Diff
Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/ChangeLog (189780 => 189781)
--- releases/WebKitGTK/webkit-2.10/LayoutTests/ChangeLog 2015-09-15 06:53:31 UTC (rev 189780)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/ChangeLog 2015-09-15 06:59:24 UTC (rev 189781)
@@ -1,3 +1,24 @@
+2015-09-07 Daniel Bates <daba...@apple.com>
+
+ ASSERT_WITH_SECURITY_IMPLICATION in WebCore::DocumentOrderedMap::get(); update form
+ association after subtree insertion
+ https://bugs.webkit.org/show_bug.cgi?id=148919
+ <rdar://problem/21868036>
+
+ Reviewed by Andy Estes.
+
+ Add tests to ensure that updating the form association of a form control in a subtree
+ does not cause an assertion failure.
+
+ * fast/forms/update-form-owner-in-moved-subtree-assertion-failure-2-expected.txt: Added.
+ * fast/forms/update-form-owner-in-moved-subtree-assertion-failure-2.html: Added.
+ * fast/forms/update-form-owner-in-moved-subtree-assertion-failure-3-expected.txt: Added.
+ * fast/forms/update-form-owner-in-moved-subtree-assertion-failure-3.html: Added.
+ * fast/forms/update-form-owner-in-moved-subtree-assertion-failure-4-expected.txt: Added.
+ * fast/forms/update-form-owner-in-moved-subtree-assertion-failure-4.html: Added.
+ * fast/forms/update-form-owner-in-moved-subtree-assertion-failure-expected.txt: Added.
+ * fast/forms/update-form-owner-in-moved-subtree-assertion-failure.html: Added.
+
2015-09-06 Youenn Fablet <youenn.fab...@crf.canon.fr>
XHR2 timeout property should allow late updates
Added: releases/WebKitGTK/webkit-2.10/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-2-expected.txt (0 => 189781)
--- releases/WebKitGTK/webkit-2.10/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-2-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-2-expected.txt 2015-09-15 06:59:24 UTC (rev 189781)
@@ -0,0 +1,2 @@
+
+PASS, this test did not cause an assertion failure.
Added: releases/WebKitGTK/webkit-2.10/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-2.html (0 => 189781)
--- releases/WebKitGTK/webkit-2.10/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-2.html (rev 0)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-2.html 2015-09-15 06:59:24 UTC (rev 189781)
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+</head>
+<body>
+<div id="container"></div>
+<div id="subtreeToMove">
+ <object form="A"></object>
+ <div id="A"></div>
+</div>
+<div id="A"></div>
+<p>PASS, this test did not cause an assertion failure.</p>
+<script>
+var container = document.getElementById("container");
+var subtreeToMove = document.getElementById("subtreeToMove");
+container.appendChild(subtreeToMove);
+</script>
+</body>
+</html>
Added: releases/WebKitGTK/webkit-2.10/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-3-expected.txt (0 => 189781)
--- releases/WebKitGTK/webkit-2.10/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-3-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-3-expected.txt 2015-09-15 06:59:24 UTC (rev 189781)
@@ -0,0 +1,2 @@
+
+PASS, this test did not cause an assertion failure.
Added: releases/WebKitGTK/webkit-2.10/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-3.html (0 => 189781)
--- releases/WebKitGTK/webkit-2.10/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-3.html (rev 0)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-3.html 2015-09-15 06:59:24 UTC (rev 189781)
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+</head>
+<body>
+<div id="container"></div>
+<div id="subtreeToMove">
+ <select form="A"></select>
+ <div id="A"></div>
+</div>
+<div id="A"></div>
+<p>PASS, this test did not cause an assertion failure.</p>
+<script>
+var container = document.getElementById("container");
+var subtreeToMove = document.getElementById("subtreeToMove");
+container.appendChild(subtreeToMove);
+</script>
+</body>
+</html>
Added: releases/WebKitGTK/webkit-2.10/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-4-expected.txt (0 => 189781)
--- releases/WebKitGTK/webkit-2.10/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-4-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-4-expected.txt 2015-09-15 06:59:24 UTC (rev 189781)
@@ -0,0 +1,2 @@
+
+PASS, this test did not cause an assertion failure.
