author    rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Wed, 5 Dec 2018 23:06:49 +0000 (23:06 +0000)
committer rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Wed, 5 Dec 2018 23:06:49 +0000 (23:06 +0000)
commit    5ec7136f31abd3db06f27a15d7acc5568fa0793a
tree      a99bc4c004c6d12ebf3e3bdd1745f4448bce884f
parent    5dc15ea4039b27289594fe25125dec9e6d1a8ddf
Null pointer crash in DocumentOrderedMap::getElementById via FormAssociatedElement::findAssociatedForm
https://bugs.webkit.org/show_bug.cgi?id=192392

Reviewed by Dean Jackson.

Source/WebCore:

The crash was caused by FormAssociatedElement::findAssociatedForm invoking DocumentOrderedMap::getElementById
and de-referencing nullptr Attribute* via IdTargetObserver before Element::attributeChanged had updated
ElementData::m_idForStyleResolution.

Fixed it by updating m_idForStyleResolution before invoking IdTargetObservers.

Test: fast/dom/remove-id-form-associated-elemet-id-observer-crash.html

* dom/Element.cpp:
(WebCore::Element::attributeChanged): Fixed the bug.

LayoutTests:

Added a regression test.

* fast/dom/remove-id-form-associated-elemet-id-observer-crash-expected.txt: Added.
* fast/dom/remove-id-form-associated-elemet-id-observer-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@238912 268f45cc-cd09-0410-ab3c-d52691b4dbfc
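The ordering problem the commit describes, as a simplified model added here (assumed names, not WebKit's own code): an id observer looks the element up by its new id while the element's cached id still holds the old value, so the lookup yields null, and the fix is to refresh the cache before notifying observers.

```cpp
// Simplified model (assumed names, not WebKit's code) of the ordering bug in the
// commit above: an IdTargetObserver looks the element up by its new id while the
// element's cached id (m_idForStyleResolution) still holds the old value.
#include <functional>
#include <map>
#include <string>
#include <vector>

struct Element;

// Stands in for DocumentOrderedMap: maps an id to an element, but only trusts the
// entry if the element's cached id still matches the requested key.
struct DocumentOrderedMap {
    std::map<std::string, Element*> byId;
    Element* getElementById(const std::string& id) const;
};

struct Element {
    std::string idForStyleResolution;  // models ElementData::m_idForStyleResolution
    DocumentOrderedMap* map = nullptr;
    std::vector<std::function<void(const std::string&)>> idObservers;  // IdTargetObservers
};

Element* DocumentOrderedMap::getElementById(const std::string& id) const {
    auto it = byId.find(id);
    if (it == byId.end() || it->second->idForStyleResolution != id)
        return nullptr;  // a stale cached id makes the entry look invalid
    return it->second;
}

// Models Element::attributeChanged for the id attribute. With fixed == false the
// observers run before the cached id is updated (the crashing order); with
// fixed == true the cache is refreshed first, which is what the commit changes.
void attributeChanged(Element& e, const std::string& newId, bool fixed) {
    e.map->byId.erase(e.idForStyleResolution);
    e.map->byId[newId] = &e;
    if (fixed) e.idForStyleResolution = newId;   // fix: update the cache first
    for (auto& observer : e.idObservers) observer(newId);
    if (!fixed) e.idForStyleResolution = newId;  // original order: updated too late
}

// Runs one id change in the requested order; returns whether the observer's
// lookup found the element (a real observer would dereference that result).
bool lookupSucceeds(bool fixed) {
    DocumentOrderedMap map;
    Element form;
    form.map = &map;
    form.idForStyleResolution = "old";
    map.byId["old"] = &form;
    bool found = false;
    form.idObservers.push_back([&](const std::string& id) {
        found = map.getElementById(id) != nullptr;
    });
    attributeChanged(form, "new", fixed);
    return found;
}
```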
LayoutTests/ChangeLog
LayoutTests/fast/dom/remove-id-form-associated-elemet-id-observer-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/remove-id-form-associated-elemet-id-observer-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/Element.cpp