[SCM] WebKit Debian packaging branch, webkit-1.3, updated. upstream/1.3.7-4207-g178b198
tkent at chromium.org
Mon Feb 21 00:25:24 UTC 2011
The following commit has been merged in the webkit-1.3 branch:
commit fc1929013018ef9b11f89acf64c114e23af5ac07
Author: tkent at chromium.org <tkent at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Mon Jan 31 07:18:06 2011 +0000
2011-01-30 Kenichi Ishibashi <bashi at google.com>
Reviewed by Kent Tamura.
Dangling form associated elements should not be registered on the document
https://bugs.webkit.org/show_bug.cgi?id=53223
Adds insertedIntoDocument() and removedFromDocument() to
FormAssociatedElement class to register the element on the document
if and only if it is actually inserted into (removed from) the document.
Test: fast/forms/dangling-form-element-crash.html
* html/FormAssociatedElement.cpp:
(WebCore::FormAssociatedElement::insertedIntoDocument): Added.
(WebCore::FormAssociatedElement::removedFromDocument): Ditto.
(WebCore::FormAssociatedElement::insertedIntoTree): Don't register
the element to a document.
(WebCore::FormAssociatedElement::removedFromTree): Don't unregister
the element from a document.
* html/FormAssociatedElement.h:
* html/HTMLFormControlElement.cpp:
(WebCore::HTMLFormControlElement::insertedIntoDocument): Added.
(WebCore::HTMLFormControlElement::removedFromDocument): Ditto.
* html/HTMLFormControlElement.h:
* html/HTMLObjectElement.cpp:
(WebCore::HTMLObjectElement::insertedIntoDocument): Calls
FormAssociatedElement::insertedIntoDocument().
(WebCore::HTMLObjectElement::removedFromDocument): Calls
FormAssociatedElement::removedFromDocument().
2011-01-30 Kenichi Ishibashi <bashi at google.com>
Reviewed by Kent Tamura.
Dangling form associated elements should not be registered on the document
https://bugs.webkit.org/show_bug.cgi?id=53223
Adds a test that ensures dangling form associated elements are not
registered on the document.
* fast/forms/dangling-form-element-crash-expected.txt: Added.
* fast/forms/dangling-form-element-crash.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77114 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 5bcddb2..11f9b65 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2011-01-30 Kenichi Ishibashi <bashi at google.com>
+
+ Reviewed by Kent Tamura.
+
+ Dangling form associated elements should not be registered on the document
+ https://bugs.webkit.org/show_bug.cgi?id=53223
+
+ Adds a test that ensures dangling form associated elements are not
+ registered on the document.
+
+ * fast/forms/dangling-form-element-crash-expected.txt: Added.
+ * fast/forms/dangling-form-element-crash.html: Added.
+
2011-01-30 Simon Fraser <simon.fraser at apple.com>
Reviewed by Sam Weinig.
diff --git a/LayoutTests/fast/forms/dangling-form-element-crash-expected.txt b/LayoutTests/fast/forms/dangling-form-element-crash-expected.txt
new file mode 100644
index 0000000..45001df
--- /dev/null
+++ b/LayoutTests/fast/forms/dangling-form-element-crash-expected.txt
@@ -0,0 +1,3 @@
+Checks dangling form associated elements doesn't cause crash. WebKit should not crash when this page is loaded.
+
+PASS
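Review bot: The first line of the expectation has a number-agreement error ("elements doesn't cause crash"); since this file must match the text of the `<p>` in dangling-form-element-crash.html byte for byte, fix the wording in both places together, e.g. "Checks that dangling form associated elements don't cause a crash." Also note that with `dumpAsText()` the dumped output is only the visible text, so anything else added to the body later (the "PASS" marker) has to match this file exactly too.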
diff --git a/LayoutTests/fast/forms/dangling-form-element-crash.html b/LayoutTests/fast/forms/dangling-form-element-crash.html
new file mode 100644
index 0000000..f5d097e
--- /dev/null
+++ b/LayoutTests/fast/forms/dangling-form-element-crash.html
@@ -0,0 +1,36 @@
+<html>
+ <script>
+ if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+ }
+
+ function gc() {
+ if (window.GCController)
+ return GCController.collect();
+ for (var i = 0; i < 10000; ++i)
+ var s = new String("foo");
+ }
+
+ function resetFormOwner() {
+ gc();
+ var form = document.createElement('form');
+ form.id = 'foo';
+ document.body.appendChild(form);
+ document.body.innerHTML += 'PASS';
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }
+
+ function test() {
+ var div = document.createElement('div');
+ var input = document.createElement('input');
+ input.setAttribute('form', 'foo');
+ div.appendChild(input);
+ setTimeout(resetFormOwner, 0);
+ }
+ </script>
+<body onload="test()">
+<p>Checks dangling form associated elements doesn't cause crash. WebKit should not crash when this page is loaded.</p>
+</body>
+</html>
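Review bot: The fallback branch of `gc()` (the `new String("foo")` loop) does not guarantee a collection, so outside DumpRenderTree, where `window.GCController` is absent, the dangling `input` created in `test()` may still be alive when the form with id `foo` is appended, and the page prints PASS without ever exercising the path the bug report describes; it would help to state in the `<p>` text, or in a comment next to `gc()`, that the test is only meaningful under a harness that exposes `GCController`. A smaller point in `resetFormOwner()`: `document.body.innerHTML += 'PASS';` re-serialises and re-parses the whole body, which discards and recreates the existing `<p>` and `<form>` nodes; `document.body.appendChild(document.createTextNode('PASS'));` reports the result without disturbing the nodes the test just set up. The `<p>` wording also has the same "elements doesn't" agreement error as the expected file.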
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 90111f8..5cf4c84 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,34 @@
+2011-01-30 Kenichi Ishibashi <bashi at google.com>
+
+ Reviewed by Kent Tamura.
+
+ Dangling form associated elements should not be registered on the document
+ https://bugs.webkit.org/show_bug.cgi?id=53223
+
+ Adds insertedIntoDocument() and remvoedFromDocument() to
+ FormAssociatedElement class to register the element on the document
+ if and only if it actually inserted into (removed from) the document.
+
+ Test: fast/forms/dangling-form-element-crash.html
+
+ * html/FormAssociatedElement.cpp:
+ (WebCore::FormAssociatedElement::insertedIntoDocument): Added.
+ (WebCore::FormAssociatedElement::removedFromDocument): Ditto.
+ (WebCore::FormAssociatedElement::insertedIntoTree): Don't register
+ the element to a document.
+ (WebCore::FormAssociatedElement::removedFromTree): Don't unregister
+ the element from a document.
+ * html/FormAssociatedElement.h:
+ * html/HTMLFormControlElement.cpp:
+ (WebCore::HTMLFormControlElement::insertedIntoDocument): Added.
+ (WebCore::HTMLFormControlElement::removedFromDocument): Ditto.
+ * html/HTMLFormControlElement.h:
+ * html/HTMLObjectElement.cpp:
+ (WebCore::HTMLObjectElement::insertedIntoDocument): Calls
+ FormAssociatedElement::insertedIntoDocument().
+ (WebCore::HTMLObjectElement::removedFromDocument): Calls
+ FormAssociatedElement::removedFromDocument().
+
2011-01-30 Csaba Osztrogonác <ossy at webkit.org>
Unreviewed, rolling out r77098, r77099, r77100, r77109, and
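Review bot: Two wording issues in the new ChangeLog entry: "remvoedFromDocument()" should read "removedFromDocument()" (the function name as declared in FormAssociatedElement.h), and "if and only if it actually inserted into" should be "if and only if it is actually inserted into". Since ChangeLog text is what people grep when tracing a regression back to this change, the misspelled function name in particular is worth correcting.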
diff --git a/Source/WebCore/html/FormAssociatedElement.cpp b/Source/WebCore/html/FormAssociatedElement.cpp
index 574dfe5..3571744 100644
--- a/Source/WebCore/html/FormAssociatedElement.cpp
+++ b/Source/WebCore/html/FormAssociatedElement.cpp
@@ -59,11 +59,24 @@ void FormAssociatedElement::willMoveToNewOwnerDocument()
element->document()->unregisterFormElementWithFormAttribute(this);
}
+void FormAssociatedElement::insertedIntoDocument()
+{
+ HTMLElement* element = toHTMLElement(this);
+ if (element->fastHasAttribute(formAttr))
+ element->document()->registerFormElementWithFormAttribute(this);
+}
+
+void FormAssociatedElement::removedFromDocument()
+{
+ HTMLElement* element = toHTMLElement(this);
+ if (element->fastHasAttribute(formAttr))
+ element->document()->unregisterFormElementWithFormAttribute(this);
+}
+
void FormAssociatedElement::insertedIntoTree()
{
HTMLElement* element = toHTMLElement(this);
if (element->fastHasAttribute(formAttr)) {
- element->document()->registerFormElementWithFormAttribute(this);
Element* formElement = element->document()->getElementById(element->fastGetAttribute(formAttr));
if (formElement && formElement->hasTagName(formTag)) {
if (m_form)
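Review bot: `willMoveToNewOwnerDocument()` (the context at the top of this hunk) still calls `unregisterFormElementWithFormAttribute(this)` whenever the `form` attribute is present, but after this change an element is only registered once `insertedIntoDocument()` has run, so an element that never entered a document and is then adopted into another one will be unregistered from a registry it was never added to; please confirm that `unregisterFormElementWithFormAttribute` tolerates an unknown element, or guard that call the same way registration is now guarded. Separately, `insertedIntoTree()` keeps doing the `getElementById()` lookup through `element->document()` even for subtrees that are not in the document; that is harmless but it means a detached element can still acquire `m_form` while no longer being registered, which is the asymmetry this patch intends, so a one-line comment above the lookup saying that registration now happens only in `insertedIntoDocument()` would save the next reader from re-deriving it.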
@@ -94,8 +107,6 @@ static inline Node* findRoot(Node* n)
void FormAssociatedElement::removedFromTree()
{
HTMLElement* element = toHTMLElement(this);
- if (element->fastHasAttribute(formAttr))
- element->document()->unregisterFormElementWithFormAttribute(this);
// If the form and element are both in the same tree, preserve the connection to the form.
// Otherwise, null out our form and remove ourselves from the form's list of elements.
diff --git a/Source/WebCore/html/FormAssociatedElement.h b/Source/WebCore/html/FormAssociatedElement.h
index ebefdc6..aa5abd9 100644
--- a/Source/WebCore/html/FormAssociatedElement.h
+++ b/Source/WebCore/html/FormAssociatedElement.h
@@ -63,7 +63,8 @@ protected:
void insertedIntoTree();
void removedFromTree();
-
+ void insertedIntoDocument();
+ void removedFromDocument();
void willMoveToNewOwnerDocument();
void setForm(HTMLFormElement* form) { m_form = form; }
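Review bot: `insertedIntoDocument()` and `removedFromDocument()` are added here as plain protected members, like `insertedIntoTree()` / `removedFromTree()`, so each concrete form-associated element has to forward to them explicitly (this patch does so for HTMLFormControlElement and HTMLObjectElement); any subclass that forgets keeps the old behaviour silently, with no compiler help. A short comment on these declarations stating that subclasses must call them from their own `insertedIntoDocument()` / `removedFromDocument()` overrides would document that contract. Dropping the blank line that separated the tree hooks from `willMoveToNewOwnerDocument()` also runs the two groups together; keeping the separator would preserve the existing grouping.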
diff --git a/Source/WebCore/html/HTMLFormControlElement.cpp b/Source/WebCore/html/HTMLFormControlElement.cpp
index 18cc942..0daa521 100644
--- a/Source/WebCore/html/HTMLFormControlElement.cpp
+++ b/Source/WebCore/html/HTMLFormControlElement.cpp
@@ -165,6 +165,18 @@ void HTMLFormControlElement::removedFromTree(bool deep)
HTMLElement::removedFromTree(deep);
}
+void HTMLFormControlElement::insertedIntoDocument()
+{
+ HTMLElement::insertedIntoDocument();
+ FormAssociatedElement::insertedIntoDocument();
+}
+
+void HTMLFormControlElement::removedFromDocument()
+{
+ HTMLElement::removedFromDocument();
+ FormAssociatedElement::removedFromDocument();
+}
+
const AtomicString& HTMLFormControlElement::formControlName() const
{
const AtomicString& name = fastGetAttribute(nameAttr);
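Review bot: In `HTMLFormControlElement::removedFromDocument()` the order is `HTMLElement::removedFromDocument()` first and `FormAssociatedElement::removedFromDocument()` second, and the latter dereferences `element->document()` to find the registry to unregister from. That works as long as the base call leaves the document pointer intact, but unregistering before calling the base (tear-down in the reverse order of `insertedIntoDocument()`) removes the dependency on that detail and keeps the unregister from ever running against a stale pointer if the base implementation changes.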
diff --git a/Source/WebCore/html/HTMLFormControlElement.h b/Source/WebCore/html/HTMLFormControlElement.h
index e0be3f0..368dcfa 100644
--- a/Source/WebCore/html/HTMLFormControlElement.h
+++ b/Source/WebCore/html/HTMLFormControlElement.h
@@ -111,6 +111,8 @@ protected:
virtual void attach();
virtual void insertedIntoTree(bool deep);
virtual void removedFromTree(bool deep);
+ virtual void insertedIntoDocument();
+ virtual void removedFromDocument();
virtual void willMoveToNewOwnerDocument();
virtual bool isKeyboardFocusable(KeyboardEvent*) const;
diff --git a/Source/WebCore/html/HTMLObjectElement.cpp b/Source/WebCore/html/HTMLObjectElement.cpp
index 7e8cd41..84dc684 100644
--- a/Source/WebCore/html/HTMLObjectElement.cpp
+++ b/Source/WebCore/html/HTMLObjectElement.cpp
@@ -318,6 +318,7 @@ void HTMLObjectElement::insertedIntoDocument()
}
HTMLPlugInImageElement::insertedIntoDocument();
+ FormAssociatedElement::insertedIntoDocument();
}
void HTMLObjectElement::removedFromDocument()
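Review bot: The hunk starts at the closing brace of a block above the `HTMLPlugInImageElement::insertedIntoDocument()` call, so the first part of `HTMLObjectElement::insertedIntoDocument()` is not visible here; please check that no early `return` in that elided block can skip the new `FormAssociatedElement::insertedIntoDocument()` call, otherwise an `<object>` with a `form` attribute would reach the document without being registered, and the same check applies to the elided lines above the new call in `removedFromDocument()` below.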
@@ -329,6 +330,7 @@ void HTMLObjectElement::removedFromDocument()
}
HTMLPlugInImageElement::removedFromDocument();
+ FormAssociatedElement::removedFromDocument();
}
void HTMLObjectElement::attributeChanged(Attribute* attr, bool preserveDecls)