Title: [238912] trunk
Revision: 238912
Author: [email protected]
Date: 2018-12-05 15:06:49 -0800 (Wed, 05 Dec 2018)

Log Message

Null pointer crash in DocumentOrderedMap::getElementById via FormAssociatedElement::findAssociatedForm
https://bugs.webkit.org/show_bug.cgi?id=192392

Reviewed by Dean Jackson.

Source/WebCore:

The crash was caused by FormAssociatedElement::findAssociatedForm invoking DocumentOrderedMap::getElementById
and de-referencing nullptr Attribute* via IdTargetObserver before Element::attributeChanged had updated
ElementData::m_idForStyleResolution.

Fixed it by updating m_idForStyleResolution before invoking IdTargetObservers.

Test: fast/dom/remove-id-form-associated-elemet-id-observer-crash.html

* dom/Element.cpp:
(WebCore::Element::attributeChanged): Fixed the bug.

LayoutTests:

Added a regression test.

* fast/dom/remove-id-form-associated-elemet-id-observer-crash-expected.txt: Added.
* fast/dom/remove-id-form-associated-elemet-id-observer-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (238911 => 238912)


--- trunk/LayoutTests/ChangeLog	2018-12-05 22:44:30 UTC (rev 238911)
+++ trunk/LayoutTests/ChangeLog	2018-12-05 23:06:49 UTC (rev 238912)
@@ -1,3 +1,15 @@
+2018-12-05  Ryosuke Niwa  <[email protected]>
+
+        Null pointer crash in DocumentOrderedMap::getElementById via FormAssociatedElement::findAssociatedForm
+        https://bugs.webkit.org/show_bug.cgi?id=192392
+
+        Reviewed by Dean Jackson.
+
+        Added a regression test.
+
+        * fast/dom/remove-id-form-associated-elemet-id-observer-crash-expected.txt: Added.
+        * fast/dom/remove-id-form-associated-elemet-id-observer-crash.html: Added.
+
 2018-12-05  Youenn Fablet  <[email protected]>
 
         [iOS] Layout Test imported/w3c/web-platform-tests/service-workers/service-worker/fetch-cors-xhr.https.html is a flaky failure
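Review bot: the two test file names added in this hunk contain the misspelling "elemet" (remove-id-form-associated-elemet-id-observer-crash); since layout tests are referenced by path from the ChangeLog and from test expectations, renaming to "element" before landing avoids carrying the typo through every later reference.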

Added: trunk/LayoutTests/fast/dom/remove-id-form-associated-elemet-id-observer-crash-expected.txt (0 => 238912)


--- trunk/LayoutTests/fast/dom/remove-id-form-associated-elemet-id-observer-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/remove-id-form-associated-elemet-id-observer-crash-expected.txt	2018-12-05 23:06:49 UTC (rev 238912)
@@ -0,0 +1,3 @@
+This tests removing the id from an element when there is a form associated element observing the same ID. WebKit should not crash.
+
+PASS

Added: trunk/LayoutTests/fast/dom/remove-id-form-associated-elemet-id-observer-crash.html (0 => 238912)


--- trunk/LayoutTests/fast/dom/remove-id-form-associated-elemet-id-observer-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/remove-id-form-associated-elemet-id-observer-crash.html	2018-12-05 23:06:49 UTC (rev 238912)
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>This tests removing the id from an element when there is a form associated element observing the same ID.
+WebKit should not crash.</p>
+<div id="container">
+<p id="foo"></p>
+<form id="foo"></form>
+<fieldset form="foo"></fieldset>
+</div>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+document.querySelector('#container p').removeAttribute('id');
+container.remove();
+document.write('PASS');
+</script>
+</body>
+</html>
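Review bot: `container.remove();` on the line after `removeAttribute('id')` relies on named property access on `window` (the element with id="container" being exposed as a global), which works in WebKit but is implicit; `document.getElementById('container').remove();` makes the test self-explanatory. Also note the test only exercises the path where the id is removed (old value "foo", new value empty); changing the id to a different non-empty value while the `<fieldset form="foo">` observer is registered would cover the other notification branch too.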

Modified: trunk/Source/WebCore/ChangeLog (238911 => 238912)


--- trunk/Source/WebCore/ChangeLog	2018-12-05 22:44:30 UTC (rev 238911)
+++ trunk/Source/WebCore/ChangeLog	2018-12-05 23:06:49 UTC (rev 238912)
@@ -1,3 +1,21 @@
+2018-12-05  Ryosuke Niwa  <[email protected]>
+
+        Null pointer crash in DocumentOrderedMap::getElementById via FormAssociatedElement::findAssociatedForm
+        https://bugs.webkit.org/show_bug.cgi?id=192392
+
+        Reviewed by Dean Jackson.
+
+        The crash was caused by FormAssociatedElement::findAssociatedForm invoking DocumentOrderedMap::getElementById
+        and de-referencing nullptr Attribute* via IdTargetObserver before Element::attributeChanged had updated
+        ElementData::m_idForStyleResolution.
+
+        Fixed it by updating m_idForStyleResolution before invoking IdTargetObservers.
+
+        Test: fast/dom/remove-id-form-associated-elemet-id-observer-crash.html
+
+        * dom/Element.cpp:
+        (WebCore::Element::attributeChanged): Fixed the bug.
+
 2018-12-05  Youenn Fablet  <[email protected]>
 
         Enable the possibility to do video capture in UIProcess
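Review bot: the per-function entry `(WebCore::Element::attributeChanged): Fixed the bug.` says nothing about what changed; WebKit ChangeLog convention is to describe the edit, e.g. "Moved the IdTargetObserverRegistry notifications after setIdForStyleResolution so observers see the updated id."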

Modified: trunk/Source/WebCore/dom/Element.cpp (238911 => 238912)


--- trunk/Source/WebCore/dom/Element.cpp	2018-12-05 22:44:30 UTC (rev 238911)
+++ trunk/Source/WebCore/dom/Element.cpp	2018-12-05 23:06:49 UTC (rev 238912)
@@ -1500,11 +1500,6 @@
 
     if (!valueIsSameAsBefore) {
         if (name == HTMLNames::idAttr) {
-            if (!oldValue.isEmpty())
-                treeScope().idTargetObserverRegistry().notifyObservers(*oldValue.impl());
-            if (!newValue.isEmpty())
-                treeScope().idTargetObserverRegistry().notifyObservers(*newValue.impl());
-
             AtomicString oldId = elementData()->idForStyleResolution();
             AtomicString newId = makeIdForStyleResolution(newValue, document().inQuirksMode());
             if (newId != oldId) {
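Review bot: on its own this hunk only deletes the two `notifyObservers` calls, so observers of the old and new id would no longer be told about the change; the re-insertion after `setIdForStyleResolution` is in the next hunk, and nothing in the code documents that the two steps must stay in this order. A short comment at the removal site, along the lines of "observers must be notified after idForStyleResolution is updated, since they may call getElementById", would stop a future refactor from moving the calls back up.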
@@ -1511,6 +1506,11 @@
                 Style::IdChangeInvalidation styleInvalidation(*this, oldId, newId);
                 elementData()->setIdForStyleResolution(newId);
             }
+
+            if (!oldValue.isEmpty())
+                treeScope().idTargetObserverRegistry().notifyObservers(*oldValue.impl());
+            if (!newValue.isEmpty())
+                treeScope().idTargetObserverRegistry().notifyObservers(*newValue.impl());
         } else if (name == classAttr)
             classAttributeChanged(newValue);
         else if (name == HTMLNames::nameAttr)
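Review bot: the notifications are now placed after the `if (newId != oldId)` block, so they still fire whenever `valueIsSameAsBefore` is false, which preserves the previous behaviour; the only change is ordering relative to `setIdForStyleResolution`. Since the observers run after `Style::IdChangeInvalidation` has gone out of scope, a code comment stating that observer callbacks may run arbitrary code (the ChangeLog names FormAssociatedElement::findAssociatedForm) and therefore must see fully updated element data would make the constraint explicit at the new call site.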