HTMLImageElement::insertedIntoAncestor doesn't check that we're appending the <img> as a direct child of a <picture>, which means that some random other ancestor <picture> could be used instead.
WPT PR that tests this: https://github.com/web-platform-tests/wpt/pull/28680 Forthcoming patch makes that test pass.
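The reporter's point, modelled in a small added example (this is illustrative JavaScript written for this page, not WebKit's code and not the WPT test): a toy DOM in which the buggy association walks every ancestor for a `<picture>`, while the fixed one accepts only the img's direct parent, as the HTML spec requires. The node shape, the `el` helper and the cut-down source selection are assumptions made for the demo; the markup cases are constructed.

```javascript
// Added illustration (not WebKit's code): a toy DOM model showing why the
// <picture> association must look only at the img's parent, not any ancestor.
// Node shape and the simplified source selection below are assumptions.

function el(tag, attrs = {}, children = []) {
  const node = { tag, attrs, children: [], parent: null };
  for (const child of children) {
    child.parent = node;
    node.children.push(child);
  }
  return node;
}

// Behaviour before the fix: the first <picture> found anywhere up the
// ancestor chain is taken as the img's picture.
function pictureForBuggy(img) {
  for (let n = img.parent; n !== null; n = n.parent) {
    if (n.tag === 'picture') return n;
  }
  return null;
}

// Behaviour after the fix (and per the HTML spec): only a direct parent
// <picture> counts.
function pictureForFixed(img) {
  return img.parent !== null && img.parent.tag === 'picture' ? img.parent : null;
}

// Cut-down version of the spec's "select an image source" step: walk the
// picture's children that precede the img and take the first <source> whose
// media query matches (type/srcset/sizes handling omitted for the demo).
function selectSrc(img, pictureFor, mediaMatches) {
  const picture = pictureFor(img);
  if (picture !== null) {
    for (const sibling of picture.children) {
      if (sibling === img) break;
      if (sibling.tag === 'source' &&
          (sibling.attrs.media === undefined || mediaMatches(sibling.attrs.media))) {
        return sibling.attrs.srcset;
      }
    }
  }
  return img.attrs.src;
}

// Constructed markup, equivalent to:
//   <picture><source media="..." srcset="wide.png"><div><img src="fallback.png"></div></picture>
function nestedCase() {
  const img = el('img', { src: 'fallback.png' });
  el('picture', {}, [
    el('source', { media: '(min-width: 600px)', srcset: 'wide.png' }),
    el('div', {}, [img]),
  ]);
  return img;
}

// Constructed markup, equivalent to:
//   <picture><source media="..." srcset="wide.png"><img src="fallback.png"></picture>
function directCase() {
  const img = el('img', { src: 'fallback.png' });
  el('picture', {}, [
    el('source', { media: '(min-width: 600px)', srcset: 'wide.png' }),
    img,
  ]);
  return img;
}

const alwaysMatches = () => true;
console.log('nested, buggy:', selectSrc(nestedCase(), pictureForBuggy, alwaysMatches)); // wide.png
console.log('nested, fixed:', selectSrc(nestedCase(), pictureForFixed, alwaysMatches)); // fallback.png
console.log('direct, fixed:', selectSrc(directCase(), pictureForFixed, alwaysMatches)); // wide.png
```

With the ancestor walk, the `<source>` inside the outer `<picture>` is applied to an `<img>` it does not own; with the direct-parent check, the nested img falls back to its own `src`, which is what the WPT test linked above checks in a real browser.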
Created attachment 427022 [details] Patch
Comment on attachment 427022 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=427022&action=review

> Source/WebCore/ChangeLog:8
> + Tests: https://github.com/web-platform-tests/wpt/pull/28680

Please update the imported test now that it has been merged upstream.

> Source/WebCore/html/parser/HTMLConstructionSite.cpp:702
> if (is<HTMLPictureElement>(currentNode()) && is<HTMLImageElement>(*element))
> downcast<HTMLImageElement>(*element).setPictureElement(&downcast<HTMLPictureElement>(currentNode()));

This is crazy. How is this code even needed?
Created attachment 427118 [details] Patch
This patch modifies the imported WPT tests. Please ensure that any changes on the tests (not coming from a WPT import) are exported to WPT. Please see https://trac.webkit.org/wiki/WPTExportProcess
Committed r276679 (237096@main): <https://commits.webkit.org/237096@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 427118 [details].
<rdar://problem/77237671>