LayoutTests:

        Reviewed by Adam.  Patch by Mitz.

        - test for http://bugs.webkit.org/show_bug.cgi?id=12264
          REGRESSION (r18843): Webkit crashes on 43Folders.com home page

        * fast/tokenizer/ignore-tags-in-iframe-expected.txt: Added.
        * fast/tokenizer/ignore-tags-in-iframe.html: Added.

WebCore:

        Reviewed by Adam.  Patch by Mitz.

        - fix http://bugs.webkit.org/show_bug.cgi?id=12264
          REGRESSION (r18843): Webkit crashes on 43Folders.com home page

        Test: fast/tokenizer/ignore-tags-in-iframe.html

        * html/HTMLParser.cpp:
        (WebCore::HTMLParser::reset): Removed unused inSelect member variable.
        (WebCore::HTMLParser::selectCreateErrorCheck): Ditto.
        (WebCore::HTMLParser::processCloseTag): Ditto.
        * html/HTMLParser.h: Ditto.
        * html/HTMLTokenizer.cpp:
        (WebCore::HTMLTokenizer::parseTag): Changed not to process <pre>, <listing>,
        <script>, <style>, <title>, <textarea> and <xmp> if the parser is in skip mode
        (waiting for a close tag of an element whose contents are not parsed,
        such as iframe).
        * html/HTMLTokenizer.h:
        (WebCore::HTMLTokenizer::State::setInStyle): Removed unused bit.
        (WebCore::HTMLTokenizer::State::): Ditto.



git-svn-id: svn://svn.chromium.org/blink/trunk@18848 bbb929c8-8fbe-4397-9dbb-9b2b20218538

third_party/WebKit/LayoutTests/ChangeLog

+2007-01-14  Mitz Pettel  <mitz@webkit.org>
+
+        Reviewed by Adam.
+
+        - test for http://bugs.webkit.org/show_bug.cgi?id=12264
+          REGRESSION (r18843): Webkit crashes on 43Folders.com home page
+
+        * fast/tokenizer/ignore-tags-in-iframe-expected.txt: Added.
+        * fast/tokenizer/ignore-tags-in-iframe.html: Added.
+
 2007-01-14  Alexey Proskuryakov  <ap@webkit.org>
 
         Reviewed by Mitz.

third_party/WebKit/LayoutTests/fast/tokenizer/ignore-tags-in-iframe-expected.txt

+Test for http://bugs.webkit.org/show_bug.cgi?id=12264 REGRESSION (r18843): Webkit crashes on 43Folders.com home page.
+
+All tags below should report “PASS”
+
+<script>: PASS 
+<style>: PASS 
+<textarea>: PASS 
+<title>: PASS 
+<xmp>: PASS

third_party/WebKit/LayoutTests/fast/tokenizer/ignore-tags-in-iframe.html

+<html>
+<head>
+    <title></title>
+    <script>
+        if (window.layoutTestController)
+            layoutTestController.dumpAsText();
+    </script>
+    <style>
+        iframe { display: none; }
+    </style>
+</head>
+<body>
+    <p>
+        Test for <i><a href="http://bugs.webkit.org/show_bug.cgi?id=12264">http://bugs.webkit.org/show_bug.cgi?id=12264</a>
+        REGRESSION (r18843): Webkit crashes on 43Folders.com home page</i>.
+    </p>
+    <p>
+        All tags below should report &ldquo;PASS&rdquo;
+    </p>
+    &lt;script>: <iframe><script></iframe>PASS</script></iframe>
+    <br>
+    &lt;style>: <iframe><style></iframe>PASS</style></iframe>
+    <br>
+    &lt;textarea>: <iframe><textarea></iframe>PASS</textarea></iframe>
+    <br>
+    &lt;title>: <iframe><title></iframe>PASS</title></iframe>
+    <br>
+    &lt;xmp>: <iframe><xmp></iframe>PASS</xmp></iframe>
+</body>
+</html>

