[whatwg/dom] TreeWalker's nextNode() method can result in an infinite loop because the value of node never changes if it doesn't have a child (#667) from Trevor Rowbotham on 2018-07-16 (public-webapps-github@w3.org from July 2018)

From: Trevor Rowbotham <notifications@github.com>
Date: Mon, 16 Jul 2018 15:26:55 -0700
To: whatwg/dom <dom@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/dom/issues/667@github.com>

Given the following:
```html
<doctype html>
<html>
  <head></head>
  <body></body>
</html>
```
```javascript
const treeWalker = document.createTreeWalker(document, NodeFilter.SHOW_ELEMENT, null);
treeWalker.nextNode();
```

A walk through:

Step 1) *node* is set to `document`
Step 3.1) *result* is `FILTER_ACCEPT` and *node* has a child so we enter the loop
Step 3.1.1) *node* is set to `document`'s `doctype`
Step 3.1.2) *result* is set to `FILTER_SKIP` so we continue on
Step 4.2) *sibling* is set to *temporary's* next sibling, which is the `<html>` tag
Step 4.3) *sibling* is non-null, so we break out of the loop
Step 5) *result* is set to `FILTER_SKIP`
Step 6) since *result* is not `FILTER_ACCEPT`, we return to Step 3

Since a `doctype` doesn't have children, we never enter the while loop at Step 3.1 again, which is the only place where *node* changes, leaving *node* permanently set to `document`'s `doctype`, and thus an infinite loop is born.



-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/dom/issues/667

Received on Monday, 16 July 2018 22:27:19 UTC