<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[189469] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/189469">189469</a></dd>
<dt>Author</dt> <dd>dbates@webkit.org</dd>
<dt>Date</dt> <dd>2015-09-07 15:46:43 -0700 (Mon, 07 Sep 2015)</dd>
</dl>

<h3>Log Message</h3>
<pre>ASSERT_WITH_SECURITY_IMPLICATION in WebCore::DocumentOrderedMap::get(); update form
association after subtree insertion
https://bugs.webkit.org/show_bug.cgi?id=148919
&lt;rdar://problem/21868036&gt;

Patch by Daniel Bates &lt;dabates@apple.com&gt; on 2015-09-07
Reviewed by Andy Estes.

Source/WebCore:

Currently we update the form association of a form control upon insertion into
the document. Instead we should update the form association of a form control
after its containing subtree is inserted into the document to avoid an assertion
failure when the containing subtree has an element whose id is identical to both
the id of some other element in the document and the name of the form referenced
by the inserted form control.

Tests: fast/forms/update-form-owner-in-moved-subtree-assertion-failure-2.html
       fast/forms/update-form-owner-in-moved-subtree-assertion-failure-3.html
       fast/forms/update-form-owner-in-moved-subtree-assertion-failure-4.html
       fast/forms/update-form-owner-in-moved-subtree-assertion-failure.html

* html/FormAssociatedElement.cpp:
(WebCore::FormAssociatedElement::insertedInto): Moved resetFormOwner() from here
to {HTMLFormControlElement, HTMLObjectElement}::finishedInsertingSubtree().
* html/HTMLFormControlElement.cpp:
(WebCore::HTMLFormControlElement::insertedInto): Return InsertionShouldCallFinishedInsertingSubtree
so that HTMLFormControlElement::finishedInsertingSubtree() is called.
(WebCore::HTMLFormControlElement::finishedInsertingSubtree): Added; turn around and
call FormAssociatedElement::resetFormOwner().
* html/HTMLFormControlElement.h:
* html/HTMLInputElement.cpp:
(WebCore::HTMLInputElement::insertedInto): Return InsertionShouldCallFinishedInsertingSubtree so
that HTMLInputElement::finishedInsertingSubtree() is called and move logic to update radio button
group from here...
(WebCore::HTMLInputElement::finishedInsertingSubtree): to here.
* html/HTMLInputElement.h:
* html/HTMLObjectElement.cpp:
(WebCore::HTMLObjectElement::insertedInto): Return InsertionShouldCallFinishedInsertingSubtree so
that HTMLObjectElement::finishedInsertingSubtree() is called.
(WebCore::HTMLObjectElement::finishedInsertingSubtree): Added; turn around and
call FormAssociatedElement::resetFormOwner().
* html/HTMLObjectElement.h:
* html/HTMLSelectElement.cpp:
(WebCore::HTMLSelectElement::insertedInto): Modified to return the result of
HTMLFormControlElementWithState::insertedInto(), which may schedule a callback after subtree
insertion.
* html/HTMLTextFormControlElement.cpp:
(WebCore::HTMLTextFormControlElement::insertedInto): Ditto.

LayoutTests:

Add tests to ensure that updating the form association of a form control in a subtree
does not cause an assertion failure.

* fast/forms/update-form-owner-in-moved-subtree-assertion-failure-2-expected.txt: Added.
* fast/forms/update-form-owner-in-moved-subtree-assertion-failure-2.html: Added.
* fast/forms/update-form-owner-in-moved-subtree-assertion-failure-3-expected.txt: Added.
* fast/forms/update-form-owner-in-moved-subtree-assertion-failure-3.html: Added.
* fast/forms/update-form-owner-in-moved-subtree-assertion-failure-4-expected.txt: Added.
* fast/forms/update-form-owner-in-moved-subtree-assertion-failure-4.html: Added.
* fast/forms/update-form-owner-in-moved-subtree-assertion-failure-expected.txt: Added.