third_party/WebKit/WebCore/ChangeLog

+2007-01-14  Mitz Pettel  <mitz@webkit.org>
+
+        Reviewed by Adam.
+
+        - fix http://bugs.webkit.org/show_bug.cgi?id=12264
+          REGRESSION (r18843): Webkit crashes on 43Folders.com home page
+
+        Test: fast/tokenizer/ignore-tags-in-iframe.html
+
+        * html/HTMLParser.cpp:
+        (WebCore::HTMLParser::reset): Removed unused inSelect member variable.
+        (WebCore::HTMLParser::selectCreateErrorCheck): Ditto.
+        (WebCore::HTMLParser::processCloseTag): Ditto.
+        * html/HTMLParser.h: Ditto.
+        * html/HTMLTokenizer.cpp:
+        (WebCore::HTMLTokenizer::parseTag): Changed not to process <pre>, <listing>,
+        <script>, <style>, <title>, <textarea> and <xmp> if the parser is in skip mode
+        (waiting for a close tag of an element whose contents are not parsed,
+        such as iframe).
+        * html/HTMLTokenizer.h:
+        (WebCore::HTMLTokenizer::State::setInStyle): Removed unused bit.
+        (WebCore::HTMLTokenizer::State::): Ditto.
+
 2007-01-14  Alexey Proskuryakov  <ap@webkit.org>
 
         Reviewed by Darin.

third_party/WebKit/WebCore/html/HTMLParser.cpp

@@ -148,7 +148,6 @@ void HTMLParser::reset()
     inBody = false;
     haveFrameSet = false;
     haveContent = false;
-    inSelect = false;
     inStrayTableContent = 0;
     
     form = 0;
@@ -691,7 +690,6 @@ bool HTMLParser::isindexCreateErrorCheck(Token* t, RefPtr<Node>& result)
 
 bool HTMLParser::selectCreateErrorCheck(Token* t, RefPtr<Node>& result)
 {
-    inSelect = true;
     return true;
 }
 
@@ -848,8 +846,6 @@ void HTMLParser::processCloseTag(Token *t)
         form = 0;
     else if (t->tagName == mapTag)
         map = 0;
-    else if (t->tagName == selectTag)
-        inSelect = false;
         
     HTMLStackElem* oldElem = blockStack;
     popBlock(t->tagName);

third_party/WebKit/WebCore/html/HTMLParser.h

@@ -70,7 +70,6 @@ public:
 
     bool skipMode() const { return !discard_until.isNull(); }
     bool noSpaces() const { return !inBody; }
-    bool selectMode() const { return inSelect; }
 
     HTMLDocument *doc() const { return static_cast<HTMLDocument *>(document); }
 
@@ -171,7 +170,6 @@ private:
     bool haveContent;
     bool haveFrameSet;
     bool end;
-    bool inSelect;
 
     /*
      * tells the parser to discard all tags, until it reaches the one specified

third_party/WebKit/WebCore/html/HTMLTokenizer.cpp

@@ -1145,7 +1145,7 @@ HTMLTokenizer::State HTMLTokenizer::parseTag(SegmentedString &src, State state)
             // compatibility.
             bool isSelfClosingScript = currToken.flat && currToken.beginTag && currToken.tagName == scriptTag;
             bool beginTag = !currToken.flat && currToken.beginTag;
-            if (currToken.beginTag && currToken.tagName == scriptTag) {
+            if (currToken.beginTag && currToken.tagName == scriptTag && !parser->skipMode()) {
                 Attribute* a = 0;
                 scriptSrc = String();
                 scriptSrcCharset = String();
@@ -1160,69 +1160,69 @@ HTMLTokenizer::State HTMLTokenizer::parseTag(SegmentedString &src, State state)
             }
 
