<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[212026] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/212026">212026</a></dd>
<dt>Author</dt> <dd>bfulgham@apple.com</dd>
<dt>Date</dt> <dd>2017-02-09 18:15:02 -0800 (Thu, 09 Feb 2017)</dd>
</dl>

<h3>Log Message</h3>
<pre>Crash under FormSubmission::create()
https://bugs.webkit.org/show_bug.cgi?id=167200
&lt;rdar://problem/30096323&gt;

Patch by Chris Dumez &lt;cdumez@apple.com&gt; on 2017-02-09
Reviewed by Darin Adler.

Source/WebCore:

The issue is that FormSubmission::create() was iterating over
form.associatedElements() and was calling Element::appendFormData()
in the loop. HTMLObjectElement::appendFormData() was calling
pluginWidget(PluginLoadingPolicy::Load) which causes a synchronous
layout and can fire events (such as focus event) synchronously.
Firing those events synchronously allows the JS to modify the
form.associatedElements() vector we are currently iterating on.

To avoid this issue, we now call pluginWidget(PluginLoadingPolicy::DoNotLoad)
in HTMLObjectElement::appendFormData() as we are not allowed to fire
synchronous events at this point. I also added a security assertion
in FormSubmission::create() to catch cases where we fire JS events
while iterating over the form associated elements to more easily
notice these things in the future.

Test: fast/forms/formsubmission-appendFormData-crash.html

* html/HTMLObjectElement.cpp:
(WebCore::HTMLObjectElement::appendFormData):
* loader/FormSubmission.cpp:
(WebCore::FormSubmission::create):

LayoutTests:

Add layout test coverage.

* fast/forms/formsubmission-appendFormData-crash-expected.txt: Added.
* fast/forms/formsubmission-appendFormData-crash.html: Added.</pre>
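<p>The chain the commit message describes (a loop over a vector, a callee that forces layout, layout firing a focus event synchronously, the page's handler growing that same vector) is a reentrancy bug that is easier to see in a few dozen lines than in WebKit. The block below is an added C++ model written for this page; it is not WebKit code. Control, Form, NoEventDispatchScope, createSubmission and every other name in it are invented stand-ins for the WebKit classes the message names. It shows the patched walk (DoNotLoad policy inside a no-dispatch scope), what the scope catches when a dispatch is attempted anyway, and, going one step beyond the patch, the snapshot-copy alternative that keeps the loop valid even if a handler does run.</p>

```cpp
// Added example (not WebKit code): a small model of the reentrancy bug fixed
// in r212026 and of the defenses around it. Every name here is invented.
#include <cstdio>
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Depth counter playing the role of WebKit's NoEventDispatchAssertion: while
// it is non-zero, dispatching a DOM event is a programming error.
static int g_noEventDispatchDepth = 0;

struct NoEventDispatchScope {
    NoEventDispatchScope() { ++g_noEventDispatchDepth; }
    ~NoEventDispatchScope() { --g_noEventDispatchDepth; }
};

enum class PluginLoadingPolicy { Load, DoNotLoad };

struct Control {
    std::string name;
    bool isPlugin = false;  // stands in for HTMLObjectElement
};

struct Form {
    // Owning vector of controls. Growing it reallocates, which invalidates the
    // references a range-for over it is holding: the crash from the bug report.
    std::vector<std::unique_ptr<Control>> associatedElements;
    std::function<void(Form&)> onFocus;  // the page's JS focus handler
};

struct SubmissionResult {
    int fieldsAppended = 0;
    int dispatchViolations = 0;  // dispatches attempted inside the guarded scope
    bool handlerRan = false;
};

// Synchronous focus dispatch. Inside a NoEventDispatchScope the dispatch is
// refused and counted (WebKit would assert) so the example runs to the end.
static void dispatchFocus(Form& form, SubmissionResult& result) {
    if (g_noEventDispatchDepth > 0) {
        ++result.dispatchViolations;
        return;
    }
    if (form.onFocus) {
        form.onFocus(form);
        result.handlerRan = true;
    }
}

// Model of HTMLObjectElement::appendFormData(): with PluginLoadingPolicy::Load
// the plugin is instantiated, which forces layout and can fire focus
// synchronously; with DoNotLoad nothing is loaded and nothing can fire.
static bool appendFormData(Control& control, Form& form, PluginLoadingPolicy policy,
                           SubmissionResult& result) {
    if (control.name.empty())
        return false;
    if (control.isPlugin && policy == PluginLoadingPolicy::Load)
        dispatchFocus(form, result);
    ++result.fieldsAppended;
    return true;
}

// Model of FormSubmission::create() after the patch: the walk over the live
// associatedElements vector is wrapped in the no-dispatch scope.
static SubmissionResult createSubmission(Form& form, PluginLoadingPolicy policy) {
    SubmissionResult result;
    NoEventDispatchScope noEventDispatch;
    for (auto& control : form.associatedElements)
        appendFormData(*control, form, policy, result);
    return result;
}

// Belt-and-braces alternative not taken by the patch: iterate a snapshot of
// the raw pointers, so a handler that grows the form cannot invalidate the loop.
static SubmissionResult createSubmissionFromSnapshot(Form& form, PluginLoadingPolicy policy) {
    SubmissionResult result;
    std::vector<Control*> snapshot;
    for (auto& control : form.associatedElements)
        snapshot.push_back(control.get());
    for (auto* control : snapshot)
        appendFormData(*control, form, policy, result);
    return result;
}

// The shape of the layout test: a named <object>, an <input>, and a focus
// handler that appends 100 inputs to the form while it is being walked.
static Form makeTestForm() {
    Form form;
    form.associatedElements.push_back(std::make_unique<Control>(Control{"foo", true}));
    form.associatedElements.push_back(std::make_unique<Control>(Control{"input", false}));
    form.onFocus = [](Form& f) {
        for (int i = 0; i < 100; ++i)
            f.associatedElements.push_back(std::make_unique<Control>());
    };
    return form;
}

int main() {
    Form form = makeTestForm();
    SubmissionResult r = createSubmission(form, PluginLoadingPolicy::Load);
    std::printf("fields=%d violations=%d elements=%zu\n",
                r.fieldsAppended, r.dispatchViolations, form.associatedElements.size());
    return 0;
}
```

<p>The point of the three entry points: createSubmission with DoNotLoad is the patched behaviour and never reaches dispatchFocus; createSubmission with Load shows what the scope guard catches (here counted, in WebKit an assertion); createSubmissionFromSnapshot lets the handler run and grow the form to 102 controls while the loop stays valid because it never touches the live vector.</p>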

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorehtmlHTMLObjectElementcpp">trunk/Source/WebCore/html/HTMLObjectElement.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderFormSubmissioncpp">trunk/Source/WebCore/loader/FormSubmission.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsfastformsformsubmissionappendFormDatacrashexpectedtxt">trunk/LayoutTests/fast/forms/formsubmission-appendFormData-crash-expected.txt</a></li>
<li><a href="#trunkLayoutTestsfastformsformsubmissionappendFormDatacrashhtml">trunk/LayoutTests/fast/forms/formsubmission-appendFormData-crash.html</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (212025 => 212026)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2017-02-10 02:13:07 UTC (rev 212025)
+++ trunk/LayoutTests/ChangeLog        2017-02-10 02:15:02 UTC (rev 212026)
</span><span class="lines">@@ -1,5 +1,18 @@
</span><span class="cx"> 2017-02-09  Chris Dumez  &lt;cdumez@apple.com&gt;
</span><span class="cx"> 
</span><ins>+        Crash under FormSubmission::create()
+        https://bugs.webkit.org/show_bug.cgi?id=167200
+        &lt;rdar://problem/30096323&gt;
+
+        Reviewed by Darin Adler.
+
+        Add layout test coverage.
+
+        * fast/forms/formsubmission-appendFormData-crash-expected.txt: Added.
+        * fast/forms/formsubmission-appendFormData-crash.html: Added.
+
+2017-02-09  Chris Dumez  &lt;cdumez@apple.com&gt;
+
</ins><span class="cx">         Crash under HTMLFormElement::registerFormElement()
</span><span class="cx">         https://bugs.webkit.org/show_bug.cgi?id=167162
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestsfastformsformsubmissionappendFormDatacrashexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/forms/formsubmission-appendFormData-crash-expected.txt (0 => 212026)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/forms/formsubmission-appendFormData-crash-expected.txt                                (rev 0)
+++ trunk/LayoutTests/fast/forms/formsubmission-appendFormData-crash-expected.txt        2017-02-10 02:15:02 UTC (rev 212026)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+This test passes if it does not crash.
+
+ a  
</ins></span></pre></div>
<a id="trunkLayoutTestsfastformsformsubmissionappendFormDatacrashhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/forms/formsubmission-appendFormData-crash.html (0 => 212026)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/forms/formsubmission-appendFormData-crash.html                                (rev 0)
+++ trunk/LayoutTests/fast/forms/formsubmission-appendFormData-crash.html        2017-02-10 02:15:02 UTC (rev 212026)
</span><span class="lines">@@ -0,0 +1,35 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;body&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+function runTest() {
+    object.name = &quot;foo&quot;;
+    input.autofocus = true;
+    output.appendChild(input);
+    form.submit();
+    setTimeout(function() {
+    if (window.testRunner)
+        testRunner.notifyDone();
+    }, 0);
+}
+
+function focushandler() {
+    for(var i = 0; i &lt; 100; i++) {
+        var e = document.createElement(&quot;input&quot;);
+        form.appendChild(e);
+    }
+}
+&lt;/script&gt;
+&lt;body onload=&quot;runTest()&quot;&gt;
+    &lt;p&gt;This test passes if it does not crash.&lt;/p&gt;
+    &lt;form id=&quot;form&quot;&gt;
+    &lt;object id=&quot;object&quot;&gt;
+    &lt;output id=&quot;output&quot;&gt;a&lt;/output&gt;
+    &lt;input id=&quot;input&quot; onfocus=&quot;focushandler()&quot;&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
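Review bot: the test markup opens &lt;body&gt; twice (once before the script, once as &lt;body onload="runTest()"&gt;) and never closes &lt;form&gt;, &lt;object&gt; or &lt;output&gt;, so it only works because the parser folds the second body's onload attribute onto the first body and implicitly closes the rest. Since the test depends on input being moved inside output, inside form, at the moment focus fires, a single &lt;body onload="runTest()"&gt; with explicit end tags would make that structure, and the intent, explicit. A one-line comment next to object.name = "foo" would also help: that assignment is what gets HTMLObjectElement::appendFormData() past its name().isEmpty() early return and into pluginWidget(), which is the path under test.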
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (212025 => 212026)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2017-02-10 02:13:07 UTC (rev 212025)
+++ trunk/Source/WebCore/ChangeLog        2017-02-10 02:15:02 UTC (rev 212026)
</span><span class="lines">@@ -1,5 +1,35 @@
</span><span class="cx"> 2017-02-09  Chris Dumez  &lt;cdumez@apple.com&gt;
</span><span class="cx"> 
</span><ins>+        Crash under FormSubmission::create()
+        https://bugs.webkit.org/show_bug.cgi?id=167200
+        &lt;rdar://problem/30096323&gt;
+
+        Reviewed by Darin Adler.
+
+        The issue is that FormSubmission::create() was iterating over
+        form.associatedElements() as was calling Element::appendFormData()
+        in the loop. HTMLObjectElement::appendFormData() was calling
+        pluginWidget(PluginLoadingPolicy::Load) which causes a synchronous
+        layout and can fire events (such as focus event) synchronously.
+        Firing those events synchronously allows the JS to modify the
+        form.associatedElements() vector we are currently iterating on.
+
+        To avoid this issue, we now call pluginWidget(PluginLoadingPolicy::DoNotLoad)
+        in HTMLObjectElement::appendFormData() as we are not allowed to fire
+        synchronous events at this point. I also added a security assertion
+        in FormSubmission::create() to catch cases where we fire JS events
+        while iterating over the form associated elements to more easily
+        notice these things in the future.
+
+        Test: fast/forms/formsubmission-appendFormData-crash.html
+
+        * html/HTMLObjectElement.cpp:
+        (WebCore::HTMLObjectElement::appendFormData):
+        * loader/FormSubmission.cpp:
+        (WebCore::FormSubmission::create):
+
+2017-02-09  Chris Dumez  &lt;cdumez@apple.com&gt;
+
</ins><span class="cx">         Crash under HTMLFormElement::registerFormElement()
</span><span class="cx">         https://bugs.webkit.org/show_bug.cgi?id=167162
</span><span class="cx"> 
</span></span></pre></div>
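Review bot: typo in the description, "form.associatedElements() as was calling Element::appendFormData()" should read "and was calling". The entry also describes NoEventDispatchAssertion as a security assertion without saying that it is compiled out when assertions are disabled; it would be clearer to state that the assertion is the debug-time detector and that the fix in shipping builds is the PluginLoadingPolicy::DoNotLoad change in HTMLObjectElement::appendFormData().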
<a id="trunkSourceWebCorehtmlHTMLObjectElementcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/html/HTMLObjectElement.cpp (212025 => 212026)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/html/HTMLObjectElement.cpp        2017-02-10 02:13:07 UTC (rev 212025)
+++ trunk/Source/WebCore/html/HTMLObjectElement.cpp        2017-02-10 02:15:02 UTC (rev 212026)
</span><span class="lines">@@ -506,7 +506,9 @@
</span><span class="cx">     if (name().isEmpty())
</span><span class="cx">         return false;
</span><span class="cx"> 
</span><del>-    Widget* widget = pluginWidget();
</del><ins>+    // Use PluginLoadingPolicy::DoNotLoad here or it would fire JS events synchronously
+    // which would not be safe here.
+    auto* widget = pluginWidget(PluginLoadingPolicy::DoNotLoad);
</ins><span class="cx">     if (!is&lt;PluginViewBase&gt;(widget))
</span><span class="cx">         return false;
</span><span class="cx">     String value;
</span></span></pre></div>
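Review bot: this is a behaviour change beyond the crash fix and the ChangeLog should say so: with PluginLoadingPolicy::DoNotLoad an &lt;object&gt; whose plugin has not been instantiated yet has no PluginViewBase widget, fails the is&lt;PluginViewBase&gt;(widget) check and contributes nothing to the submission, whereas before this patch it would have been loaded on the spot. That is the right trade-off (building the submission must not run script), but a test with an object that already has a loaded plugin would confirm the normal path still appends its data. The new comment could also name the hazard concretely, for example "loading can run layout and fire focus synchronously, which lets script mutate the form's associated elements while FormSubmission::create() iterates them", instead of "would not be safe here".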
<a id="trunkSourceWebCoreloaderFormSubmissioncpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/FormSubmission.cpp (212025 => 212026)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/FormSubmission.cpp        2017-02-10 02:13:07 UTC (rev 212025)
+++ trunk/Source/WebCore/loader/FormSubmission.cpp        2017-02-10 02:15:02 UTC (rev 212026)
</span><span class="lines">@@ -47,6 +47,7 @@
</span><span class="cx"> #include &quot;HTMLInputElement.h&quot;
</span><span class="cx"> #include &quot;HTMLNames.h&quot;
</span><span class="cx"> #include &quot;HTMLParserIdioms.h&quot;
</span><ins>+#include &quot;NoEventDispatchAssertion.h&quot;
</ins><span class="cx"> #include &quot;TextEncoding.h&quot;
</span><span class="cx"> #include &lt;wtf/CurrentTime.h&gt;
</span><span class="cx"> 
</span><span class="lines">@@ -190,18 +191,22 @@
</span><span class="cx">     StringPairVector formValues;
</span><span class="cx"> 
</span><span class="cx">     bool containsPasswordData = false;
</span><del>-    for (auto&amp; control : form.associatedElements()) {
-        auto&amp; element = control-&gt;asHTMLElement();
-        if (!element.isDisabledFormControl())
-            control-&gt;appendFormData(domFormData, isMultiPartForm);
-        if (is&lt;HTMLInputElement&gt;(element)) {
-            auto&amp; input = downcast&lt;HTMLInputElement&gt;(element);
-            if (input.isTextField()) {
-                formValues.append({ input.name().string(), input.value() });
-                input.addSearchResult();
</del><ins>+    {
+        NoEventDispatchAssertion noEventDispatchAssertion;
+
+        for (auto&amp; control : form.associatedElements()) {
+            auto&amp; element = control-&gt;asHTMLElement();
+            if (!element.isDisabledFormControl())
+                control-&gt;appendFormData(domFormData, isMultiPartForm);
+            if (is&lt;HTMLInputElement&gt;(element)) {
+                auto&amp; input = downcast&lt;HTMLInputElement&gt;(element);
+                if (input.isTextField()) {
+                    formValues.append({ input.name().string(), input.value() });
+                    input.addSearchResult();
+                }
+                if (input.isPasswordField() &amp;&amp; !input.value().isEmpty())
+                    containsPasswordData = true;
</ins><span class="cx">             }
</span><del>-            if (input.isPasswordField() &amp;&amp; !input.value().isEmpty())
-                containsPasswordData = true;
</del><span class="cx">         }
</span><span class="cx">     }
</span><span class="cx"> 
</span></span></pre>
</div>
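Review bot: the loop still iterates form.associatedElements() by reference, so the NoEventDispatchAssertion scope only detects a re-entrant dispatch in builds with assertions enabled; in release builds any other appendFormData() path that ends up running script would still grow the vector under the loop. If that residual risk is a concern, iterating a copy of the associated elements (a local Vector of Ref&lt;&gt;s) would keep the walk valid regardless, with the assertion kept as the debug-time detector. Minor: the added brace block exists only to scope the assertion, and a short comment saying so would save the next reader a moment; input.addSearchResult() now also runs inside the no-dispatch scope, which is fine as long as it never dispatches an event.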
</div>

</body>
</html>