Title: [106771] trunk
Revision: 106771
Author: [email protected]
Date: 2012-02-05 19:53:42 -0800 (Sun, 05 Feb 2012)

Log Message

Crash in FormSubmission::create.
https://bugs.webkit.org/show_bug.cgi?id=77813

Reviewed by Kent Tamura.

Source/WebCore:

Test: fast/forms/form-submission-create-crash.xhtml

* loader/FormSubmission.cpp:
(WebCore::FormSubmission::create):

LayoutTests:

* fast/forms/form-submission-create-crash-expected.txt: Added.
* fast/forms/form-submission-create-crash.xhtml: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (106770 => 106771)


--- trunk/LayoutTests/ChangeLog	2012-02-06 02:25:23 UTC (rev 106770)
+++ trunk/LayoutTests/ChangeLog	2012-02-06 03:53:42 UTC (rev 106771)
@@ -1,3 +1,13 @@
+2012-02-05  Abhishek Arya  <[email protected]>
+
+        Crash in FormSubmission::create.
+        https://bugs.webkit.org/show_bug.cgi?id=77813
+
+        Reviewed by Kent Tamura.
+
+        * fast/forms/form-submission-create-crash-expected.txt: Added.
+        * fast/forms/form-submission-create-crash.xhtml: Added.
+
 2012-02-05  Adam Barth  <[email protected]>
 
         Rebaseline xss-inactive-closure.html.  This test "fails" because of a

Added: trunk/LayoutTests/fast/forms/form-submission-create-crash-expected.txt (0 => 106771)


--- trunk/LayoutTests/fast/forms/form-submission-create-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/forms/form-submission-create-crash-expected.txt	2012-02-06 03:53:42 UTC (rev 106771)
@@ -0,0 +1,2 @@
+Test passes if it does not crash.
+

Added: trunk/LayoutTests/fast/forms/form-submission-create-crash.xhtml (0 => 106771)


--- trunk/LayoutTests/fast/forms/form-submission-create-crash.xhtml	                        (rev 0)
+++ trunk/LayoutTests/fast/forms/form-submission-create-crash.xhtml	2012-02-06 03:53:42 UTC (rev 106771)
@@ -0,0 +1,25 @@
+<html xmlns='http://www.w3.org/1999/xhtml'>
+Test passes if it does not crash.
+<form>
+<input id="submit" type="submit" />
+</form>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+textNode = document.createTextNode("x");
+document.getElementById("submit").appendChild(textNode);
+
+runTest = function() {
+    event = document.createEvent("MouseEvent");
+    event.initEvent("click");
+    textNode.dispatchEvent(event);
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+
+setTimeout(runTest, 0);
+</script>
+</html>
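
Review bot: the test never says what it is exercising. A one-line comment above textNode.dispatchEvent(event) would help, stating that the click target is a Text node appended to the submit input so that FormSubmission::create receives a target that is not a form control. Separately, textNode, runTest and event are assigned without var and become implicit globals; declaring them with var keeps the test from clobbering anything the harness or the page already defines under those names.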

Modified: trunk/Source/WebCore/ChangeLog (106770 => 106771)


--- trunk/Source/WebCore/ChangeLog	2012-02-06 02:25:23 UTC (rev 106770)
+++ trunk/Source/WebCore/ChangeLog	2012-02-06 03:53:42 UTC (rev 106771)
@@ -1,3 +1,15 @@
+2012-02-05  Abhishek Arya  <[email protected]>
+
+        Crash in FormSubmission::create.
+        https://bugs.webkit.org/show_bug.cgi?id=77813
+
+        Reviewed by Kent Tamura.
+
+        Test: fast/forms/form-submission-create-crash.xhtml
+
+        * loader/FormSubmission.cpp:
+        (WebCore::FormSubmission::create):
+
 2012-02-05  Andreas Kling  <[email protected]>
 
         Remove unused file MappedAttributeEntry.h.
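
Review bot: the entry for (WebCore::FormSubmission::create): is left empty after the colon, so the ChangeLog records that the function changed but not why it crashed or what the fix is. A sentence there would make the entry useful on its own, for example that the event target was cast to HTMLFormControlElement without checking its type and is now only used when it is a form control element.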

Modified: trunk/Source/WebCore/loader/FormSubmission.cpp (106770 => 106771)


--- trunk/Source/WebCore/loader/FormSubmission.cpp	2012-02-06 02:25:23 UTC (rev 106770)
+++ trunk/Source/WebCore/loader/FormSubmission.cpp	2012-02-06 03:53:42 UTC (rev 106771)
@@ -142,8 +142,11 @@
     ASSERT(form);
 
     HTMLFormControlElement* submitButton = 0;
-    if (event && event->target() && event->target()->toNode())
-        submitButton = static_cast<HTMLFormControlElement*>(event->target()->toNode());
+    if (event && event->target()) {
+        Node* node = event->target()->toNode();
+        if (node && node->isElementNode() && toElement(node)->isFormControlElement())
+            submitButton = static_cast<HTMLFormControlElement*>(node);
+    }
 
     FormSubmission::Attributes copiedAttributes;
     copiedAttributes.copyFrom(attributes);
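
Review bot: with the new guard (node && node->isElementNode() && toElement(node)->isFormControlElement()), submitButton silently stays 0 whenever the event target is not itself a form control, which is exactly the layout test's case of a Text node inside the submit input. Please add a short comment saying that submitting with no submit button is the intended fallback here, as opposed to resolving the target to its enclosing control. Also note that the check admits any form control, not specifically a submit button, so the variable name promises more than the condition verifies; if later code relies on it being a submit button, that should be checked here too. The static_cast itself is fine after the type test, though a checked conversion helper, if one exists for HTMLFormControlElement, would keep the test and the cast from drifting apart.
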
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