Added: releases/WebKitGTK/webkit-2.10/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-4.html (0 => 189781)
--- releases/WebKitGTK/webkit-2.10/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-4.html (rev 0)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-4.html 2015-09-15 06:59:24 UTC (rev 189781)
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+</head>
+<body>
+<div id="container"></div>
+<div id="subtreeToMove">
+ <input type="text" form="A">
+ <div id="A"></div>
+</div>
+<div id="A"></div>
+<p>PASS, this test did not cause an assertion failure.</p>
+<script>
+var container = document.getElementById("container");
+var subtreeToMove = document.getElementById("subtreeToMove");
+container.appendChild(subtreeToMove);
+</script>
+</body>
+</html>
Added: releases/WebKitGTK/webkit-2.10/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-expected.txt (0 => 189781)
--- releases/WebKitGTK/webkit-2.10/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-expected.txt 2015-09-15 06:59:24 UTC (rev 189781)
@@ -0,0 +1,2 @@
+
+PASS, this test did not cause an assertion failure.
Added: releases/WebKitGTK/webkit-2.10/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure.html (0 => 189781)
--- releases/WebKitGTK/webkit-2.10/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure.html (rev 0)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure.html 2015-09-15 06:59:24 UTC (rev 189781)
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+</head>
+<body>
+<div id="container"></div>
+<div id="subtreeToMove">
+ <keygen form="A">
+ <select id="A"></select>
+</div>
+<div id="A"></div>
+<p>PASS, this test did not cause an assertion failure.</p>
+<script>
+var container = document.getElementById("container");
+var subtreeToMove = document.getElementById("subtreeToMove");
+container.appendChild(subtreeToMove);
+</script>
+</body>
+</html>
Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/ChangeLog (189780 => 189781)
--- releases/WebKitGTK/webkit-2.10/Source/WebCore/ChangeLog 2015-09-15 06:53:31 UTC (rev 189780)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/ChangeLog 2015-09-15 06:59:24 UTC (rev 189781)
@@ -1,3 +1,52 @@
+2015-09-07 Daniel Bates <daba...@apple.com>
+
+ ASSERT_WITH_SECURITY_IMPLICATION in WebCore::DocumentOrderedMap::get(); update form
+ association after subtree insertion
+ https://bugs.webkit.org/show_bug.cgi?id=148919
+ <rdar://problem/21868036>
+
+ Reviewed by Andy Estes.
+
+ Currently we update the form association of a form control upon insertion into
+ the document. Instead we should update the form association of a form control
+ after its containing subtree is inserted into the document to avoid an assertion
+ failure when the containing subtree has an element whose id is identical to both
+ the id of some other element in the document and the name of the form referenced
+ by the inserted form control.
+
+ Tests: fast/forms/update-form-owner-in-moved-subtree-assertion-failure-2.html
+ fast/forms/update-form-owner-in-moved-subtree-assertion-failure-3.html
+ fast/forms/update-form-owner-in-moved-subtree-assertion-failure-4.html
+ fast/forms/update-form-owner-in-moved-subtree-assertion-failure.html
+
+ * html/FormAssociatedElement.cpp:
+ (WebCore::FormAssociatedElement::insertedInto): Moved resetFormOwner() from here
+ to {HTMLFormControlElement, HTMLObjectElement}::finishedInsertingSubtree().
+ * html/HTMLFormControlElement.cpp:
+ (WebCore::HTMLFormControlElement::insertedInto): Return InsertionShouldCallFinishedInsertingSubtree
+ so that HTMLFormControlElement::finishedInsertingSubtree() is called.
+ (WebCore::HTMLFormControlElement::finishedInsertingSubtree): Added; turn around and
+ call FormAssociatedElement::resetFormOwner().
+ * html/HTMLFormControlElement.h:
+ * html/HTMLInputElement.cpp:
+ (WebCore::HTMLInputElement::insertedInto): Return InsertionShouldCallFinishedInsertingSubtree so
+ that HTMLInputElement::finishedInsertingSubtree() is called and move logic to update radio button
+ group from here...
+ (WebCore::HTMLInputElement::finishedInsertingSubtree): to here.
