Title: [217473] trunk
- Revision
- 217473
- Author
- [email protected]
- Date
- 2017-05-25 21:19:14 -0700 (Thu, 25 May 2017)
Log Message
imported/w3c/web-platform-tests/html/semantics/forms/form-control-infrastructure/form_owner_and_table_2.html is crashing
https://bugs.webkit.org/show_bug.cgi?id=172628
<rdar://problem/32418707>
Reviewed by Sam Weinig.
Source/WebCore:
In the event where a form is removed synchronously by a script during parsing,
FormAssociatedElement::m_formSetByParser may end up referring to a form that
is no longer in the document. As a result, we should make sure m_formSetByParser
is still connected in FormAssociatedElement::insertedInto() before we call
FormAssociatedElement::setForm(m_formSetByParser).
Test: fast/dom/HTMLFormElement/form-removed-during-parsing-crash.html
* html/FormAssociatedElement.cpp:
(WebCore::FormAssociatedElement::insertedInto):
LayoutTests:
Add reduced test case.
* TestExpectations:
Unskip test that is no longer crashing in debug builds.
* fast/dom/HTMLFormElement/form-removed-during-parsing-crash-expected.txt: Added.
* fast/dom/HTMLFormElement/form-removed-during-parsing-crash.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (217472 => 217473)
--- trunk/LayoutTests/ChangeLog 2017-05-26 03:53:24 UTC (rev 217472)
+++ trunk/LayoutTests/ChangeLog 2017-05-26 04:19:14 UTC (rev 217473)
@@ -1,3 +1,19 @@
+2017-05-25 Chris Dumez <[email protected]>
+
+ imported/w3c/web-platform-tests/html/semantics/forms/form-control-infrastructure/form_owner_and_table_2.html is crashing
+ https://bugs.webkit.org/show_bug.cgi?id=172628
+ <rdar://problem/32418707>
+
+ Reviewed by Sam Weinig.
+
+ Add reduced test case.
+
+ * TestExpectations:
+ Unskip test that is no longer crashing in debug builds.
+
+ * fast/dom/HTMLFormElement/form-removed-during-parsing-crash-expected.txt: Added.
+ * fast/dom/HTMLFormElement/form-removed-during-parsing-crash.html: Added.
+
2017-05-25 Zalan Bujtas <[email protected]>
Frame's composited content is visible when the frame has visibility: hidden.
Modified: trunk/LayoutTests/TestExpectations (217472 => 217473)
--- trunk/LayoutTests/TestExpectations 2017-05-26 03:53:24 UTC (rev 217472)
+++ trunk/LayoutTests/TestExpectations 2017-05-26 04:19:14 UTC (rev 217473)
@@ -802,7 +802,6 @@
imported/w3c/web-platform-tests/html/browsers/history/the-history-interface/history_go_zero.html [ Pass Failure ]
[ Debug ] imported/w3c/web-platform-tests/html/semantics/forms/form-control-infrastructure/form_attribute.html [ Skip ]
-[ Debug ] imported/w3c/web-platform-tests/html/semantics/forms/form-control-infrastructure/form_owner_and_table_2.html [ Skip ]
# FIXME: The following failures need individual bugs.
webkit.org/b/148805 imported/w3c/css/css-multicol-1/multicol-inherit-003.xht [ ImageOnlyFailure ]
Added: trunk/LayoutTests/fast/dom/HTMLFormElement/form-removed-during-parsing-crash-expected.txt (0 => 217473)
--- trunk/LayoutTests/fast/dom/HTMLFormElement/form-removed-during-parsing-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/dom/HTMLFormElement/form-removed-during-parsing-crash-expected.txt 2017-05-26 04:19:14 UTC (rev 217473)
@@ -0,0 +1,12 @@
+This test passes if it does not crash
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS document.getElementById('input1').form is null
+PASS document.getElementById('input2').form is null
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
+
Added: trunk/LayoutTests/fast/dom/HTMLFormElement/form-removed-during-parsing-crash.html (0 => 217473)
--- trunk/LayoutTests/fast/dom/HTMLFormElement/form-removed-during-parsing-crash.html (rev 0)
+++ trunk/LayoutTests/fast/dom/HTMLFormElement/form-removed-during-parsing-crash.html 2017-05-26 04:19:14 UTC (rev 217473)
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script src=""
+<script>
+description("This test passes if it does not crash");
+</script>
+<table id='table1'>
+ <form id='form1'>
+ <script>
+ document.getElementById('form1').remove();
+ gc();
+ </script>
+ <tr><td><input id='input1'></td></tr>
+ <tr><td><input id='input2' form="form1"></td></tr>
+</table>
+<script>
+shouldBeNull("document.getElementById('input1').form");
+shouldBeNull("document.getElementById('input2').form");
+</script>
+</body>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (217472 => 217473)
--- trunk/Source/WebCore/ChangeLog 2017-05-26 03:53:24 UTC (rev 217472)
+++ trunk/Source/WebCore/ChangeLog 2017-05-26 04:19:14 UTC (rev 217473)
@@ -1,3 +1,22 @@
+2017-05-25 Chris Dumez <[email protected]>
+
+ imported/w3c/web-platform-tests/html/semantics/forms/form-control-infrastructure/form_owner_and_table_2.html is crashing
+ https://bugs.webkit.org/show_bug.cgi?id=172628
+ <rdar://problem/32418707>
+
+ Reviewed by Sam Weinig.
+
+ In the event where a form is removed synchronously by a script during parsing,
+ FormAssociatedElement::m_formSetByParser may end up referring to a form that
+ is no longer in the document. As a result, we should make sure m_formSetByParser
+ is still connected in FormAssociatedElement::insertedInto() before we call
+ FormAssociatedElement::setForm(m_formSetByParser).
+
+ Test: fast/dom/HTMLFormElement/form-removed-during-parsing-crash.html
+
+ * html/FormAssociatedElement.cpp:
+ (WebCore::FormAssociatedElement::insertedInto):
+
2017-05-25 Zalan Bujtas <[email protected]>
Frame's composited content is visible when the frame has visibility: hidden.
Modified: trunk/Source/WebCore/html/FormAssociatedElement.cpp (217472 => 217473)
--- trunk/Source/WebCore/html/FormAssociatedElement.cpp 2017-05-26 03:53:24 UTC (rev 217472)
+++ trunk/Source/WebCore/html/FormAssociatedElement.cpp 2017-05-26 04:19:14 UTC (rev 217473)
@@ -71,7 +71,9 @@
{
HTMLElement& element = asHTMLElement();
if (m_formSetByParser) {
- setForm(m_formSetByParser);
+ // The form could have been removed by a script during parsing.
+ if (m_formSetByParser->isConnected())
+ setForm(m_formSetByParser);
m_formSetByParser = nullptr;
}
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
