Title: [259500] branches/safari-609.2.1.2-branch/Source/WebCore
- Revision
- 259500
- Author
- [email protected]
- Date
- 2020-04-03 12:58:14 -0700 (Fri, 03 Apr 2020)
Log Message
Cherry-pick r259244. rdar://problem/61231864
Assertion failure in HTMLFormElement::formElementIndex
https://bugs.webkit.org/show_bug.cgi?id=209643
Reviewed by Darin Adler.
The bug was caused by FormAssociatedElement::findAssociatedForm finding a wrong form element
when it's called on an element which appears later in the removed subtree.
When we find the new form element to associate this element with, check to make sure its root
element is that of the tree scope. This condition will be false if this element is in in the midst
of being removed.
* html/FormAssociatedElement.cpp:
(WebCore::FormAssociatedElement::findAssociatedForm):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@259244 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
Diff
Modified: branches/safari-609.2.1.2-branch/Source/WebCore/ChangeLog (259499 => 259500)
--- branches/safari-609.2.1.2-branch/Source/WebCore/ChangeLog 2020-04-03 19:58:11 UTC (rev 259499)
+++ branches/safari-609.2.1.2-branch/Source/WebCore/ChangeLog 2020-04-03 19:58:14 UTC (rev 259500)
@@ -1,5 +1,44 @@
2020-04-03 Alan Coon <[email protected]>
+ Cherry-pick r259244. rdar://problem/61231864
+
+ Assertion failure in HTMLFormElement::formElementIndex
+ https://bugs.webkit.org/show_bug.cgi?id=209643
+
+ Reviewed by Darin Adler.
+
+ The bug was caused by FormAssociatedElement::findAssociatedForm finding a wrong form element
+ when it's called on an element which appears later in the removed subtree.
+
+ When we find the new form element to associate this element with, check to make sure its root
+ element is that of the tree scope. This condition will be false if this element is in in the midst
+ of being removed.
+
+ * html/FormAssociatedElement.cpp:
+ (WebCore::FormAssociatedElement::findAssociatedForm):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@259244 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-03-27 Ryosuke Niwa <[email protected]>
+
+ Assertion failure in HTMLFormElement::formElementIndex
+ https://bugs.webkit.org/show_bug.cgi?id=209643
+
+ Reviewed by Darin Adler.
+
+ The bug was caused by FormAssociatedElement::findAssociatedForm finding a wrong form element
+ when it's called on an element which appears later in the removed subtree.
+
+ When we find the new form element to associate this element with, check to make sure its root
+ element is that of the tree scope. This condition will be false if this element is in in the midst
+ of being removed.
+
+ * html/FormAssociatedElement.cpp:
+ (WebCore::FormAssociatedElement::findAssociatedForm):
+
+2020-04-03 Alan Coon <[email protected]>
+
Cherry-pick r258799. rdar://problem/61231946
Content-Type & Nosniff Ignored on XML External Entity Resources
Modified: branches/safari-609.2.1.2-branch/Source/WebCore/html/FormAssociatedElement.cpp (259499 => 259500)
--- branches/safari-609.2.1.2-branch/Source/WebCore/html/FormAssociatedElement.cpp 2020-04-03 19:58:11 UTC (rev 259499)
+++ branches/safari-609.2.1.2-branch/Source/WebCore/html/FormAssociatedElement.cpp 2020-04-03 19:58:14 UTC (rev 259500)
@@ -108,9 +108,12 @@
// the value of form attribute, so we put the result of
// treeScope().getElementById() over the given element.
RefPtr<Element> newFormCandidate = element->treeScope().getElementById(formId);
- if (is<HTMLFormElement>(newFormCandidate))
+ if (!is<HTMLFormElement>(newFormCandidate))
+ return nullptr;
+ if (&element->traverseToRootNode() == &element->treeScope().rootNode()) {
+ ASSERT(&element->traverseToRootNode() == &newFormCandidate->traverseToRootNode());
return downcast<HTMLFormElement>(newFormCandidate.get());
- return nullptr;
+ }
}
if (!currentAssociatedForm)
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
