2011-01-12 Kenichi Ishibashi <bashi@google.com>
authortkent@chromium.org <tkent@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 13 Jan 2011 03:48:42 +0000 (03:48 +0000)
committertkent@chromium.org <tkent@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 13 Jan 2011 03:48:42 +0000 (03:48 +0000)
        Reviewed by Kent Tamura.

        m_formElementsWithFormAttribute not cleared when Node is moved to another document.
        https://bugs.webkit.org/show_bug.cgi?id=51418

        Calls unregisterFormElementWithFormAttribute() when form associated elements
        are moved to another document.

        Test: fast/forms/change-form-element-document-crash.html

        * html/FormAssociatedElement.cpp:
        (WebCore::FormAssociatedElement::willMoveToNewOwnerDocument): Added.
        * html/FormAssociatedElement.h: Added willMoveToNewOwnerDocument().
        * html/HTMLFormControlElement.cpp:
        (WebCore::HTMLFormControlElement::willMoveToNewOwnerDocument): Added.
        * html/HTMLFormControlElement.h: Added willMoveToNewOwnerDocument().
        * html/HTMLObjectElement.cpp:
        (WebCore::HTMLObjectElement::willMoveToNewOwnerDocument): Added.
        * html/HTMLObjectElement.h: Added willMoveToNewOwnerDocument().
        * html/HTMLPlugInImageElement.h: Moves willMoveToNewOwnerDocument() to protected.

2011-01-12  Kenichi Ishibashi  <bashi@google.com>

        Reviewed by Kent Tamura.

        M_formElementsWithFormAttribute not cleared when Node is moved to another document.
        https://bugs.webkit.org/show_bug.cgi?id=51418

        Added test for crash when moving form elements from one document to another.

        * fast/forms/change-form-element-document-crash-expected.txt: Added.
        * fast/forms/change-form-element-document-crash.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@75675 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/forms/change-form-element-document-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/forms/change-form-element-document-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/html/FormAssociatedElement.cpp
Source/WebCore/html/FormAssociatedElement.h
Source/WebCore/html/HTMLFormControlElement.cpp
Source/WebCore/html/HTMLFormControlElement.h
Source/WebCore/html/HTMLObjectElement.cpp
Source/WebCore/html/HTMLObjectElement.h
Source/WebCore/html/HTMLPlugInImageElement.h

index b974c3127a4f640b732e498ae39f197bec01d7a9..c93aa41e911b38a361abc4100a8cbad562d91a52 100644 (file)
@@ -1,3 +1,15 @@
+2011-01-12  Kenichi Ishibashi  <bashi@google.com>
+
+        Reviewed by Kent Tamura.
+
+        M_formElementsWithFormAttribute not cleared when Node is moved to another document.
+        https://bugs.webkit.org/show_bug.cgi?id=51418
+
+        Added test for crash when moving form elements from one document to another.
+
+        * fast/forms/change-form-element-document-crash-expected.txt: Added.
+        * fast/forms/change-form-element-document-crash.html: Added.
+
 2011-01-12  Justin Schuh  <jschuh@chromium.org>
 
         Unreviewed chromium test expectations fix.
diff --git a/LayoutTests/fast/forms/change-form-element-document-crash-expected.txt b/LayoutTests/fast/forms/change-form-element-document-crash-expected.txt
new file mode 100644 (file)
index 0000000..a9509e6
--- /dev/null
@@ -0,0 +1,3 @@
+This page is a test case for Bug 51418. WebKit should not crash when this page is loaded.
+
+PASS
diff --git a/LayoutTests/fast/forms/change-form-element-document-crash.html b/LayoutTests/fast/forms/change-form-element-document-crash.html
new file mode 100644 (file)
index 0000000..4925401
--- /dev/null
@@ -0,0 +1,41 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+function gc() {
+    if (window.GCController)
+        return GCController.collect();
+
+    for (var i = 0; i < 10000; i++)
+        var s = new String("abc");
+}
+
+function crash_test(element_name) {
+    var element = document.createElement(element_name);
+    element.setAttribute('form', '1');
+    var container = document.createElement('div');
+    container.appendChild(element);
+    document.implementation.createDocument().adoptNode(container);
+    container.removeChild(element);
+    delete element;
+    gc();
+    var form = document.createElement('form');
+    form.setAttribute('id', '2');
+    document.body.appendChild(form)
+}
+
+function test() {
+    crash_test('input');
+    crash_test('object');
+    document.body.innerHTML += "PASS";
+}
+</script>
+</head>
+<body onload="test()">
+<p>
+This page is a test case for <a href="https://bugs.webkit.org/show_bug.cgi?id=51418">Bug 51418</a>. WebKit should not crash when this page is loaded.
+</p>
+</body>
+</html>
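Review bot: `delete element;` in crash_test does not unbind a `var`-declared local (delete on a variable binding is a no-op), so the element is still reachable when gc() runs and the freed-element path the test is meant to exercise is only reached, if at all, after the function returns; `element = null;` is the line that actually drops the reference. The `document.body.appendChild(form)` statement also lacks a terminating semicolon. Both points apply to the crash_test function, which lies entirely within this hunk.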
index 0598c3a6058067386fbd55939cc2dc65a43b62dc..ac31934a893cdcfe010042825797c787c31a9cba 100644 (file)
@@ -1,3 +1,26 @@
+2011-01-12  Kenichi Ishibashi  <bashi@google.com>
+
+        Reviewed by Kent Tamura.
+
+        M_formElementsWithFormAttribute not cleared when Node is moved to another document.
+        https://bugs.webkit.org/show_bug.cgi?id=51418
+
+        Calls unregisterFormElementWithFormAttribute() when form associated elements
+        are moved to another document.
+
+        Test: fast/forms/change-form-element-document-crash.html
+
+        * html/FormAssociatedElement.cpp:
+        (WebCore::FormAssociatedElement::willMoveToNewOwnerDocument): Added.
+        * html/FormAssociatedElement.h: Added willMoveToNewOwnerDocument().
+        * html/HTMLFormControlElement.cpp:
+        (WebCore::HTMLFormControlElement::willMoveToNewOwnerDocument): Added.
+        * html/HTMLFormControlElement.h: Added willMoveToNewOwnerDocument().
+        * html/HTMLObjectElement.cpp:
+        (WebCore::HTMLObjectElement::willMoveToNewOwnerDocument): Added.
+        * html/HTMLObjectElement.h: Added willMoveToNewOwnerDocument().
+        * html/HTMLPlugInImageElement.h: Moves willMoveToNewOwnerDocument() to protected.
+
 2011-01-12  Ryosuke Niwa  <rniwa@webkit.org>
 
         Reviewed by Eric Seidel.
index a97c0e29257dc221c1d9dc1ca4d648fe3e3deac1..df74f4e253e5123e33a68f4833bd401589eca8f8 100644 (file)
@@ -52,6 +52,13 @@ ValidityState* FormAssociatedElement::validity()
     return m_validityState.get();
 }
 
+void FormAssociatedElement::willMoveToNewOwnerDocument()
+{
+    HTMLElement* element = toHTMLElement(this);
+    if (element->fastHasAttribute(formAttr))
+        element->document()->unregisterFormElementWithFormAttribute(this);
+}
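Review bot: The new willMoveToNewOwnerDocument only unregisters the element from the document it leaves; nothing in this commit registers it with the new owner document, so after adoptNode the form-attribute association is presumably not tracked there until the element is re-inserted into a tree. If Node provides a didMoveToNewOwnerDocument() counterpart, mirroring the registration there would close that gap — worth confirming against Node.h. The method should also say why it exists, e.g. `// The owner document tracks elements carrying a form attribute; remove this one before it changes documents, otherwise the old document keeps a stale entry (bug 51418).`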
+
 void FormAssociatedElement::insertedIntoTree()
 {
     HTMLElement* element = toHTMLElement(this);
index 3c8c6e180fb43c3ccfefef6f22fa595d3a1f143c..873bdf464860b50e49b15487ef7383d8e17851fc 100644 (file)
@@ -63,6 +63,8 @@ protected:
     void insertedIntoTree();
     void removedFromTree();
 
+    void willMoveToNewOwnerDocument();
+
     void setForm(HTMLFormElement* form) { m_form = form; }
     void removeFromForm();
     void formAttributeChanged();
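Review bot: The new declaration is a plain non-virtual protected member, while the same-named hook in the element hierarchy is virtual (HTMLFormControlElement.h declares it virtual and its override calls HTMLElement::willMoveToNewOwnerDocument()), so nothing enforces that subclasses chain to it. A comment would make the contract explicit: `// Not virtual: subclasses override the virtual Node-level hook and must call this explicitly.` The two overrides added in this commit (HTMLFormControlElement, HTMLObjectElement) do so, but a future form-associated class could silently omit the call and reintroduce the stale-entry bug.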
index 8556c1e989302a10b486fcbefef604f8ba189908..714311e1b51041becf40014a4b8bf7bf94dc297d 100644 (file)
@@ -144,6 +144,12 @@ void HTMLFormControlElement::attach()
          focus();
 }
 
+void HTMLFormControlElement::willMoveToNewOwnerDocument()
+{
+    FormAssociatedElement::willMoveToNewOwnerDocument();
+    HTMLElement::willMoveToNewOwnerDocument();
+}
+
 void HTMLFormControlElement::insertedIntoTree(bool deep)
 {
     FormAssociatedElement::insertedIntoTree();
index e5d741baf1219681160a1811c70779baae43b01d..8403b84ac5edd357066198e8e4eddcdbaee3a018 100644 (file)
@@ -109,6 +109,7 @@ protected:
     virtual void attach();
     virtual void insertedIntoTree(bool deep);
     virtual void removedFromTree(bool deep);
+    virtual void willMoveToNewOwnerDocument();
 
     virtual bool isKeyboardFocusable(KeyboardEvent*) const;
     virtual bool isMouseFocusable() const;
index 2c6e6de96f228f21f9b79331e3010fec5fdd01fd..a1dde1af0c05649d017c55bb28cb0eb16094e1bd 100644 (file)
@@ -479,6 +479,12 @@ void HTMLObjectElement::addSubresourceAttributeURLs(ListHashSet<KURL>& urls) con
         addSubresourceURL(urls, document()->completeURL(useMap));
 }
 
+void HTMLObjectElement::willMoveToNewOwnerDocument()
+{
+    FormAssociatedElement::willMoveToNewOwnerDocument();
+    HTMLPlugInImageElement::willMoveToNewOwnerDocument();
+}
+
 void HTMLObjectElement::insertedIntoTree(bool deep)
 {
     FormAssociatedElement::insertedIntoTree();
index d5797ff6f9b8f06a7a9adcc7f7f142092edba1c0..ff773f16d828c51f83010d6e9a096ebbad744ca7 100644 (file)
@@ -73,6 +73,7 @@ private:
     virtual bool rendererIsNeeded(RenderStyle*);
     virtual void insertedIntoDocument();
     virtual void removedFromDocument();
+    virtual void willMoveToNewOwnerDocument();
     
     virtual void childrenChanged(bool changedByParser = false, Node* beforeChange = 0, Node* afterChange = 0, int childCountDelta = 0);
 
index 377fd996cc37750309a6e7c88dff57de403316b8..f394d40d9097436b6a608ac318fd5024f7401471 100644 (file)
@@ -58,12 +58,13 @@ protected:
     bool allowedToLoadFrameURL(const String& url);
     bool wouldLoadAsNetscapePlugin(const String& url, const String& serviceType);
 
+    virtual void willMoveToNewOwnerDocument();
+
 private:
     virtual RenderObject* createRenderer(RenderArena*, RenderStyle*);
     virtual void recalcStyle(StyleChange);
     
     virtual void finishParsingChildren();
-    virtual void willMoveToNewOwnerDocument();
 
     void updateWidgetIfNecessary();
     virtual bool useFallbackContent() const { return false; }