Crash in RadioButtonGroups::requiredStateChanged
author rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 26 Mar 2020 21:25:21 +0000 (21:25 +0000)
committer rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 26 Mar 2020 21:25:21 +0000 (21:25 +0000)
https://bugs.webkit.org/show_bug.cgi?id=209585

Reviewed by Zalan Bujtas.

Source/WebCore:

Like r254722, radio group could be null in RadioButtonGroups::requiredStateChanged. Added a null check.

Test: fast/forms/update-required-state-on-radio-before-finalizing-tree-insertion-crash.html

* dom/RadioButtonGroups.cpp:
(WebCore::RadioButtonGroups::requiredStateChanged):

LayoutTests:

Added a regression test.

* fast/forms/update-required-state-on-radio-before-finalizing-tree-insertion-crash-expected.txt: Added.
* fast/forms/update-required-state-on-radio-before-finalizing-tree-insertion-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@259079 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/forms/update-required-state-on-radio-before-finalizing-tree-insertion-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/forms/update-required-state-on-radio-before-finalizing-tree-insertion-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/RadioButtonGroups.cpp

index c6c4190..88bc721 100644 (file)
@@ -1,3 +1,15 @@
+2020-03-26  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Crash in RadioButtonGroups::requiredStateChanged
+        https://bugs.webkit.org/show_bug.cgi?id=209585
+
+        Reviewed by Zalan Bujtas.
+
+        Added a regression test.
+
+        * fast/forms/update-required-state-on-radio-before-finalizing-tree-insertion-crash-expected.txt: Added.
+        * fast/forms/update-required-state-on-radio-before-finalizing-tree-insertion-crash.html: Added.
+
 2020-03-26  Jason Lawrence  <lawrence.j@apple.com>
 
         [ Catalina ] compositing/clipping/border-radius-async-overflow-stacking.html is flaky failing.
diff --git a/LayoutTests/fast/forms/update-required-state-on-radio-before-finalizing-tree-insertion-crash-expected.txt b/LayoutTests/fast/forms/update-required-state-on-radio-before-finalizing-tree-insertion-crash-expected.txt
new file mode 100644 (file)
index 0000000..87b3134
--- /dev/null
@@ -0,0 +1,5 @@
+This tests updating the required state of a radio button in the middle of node insertions.
+The test passes if WebKit does not crash or hit a debug assertion.
+
+
+
diff --git a/LayoutTests/fast/forms/update-required-state-on-radio-before-finalizing-tree-insertion-crash.html b/LayoutTests/fast/forms/update-required-state-on-radio-before-finalizing-tree-insertion-crash.html
new file mode 100644 (file)
index 0000000..c116505
--- /dev/null
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>This tests updating the required state of a radio button in the middle of node insertions.<br>
+The test passes if WebKit does not crash or hit a debug assertion.</p>
+<div id="result"></div>
+<style>
+:indeterminate { color: green; }
+</style>
+<script>
+
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+const div = document.createElement('div');
+
+const script = document.createElement('script');
+script.textContent = 'input.required = true';
+div.appendChild(script);
+
+const input = document.createElement('input');
+input.type = 'radio';
+input.name = 'baz';
+input.form = 'foo';
+div.appendChild(input);
+
+const input2 = document.createElement('input');
+input2.type = 'radio';
+input2.name = 'bar';
+input2.form = 'foo';
+document.body.appendChild(input2);
+
+document.body.appendChild(div);
+
+</script>
+</body>
+</html>
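Review bot: `input.form = 'foo'` and `input2.form = 'foo'` assign to `HTMLInputElement.form`, which is a read-only IDL attribute, so in this non-strict script both assignments are silently ignored and neither radio gets a form owner. If the crash depends on form association, use `setAttribute('form', 'foo')` (the test also contains no form with that id); if it does not, drop the two lines so the reproduction stays minimal. A short comment explaining why the script element precedes `input` inside `div`, and what `input2` and the `:indeterminate` rule contribute, would make the test easier to maintain and reduce later.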
index 7bf87de..9935299 100644 (file)
@@ -1,3 +1,17 @@
+2020-03-26  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Crash in RadioButtonGroups::requiredStateChanged
+        https://bugs.webkit.org/show_bug.cgi?id=209585
+
+        Reviewed by Zalan Bujtas.
+
+        Like r254722, radio group could be null in RadioButtonGroups::requiredStateChanged. Added a null check.
+
+        Test: fast/forms/update-required-state-on-radio-before-finalizing-tree-insertion-crash.html
+
+        * dom/RadioButtonGroups.cpp:
+        (WebCore::RadioButtonGroups::requiredStateChanged):
+
 2020-03-26  Charlie Turner  <cturner@igalia.com>
 
         [GStreamer] Fix missing NULL-check in setSyncOnClock
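Review bot: the entry says the radio group "could be null" but does not say under which condition, and it only points at r254722 for context. One sentence naming the scenario the new test covers (the required state of a radio button changing in the middle of node insertions, before the element has an entry in the group map) would let a reader understand the fix without looking up the earlier revision.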
index b98eaa8..6a66065 100644 (file)
@@ -237,7 +237,8 @@ void RadioButtonGroups::requiredStateChanged(HTMLInputElement& element)
     if (element.name().isEmpty())
         return;
     auto* group = m_nameToGroupMap.get(element.name().impl());
-    ASSERT(group);
+    if (!group)
+        return;
     group->requiredStateChanged(element);
 }
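Review bot: the new `if (!group) return;` drops the required-state notification silently, so the group's view of which buttons are required is only correct if the path that later registers the element reads its current required state; that path is not visible in this hunk and is worth confirming as part of the review. Replacing `ASSERT(group)` also removes the debug-build check for a button that should already be registered, so a one-line comment above the null check stating when the name legitimately has no entry in `m_nameToGroupMap` would keep the intent clear and make a real bookkeeping bug easier to tell apart from the expected case.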