* fast/forms/update-form-owner-in-moved-subtree-assertion-failure.html: Added.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorehtmlFormAssociatedElementcpp">trunk/Source/WebCore/html/FormAssociatedElement.cpp</a></li>
<li><a href="#trunkSourceWebCorehtmlHTMLFormControlElementcpp">trunk/Source/WebCore/html/HTMLFormControlElement.cpp</a></li>
<li><a href="#trunkSourceWebCorehtmlHTMLFormControlElementh">trunk/Source/WebCore/html/HTMLFormControlElement.h</a></li>
<li><a href="#trunkSourceWebCorehtmlHTMLInputElementcpp">trunk/Source/WebCore/html/HTMLInputElement.cpp</a></li>
<li><a href="#trunkSourceWebCorehtmlHTMLInputElementh">trunk/Source/WebCore/html/HTMLInputElement.h</a></li>
<li><a href="#trunkSourceWebCorehtmlHTMLObjectElementcpp">trunk/Source/WebCore/html/HTMLObjectElement.cpp</a></li>
<li><a href="#trunkSourceWebCorehtmlHTMLObjectElementh">trunk/Source/WebCore/html/HTMLObjectElement.h</a></li>
<li><a href="#trunkSourceWebCorehtmlHTMLSelectElementcpp">trunk/Source/WebCore/html/HTMLSelectElement.cpp</a></li>
<li><a href="#trunkSourceWebCorehtmlHTMLTextFormControlElementcpp">trunk/Source/WebCore/html/HTMLTextFormControlElement.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsfastformsupdateformownerinmovedsubtreeassertionfailure2expectedtxt">trunk/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-2-expected.txt</a></li>
<li><a href="#trunkLayoutTestsfastformsupdateformownerinmovedsubtreeassertionfailure2html">trunk/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-2.html</a></li>
<li><a href="#trunkLayoutTestsfastformsupdateformownerinmovedsubtreeassertionfailure3expectedtxt">trunk/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-3-expected.txt</a></li>
<li><a href="#trunkLayoutTestsfastformsupdateformownerinmovedsubtreeassertionfailure3html">trunk/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-3.html</a></li>
<li><a href="#trunkLayoutTestsfastformsupdateformownerinmovedsubtreeassertionfailure4expectedtxt">trunk/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-4-expected.txt</a></li>
<li><a href="#trunkLayoutTestsfastformsupdateformownerinmovedsubtreeassertionfailure4html">trunk/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-4.html</a></li>
<li><a href="#trunkLayoutTestsfastformsupdateformownerinmovedsubtreeassertionfailureexpectedtxt">trunk/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-expected.txt</a></li>
<li><a href="#trunkLayoutTestsfastformsupdateformownerinmovedsubtreeassertionfailurehtml">trunk/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure.html</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (189468 => 189469)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2015-09-07 22:46:32 UTC (rev 189468)
+++ trunk/LayoutTests/ChangeLog        2015-09-07 22:46:43 UTC (rev 189469)
</span><span class="lines">@@ -1,3 +1,24 @@
</span><ins>+2015-09-07  Daniel Bates  &lt;dabates@apple.com&gt;
+
+        ASSERT_WITH_SECURITY_IMPLICATION in WebCore::DocumentOrderedMap::get(); update form
+        association after subtree insertion
+        https://bugs.webkit.org/show_bug.cgi?id=148919
+        &lt;rdar://problem/21868036&gt;
+
+        Reviewed by Andy Estes.
+
+        Add tests to ensure that updating the form association of a form control in a subtree
+        does not cause an assertion failure.
+
+        * fast/forms/update-form-owner-in-moved-subtree-assertion-failure-2-expected.txt: Added.
+        * fast/forms/update-form-owner-in-moved-subtree-assertion-failure-2.html: Added.
+        * fast/forms/update-form-owner-in-moved-subtree-assertion-failure-3-expected.txt: Added.
+        * fast/forms/update-form-owner-in-moved-subtree-assertion-failure-3.html: Added.
