToken& token)
HTMLElementStack::ElementRecord* node = furthestBlock;
HTMLElementStack::ElementRecord* nextNode = node->next();
HTMLElementStack::ElementRecord* lastNode = furthestBlock;
- while (1) {
+ for (int i = 0; i < adoptionAgencyIterationLimit; ++i) {
// 6.1
node = nextNode;
ASSERT(node);
--
WebKit Debian packaging