[SCM] WebKit Debian packaging branch, webkit-1.3, updated. upstream/1.3.7-4207-g178b198
tkent at chromium.org
tkent at chromium.org
Sun Feb 20 22:54:00 UTC 2011
The following commit has been merged in the webkit-1.3 branch:
commit 46a996c0ac01e8021dbd7c7f00fb6a6b3ba88e44
Author: tkent at chromium.org <tkent at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Thu Jan 13 03:55:50 2011 +0000
2011-01-12 Kenichi Ishibashi <bashi at google.com>
Reviewed by Kent Tamura.
M_formElementsWithFormAttribute not cleared when FormAssociatedElement is inserted with a null m_form and then removed.
https://bugs.webkit.org/show_bug.cgi?id=51905
Calls unregisterFormElementWithFormAttribute() when 'form' attribute
is removed.
Tests: fast/forms/form-associated-element-crash.html
fast/forms/form-associated-element-crash2.html
* html/FormAssociatedElement.cpp:
(WebCore::FormAssociatedElement::formAttributeChanged):
2011-01-12 Kenichi Ishibashi <bashi at google.com>
Reviewed by Kent Tamura.
M_formElementsWithFormAttribute not cleared when FormAssociatedElement is inserted with a null m_form and then removed.
https://bugs.webkit.org/show_bug.cgi?id=51905
Add test for crash when modifying the form attribute of a form
associated element before removing it.
* fast/forms/form-associated-element-crash-expected.txt: Added.
* fast/forms/form-associated-element-crash.html: Added.
* fast/forms/form-associated-element-crash2-expected.txt: Added.
* fast/forms/form-associated-element-crash2.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@75676 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index c93aa41..b906ac6 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -2,6 +2,21 @@
Reviewed by Kent Tamura.
+ M_formElementsWithFormAttribute not cleared when FormAssociatedElement is inserted with a null m_form and then removed.
+ https://bugs.webkit.org/show_bug.cgi?id=51905
+
+ Add test for crash when modifying the form attribute of a form
+ associated element before removing it.
+
+ * fast/forms/form-associated-element-crash-expected.txt: Added.
+ * fast/forms/form-associated-element-crash.html: Added.
+ * fast/forms/form-associated-element-crash2-expected.txt: Added.
+ * fast/forms/form-associated-element-crash2.html: Added.
+
+2011-01-12 Kenichi Ishibashi <bashi at google.com>
+
+ Reviewed by Kent Tamura.
+
M_formElementsWithFormAttribute not cleared when Node is moved to another document.
https://bugs.webkit.org/show_bug.cgi?id=51418
diff --git a/LayoutTests/fast/forms/form-associated-element-crash-expected.txt b/LayoutTests/fast/forms/form-associated-element-crash-expected.txt
new file mode 100644
index 0000000..8deeea7
--- /dev/null
+++ b/LayoutTests/fast/forms/form-associated-element-crash-expected.txt
@@ -0,0 +1,4 @@
+This page is a test case for Bug 51905. WebKit should not crash when this page is loaded.
+
+PASS
+
diff --git a/LayoutTests/fast/forms/form-associated-element-crash.html b/LayoutTests/fast/forms/form-associated-element-crash.html
new file mode 100644
index 0000000..80aae53
--- /dev/null
+++ b/LayoutTests/fast/forms/form-associated-element-crash.html
@@ -0,0 +1,45 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+if (!window.gc) {
+ gc = function () {
+ if (window.GCController)
+ return GCController.collect();
+ for (var i = 0; i < 10000; i++)
+ var s = new String("abc");
+ }
+}
+
+var element = document.createElement('input');
+
+function test() {
+ element.setAttribute('form', 'form1');
+ document.body.appendChild(element);
+ element.attributes.removeNamedItem('form');
+ setTimeout(delay, 0);
+}
+
+function delay() {
+ document.body.removeChild(element);
+ element = 0;
+ gc();
+ var form = document.createElement('form');
+ form.setAttribute('id', 'form2');
+ document.body.appendChild(form);
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+}
+</script>
+</head>
+<body onload="test()">
+<p>
+This page is a test case for <a href="https://bugs.webkit.org/show_bug.cgi?id=51905">Bug 51905</a>. WebKit should not crash when this page is loaded.
+</p>
+PASS
+</body>
+</html>
diff --git a/LayoutTests/fast/forms/form-associated-element-crash2-expected.txt b/LayoutTests/fast/forms/form-associated-element-crash2-expected.txt
new file mode 100644
index 0000000..8deeea7
--- /dev/null
+++ b/LayoutTests/fast/forms/form-associated-element-crash2-expected.txt
@@ -0,0 +1,4 @@
+This page is a test case for Bug 51905. WebKit should not crash when this page is loaded.
+
+PASS
+
diff --git a/LayoutTests/fast/forms/form-associated-element-crash2.html b/LayoutTests/fast/forms/form-associated-element-crash2.html
new file mode 100644
index 0000000..2030306
--- /dev/null
+++ b/LayoutTests/fast/forms/form-associated-element-crash2.html
@@ -0,0 +1,48 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+function gc() {
+ var array = [];
+ for (var i = 0x30000; i--; )
+ if (!(Math.round(Math.random() * 20)))
+ array = [];
+ else
+ array.push(new String(Math.random()))
+}
+
+function test()
+{
+ var element = document.createElement('input');
+ element.setAttribute('form', 'form1');
+ var div = document.createElement('div');
+ div.appendChild(element);
+ element.removeAttribute('form');
+ div.innerHTML = '';
+ element = 0;
+ gc();
+ setTimeout(delay, 0);
+}
+
+function delay()
+{
+ var form = document.createElement('form');
+ form.setAttribute('id', 'form2');
+ document.body.appendChild(form);
+ location.reload();
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+}
+</script>
+</head>
+<body onload="test()">
+<p>
+This page is a test case for <a href="https://bugs.webkit.org/show_bug.cgi?id=51905">Bug 51905</a>. WebKit should not crash when this page is loaded.
+</p>
+PASS
+</body>
+</html>
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index ac31934..9abfd5c 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -2,6 +2,22 @@
Reviewed by Kent Tamura.
+ M_formElementsWithFormAttribute not cleared when FormAssociatedElement is inserted with a null m_form and then removed.
+ https://bugs.webkit.org/show_bug.cgi?id=51905
+
+ Calls unregisterFormElementWithFormAttribute() when 'form' attribute
+ is removed.
+
+ Tests: fast/forms/form-associated-element-crash.html
+ fast/forms/form-associated-element-crash2.html
+
+ * html/FormAssociatedElement.cpp:
+ (WebCore::FormAssociatedElement::formAttributeChanged):
+
+2011-01-12 Kenichi Ishibashi <bashi at google.com>
+
+ Reviewed by Kent Tamura.
+
M_formElementsWithFormAttribute not cleared when Node is moved to another document.
https://bugs.webkit.org/show_bug.cgi?id=51418
diff --git a/Source/WebCore/html/FormAssociatedElement.cpp b/Source/WebCore/html/FormAssociatedElement.cpp
index df74f4e..574dfe5 100644
--- a/Source/WebCore/html/FormAssociatedElement.cpp
+++ b/Source/WebCore/html/FormAssociatedElement.cpp
@@ -147,6 +147,7 @@ void FormAssociatedElement::formAttributeChanged()
m_form = element->findFormAncestor();
if (m_form)
form()->registerFormElement(this);
+ element->document()->unregisterFormElementWithFormAttribute(this);
} else
resetFormOwner(0);
}
--
WebKit Debian packaging
More information about the Pkg-webkit-commits
mailing list