+        * fast/forms/update-form-owner-in-moved-subtree-assertion-failure-4-expected.txt: Added.
+        * fast/forms/update-form-owner-in-moved-subtree-assertion-failure-4.html: Added.
+        * fast/forms/update-form-owner-in-moved-subtree-assertion-failure-expected.txt: Added.
+        * fast/forms/update-form-owner-in-moved-subtree-assertion-failure.html: Added.
+
</ins><span class="cx"> 2015-09-07  Carlos Alberto Lopez Perez  &lt;clopez@igalia.com&gt;
</span><span class="cx"> 
</span><span class="cx">         [GTK] Unreviewed GTK gardening.
</span></span></pre></div>
<a id="trunkLayoutTestsfastformsupdateformownerinmovedsubtreeassertionfailure2expectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-2-expected.txt (0 => 189469)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-2-expected.txt                                (rev 0)
+++ trunk/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-2-expected.txt        2015-09-07 22:46:43 UTC (rev 189469)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+
+PASS, this test did not cause an assertion failure.
</ins></span></pre></div>
<a id="trunkLayoutTestsfastformsupdateformownerinmovedsubtreeassertionfailure2html"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-2.html (0 => 189469)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-2.html                                (rev 0)
+++ trunk/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-2.html        2015-09-07 22:46:43 UTC (rev 189469)
</span><span class="lines">@@ -0,0 +1,23 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText();
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;div id=&quot;container&quot;&gt;&lt;/div&gt;
+&lt;div id=&quot;subtreeToMove&quot;&gt;
+    &lt;object form=&quot;A&quot;&gt;&lt;/object&gt;
+    &lt;div id=&quot;A&quot;&gt;&lt;/div&gt;
+&lt;/div&gt;
+&lt;div id=&quot;A&quot;&gt;&lt;/div&gt;
+&lt;p&gt;PASS, this test did not cause an assertion failure.&lt;/p&gt;
+&lt;script&gt;
+var container = document.getElementById(&quot;container&quot;);
+var subtreeToMove = document.getElementById(&quot;subtreeToMove&quot;);
+container.appendChild(subtreeToMove);
+&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestsfastformsupdateformownerinmovedsubtreeassertionfailure3expectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-3-expected.txt (0 => 189469)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-3-expected.txt                                (rev 0)
+++ trunk/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-3-expected.txt        2015-09-07 22:46:43 UTC (rev 189469)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+
+PASS, this test did not cause an assertion failure.
</ins></span></pre></div>
<a id="trunkLayoutTestsfastformsupdateformownerinmovedsubtreeassertionfailure3html"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-3.html (0 => 189469)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-3.html                                (rev 0)
+++ trunk/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-3.html        2015-09-07 22:46:43 UTC (rev 189469)
</span><span class="lines">@@ -0,0 +1,23 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText();
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;div id=&quot;container&quot;&gt;&lt;/div&gt;
+&lt;div id=&quot;subtreeToMove&quot;&gt;
+    &lt;select form=&quot;A&quot;&gt;&lt;/select&gt;
+    &lt;div id=&quot;A&quot;&gt;&lt;/div&gt;
+&lt;/div&gt;
+&lt;div id=&quot;A&quot;&gt;&lt;/div&gt;
+&lt;p&gt;PASS, this test did not cause an assertion failure.&lt;/p&gt;
+&lt;script&gt;
+var container = document.getElementById(&quot;container&quot;);
+var subtreeToMove = document.getElementById(&quot;subtreeToMove&quot;);
+container.appendChild(subtreeToMove);
+&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestsfastformsupdateformownerinmovedsubtreeassertionfailure4expectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-4-expected.txt (0 => 189469)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-4-expected.txt                                (rev 0)
+++ trunk/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-4-expected.txt        2015-09-07 22:46:43 UTC (rev 189469)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+
+PASS, this test did not cause an assertion failure.
