[webkit-changes] [166236] trunk

[ddkilzer]

Title: [166236] trunk

Revision

166236

Author

ddkil...@apple.com

Date

2014-03-25 09:42:15 -0700 (Tue, 25 Mar 2014)

Log Message

Hold a reference to firstSuccessfulSubmitButton in HTMLFormElement::submit
<http://webkit.org/b/130713>
<rdar://problem/15661876>

Reviewed by Darin Adler.

Merged from Blink (patch by Ian Beer):
http://crbug.com/303657
https://src.chromium.org/viewvc/blink?view=rev&revision=158938

Source/WebCore:

Test: fast/forms/form-submission-crash-successful-submit-button.html

* html/HTMLFormElement.cpp:
(WebCore::HTMLFormElement::submit):

LayoutTests:

* fast/forms/form-submission-crash-successful-submit-button-expected.txt: Added.
* fast/forms/form-submission-crash-successful-submit-button.html: Added.

Modified Paths

• trunk/LayoutTests/ChangeLog
• trunk/Source/WebCore/ChangeLog
• trunk/Source/WebCore/html/HTMLFormElement.cpp

Added Paths

• trunk/LayoutTests/fast/forms/form-submission-crash-successful-submit-button-expected.txt
• trunk/LayoutTests/fast/forms/form-submission-crash-successful-submit-button.html

Diff

Modified: trunk/LayoutTests/ChangeLog (166235 => 166236)

--- trunk/LayoutTests/ChangeLog	2014-03-25 15:53:39 UTC (rev 166235)
+++ trunk/LayoutTests/ChangeLog	2014-03-25 16:42:15 UTC (rev 166236)
@@ -1,3 +1,18 @@
+2014-03-25  David Kilzer  <ddkil...@apple.com>
+
+        Hold a reference to firstSuccessfulSubmitButton in HTMLFormElement::submit
+        <http://webkit.org/b/130713>
+        <rdar://problem/15661876>
+
+        Reviewed by Darin Adler.
+
+        Merged from Blink (patch by Ian Beer):
+        http://crbug.com/303657
+        https://src.chromium.org/viewvc/blink?view=rev&revision=158938
+
+        * fast/forms/form-submission-crash-successful-submit-button-expected.txt: Added.
+        * fast/forms/form-submission-crash-successful-submit-button.html: Added.
+
 2014-03-20  Sergio Villar Senin  <svil...@igalia.com>
 
         [CSS Grid Layout] Vertical rectangles not considered as valid grid areas

Added: trunk/LayoutTests/fast/forms/form-submission-crash-successful-submit-button-expected.txt (0 => 166236)

--- trunk/LayoutTests/fast/forms/form-submission-crash-successful-submit-button-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/forms/form-submission-crash-successful-submit-button-expected.txt	2014-03-25 16:42:15 UTC (rev 166236)
@@ -0,0 +1,5 @@
+PASS if not crashed.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/forms/form-submission-crash-successful-submit-button.html (0 => 166236)

--- trunk/LayoutTests/fast/forms/form-submission-crash-successful-submit-button.html	                        (rev 0)
+++ trunk/LayoutTests/fast/forms/form-submission-crash-successful-submit-button.html	2014-03-25 16:42:15 UTC (rev 166236)
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<body>
+<script src=""
+<script>
+jsTestIsAsync = true;
+var form1;
+var submit1;
+
+function start() {
+    form1 = document.createElement('form');
+    submit1 = document.createElement('input');
+    submit2 = document.createElement('input');
+    submit1.type = 'submit';
+    submit2.type = 'image';
+    form1.addEventListener('submit', handleSubmit, false);
+    form1.action = '';
+    form1.appendChild(submit1);
+    form1.appendChild(submit2);
+    submit1.click();
+    testPassed('if not crashed.');
+    finishJSTest();
+}
+
+function handleSubmit() {
+    form1.removeChild(submit1);
+}
+
+function removeImage() {
+    form1.removeChild(submit2);
+    submit2 = null;
+    gc();
+}
+
+window._onload_ = start;
+</script>
+<script src=""
+</body>

Modified: trunk/Source/WebCore/ChangeLog (166235 => 166236)

--- trunk/Source/WebCore/ChangeLog	2014-03-25 15:53:39 UTC (rev 166235)
+++ trunk/Source/WebCore/ChangeLog	2014-03-25 16:42:15 UTC (rev 166236)
@@ -1,3 +1,20 @@
+2014-03-25  David Kilzer  <ddkil...@apple.com>
+
+        Hold a reference to firstSuccessfulSubmitButton in HTMLFormElement::submit
+        <http://webkit.org/b/130713>
+        <rdar://problem/15661876>
+
+        Reviewed by Darin Adler.
+
+        Merged from Blink (patch by Ian Beer):
+        http://crbug.com/303657
+        https://src.chromium.org/viewvc/blink?view=rev&revision=158938
+
+        Test: fast/forms/form-submission-crash-successful-submit-button.html
+
+        * html/HTMLFormElement.cpp:
+        (WebCore::HTMLFormElement::submit):
+
 2014-03-25  Gabor Rapcsanyi  <rga...@webkit.org>
 
         [ARM64] GNU assembler fails in TransformationMatrix::multiply

Modified: trunk/Source/WebCore/html/HTMLFormElement.cpp (166235 => 166236)

--- trunk/Source/WebCore/html/HTMLFormElement.cpp	2014-03-25 15:53:39 UTC (rev 166235)
+++ trunk/Source/WebCore/html/HTMLFormElement.cpp	2014-03-25 16:42:15 UTC (rev 166236)
@@ -333,7 +333,7 @@
     m_isSubmittingOrPreparingForSubmission = true;
     m_wasUserSubmitted = processingUserGesture;
 
-    HTMLFormControlElement* firstSuccessfulSubmitButton = 0;
+    RefPtr<HTMLFormControlElement> firstSuccessfulSubmitButton;
     bool needButtonActivation = activateSubmitButton; // do we need to activate a submit button?
 
     for (unsigned i = 0; i < m_associatedElements.size(); ++i) {

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes