Commit fc192901 authored by tkent@chromium.org

2011-01-30 Kenichi Ishibashi <bashi@google.com>

        Reviewed by Kent Tamura.

        Dangling form associated elements should not be registered on the document
        https://bugs.webkit.org/show_bug.cgi?id=53223

        Adds insertedIntoDocument() and removedFromDocument() to
        FormAssociatedElement class to register the element on the document
        if and only if it is actually inserted into (removed from) the document.

        Test: fast/forms/dangling-form-element-crash.html

        * html/FormAssociatedElement.cpp:
        (WebCore::FormAssociatedElement::insertedIntoDocument): Added.
        (WebCore::FormAssociatedElement::removedFromDocument): Ditto.
        (WebCore::FormAssociatedElement::insertedIntoTree): Don't register
        the element to a document.
        (WebCore::FormAssociatedElement::removedFromTree): Don't unregister
        the element from a document.
        * html/FormAssociatedElement.h:
        * html/HTMLFormControlElement.cpp:
        (WebCore::HTMLFormControlElement::insertedIntoDocument): Added.
        (WebCore::HTMLFormControlElement::removedFromDocument): Ditto.
        * html/HTMLFormControlElement.h:
        * html/HTMLObjectElement.cpp:
        (WebCore::HTMLObjectElement::insertedIntoDocument): Calls
        FormAssociatedElement::insertedIntoDocument().
        (WebCore::HTMLObjectElement::removedFromDocument): Calls
        FormAssociatedElement::removedFromDocument().

2011-01-30  Kenichi Ishibashi  <bashi@google.com>

        Reviewed by Kent Tamura.

        Dangling form associated elements should not be registered on the document
        https://bugs.webkit.org/show_bug.cgi?id=53223

        Adds a test that ensures dangling form associated elements are not
        registered on the document.

        * fast/forms/dangling-form-element-crash-expected.txt: Added.
        * fast/forms/dangling-form-element-crash.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77114 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent ad0e9df1
2011-01-30 Kenichi Ishibashi <bashi@google.com>
Reviewed by Kent Tamura.
Dangling form associated elements should not be registered on the document
https://bugs.webkit.org/show_bug.cgi?id=53223
Adds a test that ensures dangling form associated elements are not
registered on the document.
* fast/forms/dangling-form-element-crash-expected.txt: Added.
* fast/forms/dangling-form-element-crash.html: Added.
2011-01-30 Simon Fraser <simon.fraser@apple.com> 2011-01-30 Simon Fraser <simon.fraser@apple.com>
Reviewed by Sam Weinig. Reviewed by Sam Weinig.
Checks dangling form associated elements doesn't cause crash. WebKit should not crash when this page is loaded.
PASS
<html>
<script>
if (window.layoutTestController) {
layoutTestController.dumpAsText();
layoutTestController.waitUntilDone();
}
function gc() {
if (window.GCController)
return GCController.collect();
for (var i = 0; i < 10000; ++i)
var s = new String("foo");
}
function resetFormOwner() {
gc();
var form = document.createElement('form');
form.id = 'foo';
document.body.appendChild(form);
document.body.innerHTML += 'PASS';
if (window.layoutTestController)
layoutTestController.notifyDone();
}
function test() {
var div = document.createElement('div');
var input = document.createElement('input');
input.setAttribute('form', 'foo');
div.appendChild(input);
setTimeout(resetFormOwner, 0);
}
</script>
<body onload="test()">
<p>Checks dangling form associated elements doesn't cause crash. WebKit should not crash when this page is loaded.</p>
</body>
</html>
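Review bot: the gc() fallback only allocates 10000 strings when window.GCController is absent, which does not force a collection, so outside DumpRenderTree the detached input created in test() may still be alive when resetFormOwner() runs and the regression would not be exercised; a short comment saying the test is only meaningful under the harness would help. Also, `document.body.innerHTML += 'PASS'` re-serializes and re-parses body, which replaces the form just appended with a fresh copy; `document.body.appendChild(document.createTextNode('PASS'))` records the same result without a second form insertion.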
2011-01-30 Kenichi Ishibashi <bashi@google.com>
Reviewed by Kent Tamura.
Dangling form associated elements should not be registered on the document
https://bugs.webkit.org/show_bug.cgi?id=53223
Adds insertedIntoDocument() and remvoedFromDocument() to
FormAssociatedElement class to register the element on the document
if and only if it actually inserted into (removed from) the document.
Test: fast/forms/dangling-form-element-crash.html
* html/FormAssociatedElement.cpp:
(WebCore::FormAssociatedElement::insertedIntoDocument): Added.
(WebCore::FormAssociatedElement::removedFromDocument): Ditto.
(WebCore::FormAssociatedElement::insertedIntoTree): Don't register
the element to a document.
(WebCore::FormAssociatedElement::removedFromTree): Don't unregister
the element from a document.
* html/FormAssociatedElement.h:
* html/HTMLFormControlElement.cpp:
(WebCore::HTMLFormControlElement::insertedIntoDocument): Added.
(WebCore::HTMLFormControlElement::removedFromDocument): Ditto.
* html/HTMLFormControlElement.h:
* html/HTMLObjectElement.cpp:
(WebCore::HTMLObjectElement::insertedIntoDocument): Calls
FormAssociatedElement::insertedIntoDocument().
(WebCore::HTMLObjectElement::removedFromDocument): Calls
FormAssociatedElement::removedFromDocument().
2011-01-30 Csaba Osztrogonác <ossy@webkit.org> 2011-01-30 Csaba Osztrogonác <ossy@webkit.org>
Unreviewed, rolling out r77098, r77099, r77100, r77109, and Unreviewed, rolling out r77098, r77099, r77100, r77109, and
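Review bot: typo in the ChangeLog entry: "remvoedFromDocument()" should read "removedFromDocument()" to match the method declared in FormAssociatedElement.h, and "if it actually inserted" reads better as "if it is actually inserted".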
...@@ -59,11 +59,24 @@ void FormAssociatedElement::willMoveToNewOwnerDocument() ...@@ -59,11 +59,24 @@ void FormAssociatedElement::willMoveToNewOwnerDocument()
element->document()->unregisterFormElementWithFormAttribute(this); element->document()->unregisterFormElementWithFormAttribute(this);
} }
void FormAssociatedElement::insertedIntoDocument()
{
HTMLElement* element = toHTMLElement(this);
if (element->fastHasAttribute(formAttr))
element->document()->registerFormElementWithFormAttribute(this);
}
void FormAssociatedElement::removedFromDocument()
{
HTMLElement* element = toHTMLElement(this);
if (element->fastHasAttribute(formAttr))
element->document()->unregisterFormElementWithFormAttribute(this);
}
void FormAssociatedElement::insertedIntoTree() void FormAssociatedElement::insertedIntoTree()
{ {
HTMLElement* element = toHTMLElement(this); HTMLElement* element = toHTMLElement(this);
if (element->fastHasAttribute(formAttr)) { if (element->fastHasAttribute(formAttr)) {
element->document()->registerFormElementWithFormAttribute(this);
Element* formElement = element->document()->getElementById(element->fastGetAttribute(formAttr)); Element* formElement = element->document()->getElementById(element->fastGetAttribute(formAttr));
if (formElement && formElement->hasTagName(formTag)) { if (formElement && formElement->hasTagName(formTag)) {
if (m_form) if (m_form)
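Review bot: with the registerFormElementWithFormAttribute() call dropped from insertedIntoTree(), that function still resolves the owner through element->document()->getElementById() and goes on to set m_form for an element that may not be in the document; that is fine for the crash being fixed, but a one-line comment in the formAttr branch saying that document registration now happens only in insertedIntoDocument() would keep the two paths from drifting apart in later edits.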
...@@ -94,8 +107,6 @@ static inline Node* findRoot(Node* n) ...@@ -94,8 +107,6 @@ static inline Node* findRoot(Node* n)
void FormAssociatedElement::removedFromTree() void FormAssociatedElement::removedFromTree()
{ {
HTMLElement* element = toHTMLElement(this); HTMLElement* element = toHTMLElement(this);
if (element->fastHasAttribute(formAttr))
element->document()->unregisterFormElementWithFormAttribute(this);
// If the form and element are both in the same tree, preserve the connection to the form. // If the form and element are both in the same tree, preserve the connection to the form.
// Otherwise, null out our form and remove ourselves from the form's list of elements. // Otherwise, null out our form and remove ourselves from the form's list of elements.
......
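Review bot: dropping the unregister call from removedFromTree() is consistent with registration now happening only in insertedIntoDocument(), but the remaining way an element's registration can change is a change to the form attribute itself, which is not part of this diff. Confirm that the attribute-change handling for formAttr applies the same in-document guard; otherwise adding a form attribute to a detached element would still register it on the document and reintroduce the dangling pointer this patch removes.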
...@@ -63,7 +63,8 @@ protected: ...@@ -63,7 +63,8 @@ protected:
void insertedIntoTree(); void insertedIntoTree();
void removedFromTree(); void removedFromTree();
void insertedIntoDocument();
void removedFromDocument();
void willMoveToNewOwnerDocument(); void willMoveToNewOwnerDocument();
void setForm(HTMLFormElement* form) { m_form = form; } void setForm(HTMLFormElement* form) { m_form = form; }
......
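Review bot: both base classes of HTMLFormControlElement and HTMLObjectElement now declare insertedIntoDocument()/removedFromDocument(), so an unqualified call in those classes would be ambiguous and the non-virtual FormAssociatedElement versions are only reachable through the explicit `FormAssociatedElement::` qualification used in the .cpp hunks. A brief comment next to these two declarations stating that the derived class's virtual override must forward to them would make that contract explicit for the next form-associated element that is added.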
...@@ -165,6 +165,18 @@ void HTMLFormControlElement::removedFromTree(bool deep) ...@@ -165,6 +165,18 @@ void HTMLFormControlElement::removedFromTree(bool deep)
HTMLElement::removedFromTree(deep); HTMLElement::removedFromTree(deep);
} }
void HTMLFormControlElement::insertedIntoDocument()
{
HTMLElement::insertedIntoDocument();
FormAssociatedElement::insertedIntoDocument();
}
void HTMLFormControlElement::removedFromDocument()
{
HTMLElement::removedFromDocument();
FormAssociatedElement::removedFromDocument();
}
const AtomicString& HTMLFormControlElement::formControlName() const const AtomicString& HTMLFormControlElement::formControlName() const
{ {
const AtomicString& name = fastGetAttribute(nameAttr); const AtomicString& name = fastGetAttribute(nameAttr);
......
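Review bot: the call order in removedFromDocument() differs from removedFromTree() directly above it, which does its own work before finishing with `HTMLElement::removedFromTree(deep);`. For symmetry with insertedIntoDocument() (base first on insert, own cleanup first on remove) consider calling `FormAssociatedElement::removedFromDocument();` before `HTMLElement::removedFromDocument();`, or add a comment explaining why base-first is required here.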
...@@ -111,6 +111,8 @@ protected: ...@@ -111,6 +111,8 @@ protected:
virtual void attach(); virtual void attach();
virtual void insertedIntoTree(bool deep); virtual void insertedIntoTree(bool deep);
virtual void removedFromTree(bool deep); virtual void removedFromTree(bool deep);
virtual void insertedIntoDocument();
virtual void removedFromDocument();
virtual void willMoveToNewOwnerDocument(); virtual void willMoveToNewOwnerDocument();
virtual bool isKeyboardFocusable(KeyboardEvent*) const; virtual bool isKeyboardFocusable(KeyboardEvent*) const;
......
...@@ -318,6 +318,7 @@ void HTMLObjectElement::insertedIntoDocument() ...@@ -318,6 +318,7 @@ void HTMLObjectElement::insertedIntoDocument()
} }
HTMLPlugInImageElement::insertedIntoDocument(); HTMLPlugInImageElement::insertedIntoDocument();
FormAssociatedElement::insertedIntoDocument();
} }
void HTMLObjectElement::removedFromDocument() void HTMLObjectElement::removedFromDocument()
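Review bot: the closing brace at the top of this hunk ends a branch whose body is not shown; if that branch can return early, FormAssociatedElement::insertedIntoDocument() would be skipped on that path while the object element still ends up in the document. Worth confirming there is no early return ahead of HTMLPlugInImageElement::insertedIntoDocument(), since the registration is what the new test depends on.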
...@@ -329,6 +330,7 @@ void HTMLObjectElement::removedFromDocument() ...@@ -329,6 +330,7 @@ void HTMLObjectElement::removedFromDocument()
} }
HTMLPlugInImageElement::removedFromDocument(); HTMLPlugInImageElement::removedFromDocument();
FormAssociatedElement::removedFromDocument();
} }
void HTMLObjectElement::attributeChanged(Attribute* attr, bool preserveDecls) void HTMLObjectElement::attributeChanged(Attribute* attr, bool preserveDecls)
......