ASSERT_WITH_SECURITY_IMPLICATION in WebCore::DocumentOrderedMap::get(); update form
authordbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 7 Sep 2015 22:46:43 +0000 (22:46 +0000)
committerdbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 7 Sep 2015 22:46:43 +0000 (22:46 +0000)
commit0e4cc0fbd9b8dbe592ad11117bdbc96a4788f746
treeb9ad7e781b55cb3079a557e336c8069dd1824e6e
parent0b996a014d84e2d0a118345a0cee5423008af6d1
ASSERT_WITH_SECURITY_IMPLICATION in WebCore::DocumentOrderedMap::get(); update form
association after subtree insertion
https://bugs.webkit.org/show_bug.cgi?id=148919
<rdar://problem/21868036>

Patch by Daniel Bates <dabates@apple.com> on 2015-09-07
Reviewed by Andy Estes.

Source/WebCore:

Currently we update the form association of a form control upon insertion into
the document. Instead we should update the form association of a form control
after its containing subtree is inserted into the document to avoid an assertion
failure when the containing subtree has an element whose id is identical to both
the id of some other element in the document and the name of the form referenced
by the inserted form control.

Tests: fast/forms/update-form-owner-in-moved-subtree-assertion-failure-2.html
       fast/forms/update-form-owner-in-moved-subtree-assertion-failure-3.html
       fast/forms/update-form-owner-in-moved-subtree-assertion-failure-4.html
       fast/forms/update-form-owner-in-moved-subtree-assertion-failure.html

* html/FormAssociatedElement.cpp:
(WebCore::FormAssociatedElement::insertedInto): Moved resetFormOwner() from here
to {HTMLFormControlElement, HTMLObjectElement}::finishedInsertingSubtree().
* html/HTMLFormControlElement.cpp:
(WebCore::HTMLFormControlElement::insertedInto): Return InsertionShouldCallFinishedInsertingSubtree
so that HTMLFormControlElement::finishedInsertingSubtree() is called.
(WebCore::HTMLFormControlElement::finishedInsertingSubtree): Added; turn around and
call FormAssociatedElement::resetFormOwner().
* html/HTMLFormControlElement.h:
* html/HTMLInputElement.cpp:
(WebCore::HTMLInputElement::insertedInto): Return InsertionShouldCallFinishedInsertingSubtree so
that HTMLInputElement::finishedInsertingSubtree() is called and move logic to update radio button
group from here...
(WebCore::HTMLInputElement::finishedInsertingSubtree): to here.
* html/HTMLInputElement.h:
* html/HTMLObjectElement.cpp:
(WebCore::HTMLObjectElement::insertedInto): Return InsertionShouldCallFinishedInsertingSubtree so
that HTMLObjectElement::finishedInsertingSubtree() is called.
(WebCore::HTMLObjectElement::finishedInsertingSubtree): Added; turn around and
call FormAssociatedElement::resetFormOwner().
* html/HTMLObjectElement.h:
* html/HTMLSelectElement.cpp:
(WebCore::HTMLSelectElement::insertedInto): Modified to return the result of
HTMLFormControlElementWithState::insertedInto(), which may schedule a callback after subtree
insertion.
* html/HTMLTextFormControlElement.cpp:
(WebCore::HTMLTextFormControlElement::insertedInto): Ditto.

LayoutTests:

Add tests to ensure that updating the form association of a form control in a subtree
does not cause an assertion failure.

* fast/forms/update-form-owner-in-moved-subtree-assertion-failure-2-expected.txt: Added.
* fast/forms/update-form-owner-in-moved-subtree-assertion-failure-2.html: Added.
* fast/forms/update-form-owner-in-moved-subtree-assertion-failure-3-expected.txt: Added.
* fast/forms/update-form-owner-in-moved-subtree-assertion-failure-3.html: Added.
* fast/forms/update-form-owner-in-moved-subtree-assertion-failure-4-expected.txt: Added.
* fast/forms/update-form-owner-in-moved-subtree-assertion-failure-4.html: Added.
* fast/forms/update-form-owner-in-moved-subtree-assertion-failure-expected.txt: Added.
* fast/forms/update-form-owner-in-moved-subtree-assertion-failure.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@189469 268f45cc-cd09-0410-ab3c-d52691b4dbfc
19 files changed:
LayoutTests/ChangeLog
LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-2-expected.txt [new file with mode: 0644]
LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-2.html [new file with mode: 0644]
LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-3-expected.txt [new file with mode: 0644]
LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-3.html [new file with mode: 0644]
LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-4-expected.txt [new file with mode: 0644]
LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-4.html [new file with mode: 0644]
LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-expected.txt [new file with mode: 0644]
LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/html/FormAssociatedElement.cpp
Source/WebCore/html/HTMLFormControlElement.cpp
Source/WebCore/html/HTMLFormControlElement.h
Source/WebCore/html/HTMLInputElement.cpp
Source/WebCore/html/HTMLInputElement.h
Source/WebCore/html/HTMLObjectElement.cpp
Source/WebCore/html/HTMLObjectElement.h
Source/WebCore/html/HTMLSelectElement.cpp
Source/WebCore/html/HTMLTextFormControlElement.cpp