- Revision
- 234408
- Author
- [email protected]
- Date
- 2018-07-31 00:01:09 -0700 (Tue, 31 Jul 2018)
Log Message
Merge r231236 - Prevent Debug ASSERT when changing forms
https://bugs.webkit.org/show_bug.cgi?id=185173
<rdar://problem/39738669>
Reviewed by Ryosuke Niwa.
Form submission could trigger a debug assertion during validation when
a form is changed during an input submission. Fix this by cleaning up
the event handling logic and make it more consistent with modern WebKit
coding style.
Test: fast/forms/form-submission-crash-3.html
* html/HTMLButtonElement.cpp:
(WebCore::HTMLButtonElement::defaultEventHandler): Make sure layout runs before
attempting to perform event handling.
* html/HTMLFormElement.cpp:
(WebCore::HTMLFormElement::reportValidity): Ditto.
(WebCore::HTMLFormElement::validateInteractively): Remove call to perform layout here,
since we expect this to happen earlier in the layout pass. Add an assertion that the
tree is not dirty.
* html/ImageInputType.cpp:
(WebCore::ImageInputType::handleDOMActivateEvent): Make sure layout runs before
attempting to perform event handling.
* html/SubmitInputType.cpp:
(WebCore::SubmitInputType::handleDOMActivateEvent): Ditto.
LayoutTests:
Prevent assertion when changing forms
https://bugs.webkit.org/show_bug.cgi?id=185173
<rdar://problem/39738669>
Reviewed by Ryosuke Niwa.
* fast/forms/form-submission-crash-3-expected.txt: Added.
* fast/forms/form-submission-crash-3.html: Added.
Modified Paths
Added Paths
Diff
Modified: releases/WebKitGTK/webkit-2.20/LayoutTests/ChangeLog (234407 => 234408)
--- releases/WebKitGTK/webkit-2.20/LayoutTests/ChangeLog 2018-07-31 07:01:00 UTC (rev 234407)
+++ releases/WebKitGTK/webkit-2.20/LayoutTests/ChangeLog 2018-07-31 07:01:09 UTC (rev 234408)
@@ -1,3 +1,14 @@
+2018-05-01 Brent Fulgham <[email protected]>
+
+ Prevent assertion when changing forms
+ https://bugs.webkit.org/show_bug.cgi?id=185173
+ <rdar://problem/39738669>
+
+ Reviewed by Ryosuke Niwa.
+
+ * fast/forms/form-submission-crash-3-expected.txt: Added.
+ * fast/forms/form-submission-crash-3.html: Added.
+
2018-06-22 Michael Catanzaro <[email protected]>
REGRESSION(r230950): [GTK] WebKit::CoordinatedBackingStoreTile::setBackBuffer(): WebKitWebProcess killed by SIGSEGV (ASSERTION FAILED: it != m_tiles.end())
Added: releases/WebKitGTK/webkit-2.20/LayoutTests/fast/forms/form-submission-crash-3-expected.txt (0 => 234408)
--- releases/WebKitGTK/webkit-2.20/LayoutTests/fast/forms/form-submission-crash-3-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.20/LayoutTests/fast/forms/form-submission-crash-3-expected.txt 2018-07-31 07:01:09 UTC (rev 234408)
@@ -0,0 +1,13 @@
+Test for proper handling of form removal.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS if not crashed.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
+foo
+
+
Added: releases/WebKitGTK/webkit-2.20/LayoutTests/fast/forms/form-submission-crash-3.html (0 => 234408)
--- releases/WebKitGTK/webkit-2.20/LayoutTests/fast/forms/form-submission-crash-3.html (rev 0)
+++ releases/WebKitGTK/webkit-2.20/LayoutTests/fast/forms/form-submission-crash-3.html 2018-07-31 07:01:09 UTC (rev 234408)
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<head>
+<script src=""
+<script>
+description("Test for proper handling of form removal.");
+
+jsTestIsAsync = true;
+
+function eventhandler() {
+ div1.innerHTML = "foo";
+ gc();
+}
+
+function eventhandler2() {
+}
+
+function start() {
+ button.setAttribute("form", "form1");
+ button.setCustomValidity("foo");
+ button._onfocus_ = eventhandler2;
+ input._onfocus_ = eventhandler;
+ button.click();
+ testPassed('if not crashed.');
+ finishJSTest();
+}
+</script>
+</head>
+<body>
+<input id="input" autofocus="autofocus" type="button">
+<div id="div1">
+ <form id="form1"></form>
+</div>
+<form id="form2">
+ <button id="button" type="submit"></button>
+</form>
+<iframe _onload_="start()"></iframe>
+</body>
Modified: releases/WebKitGTK/webkit-2.20/Source/WebCore/ChangeLog (234407 => 234408)
--- releases/WebKitGTK/webkit-2.20/Source/WebCore/ChangeLog 2018-07-31 07:01:00 UTC (rev 234407)
+++ releases/WebKitGTK/webkit-2.20/Source/WebCore/ChangeLog 2018-07-31 07:01:09 UTC (rev 234408)
@@ -1,3 +1,32 @@
+2018-05-01 Brent Fulgham <[email protected]>
+
+ Prevent Debug ASSERT when changing forms
+ https://bugs.webkit.org/show_bug.cgi?id=185173
+ <rdar://problem/39738669>
+
+ Reviewed by Ryosuke Niwa.
