2011-04-12 Kenichi Ishibashi <bashi@chromium.org>
author tkent@chromium.org <tkent@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 13 Apr 2011 03:24:58 +0000 (03:24 +0000)
committer tkent@chromium.org <tkent@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 13 Apr 2011 03:24:58 +0000 (03:24 +0000)
        Reviewed by Kent Tamura.

        Fix wrong calculation of HTMLFormElement::m_associatedElementsAfterIndex.
        https://bugs.webkit.org/show_bug.cgi?id=58247

        Added tests which ensure that the calculation of
        m_associatedElementsAfterIndex doesn't go wrong.

        * fast/dom/HTMLFormElement/associated-elements-after-index-assertion-fail1-expected.txt: Added.
        * fast/dom/HTMLFormElement/associated-elements-after-index-assertion-fail1.html: Added.
        * fast/dom/HTMLFormElement/associated-elements-after-index-assertion-fail2-expected.txt: Added.
        * fast/dom/HTMLFormElement/associated-elements-after-index-assertion-fail2.html: Added.
2011-04-12  Kenichi Ishibashi  <bashi@chromium.org>

        Reviewed by Kent Tamura.

        Fix wrong calculation of HTMLFormElement::m_associatedElementsAfterIndex.
        https://bugs.webkit.org/show_bug.cgi?id=58247

        - Increment m_associatedElementsAfterIndex when the form owner and an
        inserted form associated element have the same parent chain.
        - Always iterate over m_associatedElements to decrease indexes when a
        form associated element is removed. This is needed for the case where the
        form associated element is removed from the form element due to
        deleting the 'form' attribute. No behavioral change expected with this
        change.

        Tests: fast/dom/HTMLFormElement/associated-elements-after-index-assertion-fail1.html
               fast/dom/HTMLFormElement/associated-elements-after-index-assertion-fail2.html

        * html/HTMLFormElement.cpp:
        (WebCore::HTMLFormElement::formElementIndexWithFormAttribute):
        Increment m_associatedElementsAfterIndex when compareDocumentPosition()
        returns DOCUMENT_POSITION_CONTAINED_BY.
        (WebCore::HTMLFormElement::removeFormElement):
        Always iterate m_associatedElements to adjust indexes.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@83690 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/dom/HTMLFormElement/associated-elements-after-index-assertion-fail1-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/HTMLFormElement/associated-elements-after-index-assertion-fail1.html [new file with mode: 0644]
LayoutTests/fast/dom/HTMLFormElement/associated-elements-after-index-assertion-fail2-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/HTMLFormElement/associated-elements-after-index-assertion-fail2.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/html/HTMLFormElement.cpp

index ba09537..c55805e 100644 (file)
@@ -1,3 +1,18 @@
+2011-04-12  Kenichi Ishibashi  <bashi@chromium.org>
+
+        Reviewed by Kent Tamura.
+
+        Fix wrong calculation of HTMLFormElement::m_associatedElementsAfterIndex.
+        https://bugs.webkit.org/show_bug.cgi?id=58247
+
+        Added tests which ensure calculation of m_associatedElementsAfterIndex
+        doesn't get wrong.
+
+        * fast/dom/HTMLFormElement/associated-elements-after-index-assertion-fail1-expected.txt: Added.
+        * fast/dom/HTMLFormElement/associated-elements-after-index-assertion-fail1.html: Added.
+        * fast/dom/HTMLFormElement/associated-elements-after-index-assertion-fail2-expected.txt: Added.
+        * fast/dom/HTMLFormElement/associated-elements-after-index-assertion-fail2.html: Added.
+
 2011-04-12  Jian Li  <jianli@chromium.org>
 
         Unreviewed, update chromium test expectations.
diff --git a/LayoutTests/fast/dom/HTMLFormElement/associated-elements-after-index-assertion-fail1-expected.txt b/LayoutTests/fast/dom/HTMLFormElement/associated-elements-after-index-assertion-fail1-expected.txt
new file mode 100644 (file)
index 0000000..02d7cb5
--- /dev/null
@@ -0,0 +1,4 @@
+This page verifies fix for bug 58247. WebKit should not crash when this page is rendered.
+
+
+PASS
diff --git a/LayoutTests/fast/dom/HTMLFormElement/associated-elements-after-index-assertion-fail1.html b/LayoutTests/fast/dom/HTMLFormElement/associated-elements-after-index-assertion-fail1.html
new file mode 100644 (file)
index 0000000..c9d7fe3
--- /dev/null
@@ -0,0 +1,18 @@
+<head>
+  <script>
+      function pass() {
+          var div = document.createElement('div');
+          div.innerHTML = 'PASS';
+          document.body.appendChild(div);
+      }
+      if (window.layoutTestController)
+          layoutTestController.dumpAsText();
+  </script>
+</head>
+<body onload="pass()">
+<p>This page verifies fix for bug 58247. WebKit should not crash when this page is rendered.</p>
+
+<a </var><form><button  form="f"><progress>
+<keygen form="f"><a </datalist><button>
+</body>
+
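Review bot: pass() in the <script> block writes PASS unconditionally from onload, so this test can only fail by crashing or hitting an assertion; it never checks the form's bookkeeping itself. Consider also asserting on something observable from script, for example the length and order of document.forms[0].elements, so that a miscount is reported as a failure even when no assertion fires.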
diff --git a/LayoutTests/fast/dom/HTMLFormElement/associated-elements-after-index-assertion-fail2-expected.txt b/LayoutTests/fast/dom/HTMLFormElement/associated-elements-after-index-assertion-fail2-expected.txt
new file mode 100644 (file)
index 0000000..02d7cb5
--- /dev/null
@@ -0,0 +1,4 @@
+This page verifies fix for bug 58247. WebKit should not crash when this page is rendered.
+
+
+PASS
diff --git a/LayoutTests/fast/dom/HTMLFormElement/associated-elements-after-index-assertion-fail2.html b/LayoutTests/fast/dom/HTMLFormElement/associated-elements-after-index-assertion-fail2.html
new file mode 100644 (file)
index 0000000..5f68010
--- /dev/null
@@ -0,0 +1,17 @@
+<head>
+  <script>
+      function pass() {
+          var div = document.createElement('div');
+          div.innerHTML = 'PASS';
+          document.body.appendChild(div);
+      }
+      if (window.layoutTestController)
+          layoutTestController.dumpAsText();
+  </script>
+</head>
+<body onload="pass()">
+<p>This page verifies fix for bug 58247. WebKit should not crash when this page is rendered.</p>
+
+<form><em><ol </del><fieldset  form="f"</sub><option </dt><button  form="f"></em><meter </time>
+</body>
+
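Review bot: the markup line after the <p> (the one starting <form><em><ol </del><fieldset form="f") carries no comment saying which of its parts matters, and form="f" names an id that nothing in this file declares. Add a short comment stating which of the two ChangeLog cases this file exercises (insertion with the same parent chain, or removal) and whether the dangling form="f" is intentional, so the test can be reduced or maintained later.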
index a6054dd..7a06409 100644 (file)
@@ -1,3 +1,28 @@
+2011-04-12  Kenichi Ishibashi  <bashi@chromium.org>
+
+        Reviewed by Kent Tamura.
+
+        Fix wrong calculation of HTMLFormElement::m_associatedElementsAfterIndex.
+        https://bugs.webkit.org/show_bug.cgi?id=58247
+
+        - Increment m_associatedElementsAfterIndex when the form owner and an
+        inserted form associated element have the same parent chain.
+        - Always iterate over m_associatedElements to decrease indexes when a
+        form associated element is removed. This is needed for a case that the
+        form associated element is removed from the form element due to
+        deleting the 'form' attribute. No behavioral change expected with this
+        change.
+
+        Tests: fast/dom/HTMLFormElement/associated-elements-after-index-assertion-fail1.html
+               fast/dom/HTMLFormElement/associated-elements-after-index-assertion-fail2.html
+
+        * html/HTMLFormElement.cpp:
+        (WebCore::HTMLFormElement::formElementIndexWithFormAttribute):
+        Incremet m_associatedElementsAfterIndex when compareDocumentPosition()
+        returns DOCUMENT_POSITION_CONTAINED_BY.
+        (WebCore::HTMLFormElement::removeFormElement):
+        Always iterate m_associatedElements to adjust indexes.
+
 2011-04-12  Diego Gonzalez  <diegohcg@webkit.org>
 
         Reviewed by Kenneth Rohde Christiansen.
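Review bot: typo in the entry for formElementIndexWithFormAttribute: "Incremet" should be "Increment". Also, "No behavioral change expected with this change" sits at the end of the second bullet, so it is unclear whether it applies only to the removeFormElement change or to the whole patch; since the patch fixes an assertion failure, say which.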
index 76534c3..cfea3d8 100644 (file)
@@ -411,7 +411,7 @@ unsigned HTMLFormElement::formElementIndexWithFormAttribute(Element* element)
     // Compares the position of the form element and the inserted element.
     // Updates the indeces in order to the relation of the position:
     unsigned short position = compareDocumentPosition(element);
-    if (position & DOCUMENT_POSITION_CONTAINS)
+    if (position & (DOCUMENT_POSITION_CONTAINS | DOCUMENT_POSITION_CONTAINED_BY))
         ++m_associatedElementsAfterIndex;
     else if (position & DOCUMENT_POSITION_PRECEDING) {
         ++m_associatedElementsBeforeIndex;
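Review bot: the comment above the changed condition ("Updates the indeces in order to the relation of the position") is left as it was and does not explain why DOCUMENT_POSITION_CONTAINED_BY is now handled together with DOCUMENT_POSITION_CONTAINS. Add a line saying that an element in the same parent chain as the form, in either direction, increments only m_associatedElementsAfterIndex; "indeces" could be corrected to "indices" while the comment is being touched.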
@@ -482,18 +482,15 @@ void HTMLFormElement::removeFormElement(FormAssociatedElement* e)
 {
     if (e->isFormControlElement())
         m_checkedRadioButtons.removeButton(static_cast<HTMLFormControlElement*>(e));
-    HTMLElement* element = toHTMLElement(e);
-    if (element->fastHasAttribute(formAttr)) {
-        unsigned index;
-        for (index = 0; index < m_associatedElements.size(); ++index)
-            if (m_associatedElements[index] == e)
-                break;
-        ASSERT(index < m_associatedElements.size());
-        if (index < m_associatedElementsBeforeIndex)
-            --m_associatedElementsBeforeIndex;
-        if (index < m_associatedElementsAfterIndex)
-            --m_associatedElementsAfterIndex;
-    } else
+    unsigned index;
+    for (index = 0; index < m_associatedElements.size(); ++index) {
+        if (m_associatedElements[index] == e)
+            break;
+    }
+    ASSERT(index < m_associatedElements.size());
+    if (index < m_associatedElementsBeforeIndex)
+        --m_associatedElementsBeforeIndex;
+    if (index < m_associatedElementsAfterIndex)
         --m_associatedElementsAfterIndex;
     removeFromVector(m_associatedElements, e);
 }
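Review bot: the loop added at the top of the new body finds the position of e in m_associatedElements, and removeFromVector(m_associatedElements, e) at the end then searches the same vector a second time; now that the scan runs on every removal, consider removing by the index already found. Separately, the not-found case is covered only by ASSERT(index < m_associatedElements.size()); a brief comment on what keeps m_associatedElementsBeforeIndex and m_associatedElementsAfterIndex consistent when that assertion is compiled out would help.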