Title: [284656] trunk
Revision: 284656
Author: [email protected]
Date: 2021-10-21 17:09:34 -0700 (Thu, 21 Oct 2021)

Log Message

RELEASE_ASSERT(result) under FormSubmission::create()
https://bugs.webkit.org/show_bug.cgi?id=232112

Reviewed by Geoffrey Garen.

Source/WebCore:

form.submit() should early return if the form's |constructing entry list| flag is true, as per:
- https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#concept-form-submit (Step 2)

We were missing this check. As a result, we would call FormSubmission::create(), which would call
form.constructEntryList(). This would end up returning an unexpected nullptr because the
form's |constructing entry list| flag is set and we would hit the `RELEASE_ASSERT(result)` in
FormSubmission::create().

Test: fast/forms/submit-form-inside-formdata-event.html

* html/HTMLFormElement.cpp:
(WebCore::HTMLFormElement::submit):
* loader/FormSubmission.cpp:
(WebCore::FormSubmission::create):

LayoutTests:

Add layout test coverage.

* fast/forms/submit-form-inside-formdata-event-expected.txt: Added.
* fast/forms/submit-form-inside-formdata-event.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (284655 => 284656)


--- trunk/LayoutTests/ChangeLog	2021-10-22 00:08:14 UTC (rev 284655)
+++ trunk/LayoutTests/ChangeLog	2021-10-22 00:09:34 UTC (rev 284656)
@@ -1,3 +1,15 @@
+2021-10-21  Chris Dumez  <[email protected]>
+
+        RELEASE_ASSERT(result) under FormSubmission::create()
+        https://bugs.webkit.org/show_bug.cgi?id=232112
+
+        Reviewed by Geoffrey Garen.
+
+        Add layout test coverage.
+
+        * fast/forms/submit-form-inside-formdata-event-expected.txt: Added.
+        * fast/forms/submit-form-inside-formdata-event.html: Added.
+
 2021-10-21  Simon Fraser  <[email protected]>
 
         Content offset in this codepen when switching tabs

Added: trunk/LayoutTests/fast/forms/submit-form-inside-formdata-event-expected.txt (0 => 284656)


--- trunk/LayoutTests/fast/forms/submit-form-inside-formdata-event-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/forms/submit-form-inside-formdata-event-expected.txt	2021-10-22 00:09:34 UTC (rev 284656)
@@ -0,0 +1,12 @@
+Tests submitting the form again from inside the formdata event.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS counter is 1
+PASS counter is 2
+PASS The frame was navigated
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/forms/submit-form-inside-formdata-event.html (0 => 284656)


--- trunk/LayoutTests/fast/forms/submit-form-inside-formdata-event.html	                        (rev 0)
+++ trunk/LayoutTests/fast/forms/submit-form-inside-formdata-event.html	2021-10-22 00:09:34 UTC (rev 284656)
@@ -0,0 +1,32 @@
+<DOCTYPE html>
+<html>
+<body>
+<script src=""
+<script>
+description("Tests submitting the form again from inside the formdata event.");
+jsTestIsAsync = true;
+
+_onload_ = () => {
+    let form = document.getElementById("testForm");
+    let frame = document.getElementById("testFrame");
+    frame._onload_ = () => {
+        testPassed("The frame was navigated");
+        finishJSTest();
+    };
+    counter = 0;
+    form.addEventListener('formdata', e => {
+        ++counter;
+        form.submit();
+    });
+    form.submit();
+    shouldBe("counter", "1");
+    new FormData(form);
+    shouldBe("counter", "2");
+}
+</script>
+<iframe id="testFrame" name="testFrame" style="display:none"></iframe>
+<form id="testForm" action="" target="testFrame" style="display:none">
+    <input name="foo" value="bar">
+<form>
+</body>
+</html>
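Review bot: the markup at the bottom of this test never closes the form: the line after `<input name="foo" value="bar">` is `<form>` where `</form>` is intended, and the first line reads `<DOCTYPE html>` without the `!`, so as shown the file is parsed in quirks mode and relies on parser error recovery. Please fix both so the test exercises only the re-entrant submit path. Separately, the frame's load handler calls finishJSTest() on the first load, so the test would still pass if the nested form.submit() calls inside the formdata listener scheduled an extra navigation; consider counting loads in that handler before finishing.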

Modified: trunk/Source/WebCore/ChangeLog (284655 => 284656)


--- trunk/Source/WebCore/ChangeLog	2021-10-22 00:08:14 UTC (rev 284655)
+++ trunk/Source/WebCore/ChangeLog	2021-10-22 00:09:34 UTC (rev 284656)
@@ -1,3 +1,25 @@
+2021-10-21  Chris Dumez  <[email protected]>
+
+        RELEASE_ASSERT(result) under FormSubmission::create()
+        https://bugs.webkit.org/show_bug.cgi?id=232112
+
+        Reviewed by Geoffrey Garen.
+
+        form.submit() should early return if the form's |constructing entry list| flag is true, as per:
+        - https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#concept-form-submit (Step 2)
+
+        We were missing this check. As a result, we would call FormSubmission::create(), which would call
+        form.constructEntryList(). This would end up returning an unexpected nullptr because the
+        form's |constructing entry list| flag is set and we would hit the `RELEASE_ASSERT(result)` in
+        FormSubmission::create().
+
+        Test: fast/forms/submit-form-inside-formdata-event.html
+
+        * html/HTMLFormElement.cpp:
+        (WebCore::HTMLFormElement::submit):
+        * loader/FormSubmission.cpp:
+        (WebCore::FormSubmission::create):
+
 2021-10-21  Simon Fraser  <[email protected]>
 
         REGRESSION (r275641): [ iPad Debug ] accessibility/ios-simulator/scroll-in-overflow-div.html is asserting
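Review bot: the entry lists loader/FormSubmission.cpp (WebCore::FormSubmission::create) as modified but says nothing about what changed there; the prose only describes the new early return in form.submit(), and no hunk for that file appears in the diff shown on this page. Add a short description after the function name, for example whether the RELEASE_ASSERT(result) was kept, relaxed or replaced, so the log is usable without the diff.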

Modified: trunk/Source/WebCore/html/HTMLFormElement.cpp (284655 => 284656)


--- trunk/Source/WebCore/html/HTMLFormElement.cpp	2021-10-22 00:08:14 UTC (rev 284655)
+++ trunk/Source/WebCore/html/HTMLFormElement.cpp	2021-10-22 00:09:34 UTC (rev 284656)
@@ -378,6 +378,9 @@
     if (!isConnected())
         return;
 
+    if (m_isConstructingEntryList)
+        return;
+
     RefPtr<FrameView> view = document().view();
     RefPtr<Frame> frame = document().frame();
     if (!view || !frame)
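Review bot: the new `if (m_isConstructingEntryList) return;` guard carries no comment, so the reason for the silent early return lives only in the ChangeLog. A one-line comment pointing at step 2 of the HTML spec's form submit algorithm (the |constructing entry list| check cited in the log message) would keep it from being removed or reordered later. Since the log message says FormSubmission::create() hits RELEASE_ASSERT(result) when constructEntryList() returns nullptr, it is also worth confirming that no other caller can reach FormSubmission::create() while this flag is set.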
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
