2011-01-30 Kenichi Ishibashi <bashi@google.com>
authortkent@chromium.org <tkent@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 31 Jan 2011 07:18:06 +0000 (07:18 +0000)
committertkent@chromium.org <tkent@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 31 Jan 2011 07:18:06 +0000 (07:18 +0000)
        Reviewed by Kent Tamura.

        Dangling form associated elements should not be registered on the document
        https://bugs.webkit.org/show_bug.cgi?id=53223

        Adds insertedIntoDocument() and removedFromDocument() to the
        FormAssociatedElement class so that the element is registered on the
        document if and only if it is actually inserted into (removed from) the document.

        Test: fast/forms/dangling-form-element-crash.html

        * html/FormAssociatedElement.cpp:
        (WebCore::FormAssociatedElement::insertedIntoDocument): Added.
        (WebCore::FormAssociatedElement::removedFromDocument): Ditto.
        (WebCore::FormAssociatedElement::insertedIntoTree): Don't register
        the element to a document.
        (WebCore::FormAssociatedElement::removedFromTree): Don't unregister
        the element from a document.
        * html/FormAssociatedElement.h:
        * html/HTMLFormControlElement.cpp:
        (WebCore::HTMLFormControlElement::insertedIntoDocument): Added.
        (WebCore::HTMLFormControlElement::removedFromDocument): Ditto.
        * html/HTMLFormControlElement.h:
        * html/HTMLObjectElement.cpp:
        (WebCore::HTMLObjectElement::insertedIntoDocument): Calls
        FormAssociatedElement::insertedIntoDocument().
        (WebCore::HTMLObjectElement::removedFromDocument): Calls
        FormAssociatedElement::removedFromDocument().

2011-01-30  Kenichi Ishibashi  <bashi@google.com>

        Reviewed by Kent Tamura.

        Dangling form associated elements should not be registered on the document
        https://bugs.webkit.org/show_bug.cgi?id=53223

        Adds a test that ensures dangling form associated elements are not
        registered on the document.

        * fast/forms/dangling-form-element-crash-expected.txt: Added.
        * fast/forms/dangling-form-element-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@77114 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/forms/dangling-form-element-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/forms/dangling-form-element-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/html/FormAssociatedElement.cpp
Source/WebCore/html/FormAssociatedElement.h
Source/WebCore/html/HTMLFormControlElement.cpp
Source/WebCore/html/HTMLFormControlElement.h
Source/WebCore/html/HTMLObjectElement.cpp

index 5bcddb2..11f9b65 100644 (file)
@@ -1,3 +1,16 @@
+2011-01-30  Kenichi Ishibashi  <bashi@google.com>
+
+        Reviewed by Kent Tamura.
+
+        Dangling form associated elements should not be registered on the document
+        https://bugs.webkit.org/show_bug.cgi?id=53223
+
+        Adds a test that ensures dangling form associated elements are not
+        registered on the document.
+
+        * fast/forms/dangling-form-element-crash-expected.txt: Added.
+        * fast/forms/dangling-form-element-crash.html: Added.
+
 2011-01-30  Simon Fraser  <simon.fraser@apple.com>
 
         Reviewed by Sam Weinig.
diff --git a/LayoutTests/fast/forms/dangling-form-element-crash-expected.txt b/LayoutTests/fast/forms/dangling-form-element-crash-expected.txt
new file mode 100644 (file)
index 0000000..45001df
--- /dev/null
@@ -0,0 +1,3 @@
+Checks dangling form associated elements doesn't cause crash. WebKit should not crash when this page is loaded.
+
+PASS
diff --git a/LayoutTests/fast/forms/dangling-form-element-crash.html b/LayoutTests/fast/forms/dangling-form-element-crash.html
new file mode 100644 (file)
index 0000000..f5d097e
--- /dev/null
@@ -0,0 +1,36 @@
+<html>
+  <script>
+    if (window.layoutTestController) {
+        layoutTestController.dumpAsText();
+        layoutTestController.waitUntilDone();
+    }
+
+    function gc() {
+        if (window.GCController)
+            return GCController.collect();
+        for (var i = 0; i < 10000; ++i)
+            var s = new String("foo");
+    }
+
+    function resetFormOwner() {
+        gc();
+        var form = document.createElement('form');
+        form.id = 'foo';
+        document.body.appendChild(form);
+        document.body.innerHTML += 'PASS';
+        if (window.layoutTestController)
+            layoutTestController.notifyDone();
+    }
+
+    function test() {
+        var div = document.createElement('div');
+        var input = document.createElement('input');
+        input.setAttribute('form', 'foo');
+        div.appendChild(input);
+        setTimeout(resetFormOwner, 0);
+    }
+  </script>
+<body onload="test()">
+<p>Checks dangling form associated elements doesn't cause crash. WebKit should not crash when this page is loaded.</p>
+</body>
+</html>
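Review bot: The test only exercises the stale-registration path if `div` and `input` are actually collected before `resetFormOwner` runs, and the fallback branch of `gc()` (the `new String("foo")` loop) gives no such guarantee, so outside DumpRenderTree the page can print PASS without ever touching the freed element. That is acceptable for a regression test but worth recording, e.g. above `function gc()`: `// Without GCController the dangling input may survive collection and the crash path is not exercised.`. Also `document.body.innerHTML += 'PASS'` re-serializes and re-parses the whole body; appending a text node would be the lighter way to signal the result, though it does not affect what the test checks.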
index 90111f8..5cf4c84 100644 (file)
@@ -1,3 +1,34 @@
+2011-01-30  Kenichi Ishibashi  <bashi@google.com>
+
+        Reviewed by Kent Tamura.
+
+        Dangling form associated elements should not be registered on the document
+        https://bugs.webkit.org/show_bug.cgi?id=53223
+
+        Adds insertedIntoDocument() and remvoedFromDocument() to
+        FormAssociatedElement class to register the element on the document
+        if and only if it actually inserted into (removed from) the document.
+
+        Test: fast/forms/dangling-form-element-crash.html
+
+        * html/FormAssociatedElement.cpp:
+        (WebCore::FormAssociatedElement::insertedIntoDocument): Added.
+        (WebCore::FormAssociatedElement::removedFromDocument): Ditto.
+        (WebCore::FormAssociatedElement::insertedIntoTree): Don't register
+        the element to a document.
+        (WebCore::FormAssociatedElement::removedFromTree): Don't unregister
+        the element from a document.
+        * html/FormAssociatedElement.h:
+        * html/HTMLFormControlElement.cpp:
+        (WebCore::HTMLFormControlElement::insertedIntoDocument): Added.
+        (WebCore::HTMLFormControlElement::removedFromDocument): Ditto.
+        * html/HTMLFormControlElement.h:
+        * html/HTMLObjectElement.cpp:
+        (WebCore::HTMLObjectElement::insertedIntoDocument): Calls
+        FormAssociatedElement::insertedIntoDocument().
+        (WebCore::HTMLObjectElement::removedFromDocument): Calls
+        FormAssociatedElement::removedFromDocument().
+
 2011-01-30  Csaba Osztrogon√°c  <ossy@webkit.org>
 
         Unreviewed, rolling out r77098, r77099, r77100, r77109, and
index 574dfe5..3571744 100644 (file)
@@ -59,11 +59,24 @@ void FormAssociatedElement::willMoveToNewOwnerDocument()
         element->document()->unregisterFormElementWithFormAttribute(this);
 }
 
+void FormAssociatedElement::insertedIntoDocument()
+{
+    HTMLElement* element = toHTMLElement(this);
+    if (element->fastHasAttribute(formAttr))
+        element->document()->registerFormElementWithFormAttribute(this);
+}
+
+void FormAssociatedElement::removedFromDocument()
+{
+    HTMLElement* element = toHTMLElement(this);
+    if (element->fastHasAttribute(formAttr))
+        element->document()->unregisterFormElementWithFormAttribute(this);
+}
+
 void FormAssociatedElement::insertedIntoTree()
 {
     HTMLElement* element = toHTMLElement(this);
     if (element->fastHasAttribute(formAttr)) {
-        element->document()->registerFormElementWithFormAttribute(this);
         Element* formElement = element->document()->getElementById(element->fastGetAttribute(formAttr));
         if (formElement && formElement->hasTagName(formTag)) {
             if (m_form)
@@ -94,8 +107,6 @@ static inline Node* findRoot(Node* n)
 void FormAssociatedElement::removedFromTree()
 {
     HTMLElement* element = toHTMLElement(this);
-    if (element->fastHasAttribute(formAttr))
-        element->document()->unregisterFormElementWithFormAttribute(this);
 
     // If the form and element are both in the same tree, preserve the connection to the form.
     // Otherwise, null out our form and remove ourselves from the form's list of elements.
index ebefdc6..aa5abd9 100644 (file)
@@ -63,7 +63,8 @@ protected:
 
     void insertedIntoTree();
     void removedFromTree();
-
+    void insertedIntoDocument();
+    void removedFromDocument();
     void willMoveToNewOwnerDocument();
 
     void setForm(HTMLFormElement* form) { m_form = form; }
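Review bot: The new hooks are protected and non-virtual, so every concrete element has to forward to them explicitly from its own `insertedIntoDocument()`/`removedFromDocument()` overrides, as `HTMLFormControlElement` and `HTMLObjectElement` do in this commit; a future `FormAssociatedElement` subclass that forgets one side silently ends up either never registered or registered past its removal. Nothing enforces that pairing, so the header should state it: `// Must be called by the concrete element's insertedIntoDocument()/removedFromDocument() overrides;` `// the document registration is only valid while the element is in the document.`.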
index 18cc942..0daa521 100644 (file)
@@ -165,6 +165,18 @@ void HTMLFormControlElement::removedFromTree(bool deep)
     HTMLElement::removedFromTree(deep);
 }
 
+void HTMLFormControlElement::insertedIntoDocument()
+{
+    HTMLElement::insertedIntoDocument();
+    FormAssociatedElement::insertedIntoDocument();
+}
+
+void HTMLFormControlElement::removedFromDocument()
+{
+    HTMLElement::removedFromDocument();
+    FormAssociatedElement::removedFromDocument();
+}
+
 const AtomicString& HTMLFormControlElement::formControlName() const
 {
     const AtomicString& name = fastGetAttribute(nameAttr);
index e0be3f0..368dcfa 100644 (file)
@@ -111,6 +111,8 @@ protected:
     virtual void attach();
     virtual void insertedIntoTree(bool deep);
     virtual void removedFromTree(bool deep);
+    virtual void insertedIntoDocument();
+    virtual void removedFromDocument();
     virtual void willMoveToNewOwnerDocument();
 
     virtual bool isKeyboardFocusable(KeyboardEvent*) const;
index 7e8cd41..84dc684 100644 (file)
@@ -318,6 +318,7 @@ void HTMLObjectElement::insertedIntoDocument()
     }
 
     HTMLPlugInImageElement::insertedIntoDocument();
+    FormAssociatedElement::insertedIntoDocument();
 }
 
 void HTMLObjectElement::removedFromDocument()
@@ -329,6 +330,7 @@ void HTMLObjectElement::removedFromDocument()
     }
 
     HTMLPlugInImageElement::removedFromDocument();
+    FormAssociatedElement::removedFromDocument();
 }
 
 void HTMLObjectElement::attributeChanged(Attribute* attr, bool preserveDecls)