             RefPtr<Node> n = processToken();
-
-            if ((tagName == preTag || tagName == listingTag) && !inViewSourceMode()) {
-                if (beginTag)
-                    state.setDiscardLF(true); // Discard the first LF after we open a pre.
-            } else if (tagName == scriptTag) {
-                ASSERT(!scriptNode);
-                scriptNode = n;
-                if (beginTag) {
-                    searchStopper = scriptEnd;
-                    searchStopperLen = 8;
-                    state.setInScript(true);
-                    state = parseSpecial(src, state);
-                } else if (isSelfClosingScript) { // Handle <script src="foo"/>
-                    state.setInScript(true);
-                    state = scriptHandler(state);
-                }
-            } else if (tagName == styleTag) {
-                if (beginTag) {
-                    searchStopper = styleEnd;
-                    searchStopperLen = 7;
-                    state.setInStyle(true);
-                    state = parseSpecial(src, state);
-                }
-            } else if (tagName == textareaTag) {
-                if (beginTag) {
-                    searchStopper = textareaEnd;
-                    searchStopperLen = 10;
-                    state.setInTextArea(true);
-                    state = parseSpecial(src, state);
-                }
-            } else if (tagName == titleTag) {
-                if (beginTag) {
-                    searchStopper = titleEnd;
-                    searchStopperLen = 7;
-                    State savedState = state;
-                    SegmentedString savedSrc = src;
-                    long savedLineno = lineno;
-                    state.setInTitle(true);
-                    state = parseSpecial(src, state);
-                    if (state.inTitle() && src.isEmpty()) {
-                        // We just ate the rest of the document as the title #text node!
-                        // Reset the state then retokenize without special title handling.
-                        // Let the parser clean up the missing </title> tag.
-                        // FIXME: This is incorrect, because src.isEmpty() doesn't mean we're
-                        // at the end of the document unless noMoreData is also true. We need
-                        // to detect this case elsewhere, and save the state somewhere other
-                        // than a local variable.
-                        state = savedState;
-                        src = savedSrc;
-                        lineno = savedLineno;
-                        scriptCodeSize = 0;
+            if (n) {
+                if ((tagName == preTag || tagName == listingTag) && !inViewSourceMode()) {
+                    if (beginTag)
+                        state.setDiscardLF(true); // Discard the first LF after we open a pre.
+                } else if (tagName == scriptTag && n) {
+                    ASSERT(!scriptNode);
+                    scriptNode = n;
+                    if (beginTag) {
+                        searchStopper = scriptEnd;
+                        searchStopperLen = 8;
+                        state.setInScript(true);
+                        state = parseSpecial(src, state);
+                    } else if (isSelfClosingScript) { // Handle <script src="foo"/>
+                        state.setInScript(true);
+                        state = scriptHandler(state);
+                    }
+                } else if (tagName == styleTag) {
+                    if (beginTag) {
+                        searchStopper = styleEnd;
+                        searchStopperLen = 7;
+                        state.setInStyle(true);
+                        state = parseSpecial(src, state);
+                    }
+                } else if (tagName == textareaTag) {
+                    if (beginTag) {
+                        searchStopper = textareaEnd;
+                        searchStopperLen = 10;
+                        state.setInTextArea(true);
+                        state = parseSpecial(src, state);
+                    }
+                } else if (tagName == titleTag) {
+                    if (beginTag) {
+                        searchStopper = titleEnd;
+                        searchStopperLen = 7;
+                        State savedState = state;
+                        SegmentedString savedSrc = src;
+                        long savedLineno = lineno;
+                        state.setInTitle(true);
+                        state = parseSpecial(src, state);
+                        if (state.inTitle() && src.isEmpty()) {
+                            // We just ate the rest of the document as the title #text node!
+                            // Reset the state then retokenize without special title handling.
+                            // Let the parser clean up the missing </title> tag.
+                            // FIXME: This is incorrect, because src.isEmpty() doesn't mean we're
+                            // at the end of the document unless noMoreData is also true. We need
+                            // to detect this case elsewhere, and save the state somewhere other
+                            // than a local variable.
+                            state = savedState;
+                            src = savedSrc;
+                            lineno = savedLineno;
+                            scriptCodeSize = 0;
+                        }
+                    }
+                } else if (tagName == xmpTag) {
+                    if (beginTag) {
+                        searchStopper = xmpEnd;
+                        searchStopperLen = 5;
+                        state.setInXmp(true);
+                        state = parseSpecial(src, state);
                     }
                 }
-            } else if (tagName == xmpTag) {
-                if (beginTag) {
-                    searchStopper = xmpEnd;
-                    searchStopperLen = 5;
-                    state.setInXmp(true);
-                    state = parseSpecial(src, state);
-                }
-            } else if (tagName == selectTag)
-                state.setInSelect(beginTag);
-            else if (tagName == plaintextTag)
+            }
+            if (tagName == plaintextTag)
                 state.setInPlainText(beginTag);
             m_cBufferPos = cBufferPos;
             return state; // Finished parsing tag!

third_party/WebKit/WebCore/html/HTMLTokenizer.h

@@ -193,8 +193,6 @@ private:
         void setInScript(bool v) { setBit(InScript, v); }
         bool inStyle() const { return testBit(InStyle); }
         void setInStyle(bool v) { setBit(InStyle, v); }
-        bool inSelect() const { return testBit(InSelect); }
-        void setInSelect(bool v) { setBit(InSelect, v); }
         bool inXmp() const { return testBit(InXmp); }
         void setInXmp(bool v) { setBit(InXmp, v); }
         bool inTitle() const { return testBit(InTitle); }
@@ -237,7 +235,7 @@ private:
             EntityMask = (1 << 7) - (1 << 4),
             InScript = 1 << 7,
             InStyle = 1 << 8,
-            InSelect = 1 << 9,
+            // Bit 9 unused
             InXmp = 1 << 10,
             InTitle = 1 << 11,
             InPlainText = 1 << 12,