Fix an edge case where HTMLFormElement::removeFormElement is invoked twice with the...
authorwenson_hsieh@apple.com <wenson_hsieh@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 13 Mar 2019 23:18:26 +0000 (23:18 +0000)
committerwenson_hsieh@apple.com <wenson_hsieh@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 13 Mar 2019 23:18:26 +0000 (23:18 +0000)
commit148cc6b4e0ef42b4cae24789e63ce483f5f9b3ef
treed2a17b566b1892f831a93f58542c5ed5946afa68
parent8ab925e8a408c7b00b367c186bbd6db7969488eb
Fix an edge case where HTMLFormElement::removeFormElement is invoked twice with the same element
https://bugs.webkit.org/show_bug.cgi?id=195663
<rdar://problem/48576391>

Reviewed by Ryosuke Niwa.

Source/WebCore:

Currently, it's possible for HTMLFormControlElement's destructor to be reentrant. This may happen if the form
control element is ref'd while carrying out its destructor's logic. This may happen in two places in
HTMLFormControlElement (didChangeForm and resetDefaultButton), both of which actually don't require ensuring a
protected reference to the form control element since they should never result in any script execution.

To fix the bug, convert these strong references into raw pointers, and add ScriptDisallowedScope to ensure that
we don't change these codepaths in the future, such that they trigger arbitrary script execution.

Test: fast/forms/remove-associated-element-after-gc.html

* html/HTMLFormControlElement.cpp:
(WebCore::HTMLFormControlElement::didChangeForm):
* html/HTMLFormElement.cpp:
(WebCore::HTMLFormElement::resetDefaultButton):

LayoutTests:

Add a layout test to exercise the scenario described in the WebCore ChangeLog.

* fast/forms/remove-associated-element-after-gc-expected.txt: Added.
* fast/forms/remove-associated-element-after-gc.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@242917 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/forms/remove-associated-element-after-gc-expected.txt [new file with mode: 0644]
LayoutTests/fast/forms/remove-associated-element-after-gc.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/html/HTMLFormControlElement.cpp
Source/WebCore/html/HTMLFormElement.cpp