From 4ed4303dd11f61123a93faf8e9c6cbe69f2349c9 Mon Sep 17 00:00:00 2001
From: Gaming4JC
Date: Sat, 4 May 2019 18:42:29 -0400
Subject: backport m-c 1510114: Fix Use-After-Free in the HTML5 Parser

Fixes #1076
---
 parser/html/nsHtml5TreeOpExecutor.cpp | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

(limited to 'parser')

diff --git a/parser/html/nsHtml5TreeOpExecutor.cpp b/parser/html/nsHtml5TreeOpExecutor.cpp
index 468449698..5c3f32d6f 100644
--- a/parser/html/nsHtml5TreeOpExecutor.cpp
+++ b/parser/html/nsHtml5TreeOpExecutor.cpp
@@ -351,6 +351,12 @@ nsHtml5TreeOpExecutor::RunFlushLoop()
nsHtml5FlushLoopGuard guard(this); // this is also the self-kungfu!
RefPtr parserKungFuDeathGrip(mParser);
+ RefPtr streamParserGrip;
+ if (mParser) {
+ streamParserGrip = GetParser()->GetStreamParser();
+ }
+ mozilla::Unused
+ << streamParserGrip; // Intentionally not used within function
// Remember the entry time
(void) nsContentSink::WillParseImpl();
@@ -409,11 +415,6 @@ nsHtml5TreeOpExecutor::RunFlushLoop()
mOpQueue.Clear(); // clear in order to be able to assert in destructor
return;
}
- // Not sure if this grip is still needed, but previously, the code
- // gripped before calling ParseUntilBlocked();
- RefPtr streamKungFuDeathGrip =
- GetParser()->GetStreamParser();
- mozilla::Unused << streamKungFuDeathGrip; // Not used within function
// Now parse content left in the document.write() buffer queue if any.
// This may generate tree ops on its own or dequeue a speculation.
nsresult rv = GetParser()->ParseUntilBlocked();
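Review bot: The new `streamParserGrip` at the top of RunFlushLoop is documented only as `// Intentionally not used within function`, which explains the `mozilla::Unused` but not why the grip exists, even though the subject calls this a use-after-free fix; a reader of the final code should not need the commit to understand it. I would replace that comment with something like `// Keep the stream parser alive for the whole flush loop; tree ops run below can otherwise leave it freed while still referenced (bug 1510114).` The identical block added in FlushDocumentWrite further down deserves the same comment. The added `if (mParser)` guard is also new relative to the grip removed in the second hunk, which called `GetParser()->GetStreamParser()` unconditionally, so a short note on when `mParser` can be null here would make the guard self-explaining. Both RunFlushLoop hunks sit inside a function whose start and end are outside the hunks.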
@@ -529,6 +530,12 @@ nsHtml5TreeOpExecutor::FlushDocumentWrite()
RefPtr kungFuDeathGrip(this);
RefPtr parserKungFuDeathGrip(mParser);
mozilla::Unused << parserKungFuDeathGrip; // Intentionally not used within function
+ RefPtr streamParserGrip;
+ if (mParser) {
+ streamParserGrip = GetParser()->GetStreamParser();
+ }
+ mozilla::Unused
+ << streamParserGrip; // Intentionally not used within function
NS_ASSERTION(!mReadingFromStage, "Got doc write flush when reading from stage");
-- cgit v1.2.3

From a371a69a73ebcd542ceb42927ce2859b0d326c98 Mon Sep 17 00:00:00 2001
From: win7-7
Date: Fri, 24 May 2019 14:05:09 +0300
Subject: make HTML parser to use faster atomization in main thread

---
 parser/html/nsHtml5TreeOperation.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'parser')

diff --git a/parser/html/nsHtml5TreeOperation.h b/parser/html/nsHtml5TreeOperation.h
index 0b2970738..a93f44c46 100644
--- a/parser/html/nsHtml5TreeOperation.h
+++ b/parser/html/nsHtml5TreeOperation.h
@@ -108,7 +108,7 @@ class nsHtml5TreeOperation {
}
nsAutoString str;
aAtom->ToString(str);
- return NS_Atomize(str);
+ return NS_AtomizeMainThread(str);
}
static nsresult AppendTextToTextNode(const char16_t* aBuffer,
-- cgit v1.2.3

From bf1e5431f05532e457306c0944b3812ab6ea39f2 Mon Sep 17 00:00:00 2001
From: win7-7
Date: Sat, 25 May 2019 18:04:02 +0300
Subject: use memcmp for nsIAtom Equals to improve performance parser/html issue MoonchildProductions#1113

Use memcmp and not slower string Equals in nsHtml5Portability::localEqualsBuffer
---
 parser/html/nsHtml5Portability.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'parser')

diff --git a/parser/html/nsHtml5Portability.cpp b/parser/html/nsHtml5Portability.cpp
index 36c7e758a..0a7c6f845 100644
--- a/parser/html/nsHtml5Portability.cpp
+++ b/parser/html/nsHtml5Portability.cpp
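Review bot: Switching `NS_Atomize(str)` to `NS_AtomizeMainThread(str)` in nsHtml5TreeOperation.h narrows this helper's contract to main-thread callers, and nothing in the hunk records that assumption; if the main-thread variant asserts the calling thread, as its name suggests, an off-main-thread caller added later would trip an assertion instead of taking the slower shared path. Add a comment above the call, e.g. `// Tree ops are only executed on the main thread, so the main-thread-only atomizer is safe here.`, or, better, on the function's declaration. The enclosing function starts outside the hunk, so I cannot see whether it already carries such a note.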
@@ -91,7 +91,7 @@ nsHtml5Portability::releaseString(nsString* str)
bool
nsHtml5Portability::localEqualsBuffer(nsIAtom* local, char16_t* buf, int32_t offset, int32_t length)
{
- return local->Equals(nsDependentSubstring(buf + offset, buf + offset + length));
+ return local->Equals(buf + offset, length);
}
bool
-- cgit v1.2.3
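Review bot: The replacement passes the signed `int32_t length` straight to `Equals`, whose pointer-plus-length overload presumably takes an unsigned count, so the call now relies on an implicit signed-to-unsigned conversion that the old `nsDependentSubstring` form did not have; make the precondition and the conversion explicit with `MOZ_ASSERT(offset >= 0 && length >= 0);` followed by `return local->Equals(buf + offset, static_cast<uint32_t>(length));`. A one-line comment such as `// Length+memcmp compare; avoids building a temporary substring.` would carry the commit message's rationale into the code, since the hunk itself shows no memcmp. I cannot see the overload's definition from here, so confirm its parameter type before adding the cast.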