Changeset 238912 in webkit
- Timestamp: Dec 5, 2018 3:06:49 PM
- Location: trunk
- Files: 2 added, 3 edited
trunk/LayoutTests/ChangeLog
r238907 r238912 1 2018-12-05 Ryosuke Niwa <rniwa@webkit.org> 2 3 Null pointer crash in DocumentOrderedMap::getElementById via FormAssociatedElement::findAssociatedForm 4 https://bugs.webkit.org/show_bug.cgi?id=192392 5 6 Reviewed by Dean Jackson. 7 8 Added a regression test. 9 10 * fast/dom/remove-id-form-associated-elemet-id-observer-crash-expected.txt: Added. 11 * fast/dom/remove-id-form-associated-elemet-id-observer-crash.html: Added. 12 1 13 2018-12-05 Youenn Fablet <youenn@apple.com> 2 14 -
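Review bot: the new test file name `fast/dom/remove-id-form-associated-elemet-id-observer-crash.html` (and its `-expected.txt`) misspells "element" as "elemet"; since the name is repeated verbatim in the WebCore ChangeLog `Test:` line, it should be corrected in all three places before landing, or it will be awkward to find later when grepping for form-associated element tests.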
trunk/Source/WebCore/ChangeLog
r238909 r238912 1 2018-12-05 Ryosuke Niwa <rniwa@webkit.org> 2 3 Null pointer crash in DocumentOrderedMap::getElementById via FormAssociatedElement::findAssociatedForm 4 https://bugs.webkit.org/show_bug.cgi?id=192392 5 6 Reviewed by Dean Jackson. 7 8 The crash was caused by FormAssociatedElement::findAssociatedForm invoking DocumentOrderedMap::getElementById 9 and de-referencing nullptr Attribute* via IdTargetObserver before Element::attributeChanged had updated 10 ElementData::m_idForStyleResolution. 11 12 Fixed it by updating m_idForStyleResolution before invoking IdTargetObservers. 13 14 Test: fast/dom/remove-id-form-associated-elemet-id-observer-crash.html 15 16 * dom/Element.cpp: 17 (WebCore::Element::attributeChanged): Fixed the bug. 18 1 19 2018-12-05 Youenn Fablet <youenn@apple.com> 2 20 -
trunk/Source/WebCore/dom/Element.cpp
r238771 r238912 1501 1501 if (!valueIsSameAsBefore) { 1502 1502 if (name == HTMLNames::idAttr) { 1503 if (!oldValue.isEmpty())1504 treeScope().idTargetObserverRegistry().notifyObservers(*oldValue.impl());1505 if (!newValue.isEmpty())1506 treeScope().idTargetObserverRegistry().notifyObservers(*newValue.impl());1507 1508 1503 AtomicString oldId = elementData()->idForStyleResolution(); 1509 1504 AtomicString newId = makeIdForStyleResolution(newValue, document().inQuirksMode()); … … 1512 1507 elementData()->setIdForStyleResolution(newId); 1513 1508 } 1509 1510 if (!oldValue.isEmpty()) 1511 treeScope().idTargetObserverRegistry().notifyObservers(*oldValue.impl()); 1512 if (!newValue.isEmpty()) 1513 treeScope().idTargetObserverRegistry().notifyObservers(*newValue.impl()); 1514 1514 } else if (name == classAttr) 1515 1515 classAttributeChanged(newValue);
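Review bot: the reordering fixes the ordering bug described in the ChangeLog, but nothing in the hunk records why the two `treeScope().idTargetObserverRegistry().notifyObservers(...)` calls now have to sit after `elementData()->setIdForStyleResolution(newId)`; an observer callback such as `FormAssociatedElement::findAssociatedForm` calling `DocumentOrderedMap::getElementById` is exactly the kind of dependency a later refactor would not see. Suggest a one-line comment above the moved block, e.g. `// Observers may call getElementById, so notify them only after idForStyleResolution is updated.`, so the invariant survives future edits. The move itself preserves the old behaviour otherwise: both notifications still fire once per value change, old id before new id, and only inside the `name == HTMLNames::idAttr` branch.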