diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 5bcddb21994f28d46495d87cbb29010750632b6f..11f9b655dee85e3e3f957876ef644075df688161 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2011-01-30 Kenichi Ishibashi
+
+ Reviewed by Kent Tamura.
+
+ Dangling form associated elements should not be registered on the document
+ https://bugs.webkit.org/show_bug.cgi?id=53223
+
+ Adds a test that ensures dangling form associated elements are not
+ registered on the document.
+
+ * fast/forms/dangling-form-element-crash-expected.txt: Added.
+ * fast/forms/dangling-form-element-crash.html: Added.
+
 2011-01-30 Simon Fraser Reviewed by Sam Weinig.
diff --git a/LayoutTests/fast/forms/dangling-form-element-crash-expected.txt b/LayoutTests/fast/forms/dangling-form-element-crash-expected.txt
new file mode 100644
index 0000000000000000000000000000000000000000..45001df473d9b0616c3464dbe5269f579b617d33
--- /dev/null
+++ b/LayoutTests/fast/forms/dangling-form-element-crash-expected.txt
@@ -0,0 +1,3 @@
+Checks dangling form associated elements doesn't cause crash. WebKit should not crash when this page is loaded.
+
+PASS
diff --git a/LayoutTests/fast/forms/dangling-form-element-crash.html b/LayoutTests/fast/forms/dangling-form-element-crash.html
new file mode 100644
index 0000000000000000000000000000000000000000..f5d097ebeb72a24ede99b9ef0e6131ad3677c87f
--- /dev/null
+++ b/LayoutTests/fast/forms/dangling-form-element-crash.html
@@ -0,0 +1,36 @@
+ + + +

Checks dangling form associated elements doesn't cause crash. WebKit should not crash when this page is loaded.

+ +
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 90111f878c714d5b03de59775e529c45ab2edb6d..5cf4c84812a283f30398722303b2c120a51f4346 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,34 @@
+2011-01-30 Kenichi Ishibashi
+
+ Reviewed by Kent Tamura.
+
+ Dangling form associated elements should not be registered on the document
+ https://bugs.webkit.org/show_bug.cgi?id=53223
+
+ Adds insertedIntoDocument() and remvoedFromDocument() to
+ FormAssociatedElement class to register the element on the document
+ if and only if it actually inserted into (removed from) the document.
+
+ Test: fast/forms/dangling-form-element-crash.html
+
+ * html/FormAssociatedElement.cpp:
+ (WebCore::FormAssociatedElement::insertedIntoDocument): Added.
+ (WebCore::FormAssociatedElement::removedFromDocument): Ditto.
+ (WebCore::FormAssociatedElement::insertedIntoTree): Don't register
+ the element to a document.
+ (WebCore::FormAssociatedElement::removedFromTree): Don't unregister
+ the element from a document.
+ * html/FormAssociatedElement.h:
+ * html/HTMLFormControlElement.cpp:
+ (WebCore::HTMLFormControlElement::insertedIntoDocument): Added.
+ (WebCore::HTMLFormControlElement::removedFromDocument): Ditto.
+ * html/HTMLFormControlElement.h:
+ * html/HTMLObjectElement.cpp:
+ (WebCore::HTMLObjectElement::insertedIntoDocument): Calls
+ FormAssociatedElement::insertedIntoDocument().
+ (WebCore::HTMLObjectElement::removedFromDocument): Calls
+ FormAssociatedElement::removedFromDocument().
+
 2011-01-30 Csaba Osztrogon√°c Unreviewed, rolling out r77098, r77099, r77100, r77109, and
diff --git a/Source/WebCore/html/FormAssociatedElement.cpp b/Source/WebCore/html/FormAssociatedElement.cpp
index 574dfe5d0a310d98e1cefe62d820171c18dbae67..35717444a434e08717d8609df911edf92610bdf6 100644
--- a/Source/WebCore/html/FormAssociatedElement.cpp
+++ b/Source/WebCore/html/FormAssociatedElement.cpp
@@ -59,11 +59,24 @@ void FormAssociatedElement::willMoveToNewOwnerDocument()
 element->document()->unregisterFormElementWithFormAttribute(this);
 }
+void FormAssociatedElement::insertedIntoDocument()
+{
+ HTMLElement* element = toHTMLElement(this);
+ if (element->fastHasAttribute(formAttr))
+ element->document()->registerFormElementWithFormAttribute(this);
+}
+
+void FormAssociatedElement::removedFromDocument()
+{
+ HTMLElement* element = toHTMLElement(this);
+ if (element->fastHasAttribute(formAttr))
+ element->document()->unregisterFormElementWithFormAttribute(this);
+}
+
 void FormAssociatedElement::insertedIntoTree()
 {
 HTMLElement* element = toHTMLElement(this);
 if (element->fastHasAttribute(formAttr)) {
- element->document()->registerFormElementWithFormAttribute(this);
 Element* formElement = element->document()->getElementById(element->fastGetAttribute(formAttr));
 if (formElement && formElement->hasTagName(formTag)) {
 if (m_form)
@@ -94,8 +107,6 @@ static inline Node* findRoot(Node* n)
 void FormAssociatedElement::removedFromTree()
 {
 HTMLElement* element = toHTMLElement(this);
- if (element->fastHasAttribute(formAttr))
- element->document()->unregisterFormElementWithFormAttribute(this);
 // If the form and element are both in the same tree, preserve the connection to the form.
 // Otherwise, null out our form and remove ourselves from the form's list of elements.
diff --git a/Source/WebCore/html/FormAssociatedElement.h b/Source/WebCore/html/FormAssociatedElement.h
index ebefdc6029d0b5addf78f6e07f539422fdf932ea..aa5abd9a546af69149eee2dbd252964d1f744895 100644
--- a/Source/WebCore/html/FormAssociatedElement.h
+++ b/Source/WebCore/html/FormAssociatedElement.h
@@ -63,7 +63,8 @@ protected:
 void insertedIntoTree();
 void removedFromTree();
-
+ void insertedIntoDocument();
+ void removedFromDocument();
 void willMoveToNewOwnerDocument();
 void setForm(HTMLFormElement* form) { m_form = form; }
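Review bot: The new FormAssociatedElement::removedFromDocument() only unregisters when the `form` attribute is still present at removal time, so an element that insertedIntoDocument() registered and that later lost its `form` attribute while in the document would stay in the document's registry after it is removed, unless the attribute-change path (not in this hunk) unregisters it at that moment; a stale entry there outlives the element and is the same class of dangling pointer this patch is fixing. If `unregisterFormElementWithFormAttribute()` tolerates an element that was never registered, the simplest symmetric form is to drop the attribute check on removal, `element->document()->unregisterFormElementWithFormAttribute(this);` unconditionally; otherwise a bool recording that registration happened would keep insert and remove in step. The insertedIntoTree() body that this hunk edits continues past the end of the hunk.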
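Review bot: The two declarations added to FormAssociatedElement.h carry no comment, yet they are non-virtual, share their names with the virtual HTMLElement::insertedIntoDocument()/removedFromDocument() that every concrete subclass also inherits, and do nothing unless each subclass calls them explicitly (as HTMLFormControlElement.cpp and HTMLObjectElement.cpp do elsewhere in this patch). A forgotten call in a future FormAssociatedElement subclass would silently skip document registration, which is exactly the bug class this patch addresses. Suggested comment above the pair: `// Not virtual: concrete elements must call these from their own insertedIntoDocument()/removedFromDocument() overrides so the document's form-attribute registry stays in sync.`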
diff --git a/Source/WebCore/html/HTMLFormControlElement.cpp b/Source/WebCore/html/HTMLFormControlElement.cpp
index 18cc94238adf3d5cf35cdd4542cc16d8aa899180..0daa521711f01a49cc4b5b425ea43b940d11fc85 100644
--- a/Source/WebCore/html/HTMLFormControlElement.cpp
+++ b/Source/WebCore/html/HTMLFormControlElement.cpp
@@ -165,6 +165,18 @@ void HTMLFormControlElement::removedFromTree(bool deep)
 HTMLElement::removedFromTree(deep);
 }
+void HTMLFormControlElement::insertedIntoDocument()
+{
+ HTMLElement::insertedIntoDocument();
+ FormAssociatedElement::insertedIntoDocument();
+}
+
+void HTMLFormControlElement::removedFromDocument()
+{
+ HTMLElement::removedFromDocument();
+ FormAssociatedElement::removedFromDocument();
+}
+
 const AtomicString& HTMLFormControlElement::formControlName() const
 {
 const AtomicString& name = fastGetAttribute(nameAttr);
diff --git a/Source/WebCore/html/HTMLFormControlElement.h b/Source/WebCore/html/HTMLFormControlElement.h
index e0be3f0dca742bb5ece73a4e5e64563801d1c3c7..368dcfad7f4d68503864e8aacdeffa4d85dc9b1e 100644
--- a/Source/WebCore/html/HTMLFormControlElement.h
+++ b/Source/WebCore/html/HTMLFormControlElement.h
@@ -111,6 +111,8 @@ protected:
 virtual void attach();
 virtual void insertedIntoTree(bool deep);
 virtual void removedFromTree(bool deep);
+ virtual void insertedIntoDocument();
+ virtual void removedFromDocument();
 virtual void willMoveToNewOwnerDocument();
 virtual bool isKeyboardFocusable(KeyboardEvent*) const;
diff --git a/Source/WebCore/html/HTMLObjectElement.cpp b/Source/WebCore/html/HTMLObjectElement.cpp
index 7e8cd419864837b487240ac2c73afbac7bc44571..84dc684c6a56f50b25fb5259b55d6c28963fcde1 100644
--- a/Source/WebCore/html/HTMLObjectElement.cpp
+++ b/Source/WebCore/html/HTMLObjectElement.cpp
@@ -318,6 +318,7 @@ void HTMLObjectElement::insertedIntoDocument()
 }
 HTMLPlugInImageElement::insertedIntoDocument();
+ FormAssociatedElement::insertedIntoDocument();
 }
 void HTMLObjectElement::removedFromDocument()
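Review bot: The HTMLFormControlElement.h hunk introduces insertedIntoDocument()/removedFromDocument() as new virtuals, so any existing subclass that already overrides them and chains directly to `HTMLElement::insertedIntoDocument()` (rather than `HTMLFormControlElement::insertedIntoDocument()`) would bypass the registration added in the HTMLFormControlElement.cpp hunk on this line; the subclasses are not visible from this patch, so that is worth checking before this lands. A comment next to the two declarations would make the contract explicit: `// Overrides must chain to HTMLFormControlElement::insertedIntoDocument()/removedFromDocument(); they register this element with the document's form-attribute registry.`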
@@ -329,6 +330,7 @@ void HTMLObjectElement::removedFromDocument()
 }
 HTMLPlugInImageElement::removedFromDocument();
+ FormAssociatedElement::removedFromDocument();
 }
 void HTMLObjectElement::attributeChanged(Attribute* attr, bool preserveDecls)