Title: [259326] branches/safari-609-branch/Source/WebCore
Revision: 259326
Author: repst...@apple.com
Date: 2020-03-31 17:31:11 -0700 (Tue, 31 Mar 2020)

Log Message

Cherry-pick r259244. rdar://problem/61131078

    Assertion failure in HTMLFormElement::formElementIndex
    https://bugs.webkit.org/show_bug.cgi?id=209643

    Reviewed by Darin Adler.

    The bug was caused by FormAssociatedElement::findAssociatedForm finding a wrong form element
    when it's called on an element which appears later in the removed subtree.

    When we find the new form element to associate this element with, check to make sure its root
    element is that of the tree scope. This condition will be false if this element is in the midst
    of being removed.

    * html/FormAssociatedElement.cpp:
    (WebCore::FormAssociatedElement::findAssociatedForm):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@259244 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Diff

Modified: branches/safari-609-branch/Source/WebCore/ChangeLog (259325 => 259326)


--- branches/safari-609-branch/Source/WebCore/ChangeLog	2020-04-01 00:12:10 UTC (rev 259325)
+++ branches/safari-609-branch/Source/WebCore/ChangeLog	2020-04-01 00:31:11 UTC (rev 259326)
@@ -1,5 +1,44 @@
 2020-03-31  Russell Epstein  <repst...@apple.com>
 
+        Cherry-pick r259244. rdar://problem/61131078
+
+    Assertion failure in HTMLFormElement::formElementIndex
+    https://bugs.webkit.org/show_bug.cgi?id=209643
+    
+    Reviewed by Darin Adler.
+    
+    The bug was caused by FormAssociatedElement::findAssociatedForm finding a wrong form element
+    when it's called on an element which appears later in the removed subtree.
+    
+    When we find the new form element to associate this element with, check to make sure its root
+    element is that of the tree scope. This condition will be false if this element is in in the midst
+    of being removed.
+    
+    * html/FormAssociatedElement.cpp:
+    (WebCore::FormAssociatedElement::findAssociatedForm):
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@259244 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2020-03-27  Ryosuke Niwa  <rn...@webkit.org>
+
+            Assertion failure in HTMLFormElement::formElementIndex
+            https://bugs.webkit.org/show_bug.cgi?id=209643
+
+            Reviewed by Darin Adler.
+
+            The bug was caused by FormAssociatedElement::findAssociatedForm finding a wrong form element
+            when it's called on an element which appears later in the removed subtree.
+
+            When we find the new form element to associate this element with, check to make sure its root
+            element is that of the tree scope. This condition will be false if this element is in in the midst
+            of being removed.
+
+            * html/FormAssociatedElement.cpp:
+            (WebCore::FormAssociatedElement::findAssociatedForm):
+
+2020-03-31  Russell Epstein  <repst...@apple.com>
+
         Cherry-pick r258326. rdar://problem/61113047
 
     Remove no longer used code in LibWebRTCMediaEndpoint to handle remote streams
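
Review bot: The sentence "This condition will be false if this element is in in the midst of being removed" has a doubled "in", and it is carried in both the cherry-pick summary and the nested 2020-03-27 entry; fix it in both. The description would also be more useful if it said what findAssociatedForm does when the root check fails, since the entry only states when the condition is false.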

Modified: branches/safari-609-branch/Source/WebCore/html/FormAssociatedElement.cpp (259325 => 259326)


--- branches/safari-609-branch/Source/WebCore/html/FormAssociatedElement.cpp	2020-04-01 00:12:10 UTC (rev 259325)
+++ branches/safari-609-branch/Source/WebCore/html/FormAssociatedElement.cpp	2020-04-01 00:31:11 UTC (rev 259326)
@@ -108,9 +108,12 @@
         // the value of form attribute, so we put the result of
         // treeScope().getElementById() over the given element.
         RefPtr<Element> newFormCandidate = element->treeScope().getElementById(formId);
-        if (is<HTMLFormElement>(newFormCandidate))
+        if (!is<HTMLFormElement>(newFormCandidate))
+            return nullptr;
+        if (&element->traverseToRootNode() == &element->treeScope().rootNode()) {
+            ASSERT(&element->traverseToRootNode() == &newFormCandidate->traverseToRootNode());
             return downcast<HTMLFormElement>(newFormCandidate.get());
-        return nullptr;
+        }
     }
 
     if (!currentAssociatedForm)
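
Review bot: When the new comparison `&element->traverseToRootNode() == &element->treeScope().rootNode()` is false, control no longer returns from the form-attribute block but falls through to the `if (!currentAssociatedForm)` code below, whereas the removed lines returned either the form or nullptr on every path. If that fall-through is intended for an element in the middle of removal, say so in a comment at the closing brace; if not, add an explicit return there. Note also that the candidate's own root is only covered by the ASSERT, so release builds rely solely on the element-side check; if a candidate in a detached subtree is possible, make that comparison part of the condition.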
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
