Changeset 238912 in webkit


Timestamp:
Dec 5, 2018 3:06:49 PM (5 years ago)
Author:
rniwa@webkit.org
Message:

Null pointer crash in DocumentOrderedMap::getElementById via FormAssociatedElement::findAssociatedForm
https://bugs.webkit.org/show_bug.cgi?id=192392

Reviewed by Dean Jackson.

Source/WebCore:

The crash was caused by FormAssociatedElement::findAssociatedForm invoking DocumentOrderedMap::getElementById
and de-referencing nullptr Attribute* via IdTargetObserver before Element::attributeChanged had updated
ElementData::m_idForStyleResolution.

Fixed it by updating m_idForStyleResolution before invoking IdTargetObservers.

Test: fast/dom/remove-id-form-associated-elemet-id-observer-crash.html

  • dom/Element.cpp:

(WebCore::Element::attributeChanged): Fixed the bug.

LayoutTests:

Added a regression test.

  • fast/dom/remove-id-form-associated-elemet-id-observer-crash-expected.txt: Added.
  • fast/dom/remove-id-form-associated-elemet-id-observer-crash.html: Added.
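The trigger described in the message, a form-associated element whose form="" attribute observes a form's id through an IdTargetObserver and then has that id removed out from under it, can be reconstructed as a layout-test style page. This is an added example in the shape of such a test, not the contents of the regression test named above; the element names, the id value and the PASS/FAIL check are assumptions, and the only fact taken from the change is that the observer is notified from Element::attributeChanged when the id attribute changes.

```html
<!DOCTYPE html>
<!-- Added example, not the regression test from the change. Assumed shape:
     the input's form="target" registers an id observer for "target"; removing
     the id from the form notifies that observer, which re-enters
     DocumentOrderedMap::getElementById via FormAssociatedElement::findAssociatedForm. -->
<form id="target"></form>
<input form="target">
<script>
  if (window.testRunner)
      testRunner.dumpAsText();

  const form = document.getElementById('target');
  const input = document.querySelector('input');

  // Removing the id attribute goes through Element::attributeChanged with
  // name == idAttr, an empty newValue and a non-empty oldValue, so the
  // observer registered for the old id is notified.
  form.removeAttribute('id');

  // If the page survives, check the DOM state the observer should now see:
  // the form has no id and the input no longer resolves a form owner.
  const ok = form.id === '' && input.form === null;
  document.body.appendChild(document.createTextNode(ok ? 'PASS' : 'FAIL'));
</script>
```

Under a fixed build the page prints PASS; under the build the change describes, the crash happened during removeAttribute, before the check runs, which is why a crash test only needs to reach the end of the script.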
Location:
trunk
Files:
2 added
3 edited

  • trunk/LayoutTests/ChangeLog

    r238907 r238912  
     12018-12-05  Ryosuke Niwa  <rniwa@webkit.org>
     2
     3        Null pointer crash in DocumentOrderedMap::getElementById via FormAssociatedElement::findAssociatedForm
     4        https://bugs.webkit.org/show_bug.cgi?id=192392
     5
     6        Reviewed by Dean Jackson.
     7
     8        Added a regression test.
     9
     10        * fast/dom/remove-id-form-associated-elemet-id-observer-crash-expected.txt: Added.
     11        * fast/dom/remove-id-form-associated-elemet-id-observer-crash.html: Added.
     12
    1132018-12-05  Youenn Fablet  <youenn@apple.com>
    214
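Review bot: the new test and its expectation file (lines 10 and 11 of this entry) spell "element" as "elemet" in remove-id-form-associated-elemet-id-observer-crash; the same name is referenced from the Source/WebCore ChangeLog "Test:" line, so it must stay consistent with the files on disk, but this is the only chance to rename it cheaply. Suggest renaming both files to remove-id-form-associated-element-id-observer-crash{.html,-expected.txt} and updating the three ChangeLog references before landing.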
  • trunk/Source/WebCore/ChangeLog

    r238909 r238912  
     12018-12-05  Ryosuke Niwa  <rniwa@webkit.org>
     2
     3        Null pointer crash in DocumentOrderedMap::getElementById via FormAssociatedElement::findAssociatedForm
     4        https://bugs.webkit.org/show_bug.cgi?id=192392
     5
     6        Reviewed by Dean Jackson.
     7
     8        The crash was caused by FormAssociatedElement::findAssociatedForm invoking DocumentOrderedMap::getElementById
     9        and de-referencing nullptr Attribute* via IdTargetObserver before Element::attributeChanged had updated
     10        ElementData::m_idForStyleResolution.
     11
     12        Fixed it by updating m_idForStyleResolution before invoking IdTargetObservers.
     13
     14        Test: fast/dom/remove-id-form-associated-elemet-id-observer-crash.html
     15
     16        * dom/Element.cpp:
     17        (WebCore::Element::attributeChanged): Fixed the bug.
     18
    1192018-12-05  Youenn Fablet  <youenn@apple.com>
    220
  • trunk/Source/WebCore/dom/Element.cpp

    r238771 r238912  
    15011501    if (!valueIsSameAsBefore) {
    15021502        if (name == HTMLNames::idAttr) {
    1503             if (!oldValue.isEmpty())
    1504                 treeScope().idTargetObserverRegistry().notifyObservers(*oldValue.impl());
    1505             if (!newValue.isEmpty())
    1506                 treeScope().idTargetObserverRegistry().notifyObservers(*newValue.impl());
    1507 
    15081503            AtomicString oldId = elementData()->idForStyleResolution();
    15091504            AtomicString newId = makeIdForStyleResolution(newValue, document().inQuirksMode());
     
    15121507                elementData()->setIdForStyleResolution(newId);
    15131508            }
     1509
     1510            if (!oldValue.isEmpty())
     1511                treeScope().idTargetObserverRegistry().notifyObservers(*oldValue.impl());
     1512            if (!newValue.isEmpty())
     1513                treeScope().idTargetObserverRegistry().notifyObservers(*newValue.impl());
    15141514        } else if (name == classAttr)
    15151515            classAttributeChanged(newValue);
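Review bot: the two notifyObservers calls that now follow setIdForStyleResolution (new lines 1510-1513) have no comment saying why they must stay after the idForStyleResolution update, which is the whole fix here; a future refactor that hoists them back above the `oldId`/`newId` computation would silently reintroduce the re-entrancy. Suggest a one-line comment above line 1510 along the lines of `// Observers may re-enter getElementById; idForStyleResolution must already be updated.` so the ordering constraint is recorded next to the code rather than only in the ChangeLog.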