+
+ Form submission could trigger a debug assertion during validation when
+ a form is changed during an input submission. Fix this by cleaning up
+ the event handling logic and make it more consistent with modern WebKit
+ coding style.
+
+ Test: fast/forms/form-submission-crash-3.html
+
+ * html/HTMLButtonElement.cpp:
+ (WebCore::HTMLButtonElement::defaultEventHandler): Make sure layout runs before
+ attempting to perform event handling.
+ * html/HTMLFormElement.cpp:
+ (WebCore::HTMLFormElement::reportValidity): Ditto.
+ (WebCore::HTMLFormElement::validateInteractively): Remove call to perform layout here,
+ since we expect this to happen earlier in the layout pass. Add an assertion that the
+ tree is not dirty.
+ * html/ImageInputType.cpp:
+ (WebCore::ImageInputType::handleDOMActivateEvent): Make sure layout runs before
+ attempting to perform event handling.
+ * html/SubmitInputType.cpp:
+ (WebCore::SubmitInputType::handleDOMActivateEvent): Ditto.
+
2018-06-22 Michael Catanzaro <[email protected]>
REGRESSION(r230950): [GTK] WebKit::CoordinatedBackingStoreTile::setBackBuffer(): WebKitWebProcess killed by SIGSEGV (ASSERTION FAILED: it != m_tiles.end())
Modified: releases/WebKitGTK/webkit-2.20/Source/WebCore/html/HTMLButtonElement.cpp (234407 => 234408)
--- releases/WebKitGTK/webkit-2.20/Source/WebCore/html/HTMLButtonElement.cpp 2018-07-31 07:01:00 UTC (rev 234407)
+++ releases/WebKitGTK/webkit-2.20/Source/WebCore/html/HTMLButtonElement.cpp 2018-07-31 07:01:09 UTC (rev 234408)
@@ -2,7 +2,7 @@
* Copyright (C) 1999 Lars Knoll ([email protected])
* (C) 1999 Antti Koivisto ([email protected])
* (C) 2001 Dirk Mueller ([email protected])
- * Copyright (C) 2004, 2005, 2006, 2007, 2010, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2018 Apple Inc. All rights reserved.
* (C) 2006 Alexey Proskuryakov ([email protected])
* Copyright (C) 2007 Samuel Weinig ([email protected])
*
@@ -32,6 +32,7 @@
#include "HTMLNames.h"
#include "KeyboardEvent.h"
#include "RenderButton.h"
+#include <wtf/SetForScope.h>
#include <wtf/StdLibExtras.h>
namespace WebCore {
@@ -115,16 +116,26 @@
void HTMLButtonElement::defaultEventHandler(Event& event)
{
if (event.type() == eventNames().DOMActivateEvent && !isDisabledFormControl()) {
- if (form() && m_type == SUBMIT) {
- m_isActivatedSubmit = true;
- form()->prepareForSubmission(event);
- event.setDefaultHandled();
- m_isActivatedSubmit = false; // Do this in case submission was canceled.
+ RefPtr<HTMLFormElement> protectedForm(form());
+
+ if (protectedForm) {
+ // Update layout before processing form actions in case the style changes
+ // the Form or button relationships.