</ins></span></pre></div>
<a id="trunkLayoutTestsfastformsupdateformownerinmovedsubtreeassertionfailure4html"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-4.html (0 => 189469)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-4.html                                (rev 0)
+++ trunk/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-4.html        2015-09-07 22:46:43 UTC (rev 189469)
</span><span class="lines">@@ -0,0 +1,23 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText();
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;div id=&quot;container&quot;&gt;&lt;/div&gt;
+&lt;div id=&quot;subtreeToMove&quot;&gt;
+    &lt;input type=&quot;text&quot; form=&quot;A&quot;&gt;
+    &lt;div id=&quot;A&quot;&gt;&lt;/div&gt;
+&lt;/div&gt;
+&lt;div id=&quot;A&quot;&gt;&lt;/div&gt;
+&lt;p&gt;PASS, this test did not cause an assertion failure.&lt;/p&gt;
+&lt;script&gt;
+var container = document.getElementById(&quot;container&quot;);
+var subtreeToMove = document.getElementById(&quot;subtreeToMove&quot;);
+container.appendChild(subtreeToMove);
+&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestsfastformsupdateformownerinmovedsubtreeassertionfailureexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-expected.txt (0 => 189469)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-expected.txt                                (rev 0)
+++ trunk/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure-expected.txt        2015-09-07 22:46:43 UTC (rev 189469)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+  
+PASS, this test did not cause an assertion failure.
</ins></span></pre></div>
<a id="trunkLayoutTestsfastformsupdateformownerinmovedsubtreeassertionfailurehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure.html (0 => 189469)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure.html                                (rev 0)
+++ trunk/LayoutTests/fast/forms/update-form-owner-in-moved-subtree-assertion-failure.html        2015-09-07 22:46:43 UTC (rev 189469)
</span><span class="lines">@@ -0,0 +1,23 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText();
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;div id=&quot;container&quot;&gt;&lt;/div&gt;
+&lt;div id=&quot;subtreeToMove&quot;&gt;
+    &lt;keygen form=&quot;A&quot;&gt;
+    &lt;select id=&quot;A&quot;&gt;&lt;/select&gt;
+&lt;/div&gt;
+&lt;div id=&quot;A&quot;&gt;&lt;/div&gt;
+&lt;p&gt;PASS, this test did not cause an assertion failure.&lt;/p&gt;
+&lt;script&gt;
+var container = document.getElementById(&quot;container&quot;);
+var subtreeToMove = document.getElementById(&quot;subtreeToMove&quot;);
+container.appendChild(subtreeToMove);
+&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (189468 => 189469)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2015-09-07 22:46:32 UTC (rev 189468)
+++ trunk/Source/WebCore/ChangeLog        2015-09-07 22:46:43 UTC (rev 189469)
</span><span class="lines">@@ -1,3 +1,52 @@
</span><ins>+2015-09-07  Daniel Bates  &lt;dabates@apple.com&gt;
+
+        ASSERT_WITH_SECURITY_IMPLICATION in WebCore::DocumentOrderedMap::get(); update form
+        association after subtree insertion
+        https://bugs.webkit.org/show_bug.cgi?id=148919
+        &lt;rdar://problem/21868036&gt;
+
+        Reviewed by Andy Estes.
+
+        Currently we update the form association of a form control upon insertion into
+        the document. Instead we should update the form association of a form control
+        after its containing subtree is inserted into the document to avoid an assertion
+        failure when the containing subtree has an element whose id is identical to both
+        the id of some other element in the document and the name of the form referenced
+        by the inserted form control.
+
+        Tests: fast/forms/update-form-owner-in-moved-subtree-assertion-failure-2.html
+               fast/forms/update-form-owner-in-moved-subtree-assertion-failure-3.html
+               fast/forms/update-form-owner-in-moved-subtree-assertion-failure-4.html
+               fast/forms/update-form-owner-in-moved-subtree-assertion-failure.html
+
+        * html/FormAssociatedElement.cpp:
+        (WebCore::FormAssociatedElement::insertedInto): Moved resetFormOwner() from here
+        to {HTMLFormControlElement, HTMLObjectElement}::finishedInsertingSubtree().
