Fix an edge case where HTMLFormElement::removeFormElement is invoked twice with the same element

https://bugs.webkit.org/show_bug.cgi?id=195663
<rdar://problem/48576391>

Reviewed by Ryosuke Niwa.

Source/WebCore:

Currently, it's possible for HTMLFormControlElement's destructor to be reentrant. This may happen if the form control element is ref'd while carrying out its destructor's logic. This may happen in two places in HTMLFormControlElement (didChangeForm and resetDefaultButton), both of which actually don't require ensuring a protected reference to the form control element since they should never result in any script execution.

To fix the bug, convert these strong references into raw pointers, and add ScriptDisallowedScope to ensure that we don't change these codepaths in the future, such that they trigger arbitrary script execution.

Test: fast/forms/remove-associated-element-after-gc.html

* html/HTMLFormControlElement.cpp:
(WebCore::HTMLFormControlElement::didChangeForm):
* html/HTMLFormElement.cpp:
(WebCore::HTMLFormElement::resetDefaultButton):

LayoutTests:

Add a layout test to exercise the scenario described in the WebCore ChangeLog.

* fast/forms/remove-associated-element-after-gc-expected.txt: Added.
* fast/forms/remove-associated-element-after-gc.html: Added.

Canonical link: https://commits.webkit.org/210008@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@242917 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2019-03-13 23:18:26 +00:00
PASS