+ * html/HTMLInputElement.h:
+ * html/HTMLObjectElement.cpp:
+ (WebCore::HTMLObjectElement::insertedInto): Return InsertionShouldCallFinishedInsertingSubtree so
+ that HTMLObjectElement::finishedInsertingSubtree() is called.
+ (WebCore::HTMLObjectElement::finishedInsertingSubtree): Added; turn around and
+ call FormAssociatedElement::resetFormOwner().
+ * html/HTMLObjectElement.h:
+ * html/HTMLSelectElement.cpp:
+ (WebCore::HTMLSelectElement::insertedInto): Modified to return the result of
+ HTMLFormControlElementWithState::insertedInto(), which may schedule a callback after subtree
+ insertion.
+ * html/HTMLTextFormControlElement.cpp:
+ (WebCore::HTMLTextFormControlElement::insertedInto): Ditto.
+
2015-09-06 Youenn Fablet <youenn.fab...@crf.canon.fr>
XHR2 timeout property should allow late updates
Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/html/FormAssociatedElement.cpp (189780 => 189781)
--- releases/WebKitGTK/webkit-2.10/Source/WebCore/html/FormAssociatedElement.cpp 2015-09-15 06:53:31 UTC (rev 189780)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/html/FormAssociatedElement.cpp 2015-09-15 06:59:24 UTC (rev 189781)
@@ -68,7 +68,6 @@
void FormAssociatedElement::insertedInto(ContainerNode& insertionPoint)
{
- resetFormOwner();
if (!insertionPoint.inDocument())
return;
Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/html/HTMLFormControlElement.cpp (189780 => 189781)
--- releases/WebKitGTK/webkit-2.10/Source/WebCore/html/HTMLFormControlElement.cpp 2015-09-15 06:53:31 UTC (rev 189780)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/html/HTMLFormControlElement.cpp 2015-09-15 06:59:24 UTC (rev 189781)
@@ -260,8 +260,12 @@
setNeedsWillValidateCheck();
HTMLElement::insertedInto(insertionPoint);
FormAssociatedElement::insertedInto(insertionPoint);
+ return InsertionShouldCallFinishedInsertingSubtree;
+}
- return InsertionDone;
+void HTMLFormControlElement::finishedInsertingSubtree()
+{
+ resetFormOwner();
}
void HTMLFormControlElement::removedFrom(ContainerNode& insertionPoint)
Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/html/HTMLFormControlElement.h (189780 => 189781)
--- releases/WebKitGTK/webkit-2.10/Source/WebCore/html/HTMLFormControlElement.h 2015-09-15 06:53:31 UTC (rev 189780)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/html/HTMLFormControlElement.h 2015-09-15 06:59:24 UTC (rev 189781)
@@ -129,6 +129,7 @@
virtual void requiredAttributeChanged();
virtual void didAttachRenderers() override;
virtual InsertionNotificationRequest insertedInto(ContainerNode&) override;
+ void finishedInsertingSubtree() override;
virtual void removedFrom(ContainerNode&) override;
virtual void didMoveToNewDocument(Document* oldDocument) override;
Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/html/HTMLInputElement.cpp (189780 => 189781)
--- releases/WebKitGTK/webkit-2.10/Source/WebCore/html/HTMLInputElement.cpp 2015-09-15 06:53:31 UTC (rev 189780)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/html/HTMLInputElement.cpp 2015-09-15 06:59:24 UTC (rev 189781)
@@ -1473,14 +1473,19 @@
Node::InsertionNotificationRequest HTMLInputElement::insertedInto(ContainerNode& insertionPoint)
{
HTMLTextFormControlElement::insertedInto(insertionPoint);
- if (insertionPoint.inDocument() && !form())
- addToRadioButtonGroup();
#if ENABLE(DATALIST_ELEMENT)
resetListAttributeTargetObserver();
#endif
- return InsertionDone;
+ return InsertionShouldCallFinishedInsertingSubtree;
}
+void HTMLInputElement::finishedInsertingSubtree()
+{
+ HTMLTextFormControlElement::finishedInsertingSubtree();
+ if (inDocument() && !form())
+ addToRadioButtonGroup();
+}
+
void HTMLInputElement::removedFrom(ContainerNode& insertionPoint)
{
if (insertionPoint.inDocument() && !form())
Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/html/HTMLInputElement.h (189780 => 189781)