+        * html/HTMLFormControlElement.cpp:
+        (WebCore::HTMLFormControlElement::insertedInto): Return InsertionShouldCallFinishedInsertingSubtree
+        so that HTMLFormControlElement::finishedInsertingSubtree() is called.
+        (WebCore::HTMLFormControlElement::finishedInsertingSubtree): Added; turn around and
+        call FormAssociatedElement::resetFormOwner().
+        * html/HTMLFormControlElement.h:
+        * html/HTMLInputElement.cpp:
+        (WebCore::HTMLInputElement::insertedInto): Return InsertionShouldCallFinishedInsertingSubtree so
+        that HTMLInputElement::finishedInsertingSubtree() is called and move logic to update radio button
+        group from here...
+        (WebCore::HTMLInputElement::finishedInsertingSubtree): to here.
+        * html/HTMLInputElement.h:
+        * html/HTMLObjectElement.cpp:
+        (WebCore::HTMLObjectElement::insertedInto): Return InsertionShouldCallFinishedInsertingSubtree so
+        that HTMLObjectElement::finishedInsertingSubtree() is called.
+        (WebCore::HTMLObjectElement::finishedInsertingSubtree): Added; turn around and
+        call FormAssociatedElement::resetFormOwner().
+        * html/HTMLObjectElement.h:
+        * html/HTMLSelectElement.cpp:
+        (WebCore::HTMLSelectElement::insertedInto): Modified to return the result of
+        HTMLFormControlElementWithState::insertedInto(), which may schedule a callback after subtree
+        insertion.
+        * html/HTMLTextFormControlElement.cpp:
+        (WebCore::HTMLTextFormControlElement::insertedInto): Ditto.
+
</ins><span class="cx"> 2015-09-07  Antti Koivisto  &lt;antti@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Remove GlyphPage::mayUseMixedFontsWhenFilling
</span></span></pre></div>
<a id="trunkSourceWebCorehtmlFormAssociatedElementcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/html/FormAssociatedElement.cpp (189468 => 189469)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/html/FormAssociatedElement.cpp        2015-09-07 22:46:32 UTC (rev 189468)
+++ trunk/Source/WebCore/html/FormAssociatedElement.cpp        2015-09-07 22:46:43 UTC (rev 189469)
</span><span class="lines">@@ -68,7 +68,6 @@
</span><span class="cx"> 
</span><span class="cx"> void FormAssociatedElement::insertedInto(ContainerNode&amp; insertionPoint)
</span><span class="cx"> {
</span><del>-    resetFormOwner();
</del><span class="cx">     if (!insertionPoint.inDocument())
</span><span class="cx">         return;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebCorehtmlHTMLFormControlElementcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/html/HTMLFormControlElement.cpp (189468 => 189469)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/html/HTMLFormControlElement.cpp        2015-09-07 22:46:32 UTC (rev 189468)
+++ trunk/Source/WebCore/html/HTMLFormControlElement.cpp        2015-09-07 22:46:43 UTC (rev 189469)
</span><span class="lines">@@ -260,8 +260,12 @@
</span><span class="cx">     setNeedsWillValidateCheck();
</span><span class="cx">     HTMLElement::insertedInto(insertionPoint);
</span><span class="cx">     FormAssociatedElement::insertedInto(insertionPoint);
</span><ins>+    return InsertionShouldCallFinishedInsertingSubtree;
+}
</ins><span class="cx"> 
</span><del>-    return InsertionDone;
</del><ins>+void HTMLFormControlElement::finishedInsertingSubtree()
+{
+    resetFormOwner();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void HTMLFormControlElement::removedFrom(ContainerNode&amp; insertionPoint)
</span></span></pre></div>
<a id="trunkSourceWebCorehtmlHTMLFormControlElementh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/html/HTMLFormControlElement.h (189468 => 189469)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/html/HTMLFormControlElement.h        2015-09-07 22:46:32 UTC (rev 189468)
