Fix a crash when getElementsByClassName() is called twice with the same...

Fix a crash when getElementsByClassName() is called twice with the same argument including capital letters. This fixes a regression by crrev.com/474217, which deleted a protector AtomicString accidentally. This CL removes a tricky StringImpl* hash key in NodeListsNodeData. BUG=725929 R=yosin@chromium.org Review-Url: https://codereview.chromium.org/2903373002 . Cr-Commit-Position: refs/heads/master@{#474870}

Fix a crash when getElementsByClassName() is called twice with the same...
Fix a crash when getElementsByClassName() is called twice with the same argument including capital letters. This fixes a regression by crrev.com/474217, which deleted a protector AtomicString accidentally. This CL removes a tricky StringImpl* hash key in NodeListsNodeData. BUG=725929 R=yosin@chromium.org Review-Url: https://codereview.chromium.org/2903373002 . Cr-Commit-Position: refs/heads/master@{#474870}
9cf04000 · Kent Tamura · bdacc133 · 9cf04000 · 9cf04000
Commit 9cf04000 authored May 26, 2017 by Kent Tamura
2 changed files
--- a/third_party/WebKit/Source/core/dom/ElementTest.cpp
+++ b/third_party/WebKit/Source/core/dom/ElementTest.cpp
@@ -239,4 +239,12 @@ TEST_F(ElementTest, StickySubtreesAreTrackedCorrectly) {
  EXPECT_TRUE(great_grandchild->StyleRef().SubtreeIsSticky());
 }

+TEST_F(ElementTest, GetElementsByClassNameCrash) {
+  // Test for a crash in NodeListsNodeData::AddCache().
+  ASSERT_TRUE(GetDocument().InQuirksMode());
+  GetDocument().body()->getElementsByClassName("ABC DEF");
+  GetDocument().body()->getElementsByClassName("ABC DEF");
+  // The test passes if no crash happens.
+}
+
 }  // namespace blink
--- a/third_party/WebKit/Source/core/dom/NodeListsNodeData.h
+++ b/third_party/WebKit/Source/core/dom/NodeListsNodeData.h
@@ -65,21 +65,21 @@ class NodeListsNodeData final : public GarbageCollected<NodeListsNodeData> {
  struct NodeListAtomicCacheMapEntryHash {
    STATIC_ONLY(NodeListAtomicCacheMapEntryHash);
    static unsigned GetHash(
-        const std::pair<unsigned char, StringImpl*>& entry) {
-      return DefaultHash<StringImpl*>::Hash::GetHash(entry.second) +
+        const std::pair<unsigned char, AtomicString>& entry) {
+      return DefaultHash<AtomicString>::Hash::GetHash(entry.second) +
             entry.first;
    }
-    static bool Equal(const std::pair<unsigned char, StringImpl*>& a,
-                      const std::pair<unsigned char, StringImpl*>& b) {
+    static bool Equal(const std::pair<unsigned char, AtomicString>& a,
+                      const std::pair<unsigned char, AtomicString>& b) {
      return a == b;
    }
    static const bool safe_to_compare_to_empty_or_deleted =
-        DefaultHash<StringImpl*>::Hash::safe_to_compare_to_empty_or_deleted;
+        DefaultHash<AtomicString>::Hash::safe_to_compare_to_empty_or_deleted;
  };

  // Oilpan: keep a weak reference to the collection objects.
  // Object unregistration is handled by GC's weak processing.
-  typedef HeapHashMap<std::pair<unsigned char, StringImpl*>,
+  typedef HeapHashMap<std::pair<unsigned char, AtomicString>,
                      WeakMember<LiveNodeListBase>,
                      NodeListAtomicCacheMapEntryHash>
      NodeListAtomicNameCacheMap;
@@ -181,13 +181,10 @@ class NodeListsNodeData final : public GarbageCollected<NodeListsNodeData> {
 private:
  NodeListsNodeData() : child_node_list_(nullptr) {}

-  std::pair<unsigned char, StringImpl*> NamedNodeListKey(
+  std::pair<unsigned char, AtomicString> NamedNodeListKey(
      CollectionType type,
      const AtomicString& name) {
-    // Holding the raw StringImpl is safe because |name| is retained by the
-    // NodeList and the NodeList is reponsible for removing itself from the
-    // cache on deletion.
-    return std::pair<unsigned char, StringImpl*>(type, name.Impl());
+    return std::pair<unsigned char, AtomicString>(type, name);
  }

  // Can be a ChildNodeList or an EmptyNodeList.