<http://webkit.org/b/130713>
<rdar://problem/
15661876>
Reviewed by Darin Adler.
Merged from Blink (patch by Ian Beer):
http://crbug.com/303657
https://src.chromium.org/viewvc/blink?view=rev&revision=158938
Source/WebCore:
Test: fast/forms/form-submission-crash-successful-submit-button.html
* html/HTMLFormElement.cpp:
(WebCore::HTMLFormElement::submit):
LayoutTests:
* fast/forms/form-submission-crash-successful-submit-button-expected.txt: Added.
* fast/forms/form-submission-crash-successful-submit-button.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@166236
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
+2014-03-25 David Kilzer <ddkilzer@apple.com>
+
+ Hold a reference to firstSuccessfulSubmitButton in HTMLFormElement::submit
+ <http://webkit.org/b/130713>
+ <rdar://problem/15661876>
+
+ Reviewed by Darin Adler.
+
+ Merged from Blink (patch by Ian Beer):
+ http://crbug.com/303657
+ https://src.chromium.org/viewvc/blink?view=rev&revision=158938
+
+ * fast/forms/form-submission-crash-successful-submit-button-expected.txt: Added.
+ * fast/forms/form-submission-crash-successful-submit-button.html: Added.
+
2014-03-20 Sergio Villar Senin <svillar@igalia.com>
[CSS Grid Layout] Vertical rectangles not considered as valid grid areas
--- /dev/null
+PASS if not crashed.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- /dev/null
+<!DOCTYPE html>
+<body>
+<script src="../../resources/js-test-pre.js"></script>
+<script>
+jsTestIsAsync = true;
+var form1;
+var submit1;
+
+function start() {
+ form1 = document.createElement('form');
+ submit1 = document.createElement('input');
+ submit2 = document.createElement('input');
+ submit1.type = 'submit';
+ submit2.type = 'image';
+ form1.addEventListener('submit', handleSubmit, false);
+ form1.action = 'javascript:removeImage()';
+ form1.appendChild(submit1);
+ form1.appendChild(submit2);
+ submit1.click();
+ testPassed('if not crashed.');
+ finishJSTest();
+}
+
+function handleSubmit() {
+ form1.removeChild(submit1);
+}
+
+function removeImage() {
+ form1.removeChild(submit2);
+ submit2 = null;
+ gc();
+}
+
+window.onload = start;
+</script>
+<script src="../../resources/js-test-post.js"></script>
+</body>
+2014-03-25 David Kilzer <ddkilzer@apple.com>
+
+ Hold a reference to firstSuccessfulSubmitButton in HTMLFormElement::submit
+ <http://webkit.org/b/130713>
+ <rdar://problem/15661876>
+
+ Reviewed by Darin Adler.
+
+ Merged from Blink (patch by Ian Beer):
+ http://crbug.com/303657
+ https://src.chromium.org/viewvc/blink?view=rev&revision=158938
+
+ Test: fast/forms/form-submission-crash-successful-submit-button.html
+
+ * html/HTMLFormElement.cpp:
+ (WebCore::HTMLFormElement::submit):
+
2014-03-25 Gabor Rapcsanyi <rgabor@webkit.org>
[ARM64] GNU assembler fails in TransformationMatrix::multiply
m_isSubmittingOrPreparingForSubmission = true;
m_wasUserSubmitted = processingUserGesture;
- HTMLFormControlElement* firstSuccessfulSubmitButton = 0;
+ RefPtr<HTMLFormControlElement> firstSuccessfulSubmitButton;
bool needButtonActivation = activateSubmitButton; // do we need to activate a submit button?
for (unsigned i = 0; i < m_associatedElements.size(); ++i) {
git://git.webkit.org / WebKit-https.git / commitdiff