+++ trunk/Source/WebCore/html/HTMLFormControlElement.h        2015-09-07 22:46:43 UTC (rev 189469)
</span><span class="lines">@@ -129,6 +129,7 @@
</span><span class="cx">     virtual void requiredAttributeChanged();
</span><span class="cx">     virtual void didAttachRenderers() override;
</span><span class="cx">     virtual InsertionNotificationRequest insertedInto(ContainerNode&amp;) override;
</span><ins>+    void finishedInsertingSubtree() override;
</ins><span class="cx">     virtual void removedFrom(ContainerNode&amp;) override;
</span><span class="cx">     virtual void didMoveToNewDocument(Document* oldDocument) override;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebCorehtmlHTMLInputElementcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/html/HTMLInputElement.cpp (189468 => 189469)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/html/HTMLInputElement.cpp        2015-09-07 22:46:32 UTC (rev 189468)
+++ trunk/Source/WebCore/html/HTMLInputElement.cpp        2015-09-07 22:46:43 UTC (rev 189469)
</span><span class="lines">@@ -1473,14 +1473,19 @@
</span><span class="cx"> Node::InsertionNotificationRequest HTMLInputElement::insertedInto(ContainerNode&amp; insertionPoint)
</span><span class="cx"> {
</span><span class="cx">     HTMLTextFormControlElement::insertedInto(insertionPoint);
</span><del>-    if (insertionPoint.inDocument() &amp;&amp; !form())
-        addToRadioButtonGroup();
</del><span class="cx"> #if ENABLE(DATALIST_ELEMENT)
</span><span class="cx">     resetListAttributeTargetObserver();
</span><span class="cx"> #endif
</span><del>-    return InsertionDone;
</del><ins>+    return InsertionShouldCallFinishedInsertingSubtree;
</ins><span class="cx"> }
</span><span class="cx"> 
</span><ins>+void HTMLInputElement::finishedInsertingSubtree()
+{
+    HTMLTextFormControlElement::finishedInsertingSubtree();
+    if (inDocument() &amp;&amp; !form())
+        addToRadioButtonGroup();
+}
+
</ins><span class="cx"> void HTMLInputElement::removedFrom(ContainerNode&amp; insertionPoint)
</span><span class="cx"> {
</span><span class="cx">     if (insertionPoint.inDocument() &amp;&amp; !form())
</span></span></pre></div>
<a id="trunkSourceWebCorehtmlHTMLInputElementh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/html/HTMLInputElement.h (189468 => 189469)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/html/HTMLInputElement.h        2015-09-07 22:46:32 UTC (rev 189468)
+++ trunk/Source/WebCore/html/HTMLInputElement.h        2015-09-07 22:46:43 UTC (rev 189469)
</span><span class="lines">@@ -335,6 +335,7 @@
</span><span class="cx">     virtual void willChangeForm() override final;
</span><span class="cx">     virtual void didChangeForm() override final;
</span><span class="cx">     virtual InsertionNotificationRequest insertedInto(ContainerNode&amp;) override final;
</span><ins>+    void finishedInsertingSubtree() override final;
</ins><span class="cx">     virtual void removedFrom(ContainerNode&amp;) override final;
</span><span class="cx">     virtual void didMoveToNewDocument(Document* oldDocument) override final;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebCorehtmlHTMLObjectElementcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/html/HTMLObjectElement.cpp (189468 => 189469)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/html/HTMLObjectElement.cpp        2015-09-07 22:46:32 UTC (rev 189468)
+++ trunk/Source/WebCore/html/HTMLObjectElement.cpp        2015-09-07 22:46:43 UTC (rev 189469)
</span><span class="lines">@@ -337,9 +337,14 @@
</span><span class="cx"> {
</span><span class="cx">     HTMLPlugInImageElement::insertedInto(insertionPoint);
</span><span class="cx">     FormAssociatedElement::insertedInto(insertionPoint);
</span><del>-    return InsertionDone;
</del><ins>+    return InsertionShouldCallFinishedInsertingSubtree;
</ins><span class="cx"> }
