2011-01-12 Kenichi Ishibashi <bashi@google.com>
author tkent@chromium.org <tkent@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 13 Jan 2011 03:55:50 +0000 (03:55 +0000)
committer tkent@chromium.org <tkent@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 13 Jan 2011 03:55:50 +0000 (03:55 +0000)
        Reviewed by Kent Tamura.

        M_formElementsWithFormAttribute not cleared when FormAssociatedElement is inserted with a null m_form and then removed.
        https://bugs.webkit.org/show_bug.cgi?id=51905

        Calls unregisterFormElementWithFormAttribute() when 'form' attribute
        is removed.

        Tests: fast/forms/form-associated-element-crash.html
               fast/forms/form-associated-element-crash2.html

        * html/FormAssociatedElement.cpp:
        (WebCore::FormAssociatedElement::formAttributeChanged):

2011-01-12  Kenichi Ishibashi  <bashi@google.com>

        Reviewed by Kent Tamura.

        M_formElementsWithFormAttribute not cleared when FormAssociatedElement is inserted with a null m_form and then removed.
        https://bugs.webkit.org/show_bug.cgi?id=51905

        Add test for crash when modifying the form attribute of a form
        associated element before removing it.

        * fast/forms/form-associated-element-crash-expected.txt: Added.
        * fast/forms/form-associated-element-crash.html: Added.
        * fast/forms/form-associated-element-crash2-expected.txt: Added.
        * fast/forms/form-associated-element-crash2.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@75676 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/forms/form-associated-element-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/forms/form-associated-element-crash.html [new file with mode: 0644]
LayoutTests/fast/forms/form-associated-element-crash2-expected.txt [new file with mode: 0644]
LayoutTests/fast/forms/form-associated-element-crash2.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/html/FormAssociatedElement.cpp

index c93aa41..b906ac6 100644 (file)
@@ -2,6 +2,21 @@
 
         Reviewed by Kent Tamura.
 
+        M_formElementsWithFormAttribute not cleared when FormAssociatedElement is inserted with a null m_form and then removed.
+        https://bugs.webkit.org/show_bug.cgi?id=51905
+
+        Add test for crash when modifying the form attribute of a form
+        associated element before removing it.
+
+        * fast/forms/form-associated-element-crash-expected.txt: Added.
+        * fast/forms/form-associated-element-crash.html: Added.
+        * fast/forms/form-associated-element-crash2-expected.txt: Added.
+        * fast/forms/form-associated-element-crash2.html: Added.
+
+2011-01-12  Kenichi Ishibashi  <bashi@google.com>
+
+        Reviewed by Kent Tamura.
+
         M_formElementsWithFormAttribute not cleared when Node is moved to another document.
         https://bugs.webkit.org/show_bug.cgi?id=51418
 
diff --git a/LayoutTests/fast/forms/form-associated-element-crash-expected.txt b/LayoutTests/fast/forms/form-associated-element-crash-expected.txt
new file mode 100644 (file)
index 0000000..8deeea7
--- /dev/null
@@ -0,0 +1,4 @@
+This page is a test case for Bug 51905. WebKit should not crash when this page is loaded.
+
+PASS
+
diff --git a/LayoutTests/fast/forms/form-associated-element-crash.html b/LayoutTests/fast/forms/form-associated-element-crash.html
new file mode 100644 (file)
index 0000000..80aae53
--- /dev/null
@@ -0,0 +1,45 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+if (!window.gc) {
+    gc = function () {
+        if (window.GCController)
+            return GCController.collect();
+        for (var i = 0; i < 10000; i++)
+            var s = new String("abc");
+    }
+}
+
+var element = document.createElement('input');
+
+function test() {
+    element.setAttribute('form', 'form1');
+    document.body.appendChild(element);
+    element.attributes.removeNamedItem('form');
+    setTimeout(delay, 0);
+}
+
+function delay() {
+    document.body.removeChild(element);
+    element = 0;
+    gc();
+    var form = document.createElement('form');
+    form.setAttribute('id', 'form2');
+    document.body.appendChild(form);
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+</script>
+</head>
+<body onload="test()">
+<p>
+This page is a test case for <a href="https://bugs.webkit.org/show_bug.cgi?id=51905">Bug 51905</a>. WebKit should not crash when this page is loaded.
+</p>
+PASS
+</body>
+</html>
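Review bot: The fallback in gc(), the 10000-iteration new String("abc") loop used when neither window.gc nor GCController exists, gives no assurance that the removed input is actually collected, so outside the test harness this page can show PASS without ever reaching the state the test is meant to cover. Consider a heavier allocation loop in the fallback, or one shared gc() helper for this file and form-associated-element-crash2.html, which uses a different loop. A short comment in test() and delay() saying why the attribute is dropped with element.attributes.removeNamedItem('form') after appendChild(), and why a form with id 'form2' is appended after the element is gone, would make the intended crash sequence clear to the next reader.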
diff --git a/LayoutTests/fast/forms/form-associated-element-crash2-expected.txt b/LayoutTests/fast/forms/form-associated-element-crash2-expected.txt
new file mode 100644 (file)
index 0000000..8deeea7
--- /dev/null
@@ -0,0 +1,4 @@
+This page is a test case for Bug 51905. WebKit should not crash when this page is loaded.
+
+PASS
+
diff --git a/LayoutTests/fast/forms/form-associated-element-crash2.html b/LayoutTests/fast/forms/form-associated-element-crash2.html
new file mode 100644 (file)
index 0000000..2030306
--- /dev/null
@@ -0,0 +1,48 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+function gc() {
+    var array = [];
+    for (var i = 0x30000; i--; )
+        if (!(Math.round(Math.random() * 20)))
+            array = [];
+        else
+            array.push(new String(Math.random()))
+}
+
+function test()
+{
+    var element = document.createElement('input');
+    element.setAttribute('form', 'form1');
+    var div = document.createElement('div');
+    div.appendChild(element);
+    element.removeAttribute('form');
+    div.innerHTML = '';
+    element = 0;
+    gc();
+    setTimeout(delay, 0);
+}
+
+function delay()
+{
+    var form = document.createElement('form');
+    form.setAttribute('id', 'form2');
+    document.body.appendChild(form);
+    location.reload();
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+</script>
+</head>
+<body onload="test()">
+<p>
+This page is a test case for <a href="https://bugs.webkit.org/show_bug.cgi?id=51905">Bug 51905</a>. WebKit should not crash when this page is loaded.
+</p>
+PASS
+</body>
+</html>
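Review bot: In delay(), location.reload() runs unconditionally and before the layoutTestController.notifyDone() check, and the body onload handler calls test() again on every load, so opening this file in a browser without layoutTestController reloads it indefinitely. Guard the reload (for example, only reload once, or only under the harness) or add a comment stating why the reload is required for the crash to surface. Separately, gc() here is defined unconditionally and never uses GCController.collect(), unlike form-associated-element-crash.html, and it depends on Math.random(), so whether the element is collected before delay() runs can differ between runs; the array.push(new String(Math.random())) line is also missing its semicolon.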
index ac31934..9abfd5c 100644 (file)
@@ -2,6 +2,22 @@
 
         Reviewed by Kent Tamura.
 
+        M_formElementsWithFormAttribute not cleared when FormAssociatedElement is inserted with a null m_form and then removed.
+        https://bugs.webkit.org/show_bug.cgi?id=51905
+
+        Calls unregisterFormElementWithFormAttribute() when 'form' attribute
+        is removed.
+
+        Tests: fast/forms/form-associated-element-crash.html
+               fast/forms/form-associated-element-crash2.html
+
+        * html/FormAssociatedElement.cpp:
+        (WebCore::FormAssociatedElement::formAttributeChanged):
+
+2011-01-12  Kenichi Ishibashi  <bashi@google.com>
+
+        Reviewed by Kent Tamura.
+
         M_formElementsWithFormAttribute not cleared when Node is moved to another document.
         https://bugs.webkit.org/show_bug.cgi?id=51418
 
index df74f4e..574dfe5 100644 (file)
@@ -147,6 +147,7 @@ void FormAssociatedElement::formAttributeChanged()
         m_form = element->findFormAncestor();
         if (m_form)
             form()->registerFormElement(this);
+        element->document()->unregisterFormElementWithFormAttribute(this);
     } else
         resetFormOwner(0);
 }
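Review bot: The added element->document()->unregisterFormElementWithFormAttribute(this) call at the end of the if branch runs every time that branch is taken, including for an element that was never registered with the document, so it relies on unregisterFormElementWithFormAttribute() tolerating an element that is not in the set, which this hunk does not show. Please confirm that and say so in a comment, or guard the call. The line also carries no comment on why it is needed; a one-line note that the document must stop tracking the element once its 'form' attribute is removed (the ChangeLog's explanation) would keep the register and unregister paths easy to audit, since a missed unregistration on this path is what the two new crash tests cover.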