[webkit-changes] [WebKit/WebKit] 2ecaa0: <input type=radio> crashes in removeInvalidElement...

Wed May 24 18:07:48 PDT 2023

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 2ecaa0ec8a3a99ad250305824746deffb2217acb
      https://github.com/WebKit/WebKit/commit/2ecaa0ec8a3a99ad250305824746deffb2217acb
  Author: Alexey Shvayka <ashvayka at apple.com>
  Date:   2023-05-24 (Wed, 24 May 2023)

  Changed paths:
    A LayoutTests/fast/forms/input-type-radio-form-gc-crash-expected.txt
    A LayoutTests/fast/forms/input-type-radio-form-gc-crash.html
    M Source/WebCore/html/FormAssociatedCustomElement.cpp
    M Source/WebCore/html/FormAssociatedCustomElement.h
    M Source/WebCore/html/ValidatedFormListedElement.cpp
    M Source/WebCore/html/ValidatedFormListedElement.h

  Log Message:
  -----------
  <input type=radio> crashes in removeInvalidElementToAncestorFromInsertionPoint() during GC
https://bugs.webkit.org/show_bug.cgi?id=253860
<rdar://105086386>

Reviewed by Ryosuke Niwa.

When a <form> gets destroyed, it calls into formWillBeDestroyed() callback of <input type=radio>
which, when removing radio buttons themselves, calls into updateValidity() and then into
removeInvalidElementToAncestorFromInsertionPoint() with partially-deleted ContainerNode as an
argument, causing a crash.

This change guards removeInvalidElementToAncestorFromInsertionPoint() and its counterpart
from being called during form destruction.

* LayoutTests/fast/forms/input-type-radio-form-gc-crash-expected.txt: Added.
* LayoutTests/fast/forms/input-type-radio-form-gc-crash.html: Added.
* Source/WebCore/html/FormAssociatedCustomElement.cpp:
(WebCore::FormAssociatedCustomElement::didChangeForm):
(WebCore::FormAssociatedCustomElement::formWillBeDestroyed): Deleted.
* Source/WebCore/html/FormAssociatedCustomElement.h:
* Source/WebCore/html/ValidatedFormListedElement.cpp:
(WebCore::ValidatedFormListedElement::updateValidity):
(WebCore::ValidatedFormListedElement::formWillBeDestroyed):
* Source/WebCore/html/ValidatedFormListedElement.h:
(WebCore::ValidatedFormListedElement::belongsToFormThatIsBeingDestroyed const):

Originally-landed-as: 259548.534 at safari-7615-branch (f5dc82736e2c). rdar://105086386
Canonical link: https://commits.webkit.org/264496@main

  Commit: 23ef02b6528e0113ebb5a13bb0b18eef750b7a7c
      https://github.com/WebKit/WebKit/commit/23ef02b6528e0113ebb5a13bb0b18eef750b7a7c
  Author: JC Alvarado <joncarlo at apple.com>
  Date:   2023-05-24 (Wed, 24 May 2023)

  Changed paths:
    A LayoutTests/fast/editing/insert-text-hit-testing-crash-expected.txt
    A LayoutTests/fast/editing/insert-text-hit-testing-crash.html
    M Source/WebCore/dom/Document.cpp
    M Source/WebCore/rendering/HitTestRequest.h

  Log Message:
  -----------
  Update layout of child frames before hit testing a document if necessary
https://bugs.webkit.org/show_bug.cgi?id=253615
rdar://107375598

Reviewed by Alan Baradlay.

If hit testing can recurse into a child frame, we should make sure that
layout and style are updated for all children before proceeding with
hit testing.

* LayoutTests/fast/editing/insert-text-hit-testing-crash-expected.txt: Added.
* LayoutTests/fast/editing/insert-text-hit-testing-crash.html: Added.
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::hitTest):

Originally-landed-as: 259548.535 at safari-7615-branch (3bc53a0a2ccf). rdar://107375598
Canonical link: https://commits.webkit.org/264497@main

Compare: https://github.com/WebKit/WebKit/compare/2f019929ef93...23ef02b6528e