</span><span class="cx"> 
</span><ins>+void HTMLObjectElement::finishedInsertingSubtree()
+{
+    resetFormOwner();
+}
+
</ins><span class="cx"> void HTMLObjectElement::removedFrom(ContainerNode&amp; insertionPoint)
</span><span class="cx"> {
</span><span class="cx">     HTMLPlugInImageElement::removedFrom(insertionPoint);
</span></span></pre></div>
<a id="trunkSourceWebCorehtmlHTMLObjectElementh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/html/HTMLObjectElement.h (189468 => 189469)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/html/HTMLObjectElement.h        2015-09-07 22:46:32 UTC (rev 189468)
+++ trunk/Source/WebCore/html/HTMLObjectElement.h        2015-09-07 22:46:43 UTC (rev 189469)
</span><span class="lines">@@ -63,6 +63,7 @@
</span><span class="cx">     virtual void collectStyleForPresentationAttribute(const QualifiedName&amp;, const AtomicString&amp;, MutableStyleProperties&amp;) override;
</span><span class="cx"> 
</span><span class="cx">     virtual InsertionNotificationRequest insertedInto(ContainerNode&amp;) override;
</span><ins>+    void finishedInsertingSubtree() override final;
</ins><span class="cx">     virtual void removedFrom(ContainerNode&amp;) override;
</span><span class="cx"> 
</span><span class="cx">     virtual void didMoveToNewDocument(Document* oldDocument) override;
</span></span></pre></div>
<a id="trunkSourceWebCorehtmlHTMLSelectElementcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/html/HTMLSelectElement.cpp (189468 => 189469)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/html/HTMLSelectElement.cpp        2015-09-07 22:46:32 UTC (rev 189468)
+++ trunk/Source/WebCore/html/HTMLSelectElement.cpp        2015-09-07 22:46:43 UTC (rev 189469)
</span><span class="lines">@@ -1592,8 +1592,7 @@
</span><span class="cx">     // items yet - but for innerHTML and related methods, this method is called
</span><span class="cx">     // after the whole subtree is constructed.
</span><span class="cx">     recalcListItems();
</span><del>-    HTMLFormControlElementWithState::insertedInto(insertionPoint);
-    return InsertionDone;
</del><ins>+    return HTMLFormControlElementWithState::insertedInto(insertionPoint);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void HTMLSelectElement::accessKeySetSelectedIndex(int index)
</span></span></pre></div>
<a id="trunkSourceWebCorehtmlHTMLTextFormControlElementcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/html/HTMLTextFormControlElement.cpp (189468 => 189469)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/html/HTMLTextFormControlElement.cpp        2015-09-07 22:46:32 UTC (rev 189468)
+++ trunk/Source/WebCore/html/HTMLTextFormControlElement.cpp        2015-09-07 22:46:43 UTC (rev 189469)
</span><span class="lines">@@ -78,12 +78,12 @@
</span><span class="cx"> 
</span><span class="cx"> Node::InsertionNotificationRequest HTMLTextFormControlElement::insertedInto(ContainerNode&amp; insertionPoint)
</span><span class="cx"> {
</span><del>-    HTMLFormControlElementWithState::insertedInto(insertionPoint);
</del><ins>+    InsertionNotificationRequest insertionNotificationRequest = HTMLFormControlElementWithState::insertedInto(insertionPoint);
</ins><span class="cx">     if (!insertionPoint.inDocument())
</span><del>-        return InsertionDone;
</del><ins>+        return insertionNotificationRequest;
</ins><span class="cx">     String initialValue = value();
</span><span class="cx">     setTextAsOfLastFormControlChangeEvent(initialValue.isNull() ? emptyString() : initialValue);
</span><del>-    return InsertionDone;
</del><ins>+    return insertionNotificationRequest;
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void HTMLTextFormControlElement::dispatchFocusEvent(RefPtr&lt;Element&gt;&amp;&amp; oldFocusedElement, FocusDirection direction)
</span></span></pre>
</div>
</div>

</body>
</html>