+ document().updateLayoutIgnorePendingStylesheets();
+
+ if (auto currentForm = form()) {
+ if (m_type == SUBMIT) {
+ SetForScope<bool> activatedSubmitState(m_isActivatedSubmit, true);
+ currentForm->prepareForSubmission(event);
+ }
+
+ if (m_type == RESET)
+ currentForm->reset();
+ }
+
+ if (m_type == SUBMIT || m_type == RESET)
+ event.setDefaultHandled();
}
- if (form() && m_type == RESET) {
- form()->reset();
- event.setDefaultHandled();
- }
}
if (is<KeyboardEvent>(event)) {
Modified: releases/WebKitGTK/webkit-2.20/Source/WebCore/html/HTMLFormElement.cpp (234407 => 234408)
--- releases/WebKitGTK/webkit-2.20/Source/WebCore/html/HTMLFormElement.cpp 2018-07-31 07:01:00 UTC (rev 234407)
+++ releases/WebKitGTK/webkit-2.20/Source/WebCore/html/HTMLFormElement.cpp 2018-07-31 07:01:09 UTC (rev 234408)
@@ -219,9 +219,9 @@
// Because the form has invalid controls, we abort the form submission and
// show a validation message on a focusable form control.
- // Needs to update layout now because we'd like to call isFocusable(), which
- // has !renderer()->needsLayout() assertion.
- document().updateLayoutIgnorePendingStylesheets();
+ // Make sure layout is up-to-date in case we call isFocusable() (which
+ // has !renderer()->needsLayout() assertion).
+ ASSERT(!document().view() || !document().view()->needsLayout());
Ref<HTMLFormElement> protectedThis(*this);
@@ -740,6 +740,12 @@
bool HTMLFormElement::reportValidity()
{
+ Ref<HTMLFormElement> protectedThis(*this);
+
+ // Update layout before processing form actions in case the style changes
+ // the Form or button relationships.
+ document().updateLayoutIgnorePendingStylesheets();
+
return validateInteractively();
}
Modified: releases/WebKitGTK/webkit-2.20/Source/WebCore/html/ImageInputType.cpp (234407 => 234408)
--- releases/WebKitGTK/webkit-2.20/Source/WebCore/html/ImageInputType.cpp 2018-07-31 07:01:00 UTC (rev 234407)
+++ releases/WebKitGTK/webkit-2.20/Source/WebCore/html/ImageInputType.cpp 2018-07-31 07:01:09 UTC (rev 234408)
@@ -86,6 +86,9 @@
Ref<HTMLInputElement> element(this->element());
if (element->isDisabledFormControl() || !element->form())
return;
+
+ Ref<HTMLFormElement> protectedForm(*element->form());
+
element->setActivatedSubmit(true);
m_clickLocation = IntPoint();
@@ -98,7 +101,13 @@
}
}
- element->form()->prepareForSubmission(event); // Event handlers can run.
+ // Update layout before processing form actions in case the style changes
+ // the Form or button relationships.
+ element->document().updateLayoutIgnorePendingStylesheets();
+
+ if (auto currentForm = element->form())
+ currentForm->prepareForSubmission(event); // Event handlers can run.
+
element->setActivatedSubmit(false);
event.setDefaultHandled();
}
Modified: releases/WebKitGTK/webkit-2.20/Source/WebCore/html/SubmitInputType.cpp (234407 => 234408)
--- releases/WebKitGTK/webkit-2.20/Source/WebCore/html/SubmitInputType.cpp 2018-07-31 07:01:00 UTC (rev 234407)
+++ releases/WebKitGTK/webkit-2.20/Source/WebCore/html/SubmitInputType.cpp 2018-07-31 07:01:09 UTC (rev 234408)
@@ -64,8 +64,16 @@
Ref<HTMLInputElement> element(this->element());
if (element->isDisabledFormControl() || !element->form())
return;
+
+ Ref<HTMLFormElement> protectedForm(*element->form());
+
+ // Update layout before processing form actions in case the style changes
+ // the Form or button relationships.
+ element->document().updateLayoutIgnorePendingStylesheets();
+
element->setActivatedSubmit(true);
- element->form()->prepareForSubmission(event); // Event handlers can run.
+ if (auto currentForm = element->form())
+ currentForm->prepareForSubmission(event); // Event handlers can run.
element->setActivatedSubmit(false);
event.setDefaultHandled();
}