--- releases/WebKitGTK/webkit-2.10/Source/WebCore/html/HTMLInputElement.h 2015-09-15 06:53:31 UTC (rev 189780)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/html/HTMLInputElement.h 2015-09-15 06:59:24 UTC (rev 189781)
@@ -335,6 +335,7 @@
virtual void willChangeForm() override final;
virtual void didChangeForm() override final;
virtual InsertionNotificationRequest insertedInto(ContainerNode&) override final;
+ void finishedInsertingSubtree() override final;
virtual void removedFrom(ContainerNode&) override final;
virtual void didMoveToNewDocument(Document* oldDocument) override final;
Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/html/HTMLObjectElement.cpp (189780 => 189781)
--- releases/WebKitGTK/webkit-2.10/Source/WebCore/html/HTMLObjectElement.cpp 2015-09-15 06:53:31 UTC (rev 189780)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/html/HTMLObjectElement.cpp 2015-09-15 06:59:24 UTC (rev 189781)
@@ -337,9 +337,14 @@
{
HTMLPlugInImageElement::insertedInto(insertionPoint);
FormAssociatedElement::insertedInto(insertionPoint);
- return InsertionDone;
+ return InsertionShouldCallFinishedInsertingSubtree;
}
+void HTMLObjectElement::finishedInsertingSubtree()
+{
+ resetFormOwner();
+}
+
void HTMLObjectElement::removedFrom(ContainerNode& insertionPoint)
{
HTMLPlugInImageElement::removedFrom(insertionPoint);
Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/html/HTMLObjectElement.h (189780 => 189781)
--- releases/WebKitGTK/webkit-2.10/Source/WebCore/html/HTMLObjectElement.h 2015-09-15 06:53:31 UTC (rev 189780)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/html/HTMLObjectElement.h 2015-09-15 06:59:24 UTC (rev 189781)
@@ -63,6 +63,7 @@
virtual void collectStyleForPresentationAttribute(const QualifiedName&, const AtomicString&, MutableStyleProperties&) override;
virtual InsertionNotificationRequest insertedInto(ContainerNode&) override;
+ void finishedInsertingSubtree() override final;
virtual void removedFrom(ContainerNode&) override;
virtual void didMoveToNewDocument(Document* oldDocument) override;
Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/html/HTMLSelectElement.cpp (189780 => 189781)
--- releases/WebKitGTK/webkit-2.10/Source/WebCore/html/HTMLSelectElement.cpp 2015-09-15 06:53:31 UTC (rev 189780)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/html/HTMLSelectElement.cpp 2015-09-15 06:59:24 UTC (rev 189781)
@@ -1590,8 +1590,7 @@
// items yet - but for innerHTML and related methods, this method is called
// after the whole subtree is constructed.
recalcListItems();
- HTMLFormControlElementWithState::insertedInto(insertionPoint);
- return InsertionDone;
+ return HTMLFormControlElementWithState::insertedInto(insertionPoint);
}
void HTMLSelectElement::accessKeySetSelectedIndex(int index)
Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/html/HTMLTextFormControlElement.cpp (189780 => 189781)
--- releases/WebKitGTK/webkit-2.10/Source/WebCore/html/HTMLTextFormControlElement.cpp 2015-09-15 06:53:31 UTC (rev 189780)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/html/HTMLTextFormControlElement.cpp 2015-09-15 06:59:24 UTC (rev 189781)
@@ -78,12 +78,12 @@
Node::InsertionNotificationRequest HTMLTextFormControlElement::insertedInto(ContainerNode& insertionPoint)
{
- HTMLFormControlElementWithState::insertedInto(insertionPoint);
+ InsertionNotificationRequest insertionNotificationRequest = HTMLFormControlElementWithState::insertedInto(insertionPoint);
if (!insertionPoint.inDocument())
- return InsertionDone;
+ return insertionNotificationRequest;
String initialValue = value();
setTextAsOfLastFormControlChangeEvent(initialValue.isNull() ? emptyString() : initialValue);
- return InsertionDone;
+ return insertionNotificationRequest;
}
void HTMLTextFormControlElement::dispatchFocusEvent(RefPtr<Element>&& oldFocusedElement, FocusDirection direction)
